Added config to make operator watch in arbitrary namespaces

Signed-off-by: David Losert <[email protected]>

Author: davelosert

charts/jaeger-operator/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: jaeger-operator Helm chart for Kubernetes
 name: jaeger-operator
-version: 2.14.2
+version: 2.15.0
 appVersion: 1.17.1
 home: https://www.jaegertracing.io/
 icon: https://www.jaegertracing.io/img/jaeger-icon-reverse-color.svg

charts/jaeger-operator/README.md

@@ -59,7 +59,8 @@ The following table lists the configurable parameters of the jaeger-operator cha
 | `rbac.create`           | All required roles and rolebindings will be created                                                         | `true`                          |
 | `serviceAccount.create` | Service account to use                                                                                      | `true`                          |
 | `rbac.pspEnabled`       | Pod security policy for pod will be created and included in rbac role                                       | `false`                         |
-| `rbac.clusterRole`      | ClusterRole will be used by operator ServiceAccount                                                         | `false`                         |
+| `rbac.clusterRole`      | ClusterRole will be used with ClusterRoleBinding by operator ServiceAccount to watch all namespaces         | `false`                         |
+| `rbac.watchNamespaces`  | ClusterRole will be used with RoleBindings in all specified namespaces by operator ServiceAccount           | `[]`                            |
 | `serviceAccount.name`   | Service account name to use. If not set and create is true, a name is generated using the fullname template | `nil`                           |
 | `resources`             | K8s pod resources                                                                                           | `None`                          |
 | `nodeSelector`          | Node labels for pod assignment                                                                              | `{}`                            |

charts/jaeger-operator/templates/deployment.yaml

@@ -40,6 +40,8 @@ spec:
             - name: WATCH_NAMESPACE
               {{- if .Values.rbac.clusterRole }}
               value: ""
+              {{- else if .Values.rbac.watchNamespaces }}
+              value: {{ join "," .Values.rbac.watchNamespaces | quote }}
               {{- else }}
               valueFrom:
                 fieldRef:

charts/jaeger-operator/templates/role-binding.yaml

@@ -1,4 +1,5 @@
 {{- if .Values.rbac.create }}
+{{- if not .Values.rbac.watchNamespaces }}
 kind: {{ if .Values.rbac.clusterRole }}Cluster{{ end }}RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -14,4 +15,24 @@ roleRef:
   kind: {{ if .Values.rbac.clusterRole }}Cluster{{ end }}Role
   name: {{ include "jaeger-operator.fullname" . }}
   apiGroup: rbac.authorization.k8s.io
+{{- else }}
+{{- range .Values.rbac.watchNamespaces }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "jaeger-operator.fullname" $ }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+{{ include "jaeger-operator.labels" $ | indent 4 }}
+subjects:
+- kind: ServiceAccount
+  namespace: {{ . }}
+  name: {{ include "jaeger-operator.serviceAccountName" $ }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "jaeger-operator.fullname" $ }}
+  apiGroup: rbac.authorization.k8s.io
+---
+{{- end -}}
+{{- end -}}
 {{- end }}

charts/jaeger-operator/templates/role.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.rbac.create }}
-kind: {{ if .Values.rbac.clusterRole }}Cluster{{ end }}Role
+kind: {{ if or .Values.rbac.clusterRole .Values.rbac.watchNamespaces }}Cluster{{ end }}Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ include "jaeger-operator.fullname" . }}

charts/jaeger-operator/values.yaml

@@ -20,6 +20,8 @@ rbac:
   create: true
   pspEnabled: false
   clusterRole: false
+  # Specifies arbitrary namespaces to be watched
+  watchNamespaces: []
 
 serviceAccount:
   # Specifies whether a ServiceAccount should be created