✨ Add NamespaceSelector to generated webhook configs #2076

perdasilva
Contributor

Description

Sets the NamespaceSelector in generated Validating and MutatingWebhookConfiguration resources. This ensures that webhooks for operators installed in single/own namespace mode are (at least for namespaced APIs) restricted to the target namespace of the installation.

The implementation diverges from that of OLMv0. In OLMv0 the namespace selector is derived from OperatorGroup labels OLM sets on the target namespaces. In OLMv1 we don't have OperatorGroups and there's probably no need to add any labels to target namespaces. So, we use the Kubernetes-provided "kubernetes.io/metadata.name" label. This may not work in older versions of Kubernetes.

Note: the renderer itself supports rendering the bundle manifests for multi-namespace mode. OLMv1 just doesn't support MultiNamespace mode. Therefore, the namespace selector uses a match expression with the In operator.

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)
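
The selector semantics described above, as an added example that is not code from this PR: `selectorFor` and `webhookApplies` are hypothetical helpers over local stand-in types, and treating an empty target list as all-namespaces mode is an assumption. It also shows the older-cluster caveat: a namespace that lacks the label is never matched, so the webhook is not called for requests in it.

```go
package main

import "fmt"

// Same label key as the constant added in this PR.
const nsNameLabel = "kubernetes.io/metadata.name"

// Hypothetical stand-ins for the metav1.LabelSelector shape (stdlib only).
type Requirement struct {
	Key, Operator string
	Values        []string
}
type Selector struct{ MatchExpressions []Requirement }

// selectorFor builds the selector for the install's target namespaces.
// Assumption: an empty list means all namespaces, so no selector is set.
func selectorFor(targetNamespaces []string) *Selector {
	if len(targetNamespaces) == 0 {
		return nil
	}
	return &Selector{MatchExpressions: []Requirement{
		{Key: nsNameLabel, Operator: "In", Values: targetNamespaces},
	}}
}

// webhookApplies: would a request in a namespace with nsLabels reach the webhook?
func webhookApplies(sel *Selector, nsLabels map[string]string) bool {
	if sel == nil {
		return true // no selector: every namespace matches
	}
	for _, r := range sel.MatchExpressions {
		got, ok := nsLabels[r.Key]
		matched := false
		for _, v := range r.Values {
			matched = matched || (ok && r.Operator == "In" && v == got)
		}
		if !matched {
			return false // also the result when the label is absent
		}
	}
	return true
}

func main() {
	sel := selectorFor([]string{"ns1"})
	// Constructed namespace label sets: target, other, and one lacking the label.
	for _, l := range []map[string]string{{nsNameLabel: "ns1"}, {nsNameLabel: "ns2"}, {"team": "a"}} {
		fmt.Println(l, webhookApplies(sel, l))
	}
}
```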

@perdasilva perdasilva requested a review from a team as a code owner July 7, 2025 08:47

netlify bot commented Jul 7, 2025

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 6ec2d73
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/686b89be5ed8490008b953df
😎 Deploy Preview https://deploy-preview-2076--olmv1.netlify.app

codecov bot commented Jul 7, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 73.37%. Comparing base (7d4414b) to head (6ec2d73).
Report is 3 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2076      +/-   ##
==========================================
+ Coverage   73.34%   73.37%   +0.03%     
==========================================
  Files          77       77              
  Lines        7056     7076      +20     
==========================================
+ Hits         5175     5192      +17     
- Misses       1541     1543       +2     
- Partials      340      341       +1     
Flag Coverage Δ
e2e 44.90% <5.00%> (-0.18%) ⬇️
experimental-e2e 51.15% <5.00%> (-0.15%) ⬇️
unit 58.38% <100.00%> (+0.11%) ⬆️


@@ -29,6 +30,8 @@ import (
const (
tlsCrtPath = "tls.crt"
tlsKeyPath = "tls.key"

labelKubernetesNamespaceMetadataName = "kubernetes.io/metadata.name"
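
Review bot: the new constant labelKubernetesNamespaceMetadataName at the end of this const block has no doc comment, and neither its name nor its value says which object is expected to carry the label. Add a one-line comment stating that "kubernetes.io/metadata.name" is read from Namespace objects and is what the generated webhook namespaceSelector matches on. Since tlsCrtPath and tlsKeyPath are file names, also consider declaring the label key in its own const block instead of alongside them.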
Contributor

Is this right? Should it be metadata.namespace? Because this ought to be the name of the resource, not the namespace?

Contributor

(Unless you're looking at namespaces?)

Contributor Author

I think so. We're selecting for the name of the namespace. In more recent kube versions, the label "kubernetes.io/metadata.name" started to be stamped out to allow for label selection on the resource name. So, if targetNamespaces = ["ns1"], it will limit the webhook to namespaces with label "kubernetes.io/metadata.name" in ["ns1"] => the namespace with name ns1. Or, am I misunderstanding your question?

Contributor

I think I may have been confused, but you're looking at namespace resources for this selector, so I think we're good.

Contributor

tmshort commented Jul 8, 2025

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 8, 2025

openshift-ci bot commented Jul 8, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tmshort


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 8, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit d101484 into operator-framework:main Jul 8, 2025
22 checks passed