
Allow specification of a list of namespaces for the operator to watch

Open ron1 opened this issue 3 years ago • 4 comments

I would like to limit the set of namespaces that the operator is watching. This should be configurable when deploying the operator.

ron1 avatar Nov 19 '21 11:11 ron1

Can you describe the use case you are trying to address?

raffaelespazzoli avatar Nov 19 '21 14:11 raffaelespazzoli

I have a central namespace in which I store externally-defined TLS certs/keys as secrets with cert-utils-operator annotations. I use Kyverno resource generation with sync (https://kyverno.io/policies/other/sync_secrets/) to clone and rename these secrets into multiple workload-(dev|test)-[1-9] namespaces for use by Ingress resources and Java-based Deployment resources. The cert-utils-operator augments these secrets with a keystore and a truststore to support the Java applications running in the different namespaces.

Currently, both Kyverno and the cert-utils-operator are watching and mutating these secrets in the central source namespace and all the target workload namespaces. It is inefficient for the cert-utils-operator to watch the secrets that get cloned/synced to the target namespaces. Furthermore, it seems that management of these secrets in both the source and target namespaces by the cert-utils-operator is causing Kyverno to thrash as it attempts to sync these secrets.

I would like to configure the cert-utils-operator to only watch and mutate secrets in the central source namespace, as an optimization and also to minimize any potential conflicts with Kyverno resource generation.

ron1 avatar Nov 19 '21 16:11 ron1
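To make the setup described above concrete, here is an added example of the two manifests involved: the annotated source secret in a central namespace, and a Kyverno generate rule with sync that clones it, renamed, into every matching workload namespace. This is illustration written for this page, not code from the issue or from cert-utils-operator or Kyverno; the namespace name cert-source, the target secret name tls-bundle, the rule name and the PEM placeholders are assumptions. The annotation and the policy name are the ones visible in the issue, and the rule is modelled on the sync_secrets policy linked above.

```yaml
# Added illustration of the setup in the issue; not code from the issue,
# cert-utils-operator or Kyverno. Names marked "assumed" are made up.

# 1. Source secret in the central namespace. The only cert-utils-operator
#    annotation used is the one shown in the issue; the operator reacts to
#    it by adding Java keystore/truststore entries to the secret.
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
  namespace: cert-source            # assumed name for the central namespace
  annotations:
    cert-utils-operator.redhat-cop.io/generate-java-keystores: "true"
type: kubernetes.io/tls
stringData:
  tls.crt: "<PEM certificate chain>"   # placeholder, replace with real PEM
  tls.key: "<PEM private key>"         # placeholder, replace with real PEM
---
# 2. Kyverno generate rule with sync, modelled on
#    https://kyverno.io/policies/other/sync_secrets/. For every namespace
#    whose name matches the workload pattern, clone the source secret into
#    it under a new name and keep it synchronized with the source.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-my-system-my-secret    # policy name taken from the label in the issue
spec:
  rules:
  - name: clone-tls-secret          # assumed rule name
    match:
      any:
      - resources:
          kinds:
          - Namespace
          names:                    # wildcard name match; a namespaceSelector
          - "workload-dev-*"        # on labels would work equally well
          - "workload-test-*"
    generate:
      apiVersion: v1
      kind: Secret
      name: tls-bundle              # assumed target name (the "rename")
      namespace: "{{request.object.metadata.name}}"
      synchronize: true             # keep the clone in step with the source
      clone:
        namespace: cert-source
        name: my-secret
```

Because clone copies the source's metadata, the generated copies in the workload namespaces carry the same generate-java-keystores annotation (the secret shown later in the thread, with its Kyverno labels, is such a copy), so cert-utils-operator acts on every copy as well as on the source. With synchronize set to true, Kyverno then tries to reconcile each copy back toward the source; that interaction is what the issue describes as thrashing, and restricting the operator's watch to cert-source would remove it.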

Can you share one of these secrets, just the annotations? I'd like to get a better idea of what is happening.

raffaelespazzoli avatar Nov 20 '21 02:11 raffaelespazzoli

My secret is as follows:

Name: my-secret
Namespace: my-namespace
Labels:
- app.kubernetes.io/managed-by=kyverno
- kyverno.io/generated-by-kind=Namespace
- kyverno.io/generated-by-name=myNamespace
- kyverno.io/generated-by-namespace=
- policy.kyverno.io/gr-name=gr-n7vqx
- policy.kyverno.io/policy-name=sync-my-system-my-secret
- policy.kyverno.io/synchronize=enable
Annotations:
- cert-utils-operator.redhat-cop.io/generate-java-keystores="true"

ron1 avatar Dec 08 '21 11:12 ron1