Merge pull request #46 from Infisical/daniel/scoped-namespaces

feat: multiple scoped namespaces

Author: varonix0

cmd/main.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -65,10 +66,12 @@ func main() {
 	var probeAddr string
 	var secureMetrics bool
 	var enableHTTP2 bool
-	var namespace string
+	var namespaces string
+	var deprecatedScopedNamespaceWarning bool
 
 	var tlsOpts []func(*tls.Config)
-	flag.StringVar(&namespace, "namespace", "", "Watch InfisicalSecrets scoped in the provided namespace only")
+	flag.StringVar(&namespaces, "namespaces", "", "Comma-separated list of namespaces to watch. If empty, watches all namespaces (cluster-scoped)")
+	flag.BoolVar(&deprecatedScopedNamespaceWarning, "deprecated-scoped-namespace-warning", false, "If true, logs a deprecation warning for the scopedNamespace field")
 	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
 		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
@@ -203,15 +206,35 @@ func main() {
 		// LeaderElectionReleaseOnCancel: true,
 	}
 
+	// Parse namespaces and configure cache for namespace-scoped watching
+	var namespaceList []string
+	if namespaces != "" {
+		for _, ns := range strings.Split(namespaces, ",") {
+			ns = strings.TrimSpace(ns)
+			if ns != "" {
+				namespaceList = append(namespaceList, ns)
+			}
+		}
+	}
+
+	isNamespaceScoped := len(namespaceList) > 0
+
+	// Log deprecation warning if using the deprecated scopedNamespace field
+	if deprecatedScopedNamespaceWarning {
+		setupLog.Info("WARNING: The 'scopedNamespace' field is deprecated and will be removed in a future version. Please use 'scopedNamespaces' (plural) instead.")
+	}
+
 	// Only set cache options if we're namespace-scoped
-	if namespace != "" {
+	if isNamespaceScoped {
+		defaultNamespaces := make(map[string]cache.Config)
+		for _, ns := range namespaceList {
+			defaultNamespaces[ns] = cache.Config{}
+		}
 		managerOptions.Cache = cache.Options{
-			Scheme: scheme,
-			DefaultNamespaces: map[string]cache.Config{
-				namespace: {}, // whichever namespace the operator is running in
-			},
+			Scheme:            scheme,
+			DefaultNamespaces: defaultNamespaces,
 		}
-		ctrl.Log.Info(fmt.Sprintf("Watching CRDs in [namespace=%s]", namespace))
+		ctrl.Log.Info(fmt.Sprintf("Watching CRDs in namespaces: %v", namespaceList))
 	}
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), managerOptions)
@@ -226,17 +249,15 @@ func main() {
 		Client:            mgr.GetClient(),
 		Scheme:            mgr.GetScheme(),
 		BaseLogger:        ctrl.Log,
-		Namespace:         namespace,
-		IsNamespaceScoped: namespace != "",
+		IsNamespaceScoped: isNamespaceScoped,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "InfisicalSecret")
 		os.Exit(1)
 	}
 	if err := (&controller.InfisicalPushSecretReconciler{
 		Client:            mgr.GetClient(),
 		Scheme:            mgr.GetScheme(),
-		IsNamespaceScoped: namespace != "",
-		Namespace:         namespace,
+		IsNamespaceScoped: isNamespaceScoped,
 		BaseLogger:        ctrl.Log,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "InfisicalPushSecret")
@@ -246,8 +267,7 @@ func main() {
 		Client:            mgr.GetClient(),
 		Scheme:            mgr.GetScheme(),
 		BaseLogger:        ctrl.Log,
-		IsNamespaceScoped: namespace != "",
-		Namespace:         namespace,
+		IsNamespaceScoped: isNamespaceScoped,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "InfisicalDynamicSecret")
 		os.Exit(1)

config/manager/kustomization.yaml

@@ -1,5 +1,3 @@
-resources:
-- manager.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:

helm-charts/secrets-operator/templates/_helpers.tpl

@@ -59,4 +59,40 @@ Create the name of the service account to use
 {{- else }}
 {{- printf "%s-controller-manager" (include "secrets-operator.fullname" .) }}
 {{- end }}
+{{- end }}
+
+{{/*
+Compute the list of scoped namespaces.
+scopedNamespaces takes precedence over the deprecated scopedNamespace.
+Handles both array input (--set "scopedNamespaces={ns1,ns2}") and
+comma-separated string input (--set scopedNamespaces="ns1,ns2").
+Returns a JSON object with a "list" key that should be parsed with fromJson.
+Usage: $namespaces := (include "secrets-operator.scopedNamespaces" . | fromJson).list
+*/}}
+{{- define "secrets-operator.scopedNamespaces" -}}
+{{- if .Values.scopedNamespaces -}}
+  {{- if kindIs "string" .Values.scopedNamespaces -}}
+    {{- /* Handle comma-separated string input */ -}}
+    {"list": {{ splitList "," .Values.scopedNamespaces | toJson }}}
+  {{- else -}}
+    {{- /* Handle array input */ -}}
+    {"list": {{ .Values.scopedNamespaces | toJson }}}
+  {{- end -}}
+{{- else if .Values.scopedNamespace -}}
+{"list": {{ list .Values.scopedNamespace | toJson }}}
+{{- else -}}
+{"list": []}
+{{- end -}}
+{{- end }}
+
+{{/*
+Check if we're using the deprecated scopedNamespace field.
+Returns "true" or "false" as a string.
+*/}}
+{{- define "secrets-operator.usingDeprecatedScopedNamespace" -}}
+{{- if and (not .Values.scopedNamespaces) .Values.scopedNamespace -}}
+true
+{{- else -}}
+false
+{{- end -}}
 {{- end }}

helm-charts/secrets-operator/templates/deployment.yaml

@@ -22,8 +22,12 @@ spec:
       containers:
       - args:
         {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
-        {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-        - --namespace={{ .Values.scopedNamespace }}
+        {{- $namespaces := (include "secrets-operator.scopedNamespaces" . | fromJson).list }}
+        {{- if and $namespaces .Values.scopedRBAC }}
+        - --namespaces={{ join "," $namespaces }}
+        {{- if eq (include "secrets-operator.usingDeprecatedScopedNamespace" .) "true" }}
+        - --deprecated-scoped-namespace-warning
+        {{- end }}
         {{- end }}
         command:
         - /manager

helm-charts/secrets-operator/templates/manager-rbac.yaml

@@ -1,16 +1,8 @@
-apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-kind: Role
-{{- else }}
-kind: ClusterRole
-{{- end }}
-metadata:
-  name: {{ include "secrets-operator.fullname" . }}-manager-role
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
-  labels:
-  {{- include "secrets-operator.labels" . | nindent 4 }}
+{{- $namespaces := (include "secrets-operator.scopedNamespaces" . | fromJson).list }}
+{{- $isScopedMode := and $namespaces .Values.scopedRBAC }}
+
+{{- /* Define the rules once to avoid repetition */ -}}
+{{- define "secrets-operator.managerRules" }}
 rules:
 - apiGroups:
   - ""
@@ -95,30 +87,59 @@ rules:
   - get
   - patch
   - update
+{{- end }}
+
+{{- if $isScopedMode }}
+{{- /* Scoped mode: Create a Role and RoleBinding in each namespace */ -}}
+{{- range $ns := $namespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "secrets-operator.fullname" $ }}-manager-role
+  namespace: {{ $ns | quote }}
+  labels:
+  {{- include "secrets-operator.labels" $ | nindent 4 }}
+{{- include "secrets-operator.managerRules" $ }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
 kind: RoleBinding
+metadata:
+  name: {{ include "secrets-operator.fullname" $ }}-manager-rolebinding
+  namespace: {{ $ns | quote }}
+  labels:
+  {{- include "secrets-operator.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "secrets-operator.fullname" $ }}-manager-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "secrets-operator.serviceAccountName" $ }}
+  namespace: {{ $.Release.Namespace }}
+{{- end }}
 {{- else }}
+{{- /* Cluster-scoped mode: Create a ClusterRole and ClusterRoleBinding */ -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "secrets-operator.fullname" . }}-manager-role
+  labels:
+  {{- include "secrets-operator.labels" . | nindent 4 }}
+{{- include "secrets-operator.managerRules" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-{{- end }}
 metadata:
   name: {{ include "secrets-operator.fullname" . }}-manager-rolebinding
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  namespace: {{ .Values.scopedNamespace | quote }}
-  {{- end }}
   labels:
-
   {{- include "secrets-operator.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
-  kind: Role
-  {{- else }}
   kind: ClusterRole
-  {{- end }}
-  name: '{{ include "secrets-operator.fullname" . }}-manager-role'
+  name: {{ include "secrets-operator.fullname" . }}-manager-role
 subjects:
 - kind: ServiceAccount
-  name: '{{ include "secrets-operator.serviceAccountName" . }}'
-  namespace: '{{ .Release.Namespace }}'
+  name: {{ include "secrets-operator.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

helm-charts/secrets-operator/values.yaml

@@ -32,7 +32,19 @@ controllerManager:
       type: RuntimeDefault
   replicas: 1
 kubernetesClusterDomain: cluster.local
+
+# DEPRECATED: Use scopedNamespaces instead. This field will be removed in a future version.
+# If both scopedNamespace and scopedNamespaces are set, scopedNamespaces takes precedence.
 scopedNamespace: ""
+
+# List of namespaces to watch. If empty, the operator watches all namespaces (cluster-scoped).
+# When scopedRBAC is true, a Role and RoleBinding will be created in each namespace.
+# Example:
+#   scopedNamespaces:
+#     - team-a-namespace
+#     - team-b-namespace
+scopedNamespaces: []
+
 scopedRBAC: false
 installCRDs: true
 imagePullSecrets: []

internal/controller/infisicaldynamicsecret_controller.go

@@ -45,7 +45,6 @@ type InfisicalDynamicSecretReconciler struct {
 	BaseLogger        logr.Logger
 	Scheme            *runtime.Scheme
 	Random            *rand.Rand
-	Namespace         string
 	IsNamespaceScoped bool
 }
 

internal/controller/infisicalpushsecret_controller.go

@@ -50,7 +50,6 @@ type InfisicalPushSecretReconciler struct {
 	BaseLogger        logr.Logger
 	Scheme            *runtime.Scheme
 	IsNamespaceScoped bool
-	Namespace         string
 }
 
 var infisicalPushSecretResourceVariablesMap map[string]util.ResourceVariables = make(map[string]util.ResourceVariables)

internal/controller/infisicalsecret_controller.go

@@ -46,7 +46,6 @@ type InfisicalSecretReconciler struct {
 	Scheme     *runtime.Scheme
 
 	SourceCh          chan event.TypedGenericEvent[client.Object]
-	Namespace         string
 	IsNamespaceScoped bool
 }