feat: support cnpg operator namespace-restricted installation

Co-authored-by: Leonardo Cecchi <[email protected]> Co-authored-by: Jaime Silvela <[email protected]> Co-authored-by: Jonathan Gonzalez V. <[email protected]> Signed-off-by: Niccolò Fei <[email protected]>
cloudnative-pg · Oct 30, 2024 · b5279e2 · b5279e2
1 parent 3c5dd5d
commit b5279e2
Show file tree

Hide file tree

Showing 12 changed files with 419 additions and 221 deletions.
diff --git a/.github/actions/deploy-cluster/action.yml b/.github/actions/deploy-cluster/action.yml
@@ -0,0 +1,27 @@
+name: Deploy a CNPG Cluster
+description: Deploys a CNPG Cluster
+inputs:
+  namespace:
+    description: 'The name of the namespace where the Cluster will be deployed'
+    required: false
+    default: 'default'
+runs:
+  using: composite
+  steps:
+    - name: Deploy a cluster
+      shell: bash
+      env:
+        NAMESPACE: ${{ inputs.namespace }}
+      run: |
+        cat <<EOF | kubectl apply -f -
+        # Example of PostgreSQL cluster
+        apiVersion: postgresql.cnpg.io/v1
+        kind: Cluster
+        metadata:
+          name: cluster-example
+          namespace: $NAMESPACE
+        spec:
+          instances: 3
+          storage:
+            size: 1Gi
+        EOF
diff --git a/.github/actions/deploy-operator/action.yml b/.github/actions/deploy-operator/action.yml
@@ -1,16 +1,29 @@
 name: Deploy the CNPG Operator
 description: Deploys the CNPG Operator to a Kubernetes cluster
+inputs:
+  namespace:
+    description: 'The name of the namespace where the operator will be deployed'
+    required: false
+    default: 'cnpg-system'
+  cluster-wide:
+    description: 'If the operator should be deployed cluster-wide or in single-namespace mode'
+    required: false
+    default: 'true'
 runs:
   using: composite
   steps:
     - name: Deploy the operator
       shell: bash
+      env:
+        NAMESPACE: ${{ inputs.namespace }}
+        CLUSTER_WIDE: ${{ inputs.cluster-wide }}
       run:
         helm dependency update charts/cloudnative-pg
 
         helm upgrade
         --install 
-        --namespace cnpg-system
+        --namespace $NAMESPACE
         --create-namespace
+        --set config.clusterWide=$CLUSTER_WIDE
         --wait
         cnpg charts/cloudnative-pg
diff --git a/.github/actions/verify-cluster-ready/action.yml b/.github/actions/verify-cluster-ready/action.yml
@@ -5,6 +5,10 @@ inputs:
     description: The name of the cluster to verify
     required: true
     default: database-cluster
+  namespace:
+    description: 'The name of the namespace where the Cluster is deployed'
+    required: false
+    default: 'default'
   ready-instances:
     description: The amount of ready instances to wait for
     required: true
@@ -15,15 +19,19 @@ runs:
   steps:
     - name: Wait for the cluster to become ready
       shell: bash
+      env:
+        CLUSTER_NAME: ${{ inputs.cluster-name }}
+        NAMESPACE: ${{ inputs.namespace }}
+        EXPECTED_READY_INSTANCES: ${{ inputs.ready-instances }}
       run: |
         ITER=0
         while true; do
           if [[ $ITER -ge 300 ]]; then
             echo "Cluster not ready"
             exit 1
           fi
-          READY_INSTANCES=$(kubectl get clusters.postgresql.cnpg.io ${INPUT_CLUSTER_NAME} -o jsonpath='{.status.readyInstances}')
-          if [[ "$READY_INSTANCES" == ${INPUT_READY_INSTANCES} ]]; then
+          READY_INSTANCES=$(kubectl get clusters.postgresql.cnpg.io $CLUSTER_NAME -n $NAMESPACE -o jsonpath='{.status.readyInstances}')
+          if [[ "$READY_INSTANCES" == "$EXPECTED_READY_INSTANCES" ]]; then
             echo "Cluster up and running"
             break
           fi

diff --git a/.github/workflows/tests-operator.yml b/.github/workflows/tests-operator.yml
@@ -7,6 +7,7 @@ on:
 
 jobs:
   deploy_operator:
+    name: Deploy the operator in cluster-wide mode
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
@@ -21,21 +22,40 @@ jobs:
         uses: ./.github/actions/deploy-operator
 
       - name: Deploy a cluster
-        run: |
-          cat <<EOF | kubectl apply -f -
-          # Example of PostgreSQL cluster
-          apiVersion: postgresql.cnpg.io/v1
-          kind: Cluster
-          metadata:
-            name: cluster-example
-          spec:
-            instances: 3
-            storage:
-             size: 1Gi
-          EOF
+        uses: ./.github/actions/deploy-cluster
 
       - name: Verify that the cluster is ready
         uses: ./.github/actions/verify-cluster-ready
         with:
           cluster-name: cluster-example
-          ready-instances: 3
+          ready-instances: '3'
+
+  deploy_operator_single_namespace:
+    name: Deploy the operator in single-namespace mode
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          fetch-depth: 0
+
+      - name: Setup kind
+        uses: ./.github/actions/setup-kind
+
+      - name: Deploy the operator
+        uses: ./.github/actions/deploy-operator
+        with:
+          namespace: 'single-install'
+          cluster-wide: 'false'
+
+      - name: Deploy a cluster
+        uses: ./.github/actions/deploy-cluster
+        with:
+          namespace: 'single-install'
+
+      - name: Verify that the cluster is ready
+        uses: ./.github/actions/verify-cluster-ready
+        with:
+          namespace: 'single-install'
+          cluster-name: 'cluster-example'
+          ready-instances: '3'
diff --git a/README.md b/README.md
@@ -24,6 +24,30 @@ helm upgrade --install cnpg \
   cnpg/cloudnative-pg
 ```
 
+#### Single namespace installation
+
+It is possible to limit the operator's capabilities to solely the namespace in
+which it has been installed. With this restriction, the cluster-level
+permissions required by the operator will be substantially reduced, and
+the security profile of the installation will be enhanced.
+
+You can install the operator in single-namespace mode by setting the
+`config.clusterWide` flag to false, as in the following example:
+
+```console
+helm upgrade --install cnpg \
+  --namespace cnpg-system \
+  --create-namespace \
+  --set config.clusterWide=false \
+  cnpg/cloudnative-pg
+```
+
+**IMPORTANT**: the single-namespace installation mode can't coexist
+with the cluster-wide operator. Otherwise there would be collisions when
+managing the resources in the namespace watched by the single-namespace
+operator.
+It is up to the user to ensure there is no collision between operators.
+
 Refer to the [Operator Chart documentation](charts/cloudnative-pg/README.md) for advanced configuration and monitoring.
 
 ## Cluster chart

diff --git a/charts/cloudnative-pg/templates/NOTES.txt b/charts/cloudnative-pg/templates/NOTES.txt
@@ -1,18 +1,21 @@
 
 CloudNativePG operator should be installed in namespace "{{ .Release.Namespace }}".
-You can now create a PostgreSQL cluster with 3 nodes in the current namespace as follows:
+You can now create a PostgreSQL cluster with 3 nodes as follows:
 
 cat <<EOF | kubectl apply -f -
 # Example of PostgreSQL cluster
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
   name: cluster-example
+  {{if not .Values.config.clusterWide  -}}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
 spec:
   instances: 3
   storage:
     size: 1Gi
 EOF
 
-kubectl get cluster
+kubectl get -A cluster