traefik / mesh

Traefik Mesh - Simpler Service Mesh
https://traefik.io/traefik-mesh
Apache License 2.0

Allow Maesh to Run in a Singular Namespace #253

Closed cbrintnall closed 4 years ago

cbrintnall commented 5 years ago

Proposal

Have Maesh label its own services .maesh so it doesn't need a unique namespace. From there Maesh can then identify its own services via the label, and other services without.

On service creation Maesh should add the label service=maesh, or a unique ID that it tracks internally (id=<uuid4>).

Background

The issue comes from multi-tenant Kubernetes clusters. Although it is still possible to spin up another namespace by requesting one from the cluster admins, removing the need to have a unique namespace for the .maesh services would allow multi-tenant clusters to run Maesh in one namespace, similar to how Traefik can run in a singular namespace.

Workarounds

None currently, although going down the recommended path (spinning up a unique namespace for Maesh) is also possible. Difficulty depends on the clusters themselves.

Extra

This may also require / allow (if not already possible) Maesh to target specific namespaces to watch.

More context can be found here on Discourse: https://community.containo.us/t/why-does-maesh-need-to-be-in-its-own-namespace/1850/3

dtomcej commented 5 years ago

We could extend the ignoreWrapper to include labels that can also be used to ignore events.

jlevesy commented 5 years ago

I'll work on this one

jlevesy commented 5 years ago

Hey @cbrintnall,

Have Maesh label its own services .maesh

Quick question, could you clarify what you meant by label its own services please? Do you mean creating a service with a name in .maesh (for example whoami.maesh)? If so, it is sadly impossible as service names are required to comply with the RFC DNS-1035 which excludes the possibility of having the . character in a name.

Creating the following service

---
kind: Service
apiVersion: v1
metadata:
  name: whoami.maesh
  namespace: playground
spec:
  selector:
    app: whoami
  ports:
    - name: web
      protocol: TCP
      port: 80
      targetPort: 80

You get this error

The Service "whoami.maesh" is invalid: metadata.name: Invalid value: "whoami.maesh": a DNS-1035 label must consist of lower case alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character (e.g. 'my-name',  or 'abc-123', regex used for validation is '[a-z]([-a-z0-9]*[a-z0-9])?')

Is that what you meant or did I miss something? (which is completely possible :sweat_smile:)

Anyway, thanks for your contribution!
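The validation rule quoted in the error above is easy to reproduce client-side, which is useful when a controller generates Service names from user input and wants to fail early rather than get an apiserver rejection. The following is an added example, not Maesh's own code: it applies the DNS-1035 regular expression from the error message plus the 63-character label limit, and SuggestServiceName is a hypothetical helper that rewrites a name such as whoami.maesh into a form the apiserver accepts (it is not the naming scheme the project uses).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dns1035Regexp is the expression quoted by kube-apiserver in the error above:
// lower-case letters, digits and '-', starting with a letter and ending with a
// letter or digit. Anchors are added so the whole name must match.
var dns1035Regexp = regexp.MustCompile(`^[a-z]([-a-z0-9]*[a-z0-9])?$`)

// dns1035MaxLen is the maximum length of a single DNS label (RFC 1035).
const dns1035MaxLen = 63

// ValidateDNS1035Label returns nil when name is an acceptable Kubernetes
// Service name, otherwise an error describing why the apiserver rejects it.
func ValidateDNS1035Label(name string) error {
	if len(name) > dns1035MaxLen {
		return fmt.Errorf("%q is longer than %d characters", name, dns1035MaxLen)
	}
	if !dns1035Regexp.MatchString(name) {
		return fmt.Errorf("%q must match %s", name, dns1035Regexp.String())
	}
	return nil
}

// SuggestServiceName is a hypothetical helper (assumption, not the project's
// naming scheme): lower-cases the input, collapses every run of characters
// outside [a-z0-9] into a single '-', trims leading/trailing dashes, prefixes
// "svc-" when the result would not start with a letter, and truncates to 63.
func SuggestServiceName(name string) string {
	var b strings.Builder
	lastDash := false
	for _, r := range strings.ToLower(name) {
		switch {
		case r >= 'a' && r <= 'z', r >= '0' && r <= '9':
			b.WriteRune(r)
			lastDash = false
		case !lastDash:
			b.WriteRune('-')
			lastDash = true
		}
	}
	s := strings.Trim(b.String(), "-")
	if s == "" {
		return "svc"
	}
	if s[0] < 'a' || s[0] > 'z' {
		s = "svc-" + s
	}
	if len(s) > dns1035MaxLen {
		s = strings.TrimRight(s[:dns1035MaxLen], "-")
	}
	return s
}

func main() {
	// Constructed sample names: the one from the thread, a valid variant, and
	// an upper-case one.
	for _, name := range []string{"whoami.maesh", "whoami-maesh", "Whoami"} {
		if err := ValidateDNS1035Label(name); err != nil {
			fmt.Printf("rejected: %v (suggest %q)\n", err, SuggestServiceName(name))
		} else {
			fmt.Printf("accepted: %q\n", name)
		}
	}
}
```

Because the `.` in whoami.maesh is rejected outright, any "owner" information has to go into a label or annotation rather than the name, which is what the next comment proposes.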

cbrintnall commented 5 years ago

@jlevesy IIRC I meant something more along the lines of:

---
kind: Service
apiVersion: v1
metadata:
  name: maesh-service
  namespace: playground
  labels:
    owner: maesh
spec:
  selector:
    app: whoami
  ports:
    - name: web
      protocol: TCP
      port: 80
      targetPort: 80

I haven't visited this in a while, but I believe Maesh is in its own namespace to isolate itself from other services, since when Maesh looks for its services, it simply just queries its namespace. The issue here is in multi-tenant clusters not everyone can create a namespace, and if a private namespace is just needed to query the services, adding a label such as owner: maesh would make it so you just query for services with that label, instead of all the services in your namespace.
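The two selection strategies discussed in this thread (query everything in a dedicated namespace, or query by an owner label) and dtomcej's suggestion of extending the ignore logic with labels can be shown side by side. The following is an added example, not Maesh's own controller code or its ignoreWrapper: the Service type is a minimal stand-in for the Kubernetes object, the owner: maesh label is the one proposed above, and the sample services are constructed for the example.

```go
package main

import "fmt"

// Service is a minimal stand-in for a Kubernetes Service object, constructed
// for this example (the real type is k8s.io/api/core/v1 Service).
type Service struct {
	Name      string
	Namespace string
	Labels    map[string]string
}

// The owner label proposed in the thread (key and value are assumptions).
const (
	OwnerLabelKey   = "owner"
	OwnerLabelValue = "maesh"
)

// SampleServices is constructed input: a shared "playground" namespace holding
// a tenant's whoami app next to a mesh-owned service, an unlabelled mesh-owned
// service in a dedicated "maesh" namespace, and an unrelated tenant service.
var SampleServices = []Service{
	{Name: "whoami", Namespace: "playground", Labels: map[string]string{"app": "whoami"}},
	{Name: "maesh-service", Namespace: "playground", Labels: map[string]string{OwnerLabelKey: OwnerLabelValue}},
	{Name: "maesh-service", Namespace: "maesh"},
	{Name: "db", Namespace: "billing", Labels: map[string]string{"app": "db"}},
}

// IsMeshOwned reports whether a service carries the owner label.
func IsMeshOwned(svc Service) bool {
	return svc.Labels[OwnerLabelKey] == OwnerLabelValue
}

// MeshServicesByNamespace models the current behaviour described above: every
// service in the mesh namespace is treated as mesh-owned.
func MeshServicesByNamespace(svcs []Service, meshNS string) []Service {
	var out []Service
	for _, s := range svcs {
		if s.Namespace == meshNS {
			out = append(out, s)
		}
	}
	return out
}

// MeshServicesByLabel models the proposal: mesh-owned services are found by
// label, so they can share a namespace with tenant workloads.
func MeshServicesByLabel(svcs []Service) []Service {
	var out []Service
	for _, s := range svcs {
		if IsMeshOwned(s) {
			out = append(out, s)
		}
	}
	return out
}

// IsIgnored is a hypothetical ignore predicate in the spirit of extending the
// ignoreWrapper with labels: skip a service when it lives in an ignored
// namespace or is labelled mesh-owned, so the controller never wraps its own.
func IsIgnored(svc Service, ignoredNamespaces map[string]bool) bool {
	return ignoredNamespaces[svc.Namespace] || IsMeshOwned(svc)
}

// TenantServices returns the services the mesh should act on.
func TenantServices(svcs []Service, ignoredNamespaces map[string]bool) []Service {
	var out []Service
	for _, s := range svcs {
		if !IsIgnored(s, ignoredNamespaces) {
			out = append(out, s)
		}
	}
	return out
}

// Names renders services as namespace/name for printing and checking.
func Names(svcs []Service) []string {
	out := make([]string, 0, len(svcs))
	for _, s := range svcs {
		out = append(out, s.Namespace+"/"+s.Name)
	}
	return out
}

func main() {
	fmt.Println("by namespace:", Names(MeshServicesByNamespace(SampleServices, "maesh")))
	fmt.Println("by label:    ", Names(MeshServicesByLabel(SampleServices)))
	ignored := map[string]bool{"maesh": true, "kube-system": true}
	fmt.Println("tenant:      ", Names(TenantServices(SampleServices, ignored)))
}
```

Note the trust difference between the two strategies: membership of a dedicated namespace is enforced by RBAC, whereas a label can be set by anyone allowed to write Services in the shared namespace, so a label-based controller should treat the label as a routing hint and keep any privileged handling of "its own" services behind a namespace check or an admission policy.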

jlevesy commented 5 years ago

Gotcha, thanks.