Get extension watch namespace from annotation

Per Goncalves da Silva · perdasilva · commit 1b4058aef02b · 2025-02-14T12:01:18.000+01:00
Signed-off-by: Per Goncalves da Silva &lt;pegoncal@redhat.com&gt;
diff --git a/internal/operator-controller/applier/helm.go b/internal/operator-controller/applier/helm.go
@@ -15,7 +15,6 @@ import (
 	"helm.sh/helm/v3/pkg/postrender"
 	"helm.sh/helm/v3/pkg/release"
 	"helm.sh/helm/v3/pkg/storage/driver"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	apimachyaml "k8s.io/apimachinery/pkg/util/yaml"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -79,7 +78,11 @@ func shouldSkipPreflight(ctx context.Context, preflight Preflight, ext *ocv1.Clu
 }
 
 func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExtension, objectLabels map[string]string, storageLabels map[string]string) ([]client.Object, string, error) {
-	chrt, err := convert.RegistryV1ToHelmChart(ctx, contentFS, ext.Spec.Namespace, []string{corev1.NamespaceAll})
+	watchNamespace, err := GetWatchNamespace(ext)
+	if err != nil {
+		return nil, "", err
+	}
+	chrt, err := convert.RegistryV1ToHelmChart(ctx, contentFS, ext.Spec.Namespace, []string{watchNamespace})
 	if err != nil {
 		return nil, "", err
 	}
diff --git a/internal/operator-controller/applier/watchnamespace.go b/internal/operator-controller/applier/watchnamespace.go
@@ -0,0 +1,32 @@
+package applier
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/validation"
+
+	ocv1 "github.com/operator-framework/operator-controller/api/v1"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
+)
+
+const (
+	AnnotationClusterExtensionWatchNamespace = "olm.operatorframework.io/watch-namespace"
+)
+
+// GetWatchNamespace determines the watch namespace the ClusterExtension should use
+// Note: this is a temporary artifice to enable gated use of single/own namespace install modes
+// for registry+v1 bundles. This will go away once the ClusterExtension API is updated to include
+// (opaque) runtime configuration.
+func GetWatchNamespace(ext *ocv1.ClusterExtension) (string, error) {
+	if features.OperatorControllerFeatureGate.Enabled(features.SingleOwnNamespaceInstallSupport) {
+		if ext != nil && ext.Annotations[AnnotationClusterExtensionWatchNamespace] != "" {
+			watchNamespace := ext.Annotations[AnnotationClusterExtensionWatchNamespace]
+			if errs := validation.IsDNS1123Subdomain(watchNamespace); len(errs) > 0 {
+				return "", fmt.Errorf("invalid watch namespace '%s': namespace must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character", watchNamespace)
+			}
+			return ext.Annotations[AnnotationClusterExtensionWatchNamespace], nil
+		}
+	}
+	return corev1.NamespaceAll, nil
+}
diff --git a/internal/operator-controller/applier/watchnamespace_test.go b/internal/operator-controller/applier/watchnamespace_test.go
@@ -0,0 +1,83 @@
+package applier_test
+
+import (
+	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	featuregatetesting "k8s.io/component-base/featuregate/testing"
+
+	v1 "github.com/operator-framework/operator-controller/api/v1"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
+)
+
+func TestGetWatchNamespace(t *testing.T) {
+	featuregatetesting.SetFeatureGateDuringTest(t, features.OperatorControllerFeatureGate, features.SingleOwnNamespaceInstallSupport, true)
+
+	for _, tt := range []struct {
+		name        string
+		want        string
+		csv         *v1.ClusterExtension
+		expectError bool
+	}{
+		{
+			name: "cluster extension does not have watch namespace annotation",
+			want: corev1.NamespaceAll,
+			csv: &v1.ClusterExtension{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "extension",
+					Annotations: nil,
+				},
+				Spec: v1.ClusterExtensionSpec{},
+			},
+			expectError: false,
+		}, {
+			name: "cluster extension has valid namespace annotation",
+			want: "watch-namespace",
+			csv: &v1.ClusterExtension{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "extension",
+					Annotations: map[string]string{
+						"olm.operatorframework.io/watch-namespace": "watch-namespace",
+					},
+				},
+				Spec: v1.ClusterExtensionSpec{},
+			},
+			expectError: false,
+		}, {
+			name: "cluster extension has invalid namespace annotation: multiple watch namespaces",
+			want: "",
+			csv: &v1.ClusterExtension{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "extension",
+					Annotations: map[string]string{
+						"olm.operatorframework.io/watch-namespace": "watch-namespace,watch-namespace2,watch-namespace3",
+					},
+				},
+				Spec: v1.ClusterExtensionSpec{},
+			},
+			expectError: true,
+		}, {
+			name: "cluster extension has invalid namespace annotation: invalid name",
+			want: "",
+			csv: &v1.ClusterExtension{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "extension",
+					Annotations: map[string]string{
+						"olm.operatorframework.io/watch-namespace": "watch-namespace-",
+					},
+				},
+				Spec: v1.ClusterExtensionSpec{},
+			},
+			expectError: true,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := applier.GetWatchNamespace(tt.csv)
+			require.Equal(t, tt.want, got)
+			require.Equal(t, tt.expectError, err != nil)
+		})
+	}
+}
