mongodb / mongodb-atlas-kubernetes

MongoDB Atlas Kubernetes Operator - Manage your MongoDB Atlas clusters from Kubernetes
http://www.mongodb.com/cloud/atlas
Apache License 2.0

Cross Namespace Watching Does Not Work for Global API Key #270

Closed Freyert closed 2 years ago

Freyert commented 3 years ago
  1. Deploy operator into namespace: mongodb
  2. Set environment variable WATCH_NAMESPACE: ns2
  3. Receive error reason":"AtlasCredentialsNotProvided","message":"Secret \"mongodb-atlas-operator-api-key\" not found"

I used the debugger to discover that the cache for the manager's Kubernetes client uses the WATCH_NAMESPACE to populate its cache of Secrets. Therefore the cache will not have mongodb/mongodb-atlas-operator-api-key.

This is the documented behavior of the Namespace option for controller managers: https://github.com/kubernetes-sigs/controller-runtime/blob/ef5c8a3ffd288667b89005aebad5ff6e0cf0c5e4/pkg/manager/manager.go#L188-L194

Namespace if specified restricts the manager's cache to watch objects in the desired namespace Defaults to all namespaces

Note: If a namespace is specified, controllers can still Watch for a cluster-scoped resource (e.g Node). For namespaced resources the cache will only hold objects from the desired namespace.

So for the GlobalAPIKey secret to be usable I think we need to be able to mount the secret as a volume or otherwise configure a different Kubernetes client for retrieving the GlobalAPIKey secret.

Please let me know if there's a workaround/configuration I'm missing! Thank you for your help.
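
The cache miss reported above, and the "different client" idea raised in the same comment, modelled with the Go standard library only. This is an added example, not part of the original post, not the operator's code and not the change made in #282; `key`, `apiServer`, `nsCache` and `pinnedReader` are hypothetical stand-ins and the secret value is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for this sketch, not controller-runtime's API.
type key struct{ Namespace, Name string }

var errNotFound = errors.New("secret not found")

// apiServer models an uncached read straight from the API server.
type apiServer map[key]string
func (a apiServer) Get(k key) (string, error) {
	if v, ok := a[k]; ok {
		return v, nil
	}
	return "", errNotFound
}

// nsCache models a manager cache limited to one watched namespace:
// Secrets elsewhere are never populated, so every such read misses.
type nsCache struct{ watch string; src apiServer }
func (c nsCache) Get(k key) (string, error) {
	if k.Namespace != c.watch {
		return "", errNotFound
	}
	return c.src.Get(k)
}

// pinnedReader reads through the cache and goes direct only for the one
// pinned global-key Secret, so no other namespace becomes readable.
type pinnedReader struct{ cached nsCache; direct apiServer; pinned key }
func (p pinnedReader) Get(k key) (string, error) {
	if v, err := p.cached.Get(k); !errors.Is(err, errNotFound) || k != p.pinned {
		return v, err
	}
	return p.direct.Get(k)
}

func main() {
	gk := key{"mongodb", "mongodb-atlas-operator-api-key"} // names from the issue
	api := apiServer{gk: "constructed-sample-value"}
	cache := nsCache{"ns2", api}
	_, err := cache.Get(gk)
	fmt.Println("cache only:", err)
	v, err := pinnedReader{cache, api, gk}.Get(gk)
	fmt.Println("pinned:", v, err)
}
```

In controller-runtime the uncached reader is available from the manager as `GetAPIReader()`; the operator's RBAC for it can still be limited to `get` on that single Secret name.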

Freyert commented 3 years ago

Related to #215

jamesbroadhead commented 2 years ago

Fixed in #282

sunchill06 commented 2 years ago

I can still see the same issue with GlobalAPIKey.

kubectl get secret mongodb-atlas-operator-api-key -n mongodb --show-labels
NAME                             TYPE     DATA   AGE   LABELS
mongodb-atlas-operator-api-key   Opaque   3      18h   atlas.mongodb.com/type=credentials