villebro opened a new pull request, #54: URL: https://github.com/apache/superset-kubernetes-operator/pull/54
## Summary

Adds a namespace-scoped install mode alongside the default cluster-scoped one. Operators can now deploy on restricted clusters that forbid cluster-scoped RBAC, or narrow the blast radius for single-tenant installs, by setting `WATCH_NAMESPACE` (comma-separated) via the Helm `watch.scope: namespaces` value or the bundled Kustomize `watch-namespace` component. Default behavior is unchanged — existing Helm releases and `make deploy` flows upgrade with no difference.

## Details

**Runtime (`cmd/main.go` + `cmd/main_test.go`)**

- Parse `WATCH_NAMESPACE` env var, populate `cache.Options.DefaultNamespaces`, log the resolved watch set at startup.
- Unit test covers empty / single / CSV / whitespace-trim / empty-skip / duplicate-collapse.

**Helm**

- New `watch.scope` (`cluster` | `namespaces`) and `watch.namespaces` values.
- `watch.scope: cluster` (default) — renders manager `ClusterRole` + `ClusterRoleBinding` as today.
- `watch.scope: namespaces` — renders one `Role` + `RoleBinding` per watched namespace and emits **no manager `ClusterRole`** at all, so the chart installs on clusters that deny cluster-scoped RBAC (with CRDs preinstalled and `metrics.enabled: false`).
- `validateWatchScope` fails the template on unknown values; a `managerRules` helper defines the rule set once so the cluster-scoped and per-namespace paths can't drift.
- Empty `watch.namespaces` list falls back to the release namespace.
- `deployment.yaml` conditionally injects `WATCH_NAMESPACE=<CSV>` in namespaces mode.

**Kustomize**

- New `config/components/watch-namespace/` Kustomize Component. Replaces the manager `ClusterRoleBinding` with a namespaced `RoleBinding` pointing at the same controller-gen-generated `ClusterRole` (the `RoleBinding → ClusterRole` pairing restricts the granted permissions to the binding's namespace).
- Injects `WATCH_NAMESPACE` via the Downward API (self-namespace watch). Single-namespace only; extend for multi-namespace.
- Commented-out `[NAMESPACED]` reference added to `config/default/kustomization.yaml`. The default `make deploy` path is unchanged.

**Docs**

- `docs/reference/security.md` — "Install Scope" rewritten to describe both modes, the Helm vs. Kustomize RBAC-shape divergence, and the constraints (CRDs always cluster-admin; metrics auth still needs cluster-scoped RBAC; manager restart required on list change; stray CRs silently ignored).
- `docs/user-guide/installation.md` — new "Namespace-scoped install" section with a Helm example and a note that watched namespaces must already exist.
- `docs/index.md` — new "Flexible install scope" feature bullet.
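An added example, not code from the PR, of the `WATCH_NAMESPACE` parsing the Runtime section describes, covering the same cases its unit test lists (empty, single, CSV, whitespace trim, empty skip, duplicate collapse). `defaultNamespaces` is a hypothetical stand-in for the controller-runtime `cache.Options.DefaultNamespaces` map so the block runs with only the standard library.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// parseWatchNamespaces turns the WATCH_NAMESPACE value into an ordered,
// de-duplicated list: entries are trimmed, empty entries skipped and
// duplicates collapsed. An empty result means "watch the whole cluster".
func parseWatchNamespaces(raw string) []string {
	seen := make(map[string]struct{})
	var out []string
	for _, part := range strings.Split(raw, ",") {
		ns := strings.TrimSpace(part)
		if ns == "" {
			continue // "a,,b" and trailing commas are tolerated
		}
		if _, dup := seen[ns]; dup {
			continue // "a,a" collapses to a single watch
		}
		seen[ns] = struct{}{}
		out = append(out, ns)
	}
	return out
}

// defaultNamespaces is a hypothetical stand-in for the controller-runtime
// cache.Options.DefaultNamespaces map: nil keeps the cluster-wide default,
// otherwise the cache is restricted to exactly the listed namespaces.
func defaultNamespaces(namespaces []string) map[string]struct{} {
	if len(namespaces) == 0 {
		return nil
	}
	set := make(map[string]struct{}, len(namespaces))
	for _, ns := range namespaces {
		set[ns] = struct{}{}
	}
	return set
}

func main() {
	namespaces := parseWatchNamespaces(os.Getenv("WATCH_NAMESPACE"))
	if defaultNamespaces(namespaces) == nil {
		fmt.Println("watch scope: cluster-wide")
		return
	}
	fmt.Printf("watch scope: namespaces %s\n", strings.Join(namespaces, ","))
}
```

The startup message logs the resolved set rather than the raw variable, which is what makes a mis-typed or blank `WATCH_NAMESPACE` visible before the manager silently caches more than intended.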
