From 606eacd4529e9486450c4897f05d465ede434f2b Mon Sep 17 00:00:00 2001
From: David Losert
Date: Thu, 21 May 2020 12:32:55 +0200
Subject: [PATCH] Added config to make operator watch in arbitrary namespaces

Signed-off-by: David Losert
---
 charts/jaeger-operator/Chart.yaml | 2 +-
 charts/jaeger-operator/README.md | 3 ++-
 .../jaeger-operator/templates/deployment.yaml | 2 ++
 .../templates/role-binding.yaml | 21 +++++++++++++++++++
 charts/jaeger-operator/templates/role.yaml | 2 +-
 charts/jaeger-operator/values.yaml | 2 ++
 6 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/charts/jaeger-operator/Chart.yaml b/charts/jaeger-operator/Chart.yaml
index 4f4e87de..9f838fe5 100644
--- a/charts/jaeger-operator/Chart.yaml
+++ b/charts/jaeger-operator/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 description: jaeger-operator Helm chart for Kubernetes
 name: jaeger-operator
-version: 2.14.2
+version: 2.15.0
 appVersion: 1.17.1
 home: https://www.jaegertracing.io/
 icon: https://www.jaegertracing.io/img/jaeger-icon-reverse-color.svg
diff --git a/charts/jaeger-operator/README.md b/charts/jaeger-operator/README.md
index acdcfeca..d32fdce6 100644
--- a/charts/jaeger-operator/README.md
+++ b/charts/jaeger-operator/README.md
@@ -59,7 +59,8 @@ The following table lists the configurable parameters of the jaeger-operator cha
 | `rbac.create` | All required roles and rolebindings will be created | `true` |
 | `serviceAccount.create` | Service account to use | `true` |
 | `rbac.pspEnabled` | Pod security policy for pod will be created and included in rbac role | `false` |
-| `rbac.clusterRole` | ClusterRole will be used by operator ServiceAccount | `false` |
+| `rbac.clusterRole` | ClusterRole will be used with ClusterRoleBinding by operator ServiceAccount to watch all namespaces | `false` |
+| `rbac.watchNamespaces` | ClusterRole will be used with RoleBindings in all specified namespaces by operator ServiceAccount | `[]` |
 | `serviceAccount.name` | Service account name to use. If not set and create is true, a name is generated using the fullname template | `nil` |
 | `resources` | K8s pod resources | `None` |
 | `nodeSelector` | Node labels for pod assignment | `{}` |
diff --git a/charts/jaeger-operator/templates/deployment.yaml b/charts/jaeger-operator/templates/deployment.yaml
index d388dfcb..0512d7d1 100644
--- a/charts/jaeger-operator/templates/deployment.yaml
+++ b/charts/jaeger-operator/templates/deployment.yaml
@@ -40,6 +40,8 @@ spec:
 - name: WATCH_NAMESPACE
 {{- if .Values.rbac.clusterRole }}
 value: ""
+ {{- else if .Values.rbac.watchNamespaces }}
+ value: {{ join "," .Values.rbac.watchNamespaces | quote }}
 {{- else }}
 valueFrom:
 fieldRef:
diff --git a/charts/jaeger-operator/templates/role-binding.yaml b/charts/jaeger-operator/templates/role-binding.yaml
index 533f828b..d688aec9 100644
--- a/charts/jaeger-operator/templates/role-binding.yaml
+++ b/charts/jaeger-operator/templates/role-binding.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.rbac.create }}
+{{- if not .Values.rbac.watchNamespaces }}
 kind: {{ if .Values.rbac.clusterRole }}Cluster{{ end }}RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
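Review bot: In templates/deployment.yaml the new `else if .Values.rbac.watchNamespaces` branch is tested after `rbac.clusterRole`, while role-binding.yaml in this same patch tests `watchNamespaces` first. With both values set, the operator is told to watch every namespace (`value: ""`) but only receives per-namespace RoleBindings, so what it watches and what it is authorised for disagree. The two templates should agree on precedence: either test `{{- if .Values.rbac.watchNamespaces }}` first here, or reject the combination at render time with `{{ fail "rbac.clusterRole and rbac.watchNamespaces are mutually exclusive" }}`. The `env` entry continues outside the hunk.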
@@ -14,4 +15,24 @@ roleRef: kind: {{ if .Values.rbac.clusterRole }}Cluster{{ end }}Role name: {{ include "jaeger-operator.fullname" . }} apiGroup: rbac.authorization.k8s.io +{{- else }} +{{- range .Values.rbac.watchNamespaces }} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "jaeger-operator.fullname" $ }} + namespace: {{ $.Release.Namespace }} + labels: +{{ include "jaeger-operator.labels" $ | indent 4 }} +subjects: +- kind: ServiceAccount + namespace: {{ . }} + name: {{ include "jaeger-operator.serviceAccountName" $ }} +roleRef: + kind: ClusterRole + name: {{ include "jaeger-operator.fullname" $ }} + apiGroup: rbac.authorization.k8s.io +--- +{{- end -}} +{{- end -}} {{- end }} diff --git a/charts/jaeger-operator/templates/role.yaml b/charts/jaeger-operator/templates/role.yaml index 1ce9d99f..5955da1c 100644 --- a/charts/jaeger-operator/templates/role.yaml +++ b/charts/jaeger-operator/templates/role.yaml @@ -1,5 +1,5 @@ {{- if .Values.rbac.create }} -kind: {{ if .Values.rbac.clusterRole }}Cluster{{ end }}Role +kind: {{ if or .Values.rbac.clusterRole .Values.rbac.watchNamespaces }}Cluster{{ end }}Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ include "jaeger-operator.fullname" . }} diff --git a/charts/jaeger-operator/values.yaml b/charts/jaeger-operator/values.yaml index 4d3fda47..99d5833f 100644 --- a/charts/jaeger-operator/values.yaml +++ b/charts/jaeger-operator/values.yaml @@ -20,6 +20,8 @@ rbac: create: true pspEnabled: false clusterRole: false + # Specifies arbitrary namespaces to be watched + watchNamespaces: [] serviceAccount: # Specifies whether a ServiceAccount should be created
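Review bot: In the added `range` block of templates/role-binding.yaml the two namespaces look swapped: `metadata.namespace` is `{{ $.Release.Namespace }}` and the subject's namespace is `{{ . }}`. As written, every iteration renders a RoleBinding with the same name in the release namespace, and it grants the ClusterRole to a ServiceAccount of that name in each watched namespace instead of the operator's own account, which presumably lives in the release namespace. That means the operator gets no rights in the watched namespaces, while an identically named ServiceAccount in any of them would hold the operator's rights in the release namespace. The binding should be created in the watched namespace and point back at the operator: `namespace: {{ . | quote }}` under `metadata` and `namespace: {{ $.Release.Namespace }}` under `subjects`. Quoting the list entry also keeps values such as `on` or all-digit names from being retyped by the YAML parser.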
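Review bot: The `or` added to the `kind:` line in templates/role.yaml makes the chart create a cluster-scoped ClusterRole whenever `rbac.watchNamespaces` is non-empty, even with `rbac.clusterRole: false`, and nothing in the template says why. Someone auditing the chart's RBAC, or installing with namespace-only permissions, needs to know that in this mode the role is meant to be bound only through namespaced RoleBindings. I would add a template comment above the `kind:` line, for example `{{- /* ClusterRole is also created for rbac.watchNamespaces, where it is bound per namespace by RoleBindings, not cluster-wide */}}`. The `metadata` block continues outside the hunk.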
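Review bot: The new comment in values.yaml, `# Specifies arbitrary namespaces to be watched`, leaves out what the setting changes in RBAC. From the templates in this patch, a non-empty list makes the chart create a ClusterRole plus one RoleBinding per entry, and when `rbac.clusterRole` is false WATCH_NAMESPACE becomes exactly the joined list, so the release namespace is watched only if it is listed. I would spell that out with two comment lines: `# Namespaces the operator watches; WATCH_NAMESPACE is set to exactly this list.` and `# Creates a ClusterRole and one RoleBinding per listed namespace.`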