Allow specification of a list of namespaces for the operator to watch #106
Comments
|
can you describe the use case you are trying to address? |
|
I have a central namespace in which I store externally-defined tls certs/keys as secrets w/cert-utils-operator annotations. I use kyverno resource generation w/sync (https://kyverno.io/policies/other/sync_secrets/) to clone and rename these secrets into multiple Currently, both kyverno and the cert-utils-operator are watching and mutating these secrets in the central source namespace and all the target workload namespaces. It is inefficient for the cert-utils-operator to watch the secrets that get cloned/synced to the target namespaces. Furthermore, it seems that management of these secrets in both the source and target namespaces by the cert-utils-operator is causing kyverno to thrash as it attempts to sync these secrets. I would like to configure the cert-utils-operator to only watch and mutate secrets in the central source namespace as an optimization and also to minimize any potential conflicts with kyverno resource generation. |
|
can you share one of these secrets, just the annotations. I'd like to get a better idea of what is happening. |
|
My secret is as follows: |
I would like to limit the set of namespaces that the operator is watching. This should be configurable when deploying the operator.
The text was updated successfully, but these errors were encountered: