Use TA config for setting namespaces to watch

Signed-off-by: Charlie Le <[email protected]>

Author: CharlieTLe

.chloggen/namespace-ta.yaml

@@ -6,7 +6,7 @@ component: target allocator
 
 # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
 note: |
-  Add support for `WATCH_NAMESPACE` environment variable in the target allocator.
+  Add support for watch specific namespace(s) in the target allocator.
 
 # One or more tracking issues related to the change
 issues: [3086]
@@ -15,4 +15,4 @@ issues: [3086]
 # These lines will be padded with 2 spaces and then inserted directly into the document.
 # Use pipe (|) for multiline entries.
 subtext: |
-  This variable can be set to an empty string to watch all namespaces, or to a comma-separated list of namespaces to watch.
+  This flag can be set to an empty string to watch all namespaces (default) or to a comma-separated list of namespaces to watch.

apis/v1beta1/targetallocator_types.go

@@ -12,6 +12,9 @@ type TargetAllocatorPrometheusCR struct {
 	// Enabled indicates whether to use a PrometheusOperator custom resources as targets or not.
 	// +optional
 	Enabled bool `json:"enabled,omitempty"`
+	// WatchNamespace to look for Prometheus CRs. If not set, all namespaces are used which requires a ClusterRole for listing all namespaces.
+	// +optional
+	WatchNamespace string `json:"watchNamespace,omitempty"`
 	// Default interval between consecutive scrapes. Intervals set in ServiceMonitors and PodMonitors override it.
 	//Equivalent to the same setting on the Prometheus CR.
 	//

bundle/community/manifests/opentelemetry.io_opentelemetrycollectors.yaml

@@ -7999,6 +7999,8 @@ spec:
                             type: object
                         type: object
                         x-kubernetes-map-type: atomic
+                      watchNamespace:
+                        type: string
                     type: object
                   replicas:
                     format: int32

bundle/community/manifests/opentelemetry.io_targetallocators.yaml

@@ -2367,6 +2367,8 @@ spec:
                         type: object
                     type: object
                     x-kubernetes-map-type: atomic
+                  watchNamespace:
+                    type: string
                 type: object
               replicas:
                 format: int32

bundle/openshift/manifests/opentelemetry.io_opentelemetrycollectors.yaml

@@ -7999,6 +7999,8 @@ spec:
                             type: object
                         type: object
                         x-kubernetes-map-type: atomic
+                      watchNamespace:
+                        type: string
                     type: object
                   replicas:
                     format: int32

bundle/openshift/manifests/opentelemetry.io_targetallocators.yaml

@@ -2367,6 +2367,8 @@ spec:
                         type: object
                     type: object
                     x-kubernetes-map-type: atomic
+                  watchNamespace:
+                    type: string
                 type: object
               replicas:
                 format: int32

cmd/otel-allocator/README.md

@@ -258,8 +258,8 @@ rules:
 
 #### Namespace-scoped RBAC
 
-If you want to have the TargetAllocator watch a specific namespace, you can set the WATCH_NAMESPACE environment variable
-in the TargetAllocator's deployment. This is useful if you want to restrict the TargetAllocator to only watch Prometheus
+If you want to have the TargetAllocator watch a specific namespace, you can set the watchNamespace field 
+in the TargetAllocator's prometheusCR configuration. This is useful if you want to restrict the TargetAllocator to only watch Prometheus
 CRs in a specific namespace, and not have cluster-wide access.
 
 ```yaml
@@ -268,13 +268,11 @@ CRs in a specific namespace, and not have cluster-wide access.
     serviceAccount: opentelemetry-targetallocator-sa
     prometheusCR:
       enabled: true
-    env:
-      - name: WATCH_NAMESPACE
-        value: "foo"
+      watchNamespace: foo
 ```
 
 In this case, you will need to create a Role and RoleBinding instead of a ClusterRole and ClusterRoleBinding. The Role
-and RoleBinding should be created in the namespace specified in the WATCH_NAMESPACE environment variable.
+and RoleBinding should be created in the namespace specified by the watchNamespace field.
 
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1

cmd/otel-allocator/internal/config/config.go

@@ -52,6 +52,7 @@ type Config struct {
 
 type PrometheusCRConfig struct {
 	Enabled                         bool                  `yaml:"enabled,omitempty"`
+	WatchNamespace                  string                `yaml:"watch_namespace,omitempty"`
 	PodMonitorSelector              *metav1.LabelSelector `yaml:"pod_monitor_selector,omitempty"`
 	PodMonitorNamespaceSelector     *metav1.LabelSelector `yaml:"pod_monitor_namespace_selector,omitempty"`
 	ServiceMonitorSelector          *metav1.LabelSelector `yaml:"service_monitor_selector,omitempty"`

cmd/otel-allocator/internal/watcher/promOperator.go

@@ -54,18 +54,15 @@ func NewPrometheusCRWatcher(ctx context.Context, logger logr.Logger, cfg allocat
 		return nil, err
 	}
 
-	// Check env var for WATCH_NAMESPACE and use it if its set, else use v1.NamespaceAll
-	// This is to allow the operator to watch only a specific namespace
-	watchNamespace, found := os.LookupEnv("WATCH_NAMESPACE")
 	allowList := map[string]struct{}{}
-	if found {
-		logger.Info("watching namespace(s)", "namespaces", watchNamespace)
-		for _, ns := range strings.Split(watchNamespace, ",") {
+	if cfg.PrometheusCR.WatchNamespace != "" {
+		logger.Info("watching namespace(s)", "namespaces", cfg.PrometheusCR.WatchNamespace)
+		for _, ns := range strings.Split(cfg.PrometheusCR.WatchNamespace, ",") {
 			allowList[ns] = struct{}{}
 		}
 	} else {
+		logger.Info("cfg.PrometheusCR.WatchNamespace is unset, watching all namespaces")
 		allowList = map[string]struct{}{v1.NamespaceAll: {}}
-		logger.Info("the env var WATCH_NAMESPACE isn't set, watching all namespaces")
 	}
 
 	factory := informers.NewMonitoringInformerFactories(allowList, map[string]struct{}{}, mClient, allocatorconfig.DefaultResyncTime, nil) //TODO decide what strategy to use regarding namespaces

config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml

@@ -7985,6 +7985,8 @@ spec:
                             type: object
                         type: object
                         x-kubernetes-map-type: atomic
+                      watchNamespace:
+                        type: string
                     type: object
                   replicas:
                     format: int32

config/crd/bases/opentelemetry.io_targetallocators.yaml

@@ -2364,6 +2364,8 @@ spec:
                         type: object
                     type: object
                     x-kubernetes-map-type: atomic
+                  watchNamespace:
+                    type: string
                 type: object
               replicas:
                 format: int32

internal/manifests/targetallocator/configmap.go

@@ -94,6 +94,8 @@ func ConfigMap(params Params) (*corev1.ConfigMap, error) {
 			prometheusCRConfig["scrape_interval"] = taSpec.PrometheusCR.ScrapeInterval.Duration
 		}
 
+		prometheusCRConfig["watch_namespace"] = taSpec.PrometheusCR.WatchNamespace
+
 		prometheusCRConfig["service_monitor_selector"] = taSpec.PrometheusCR.ServiceMonitorSelector
 
 		prometheusCRConfig["pod_monitor_selector"] = taSpec.PrometheusCR.PodMonitorSelector

tests/e2e-targetallocator/targetallocator-namespace/resources/otelcol.yaml

@@ -7,6 +7,7 @@ spec:
     "zap-log-level": "debug"
   prometheusCR:
     enabled: true
+    watchNamespace: ($namespace)
     scrapeInterval: 1s
     scrapeConfigSelector: {}
     probeSelector: {}
@@ -16,9 +17,6 @@ spec:
     metrics:
       disablePrometheusAnnotations: true
       enableMetrics: true
-  env:
-    - name: WATCH_NAMESPACE
-      value: "($namespace)"
   serviceAccount: ta
 ---
 apiVersion: opentelemetry.io/v1beta1