Skip to content

feat: Allow scoping Operator installation on specific namespaces #738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
clement0010 merged 9 commits into from
Aug 8, 2025
Merged

feat: Allow scoping Operator installation on specific namespaces #738

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
f375654
Allow scoping operator on specific namespaces
clement0010 Aug 5, 2025
6468db4
Update comment
clement0010 Aug 5, 2025
30b1b80
Update comment
clement0010 Aug 5, 2025
ad183e1
Update test
clement0010 Aug 5, 2025
66897c3
Update comments
clement0010 Aug 6, 2025
3821996
fix indent
ekampf Aug 7, 2025
131d190
Update values.yaml docs
ekampf Aug 7, 2025
4749f24
Merge branch 'main' into feat/add-namespace-scoping
ekampf Aug 7, 2025
e613a08
adjust logs and move namespaces under twingateOperator
ekampf Aug 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion deploy/twingate-operator/templates/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,13 @@ spec:
- kopf
- run
- ./main.py
- "-A"
{{- with .Values.twingateOperator.namespaces }}
{{- range . }}
- "--namespace={{ . }}"
{{- end }}
{{- else }}
- "--all-namespaces"
{{- end }}
- "--standalone"
- "--liveness=http://0.0.0.0:8080/healthz"
- "--log-format={{ $logFormat }}"
Expand Down
2 changes: 1 addition & 1 deletion deploy/twingate-operator/tests/__snapshot__/default_values_test.yaml.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ should render:
- kopf
- run
- ./main.py
- -A
- --all-namespaces
- --standalone
- --liveness=http://0.0.0.0:8080/healthz
- --log-format=full
Expand Down
15 changes: 15 additions & 0 deletions deploy/twingate-operator/tests/deployment_optional_values_test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,21 @@ tests:
content:
name: TWINGATE_DEFAULT_RESOURCE_TAGS
value: '{"cluster":"test-cluster","owner":"eran"}'
- it: should use `namespaces`
set:
twingateOperator:
namespaces:
- "foo"
- "bar"
asserts:
- contains:
path: spec.template.spec.containers[0].command
content:
--namespace=foo
- contains:
path: spec.template.spec.containers[0].command
content:
--namespace=bar
- it: should use `imagePullSecrets`
set:
imagePullSecrets:
Expand Down
8 changes: 7 additions & 1 deletion deploy/twingate-operator/values.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,13 @@
"additionalProperties": {
"type": "string"
}
}
},
"namespaces": {
"type": "array",
"description": "Array of namespaces to monitor by the operator",
"items": { "type": "string" },
"default": []
}
Copy link
Copy Markdown
Contributor

@ekampf ekampf Aug 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indentation?

},
"examples": [{
"apiKey": "sdlkwdlsknsldknsldkcnm",
Expand Down
16 changes: 16 additions & 0 deletions deploy/twingate-operator/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,22 @@ twingateOperator: {}
# tag1: value_for_tag1
# tag2: value_for_tag2

## Restrict operator to monitor resources in specific namespaces. You should either:
## 1. Specify a list of namespaces:
## namespaces: ["foo-dev", "foo-stg"]
## 2. Use globs to match multiple namespaces:
## namespaces: ["*-dev", "*-stg"]
## 3. Use negation to include all namespaces except those excluded:
## namespaces: ["!*-test"]
## 4. Use multiple globs in one pattern:
## namespaces: ["foo-*,!*-test"]
## For more information on using multiple globs, see: https://kopf.readthedocs.io/en/stable/scopes
Copy link
Copy Markdown
Contributor Author

@clement0010 clement0010 Aug 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multiple globs can be used in one pattern. The rightmost matching one wins. The first glob is decisive: if a namespace does not match it, it does not match the whole pattern regardless of what is there (other globs are not checked). If the first glob is a negation, it is implied that initially, all namespaces do match (as if preceded by *), and then the negated ones are excluded.

This is the full explanation of how the comma-separated globs pattern works. I didn't include it here because it's very long and overwhelming.

Maybe we could even remove this example so it's simpler, even though we support it. I think in most cases, method 1-3 should be sufficient? 🤔

Copy link
Copy Markdown
Contributor

@minhtule minhtule Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I second this. I read the kopf example and it was quite unexpected how this comma-separated syntax works... @ekampf WDYT?

Copy link
Copy Markdown
Contributor

@ekampf ekampf Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whats this comment format with ##? Make it look like the rest of the file please

Copy link
Copy Markdown
Contributor

@ekampf ekampf Aug 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also we dont need to point to kopf

Copy link
Copy Markdown
Contributor Author

@clement0010 clement0010 Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ekampf removed the # comment format.

Also we dont need to point to kopf

Not sure if I understand, do you mean removing the URL to kopf in line 34?


## Note: Defining glob patterns as a separate array elements is different from defining comma-separated patterns within a single element.
## For example, `namespaces: ["foo-*", "!*-test"]` is not the same as `namespaces: ["foo-*,!*-test"]`
## `namespaces: ["foo-*", "!*-test"]` will evaluate each glob pattern independently and combine the results.
# namespaces: ["default"]

# Twingate Kubernetes Access is currently in beta. Sign up for early access at https://www.twingate.com/product/kubernetes-access.
kubernetes-access-gateway:
enabled: false
Expand Down