Feature request: Watch namespaces by annotation

[csullivannet]

Sometimes we have clusters that have dynamic namespaces, i.e. those that would be created after provisioning the operator.

Rather than forcing an update to the operator, I'd prefer to be able to annotation my namespace manifest so that the operator automatically starts watching it.

[nesl247]

This is an absolute must. We can't update the operator for every new application we deploy (too much work), as we create a namespace per application.

[SimonBarendse]

Thank you for opening this issue. We're investigating options to allow dynamically watching namespaces without requiring an update or restart.

Note that you can already set WATCH_NAMESPACE to the empty string to watch all namespaces. @nesl247 Would this help with your use case?

[nesl247]

I believe that in our use case that would work. I haven't looked into this enough to see if there would be any issues with that.

[mcmarkj]

Note that you can already set WATCH_NAMESPACE to the empty string to watch all namespaces. @SimonBarendse I don't believe that's documented in the README, perhaps that should be added, as I was very close to writing off the operator as unsuitable for our use-case as I thought we had to list the namespaces to watch.

[SimonBarendse]

Definitely Mark! Thank you for pointing this out. I've opened https://github.com/1Password/onepassword-operator/pull/39 to address this.

[SimonBarendse]

I'm curious to learn if this was just a documentation issue or there's more we can do.

@csullivannet @pdavisfmnh @camilb and @liftedkilt, will watching all namespaces work for your use cases?

Note that the operator only takes action when you create OnePasswordItem CRDs or add an operator.1password.io annotation. It leaves other deployments where you're not using 1Password untouched.