From f3756542a66564124a96d0ab525fdcfe08d11f7e Mon Sep 17 00:00:00 2001 From: Clement Tee Date: Tue, 5 Aug 2025 20:39:22 +0800 Subject: [PATCH 1/8] Allow scoping operator on specific namespaces --- .../twingate-operator/templates/deployment.yaml | 8 +++++++- .../__snapshot__/default_values_test.yaml.snap | 2 +- .../tests/deployment_optional_values_test.yaml | 15 +++++++++++++++ deploy/twingate-operator/values.schema.json | 8 +++++++- deploy/twingate-operator/values.yaml | 16 ++++++++++++++++ 5 files changed, 46 insertions(+), 3 deletions(-) diff --git a/deploy/twingate-operator/templates/deployment.yaml b/deploy/twingate-operator/templates/deployment.yaml index 7b3ce8ec..d5d7d4c1 100644 --- a/deploy/twingate-operator/templates/deployment.yaml +++ b/deploy/twingate-operator/templates/deployment.yaml @@ -45,7 +45,13 @@ spec: - kopf - run - ./main.py - - "-A" + {{- with .Values.twingateOperator.namespaces }} + {{- range . }} + - "--namespace={{ . }}" + {{- end }} + {{- else }} + - "--all-namespaces" + {{- end }} - "--standalone" - "--liveness=http://0.0.0.0:8080/healthz" - "--log-format={{ $logFormat }}" diff --git a/deploy/twingate-operator/tests/__snapshot__/default_values_test.yaml.snap b/deploy/twingate-operator/tests/__snapshot__/default_values_test.yaml.snap index e322fa2a..9d4985a9 100644 --- a/deploy/twingate-operator/tests/__snapshot__/default_values_test.yaml.snap +++ b/deploy/twingate-operator/tests/__snapshot__/default_values_test.yaml.snap @@ -111,7 +111,7 @@ should render: - kopf - run - ./main.py - - -A + - --all-namespaces - --standalone - --liveness=http://0.0.0.0:8080/healthz - --log-format=full diff --git a/deploy/twingate-operator/tests/deployment_optional_values_test.yaml b/deploy/twingate-operator/tests/deployment_optional_values_test.yaml index 4b588974..b62f3754 100644 --- a/deploy/twingate-operator/tests/deployment_optional_values_test.yaml +++ b/deploy/twingate-operator/tests/deployment_optional_values_test.yaml 
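Review bot: Each namespace entry is spliced raw into a double-quoted YAML scalar at `- "--namespace={{ . }}"`, so a value containing `"` or `\` changes how the rendered manifest parses instead of arriving in the argument as written. Letting Helm produce the quoting keeps the value a single list item whatever it contains: `- {{ printf "--namespace=%s" . | quote }}`. The glob syntax documented in values.yaml (`!`, `*`, `,`) is harmless inside the quotes, but the values file is free-form and nothing else on the path escapes it. The `command` list starts and ends outside the hunk.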
@@ -37,6 +37,21 @@ tests: content: name: TWINGATE_DEFAULT_RESOURCE_TAGS value: '{"cluster":"test-cluster","owner":"eran"}' + - it: should use `namespaces` + set: + twingateOperator: + namespaces: + - "foo" + - "bar" + asserts: + - contains: + path: spec.template.spec.containers[0].command + content: + --namespace=foo + - contains: + path: spec.template.spec.containers[0].command + content: + --namespace=bar - it: should use `imagePullSecrets` set: imagePullSecrets: diff --git a/deploy/twingate-operator/values.schema.json b/deploy/twingate-operator/values.schema.json index bab8509f..a06ef14b 100644 --- a/deploy/twingate-operator/values.schema.json +++ b/deploy/twingate-operator/values.schema.json @@ -155,7 +155,13 @@ "additionalProperties": { "type": "string" } - } + }, + "namespaces": { + "type": "array", + "description": "Array of namespaces to monitor by the operator", + "items": { "type": "string" }, + "default": [] + } }, "examples": [{ "apiKey": "sdlkwdlsknsldknsldkcnm", diff --git a/deploy/twingate-operator/values.yaml b/deploy/twingate-operator/values.yaml index 062dd1ca..caf57ddb 100644 --- a/deploy/twingate-operator/values.yaml +++ b/deploy/twingate-operator/values.yaml 
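Review bot: The new `namespaces` schema accepts any string, including the empty string, because `"items": { "type": "string" }` carries no further constraint. An entry such as `""` still makes the list non-empty, so the template's `with` branch skips the `--all-namespaces` fallback and renders a bare `--namespace=`. What kopf does with that argument is not visible on this page, so rejecting it at install time is safer than discovering the resulting scope at runtime. Suggested change: `"items": { "type": "string", "minLength": 1 },` and optionally `"uniqueItems": true`.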
@@ -22,6 +22,22 @@ twingateOperator: {} # tag1: value_for_tag1 # tag2: value_for_tag2 +## Restrict operator to monitor resources in specific namespaces. You should either: +## 1. Specify a list of namespaces: +## namespaces: ["foo-dev", "foo-stg"] +## 2. Use globs to match multiple namespaces: +## namespaces: ["*-dev", "*-stg"] +## 3. Use negation to include all namespaces except those excluded: +## namespaces: ["!*-test"] +## 4. Use multiple globs can be used in one pattern: +## namespaces: ["foo-*,!*-test"] + +## Caveat: Globs in separate array elements are evaluated independently, and the final list of namespaces is the union of all globs' results. +## i.e., `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]` + +## For more information on using multiple globs, see: https://kopf.readthedocs.io/en/stable/scopes +# namespaces: [] + # Twingate Kubernetes Access is currently in beta. Sign up for early access at https://www.twingate.com/product/kubernetes-access. kubernetes-access-gateway: enabled: false From 6468db467d5d976daedd6e46ca1a1d6a41dade17 Mon Sep 17 00:00:00 2001 From: Clement Tee Date: Tue, 5 Aug 2025 20:50:00 +0800 Subject: [PATCH 2/8] Update comment --- deploy/twingate-operator/values.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/deploy/twingate-operator/values.yaml b/deploy/twingate-operator/values.yaml index caf57ddb..bc0931ed 100644 --- a/deploy/twingate-operator/values.yaml +++ b/deploy/twingate-operator/values.yaml 
@@ -29,11 +29,12 @@ twingateOperator: {} ## namespaces: ["*-dev", "*-stg"] ## 3. Use negation to include all namespaces except those excluded: ## namespaces: ["!*-test"] -## 4. Use multiple globs can be used in one pattern: +## 4. Use multiple globs in one pattern: ## namespaces: ["foo-*,!*-test"] -## Caveat: Globs in separate array elements are evaluated independently, and the final list of namespaces is the union of all globs' results. -## i.e., `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]` +## Note: Each glob pattern in separate array elements is evaluated independently, creating a union of results. +## This differs from comma-separated patterns within a single element. +## For example, `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]` ## For more information on using multiple globs, see: https://kopf.readthedocs.io/en/stable/scopes # namespaces: [] From 30b1b80d130bf81c62986709dd6b17d82f021dd4 Mon Sep 17 00:00:00 2001 From: Clement Tee Date: Tue, 5 Aug 2025 21:10:58 +0800 Subject: [PATCH 3/8] Update comment --- deploy/twingate-operator/values.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/deploy/twingate-operator/values.yaml b/deploy/twingate-operator/values.yaml index bc0931ed..3f9a8583 100644 --- a/deploy/twingate-operator/values.yaml +++ b/deploy/twingate-operator/values.yaml 
@@ -31,13 +31,12 @@ twingateOperator: {} ## namespaces: ["!*-test"] ## 4. Use multiple globs in one pattern: ## namespaces: ["foo-*,!*-test"] +## For more information on using multiple globs, see: https://kopf.readthedocs.io/en/stable/scopes -## Note: Each glob pattern in separate array elements is evaluated independently, creating a union of results. -## This differs from comma-separated patterns within a single element. +## Note: Defining glob patterns as a separate array elements is different from defining comma-separated patterns within a single element. ## For example, `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]` - -## For more information on using multiple globs, see: https://kopf.readthedocs.io/en/stable/scopes -# namespaces: [] +## `namespaces: ["foo-*", "!*-test"]` will evaluate each glob pattern independently and combine the results. +# namespaces: ["default"] # Twingate Kubernetes Access is currently in beta. Sign up for early access at https://www.twingate.com/product/kubernetes-access. kubernetes-access-gateway: From ad183e1ea163ae1290cdafda4e5b4cd2df0092bc Mon Sep 17 00:00:00 2001 From: Clement Tee Date: Tue, 5 Aug 2025 22:04:33 +0800 Subject: [PATCH 4/8] Update test --- .../deployment_optional_values_test.yaml | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/deploy/twingate-operator/tests/deployment_optional_values_test.yaml b/deploy/twingate-operator/tests/deployment_optional_values_test.yaml index b62f3754..09551126 100644 --- a/deploy/twingate-operator/tests/deployment_optional_values_test.yaml +++ b/deploy/twingate-operator/tests/deployment_optional_values_test.yaml 
@@ -41,17 +41,20 @@ tests: set: twingateOperator: namespaces: - - "foo" - - "bar" + - foo + - bar asserts: - - contains: - path: spec.template.spec.containers[0].command - content: - --namespace=foo - - contains: + - equal: path: spec.template.spec.containers[0].command - content: - --namespace=bar + value: + - kopf + - run + - ./main.py + - --namespace=foo + - --namespace=bar + - --standalone + - --liveness=http://0.0.0.0:8080/healthz + - --log-format=full - it: should use `imagePullSecrets` set: imagePullSecrets: From 66897c3c78860c98f186c5f23e779a731052f2d8 Mon Sep 17 00:00:00 2001 From: Clement Tee Date: Wed, 6 Aug 2025 08:19:23 +0800 Subject: [PATCH 5/8] Update comments --- deploy/twingate-operator/values.yaml | 29 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/deploy/twingate-operator/values.yaml b/deploy/twingate-operator/values.yaml index 3f9a8583..caedda31 100644 --- a/deploy/twingate-operator/values.yaml +++ b/deploy/twingate-operator/values.yaml 
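Review bot: The only non-default case rendered by this test uses two plain names, so the glob, negation and comma-separated forms that values.yaml documents are never passed through the template. Those are the values where quoting matters, both in the user's values file (a leading `!` or `*` must be quoted in YAML) and in the rendered `--namespace=` argument. A second case that sets such patterns and asserts they reach the command unchanged would pin that behaviour. The `tests:` list starts and ends outside the hunk.
```yaml
# … unchanged: "should use `namespaces`" case with foo / bar …
- it: should pass glob and negation patterns through unchanged
  set:
    twingateOperator:
      namespaces:
        - "!kube-*"
        - "foo-*,!*-test"
  asserts:
    - contains:
        path: spec.template.spec.containers[0].command
        content: "--namespace=!kube-*"
    - contains:
        path: spec.template.spec.containers[0].command
        content: "--namespace=foo-*,!*-test"
```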
@@ -22,21 +22,20 @@ twingateOperator: {} # tag1: value_for_tag1 # tag2: value_for_tag2 -## Restrict operator to monitor resources in specific namespaces. You should either: -## 1. Specify a list of namespaces: -## namespaces: ["foo-dev", "foo-stg"] -## 2. Use globs to match multiple namespaces: -## namespaces: ["*-dev", "*-stg"] -## 3. Use negation to include all namespaces except those excluded: -## namespaces: ["!*-test"] -## 4. Use multiple globs in one pattern: -## namespaces: ["foo-*,!*-test"] -## For more information on using multiple globs, see: https://kopf.readthedocs.io/en/stable/scopes - -## Note: Defining glob patterns as a separate array elements is different from defining comma-separated patterns within a single element. -## For example, `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]` -## `namespaces: ["foo-*", "!*-test"]` will evaluate each glob pattern independently and combine the results. -# namespaces: ["default"] +# Restrict operator to monitor resources in specific namespaces. You should either: +# 1. Specify a list of namespaces: +# namespaces: ["foo-dev", "foo-stg"] +# 2. Use globs to match multiple namespaces: +# namespaces: ["*-dev", "*-stg"] +# 3. Use negation to include all namespaces except those excluded: +# namespaces: ["!*-test"] +# 4. Use multiple globs in one pattern: +# namespaces: ["foo-*,!*-test"] +# For more information on using multiple globs, see: https://kopf.readthedocs.io/en/stable/scopes + +# Note: Defining glob patterns as a separate array elements is different from defining comma-separated patterns within a single element. +# For example, `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]` +# `namespaces: ["foo-*", "!*-test"]` will evaluate each glob pattern independently and combine the results. # Twingate Kubernetes Access is currently in beta. Sign up for early access at https://www.twingate.com/product/kubernetes-access. 
kubernetes-access-gateway: From 38219961aba6622db510f56b9d7035e571eaa728 Mon Sep 17 00:00:00 2001 From: Eran Kampf Date: Thu, 7 Aug 2025 13:36:19 -0700 Subject: [PATCH 6/8] fix indent --- deploy/twingate-operator/values.schema.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/twingate-operator/values.schema.json b/deploy/twingate-operator/values.schema.json index a06ef14b..79d3c603 100644 --- a/deploy/twingate-operator/values.schema.json +++ b/deploy/twingate-operator/values.schema.json @@ -161,7 +161,7 @@ "description": "Array of namespaces to monitor by the operator", "items": { "type": "string" }, "default": [] - } + } }, "examples": [{ "apiKey": "sdlkwdlsknsldknsldkcnm", From 131d1909e83155fc4b7a5625a22da20a7d8c8545 Mon Sep 17 00:00:00 2001 From: Eran Kampf Date: Thu, 7 Aug 2025 13:43:55 -0700 Subject: [PATCH 7/8] Update values.yaml docs --- deploy/twingate-operator/values.yaml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/deploy/twingate-operator/values.yaml b/deploy/twingate-operator/values.yaml index caedda31..fe446fcb 100644 --- a/deploy/twingate-operator/values.yaml +++ b/deploy/twingate-operator/values.yaml 
@@ -23,19 +23,15 @@ twingateOperator: {} # tag2: value_for_tag2 # Restrict operator to monitor resources in specific namespaces. You should either: -# 1. Specify a list of namespaces: -# namespaces: ["foo-dev", "foo-stg"] -# 2. Use globs to match multiple namespaces: -# namespaces: ["*-dev", "*-stg"] -# 3. Use negation to include all namespaces except those excluded: -# namespaces: ["!*-test"] -# 4. Use multiple globs in one pattern: -# namespaces: ["foo-*,!*-test"] -# For more information on using multiple globs, see: https://kopf.readthedocs.io/en/stable/scopes - +# 1. Specify a list of namespaces: ["foo-dev", "foo-stg"] +# 2. Use globs to match multiple namespaces: ["*-dev", "*-stg"] +# 3. Use negation to include all namespaces except those excluded: ["!kube-*"] +# 4. Use multiple globs in one pattern: ["foo-*,!*-test"] +# # Note: Defining glob patterns as a separate array elements is different from defining comma-separated patterns within a single element. # For example, `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]` # `namespaces: ["foo-*", "!*-test"]` will evaluate each glob pattern independently and combine the results. +namespaces: [] # Twingate Kubernetes Access is currently in beta. Sign up for early access at https://www.twingate.com/product/kubernetes-access. kubernetes-access-gateway: From e613a0844d2f87423f75aa34ea8b1a0447fcec37 Mon Sep 17 00:00:00 2001 From: Eran Kampf Date: Thu, 7 Aug 2025 13:51:18 -0700 Subject: [PATCH 8/8] adjust logs and move namespaces under twingateOperator --- deploy/twingate-operator/values.yaml | 30 ++++++++++++++++++---------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/deploy/twingate-operator/values.yaml b/deploy/twingate-operator/values.yaml index fe446fcb..aa678cd8 100644 --- a/deploy/twingate-operator/values.yaml +++ b/deploy/twingate-operator/values.yaml 
@@ -2,9 +2,26 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -# Required: you have to specify `network` and +# Twingate operator configurations +# +# **Required**: you have to specify `network` and # - either `apiKey` or `existingAPIKeySecret` # - either `remoteNetworkId`, `remoteNetworkName` or `existingRemoteNetworkIdSecret` +# +# **Restricting Operator to Specific Namespaces** +# Use the `namespaces` property to restrict operator to monitor resources only in specific namespaces. +# You can either: +# 1. Specify a list of namespaces: ["foo-dev", "foo-stg"] +# 2. Use globs to match multiple namespaces: ["*-dev", "*-stg"] +# 3. Use negation to include all namespaces except those excluded: ["!kube-*"] +# 4. Use multiple globs in one pattern: ["foo-*,!*-test"] +# +# Default value is an empty list (`[]`) which means operator will monitor or all namespaces. +# +# *Note:* Defining glob patterns as a separate array elements is different from defining +# comma-separated patterns within a single element. +# For example, `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]` +# `namespaces: ["foo-*", "!*-test"]` will evaluate each glob pattern independently and combine the results. twingateOperator: {} # apiKey: "" # existingAPIKeySecret: 
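Review bot: The comment block presents `namespaces` as a restriction without saying what it restricts. Going by the files this series touches, the setting only changes the flags passed to `kopf run`, and no RBAC template is among them, so the operator's service account presumably keeps whatever cluster-wide access the chart already grants. A line such as `# This limits which namespaces the operator watches; it does not narrow the permissions of its service account.` would stop readers from treating it as an isolation boundary. Two wording fixes in the same block: `will monitor or all namespaces` has a stray `or` and should read `# Default value is an empty list, which means the operator monitors all namespaces.`, and `a separate array elements` should be `separate array elements`.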
@@ -16,22 +33,13 @@ twingateOperator: {} # name: my-secret # key: TWINGATE_REMOTE_NETWORK_ID # remoteNetworkName: "" +# namespaces: [] # logFormat: "plain|full|json" # logVerbosity: "quiet|verbose|debug" # defaultResourceTags: # tag1: value_for_tag1 # tag2: value_for_tag2 -# Restrict operator to monitor resources in specific namespaces. You should either: -# 1. Specify a list of namespaces: ["foo-dev", "foo-stg"] -# 2. Use globs to match multiple namespaces: ["*-dev", "*-stg"] -# 3. Use negation to include all namespaces except those excluded: ["!kube-*"] -# 4. Use multiple globs in one pattern: ["foo-*,!*-test"] -# -# Note: Defining glob patterns as a separate array elements is different from defining comma-separated patterns within a single element. -# For example, `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]` -# `namespaces: ["foo-*", "!*-test"]` will evaluate each glob pattern independently and combine the results. -namespaces: [] # Twingate Kubernetes Access is currently in beta. Sign up for early access at https://www.twingate.com/product/kubernetes-access. kubernetes-access-gateway: