1Password / onepassword-operator

The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes Secrets with 1Password. The operator also handles autorestarting deployments when 1Password items are updated.
https://developer.1password.com/docs/connect/
MIT License
541 stars 59 forks

Feature request: Watch namespaces by annotation #8

Open csullivannet opened 3 years ago

csullivannet commented 3 years ago

Sometimes we have clusters that have dynamic namespaces, i.e. those that would be created after provisioning the operator.

Rather than forcing an update to the operator, I'd prefer to be able to annotate my namespace manifest so that the operator automatically starts watching it.

nesl247 commented 3 years ago

This is an absolute must. We can't update the operator for every new application we deploy (too much work), as we create a namespace per application.

SimonBarendse commented 3 years ago

Thank you for opening this issue. We're investigating options to allow dynamically watching namespaces without requiring an update or restart.

Note that you can already set WATCH_NAMESPACE to the empty string to watch all namespaces. @nesl247 Would this help with your use case?

nesl247 commented 3 years ago

I believe that in our use case that would work. I haven't looked into this enough to see if there would be any issues with that.

mcmarkj commented 3 years ago

> Note that you can already set WATCH_NAMESPACE to the empty string to watch all namespaces.

@SimonBarendse I don't believe that's documented in the README, perhaps that should be added, as I was very close to writing off the operator as unsuitable for our use-case as I thought we had to list the namespaces to watch.

SimonBarendse commented 3 years ago

Definitely, Mark! Thank you for pointing this out. I've opened https://github.com/1Password/onepassword-operator/pull/39 to address this.

SimonBarendse commented 3 years ago

I'm curious to learn if this was just a documentation issue or there's more we can do.

@csullivannet @pdavisfmnh @camilb and @liftedkilt, will watching all namespaces work for your use cases?

Note that the operator only takes action when you create OnePasswordItem CRDs or add an operator.1password.io annotation. It leaves other deployments where you're not using 1Password untouched.