From 74fa7b949230c683098a76e6f178af774e4de585 Mon Sep 17 00:00:00 2001
From: Sergey Dudoladov
Date: Wed, 7 Feb 2018 16:44:49 +0100
Subject: [PATCH] Restrict operator to single watched namespace via env var

---
 pkg/controller/controller.go | 34 +++++++++++++++++++++++++---------
 pkg/controller/node.go | 2 +-
 pkg/controller/pod.go | 4 ++--
 pkg/controller/postgresql.go | 2 +-
 pkg/util/config/config.go | 2 +-
 5 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index c697217e4..f905ade50 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -97,18 +97,34 @@ func (c *Controller) initOperatorConfig() { c.logger.Infoln("no ConfigMap specified. Loading default values") } - // env var takes priority over the same param from the operator ConfigMap - watchedNamespace := os.Getenv("WATCHED_NAMESPACE") - if watchedNamespace != "" { - c.logger.Infof("Watch the %q namespace specified in the env variable WATCHED_NAMESPACE\n", watchedNamespace) - configMapData["watched_namespace"] = watchedNamespace + // by default, the operator listens to all namespaces + // by setting the env variable, one can restrict the operator to a single namespace + watchedNamespace, isPresentInEnv := os.LookupEnv("WATCHED_NAMESPACE") + if isPresentInEnv { + // special case: v1.NamespaceAll currently also evaluates to the empty string + // so when the env var is set to the empty string, use the default ns + // since the meaning of this env var is only one namespace + if watchedNamespace == "" { + c.logger.Infof("The WATCHED_NAMESPACE env var evaluates to the empty string, falling back to watching the 'default' namespace.\n", watchedNamespace) + configMapData["watched_namespace"] = v1.NamespaceDefault + } else { + c.logger.Infof("Watch the %q namespace specified in the env variable WATCHED_NAMESPACE\n", watchedNamespace) + configMapData["watched_namespace"] = watchedNamespace + } + + } else { + c.logger.Infof("Watch all namespaces. Set the WATCHED_NAMESPACE env var to restrict to a single namespace.\n", watchedNamespace) + configMapData["watched_namespace"] = v1.NamespaceAll } - if configMapData["watched_namespace"] == "" { - c.logger.Infoln("No namespace to watch specified. Fall back to watching the 'default' namespace.") - configMapData["watched_namespace"] = v1.NamespaceDefault - } + /* + // env var takes priority over the same param from the operator ConfigMap + if configMapData["watched_namespace"] == "" { + c.logger.Infoln("No namespace to watch specified. 
Fall back to watching the 'default' namespace.")
+ configMapData["watched_namespace"] = v1.NamespaceDefault
+ }
+ */
 if c.config.NoDatabaseAccess {
 configMapData["enable_database_access"] = "false"
 }
diff --git a/pkg/controller/node.go b/pkg/controller/node.go
index efa1ca5c2..a4a558a2c 100644
--- a/pkg/controller/node.go
+++ b/pkg/controller/node.go
@@ -80,7 +80,7 @@ func (c *Controller) moveMasterPodsOffNode(node *v1.Node) {
 opts := metav1.ListOptions{
 LabelSelector: labels.Set(c.opConfig.ClusterLabels).String(),
 }
- podList, err := c.KubeClient.Pods("").List(opts)
+ podList, err := c.KubeClient.Pods(c.opConfig.WatchedNamespace).List(opts)
 if err != nil {
 c.logger.Errorf("could not fetch list of the pods: %v", err)
 return
diff --git a/pkg/controller/pod.go b/pkg/controller/pod.go
index 35b23cc52..070e6da2d 100644
--- a/pkg/controller/pod.go
+++ b/pkg/controller/pod.go
@@ -17,7 +17,7 @@ func (c *Controller) podListFunc(options metav1.ListOptions) (runtime.Object, er
 TimeoutSeconds: options.TimeoutSeconds,
 }
 
- return c.KubeClient.Pods("").List(opts)
+ return c.KubeClient.Pods(c.opConfig.WatchedNamespace).List(opts)
 }
 
 func (c *Controller) podWatchFunc(options metav1.ListOptions) (watch.Interface, error) {
@@ -27,7 +27,7 @@ func (c *Controller) podWatchFunc(options metav1.ListOptions) (watch.Interface,
 TimeoutSeconds: options.TimeoutSeconds,
 }
 
- return c.KubeClient.Pods("").Watch(opts)
+ return c.KubeClient.Pods(c.opConfig.WatchedNamespace).Watch(opts)
 }
 
 func (c *Controller) dispatchPodEvent(clusterName spec.NamespacedName, event spec.PodEvent) {
diff --git a/pkg/controller/postgresql.go b/pkg/controller/postgresql.go
index 9e0b1c207..f83779a21 100644
--- a/pkg/controller/postgresql.go
+++ b/pkg/controller/postgresql.go
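Review bot: With WATCHED_NAMESPACE unset, the new `else` branch overwrites `configMapData["watched_namespace"]` with `v1.NamespaceAll`, so a `watched_namespace` value supplied through the operator ConfigMap is discarded and the operator silently widens its scope to every namespace; the removed code only wrote that key when the env var was non-empty. Leaving the key alone in that branch keeps the ConfigMap value: `} else if configMapData["watched_namespace"] == "" {`, then `c.logger.Infoln("Watch all namespaces. Set the WATCHED_NAMESPACE env var to restrict to a single namespace.")`, then `}`, with no assignment, since the hunk's own comment notes that `v1.NamespaceAll` is the empty string. The two new Infof calls that pass `watchedNamespace` without any formatting directive are flagged by `go vet` and append a `%!(EXTRA string=...)` suffix to the message; use Infoln there, or Infof with a `%q` verb. The block kept under `/* ... */` after the middle `}` should be deleted rather than commented out, as git already preserves it. initOperatorConfig begins before this hunk and continues after it.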
@@ -46,7 +46,7 @@ func (c *Controller) clusterListFunc(options metav1.ListOptions) (runtime.Object
 
 req := c.KubeClient.CRDREST.
 Get().
- Namespace("").
+ Namespace(c.opConfig.WatchedNamespace).
 Resource(constants.CRDResource).
 VersionedParams(&options, metav1.ParameterCodec)
 
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 3253d6288..0bd2b1edf 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -67,7 +67,7 @@ type Config struct {
 Resources
 Auth
 Scalyr
- WatchedNamespace string `name:"watched_namespace"`
+ WatchedNamespace string `name:"watched_namespace"` // may be v1.NamespaceAll, meaning watch all namespaces
 EtcdHost string `name:"etcd_host" default:"etcd-client.default.svc.cluster.local:2379"`
 DockerImage string `name:"docker_image" default:"registry.opensource.zalan.do/acid/spiloprivate-9.6:1.2-p4"`
 ServiceAccountName string `name:"service_account_name" default:"operator"`
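Review bot: Only the list request in clusterListFunc gains `Namespace(c.opConfig.WatchedNamespace)` in this file; if the matching watch request for the CRD (outside this hunk) is still built with `Namespace("")`, the informer would list a single namespace but receive watch events from all of them, the list/watch mismatch the pod.go hunks avoid by changing both `List` and `Watch`. I cannot confirm that from the hunk, so it is worth checking before merge. clusterListFunc continues past the end of the hunk.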