search

redhat-cop / cert-utils-operator

Set of functionalities around certificates packaged in a Kubernetes operator
Apache License 2.0
95 stars 35 forks source link

Allow specification of a list of namespaces for the operator to watch #106

Open ron1 opened 2 years ago

ron1 commented 2 years ago

I would like to limit the set of namespaces that the operator is watching. This should be configurable when deploying the operator.

raffaelespazzoli commented 2 years ago

can you describe the use case you are trying to address?

ron1 commented 2 years ago

I have a central namespace in which I store externally-defined tls certs/keys as secrets w/cert-utils-operator annotations. I use kyverno resource generation w/sync (https://kyverno.io/policies/other/sync_secrets/) to clone and rename these secrets into multiple workload-(dev|test)-[1-9] namespaces for use by Ingress resources and Java-based Deployment resources. The cert-utils-operator augments these secrets with a keystore and a truststore to support the Java applications running in the different namespaces.

Currently, both kyverno and the cert-utils-operator are watching and mutating these secrets in the central source namespace and all the target workload namespaces. It is inefficient for the cert-utils-operator to watch the secrets that get cloned/synced to the target namespaces. Furthermore, it seems that management of these secrets in both the source and target namespaces by the cert-utils-operator is causing kyverno to thrash as it attempts to sync these secrets.

I would like to configure the cert-utils-operator to only watch and mutate secrets in the central source namespace as an optimization and also to minimize any potential conflicts with kyverno resource generation.

raffaelespazzoli commented 2 years ago

can you share one of these secrets, just the annotations. I'd like to get a better idea of what is happening.

ron1 commented 2 years ago

My secret is as follows:

Name: my-secret
Namespace: my-namespace
Labels:
- app.kubernetes.io/managed-by=kyverno
- kyverno.io/generated-by-kind=Namespace
- kyverno.io/generated-by-name=myNamespace
- kyverno.io/generated-by-namespace=
- policy.kyverno.io/gr-name=gr-n7vqx
- policy.kyverno.io/policy-name=sync-my-system-my-secret
- policy.kyverno.io/synchronize=enable
Annotations:
- cert-utils-operator.redhat-cop.io/generate-java-keystores="true"