MYSQLCLUSTER-8824 Support multiple OLM install modes

paulofasilva · paulofasilva · commit a6c09fa10831 · 2025-03-24T13:17:50.000Z
Enhanced NDB Operator to support multiple OLM install modes:
- All Namespaces: Cluster-wide scope, allowing the NDB Operator to
  monitor NdbCluster resource changes across all namespaces.
- Own Namespace: Limited scope, restricting the NDB Operator to monitor
  NdbCluster resource changes only in its own deployment namespace.
- Single Namespace: Customizable scope, enabling the Ndb Operator to
  monitor NdbCluster resource changes in a user-specified namespace.

Previously, the `-cluster-scoped` argument offered limited support for
'All Namespaces' and 'Own Namespace' modes, but lacked integration with
OLM settings and proper documentation. This update introduces the
`-watch-namespace` argument, which activates 'Single Namespace' mode
when set with a specific namespace together with
`-cluster-scoped=false`. Additionally, the implementation now seamlessly
integrates with the OLM installation model by checking for the presence
of the WATCH_NAMESPACE environment variable.

Change-Id: I26617cf6678e4a8dde982f39d5f28eb4bbd81df7
diff --git a/README.md b/README.md
@@ -47,6 +47,7 @@ kubectl apply -f https://raw.githubusercontent.com/mysql/mysql-ndb-operator/main
 ```
 
 To run the operator in a different namespace, the manifest file has to be updated before applying it to the K8s Server.
+To modify the install mode from the default cluster-wide scope, you can set the `-cluster-scoped` argument to `false` in the manifest file. Additionally, you can specify a custom namespace to monitor for NdbCluster resource changes using the `-watch-namespace` flag. If a namespace is provided, the NDB Operator will exclusively watch for changes within that namespace. Otherwise, it will default to monitoring the namespace where the operator itself is deployed.
 
 ### Verify Installation
 
diff --git a/cmd/ndb-operator/main.go b/cmd/ndb-operator/main.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2023, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2025, Oracle and/or its affiliates.
 //
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
@@ -41,12 +41,24 @@ func main() {
 		// Operator is running inside K8s Pods
 		cfg, err = restclient.InClusterConfig()
 
-		if !config.ClusterScoped {
-			// Operator is namespace-scoped.
-			// Use the namespace it is deployed in to watch for changes.
-			config.WatchNamespace, err = helpers.GetCurrentNamespace()
-			if err != nil {
-				klog.Fatalf("Could not get current namespace : %s", err)
+		// First, we check if the namespace to watch is available from the environment.
+		// Only if it could not be found, the command flags will be used.
+		watchNamespace := helpers.GetWatchNamespaceFromEnvironment()
+		if watchNamespace != "" {
+			// Operator is in Single Namespace install mode
+			klog.Infof("Getting watch namespace from environment: %s", watchNamespace)
+			config.ClusterScoped = false
+			config.WatchNamespace = watchNamespace
+		} else {
+			klog.Info("No namespace to watch found in environment. Using flags.")
+			if !config.ClusterScoped && config.WatchNamespace == "" {
+				// Operator is namespace-scoped.
+				// If no namespace is specified
+				// Use the namespace it is deployed in to watch for changes.
+				config.WatchNamespace, err = helpers.GetCurrentNamespace()
+				if err != nil {
+					klog.Fatalf("Could not get current namespace : %s", err)
+				}
 			}
 		}
 	} else {
diff --git a/config/flags.go b/config/flags.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2023, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2025, Oracle and/or its affiliates.
 //
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
@@ -23,17 +23,13 @@ var (
 
 func ValidateFlags() {
 
-	runningInsideK8s := helpers.IsAppRunningInsideK8s()
-	if runningInsideK8s && WatchNamespace != "" {
-		// Ignore WatchNamespace if operator is running inside cluster
-		klog.Warning("Ignoring option 'watch-namespace' as operator is running inside K8s Cluster")
-		WatchNamespace = ""
-	} else if ClusterScoped && WatchNamespace != "" {
+	if ClusterScoped && WatchNamespace != "" {
 		// Ignore WatchNamespace if operator is cluster-scoped
 		klog.Warning("Ignoring option 'watch-namespace' as 'cluster-scoped' is enabled")
 		WatchNamespace = ""
 	}
 
+	runningInsideK8s := helpers.IsAppRunningInsideK8s()
 	if !runningInsideK8s {
 		if Kubeconfig == "" && MasterURL == "" {
 			// Operator is running out of K8s Cluster but kubeconfig/masterURL are not specified.
@@ -56,8 +52,7 @@ func InitFlags() {
 	flag.StringVar(&MasterURL, "master", "",
 		"The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.")
 	flag.StringVar(&WatchNamespace, "watch-namespace", "",
-		"The namespace to be watched by the operator for NdbCluster resource changes."+
-			"Only required if out-of-cluster.")
+		"The namespace to be watched by the operator for NdbCluster resource changes.")
 	flag.BoolVar(&ClusterScoped, "cluster-scoped", true, ""+
 		"When enabled, operator looks for NdbCluster resource changes across K8s cluster.")
 }
diff --git a/deploy/charts/ndb-operator/README.md b/deploy/charts/ndb-operator/README.md
@@ -4,7 +4,7 @@ This chart installs the NdbCluster CRD, deploys the Ndb Operator and the webhook
 
 ## License
 
-Copyright (c) 2021, 2024, Oracle and/or its affiliates.
+Copyright (c) 2021, 2025, Oracle and/or its affiliates.
 
 License information can be found in the LICENSE file. This distribution may include materials developed by third parties. For license and attribution notices for these materials, please refer to the LICENSE file.
 
@@ -64,16 +64,17 @@ Note that removing the NdbCluster CRD will also stop and delete any MySQL Cluste
 
 ## Configuration
 
-The following table has the configurable options supported by the chart and their defaults.
+The following table lists the configurable options supported by the chart, along with their default values.
 
-| Parameter             | Description                         | Default                     |
-| ----------------------| ------------------------------------| ----------------------------|
-| `image`               | NDB Operator image name with tag    | `mysql/ndb-operator:latest` |
-| `imagePullPolicy`     | NDB Operator image pull policy      | `IfNotPresent`              |
-| `imagePullSecretName` | NDB Operator image pull secret name |                             |
-| `clusterScoped`       | Scope of the Ndb Operator.<br>If `true`, the operator is cluster-scoped and will watch for changes to any NdbCluster resource across all namespaces.<br>If `false`, the operator is namespace-scoped and will only watch for changes in the namespace it is released into. | `true`|
+| Parameter             | Description                                                                                                                                                                                                                                 | Default                     |
+| ----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|
+| `image`               | The name of the NDB Operator image, including its tag.                                                                                                                                                                                      | `mysql/ndb-operator:latest` |
+| `imagePullPolicy`     | The image pull policy for the NDB Operator.                                                                                                                                                                                                 | `IfNotPresent`              |
+| `imagePullSecretName` | The name of the secret used to authenticate image pulls for the NDB Operator.                                                                                                                                                               | None                        |
+| `clusterScoped`       | Determines the scope of the NDB Operator.<br>When set to `true`, the operator watches for changes to any NdbCluster resource across all namespaces.<br>When set to `false`, the operator only watches for changes within its own namespace. | `true`                      |
+| `watchNamespace`      | Specifies the namespace to monitor for NdbCluster resource changes.<br>This option is only applicable when `clusterScoped` is set to `false`. If not specified, the operator will only watch the namespace where it is deployed.            | None                        |
 
-These options can be set using the '–set' argument of the helm CLI.
+These options can be set using the '–set' argument of the Helm CLI.
 
 For example, to specify a custom imagePullPolicy,
 ```bash
diff --git a/deploy/charts/ndb-operator/templates/cluster-roles.yaml b/deploy/charts/ndb-operator/templates/cluster-roles.yaml
@@ -35,6 +35,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: {{$userRoleKind}}
 metadata:
   name: {{.Release.Name}}-cr
+  {{- if .Values.watchNamespace}}
+  namespace: {{.Values.watchNamespace}}
+  {{- end }}
 rules:
   - apiGroups: [""]
     resources: ["pods"]
@@ -101,7 +104,8 @@ rules:
       - delete
 
   - apiGroups: ["policy"]
-    resources: ["poddisruptionbudgets"]
+    resources:
+      - poddisruptionbudgets
     verbs:
       - list
       - watch
diff --git a/deploy/charts/ndb-operator/templates/deployments.yaml b/deploy/charts/ndb-operator/templates/deployments.yaml
@@ -77,9 +77,18 @@ spec:
             - ndb-operator
           args:
             - -cluster-scoped={{.Values.clusterScoped}}
+            - -watch-namespace={{.Values.watchNamespace}}
           ports:
             - containerPort: 1186
           env:
+            - name: CURRENT_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.annotations['olm.targetNamespaces']
             # Expose the image name via env to the operator app
             - name: NDB_OPERATOR_IMAGE
               value: {{.Values.image}}
diff --git a/deploy/charts/ndb-operator/templates/rolebindings.yaml b/deploy/charts/ndb-operator/templates/rolebindings.yaml
@@ -41,7 +41,11 @@ kind: {{$bindingKind}}
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{.Release.Name}}-crb
+  {{- if .Values.watchNamespace }}
+  namespace: {{.Values.watchNamespace}}
+  {{- else }}
   namespace: {{.Release.Namespace}}
+  {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: {{$userRoleKind}}
diff --git a/deploy/charts/ndb-operator/values.yaml b/deploy/charts/ndb-operator/values.yaml
@@ -10,3 +10,4 @@ imagePullSecretName:
 # will be watching for NdbCluster resource changes only in the namespace
 # it is released into (controlled by helm's --namespace option).
 clusterScoped: true
+watchNamespace:
diff --git a/deploy/manifests/ndb-operator.yaml b/deploy/manifests/ndb-operator.yaml
@@ -2365,9 +2365,18 @@ spec:
             containers:
                 - args:
                     - -cluster-scoped=true
+                    - -watch-namespace=
                   command:
                     - ndb-operator
                   env:
+                    - name: CURRENT_NAMESPACE
+                      valueFrom:
+                        fieldRef:
+                            fieldPath: metadata.namespace
+                    - name: WATCH_NAMESPACE
+                      valueFrom:
+                        fieldRef:
+                            fieldPath: metadata.annotations['olm.targetNamespaces']
                     - name: NDB_OPERATOR_IMAGE
                       value: container-registry.oracle.com/mysql/community-ndb-operator:9.2.0-1.7.0
                     - name: NDB_OPERATOR_IMAGE_PULL_SECRET_NAME
diff --git a/operator_hub_bundle/patch_bundle_operatorhub.yaml b/operator_hub_bundle/patch_bundle_operatorhub.yaml
@@ -155,6 +155,15 @@ spec:
   replaces: 1.6.0
   #skips: []
   minKubeVersion: 1.23.0
+  installModes:
+    - supported: true
+      type: OwnNamespace
+    - supported: true
+      type: SingleNamespace
+    - supported: false
+      type: MultiNamespace
+    - supported: true
+      type: AllNamespaces
   keywords:
     - mysql
     - ndb
diff --git a/pkg/helpers/k8s_utils.go b/pkg/helpers/k8s_utils.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2021, 2022, Oracle and/or its affiliates.
+// Copyright (c) 2021, 2025, Oracle and/or its affiliates.
 //
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
@@ -67,8 +67,23 @@ func GetServiceAddressAndPort(service *corev1.Service) (string, int32) {
 // GetCurrentNamespace returns the current namespace value,
 // on failure to fetch current namespace value it returns error.
 func GetCurrentNamespace() (string, error) {
+	// First, it checks the environment for value set with CURRENT_NAMESPACE environment variable
+	var currentNamespaceEnvVariable = "CURRENT_NAMESPACE"
+	currentNamespace, variableFound := os.LookupEnv(currentNamespaceEnvVariable)
+
+	if variableFound {
+		return currentNamespace, nil
+	}
+
 	// Default namespace to be used by containers are placed in,
 	// "/var/run/secrets/kubernetes.io/serviceaccount/namespace" file in each container
 	namespace, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+
 	return string(namespace), err
 }
+
+func GetWatchNamespaceFromEnvironment() string {
+	var watchNamespaceEnvVariable = "WATCH_NAMESPACE"
+	namespace, _ := os.LookupEnv(watchNamespaceEnvVariable)
+	return namespace
+}
