Watch subset of namespaces for secrets (#3170)

* Watch subset of namespaces for secrets

Add new command line option "watch-secret-namespace" that can be used to
configure namespaces watched for secrets.

Closes #3154

* Apply suggestions from code review

Co-authored-by: Ciara Stacke <[email protected]>

* Update cmd/nginx-ingress/flags.go

Co-authored-by: Ciara Stacke <[email protected]>

Author: hafe

cmd/nginx-ingress/flags.go

@@ -31,6 +31,11 @@ var (
 
 	watchNamespaces []string
 
+	watchSecretNamespace = flag.String("watch-secret-namespace", "",
+		`Comma separated list of namespaces the Ingress Controller should watch for secrets. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See "watch-namespace". `)
+
+	watchSecretNamespaces []string
+
 	nginxConfigMaps = flag.String("nginx-configmaps", "",
 		`A ConfigMap resource for customizing NGINX configuration. If a ConfigMap is set,
 	but the Ingress Controller is not able to fetch it from Kubernetes API, the Ingress Controller will fail to start.
@@ -188,6 +193,16 @@ func parseFlags() {
 	initialChecks()
 
 	watchNamespaces = strings.Split(*watchNamespace, ",")
+	glog.Infof("Namespaces watched: %v", watchNamespaces)
+
+	if len(*watchSecretNamespace) > 0 {
+		watchSecretNamespaces = strings.Split(*watchSecretNamespace, ",")
+	} else {
+		// empty => default to watched namespaces
+		watchSecretNamespaces = watchNamespaces
+	}
+
+	glog.Infof("Namespaces watched for secrets: %v", watchSecretNamespaces)
 
 	validationChecks()
 
@@ -297,6 +312,11 @@ func validationChecks() {
 		glog.Fatalf("Invalid values for namespaces: %v", namespacesNameValidationError)
 	}
 
+	namespacesNameValidationError = validateNamespaceNames(watchSecretNamespaces)
+	if namespacesNameValidationError != nil {
+		glog.Fatalf("Invalid values for secret namespaces: %v", namespacesNameValidationError)
+	}
+
 	statusPortValidationError := validatePort(*nginxStatusPort)
 	if statusPortValidationError != nil {
 		glog.Fatalf("Invalid value for nginx-status-port: %v", statusPortValidationError)

cmd/nginx-ingress/main.go

@@ -53,7 +53,9 @@ func main() {
 
 	validateIngressClass(kubeClient)
 
-	checkNamespaceExists(kubeClient)
+	checkNamespaceExists(kubeClient, watchNamespaces)
+
+	checkNamespaceExists(kubeClient, watchSecretNamespaces)
 
 	dynClient, confClient := createCustomClients(config)
 
@@ -127,6 +129,7 @@ func main() {
 		RestConfig:                   config,
 		ResyncPeriod:                 30 * time.Second,
 		Namespace:                    watchNamespaces,
+		SecretNamespace:              watchSecretNamespaces,
 		NginxConfigurator:            cnf,
 		DefaultServerSecret:          *defaultServerSecret,
 		AppProtectEnabled:            *appProtect,
@@ -240,8 +243,8 @@ func validateIngressClass(kubeClient kubernetes.Interface) {
 	}
 }
 
-func checkNamespaceExists(kubeClient kubernetes.Interface) {
-	for _, ns := range watchNamespaces {
+func checkNamespaceExists(kubeClient kubernetes.Interface, namespaces []string) {
+	for _, ns := range namespaces {
 		if ns != "" {
 			_, err := kubeClient.CoreV1().Namespaces().Get(context.TODO(), ns, meta_v1.GetOptions{})
 			if err != nil {

deployments/helm-chart/README.md

@@ -187,6 +187,7 @@ Parameter | Description | Default
 `controller.ingressClass` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of kubernetes. | nginx
 `controller.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass`. | false
 `controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | ""
+`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `watch-namespace`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | ""
 `controller.enableCustomResources` | Enable the custom resources. | true
 `controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false
 `controller.enableOIDC` | Enable OIDC policies. | false

deployments/helm-chart/templates/controller-daemonset.yaml

@@ -163,6 +163,9 @@ spec:
           - -ingress-class={{ .Values.controller.ingressClass }}
 {{- if .Values.controller.watchNamespace }}
           - -watch-namespace={{ .Values.controller.watchNamespace }}
+{{- end }}
+{{- if .Values.controller.watchSecretNamespace }}
+          - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }}
 {{- end }}
           - -health-status={{ .Values.controller.healthStatus }}
           - -health-status-uri={{ .Values.controller.healthStatusURI }}

deployments/helm-chart/templates/controller-deployment.yaml

@@ -166,6 +166,9 @@ spec:
           - -ingress-class={{ .Values.controller.ingressClass }}
 {{- if .Values.controller.watchNamespace }}
           - -watch-namespace={{ .Values.controller.watchNamespace }}
+{{- end }}
+{{- if .Values.controller.watchSecretNamespace }}
+          - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }}
 {{- end }}
           - -health-status={{ .Values.controller.healthStatus }}
           - -health-status-uri={{ .Values.controller.healthStatusURI }}

deployments/helm-chart/values.yaml

@@ -186,6 +186,9 @@ controller:
   ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces.
   watchNamespace: ""
 
+  ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces.
+  watchSecretNamespace: ""
+
   ## Enable the custom resources.
   enableCustomResources: true
 

docs/content/installation/installation-with-helm.md

@@ -185,6 +185,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |``controller.ingressClass`` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of kubernetes. | nginx |
 |``controller.setAsDefaultIngress`` | New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. | false |
 |``controller.watchNamespace`` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. ``--set controller.watchNamespace="default\,nginx-ingress"``. | "" |
+|``controller.watchSecretNamespace`` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `watch-namespace`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. ``--set controller.watchSecretNamespace="default\,nginx-ingress"``. | "" |
 |``controller.enableCustomResources`` | Enable the custom resources. | true |
 |``controller.enablePreviewPolicies`` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use ``controller.enableOIDC`` instead. | false |
 |``controller.enableOIDC`` | Enable OIDC policies. | false |

internal/k8s/controller.go

@@ -150,6 +150,7 @@ type LoadBalancerController struct {
 	leaderElectionLockName        string
 	resync                        time.Duration
 	namespaceList                 []string
+	secretNamespaceList           []string
 	controllerNamespace           string
 	wildcardTLSSecret             string
 	areCustomResourcesEnabled     bool
@@ -184,6 +185,7 @@ type NewLoadBalancerControllerInput struct {
 	RestConfig                   *rest.Config
 	ResyncPeriod                 time.Duration
 	Namespace                    []string
+	SecretNamespace              []string
 	NginxConfigurator            *configs.Configurator
 	DefaultServerSecret          string
 	AppProtectEnabled            bool
@@ -234,6 +236,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
 		leaderElectionLockName:       input.LeaderElectionLockName,
 		resync:                       input.ResyncPeriod,
 		namespaceList:                input.Namespace,
+		secretNamespaceList:          input.SecretNamespace,
 		controllerNamespace:          input.ControllerNamespace,
 		wildcardTLSSecret:            input.WildcardTLSSecret,
 		areCustomResourcesEnabled:    input.AreCustomResourcesEnabled,
@@ -297,7 +300,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
 	}
 
 	// Creating a separate informer for secrets.
-	for _, ns := range lbc.namespaceList {
+	for _, ns := range lbc.secretNamespaceList {
 		lbc.secretInformerFactory = append(lbc.secretInformerFactory, informers.NewSharedInformerFactoryWithOptions(lbc.client, input.ResyncPeriod, informers.WithNamespace(ns), informers.WithTweakListOptions(secretsTweakListOptionsFunc)))
 	}