feat: ssh key secret namespace

Author: vknabel

main.go

@@ -52,6 +52,7 @@ func main() {
 		shootTokenSecret        string
 		shootTokenPath          string
 		sshKeySecret            string
+		sshKeySecretNamespace   string
 		namespace               string
 		gracefulShutdownTimeout time.Duration
 		reconcileInterval       time.Duration
@@ -72,7 +73,7 @@ func main() {
 	flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager")
-	flag.StringVar(&namespace, "namespace", "default", "the namespace this controller is running")
+	flag.StringVar(&namespace, "namespace", "", "the namespace this controller is running")
 	flag.DurationVar(&reconcileInterval, "reconcile-interval", 10*time.Minute, "duration after which a resource is getting reconciled at minimum")
 	flag.DurationVar(&firewallHealthTimeout, "firewall-health-timeout", 20*time.Minute, "duration after a created firewall not getting ready is considered dead")
 	flag.DurationVar(&createTimeout, "create-timeout", 10*time.Minute, "duration after which a firewall in the creation phase will be recreated")
@@ -88,10 +89,15 @@ func main() {
 	flag.StringVar(&shootKubeconfigSecret, "shoot-kubeconfig-secret-name", "", "the secret name of the generic kubeconfig for shoot access")
 	flag.StringVar(&shootTokenSecret, "shoot-token-secret-name", "", "the secret name of the token for shoot access")
 	flag.StringVar(&sshKeySecret, "ssh-key-secret-name", "", "the secret name of the ssh key for machine access")
+	flag.StringVar(&sshKeySecretNamespace, "ssh-key-secret-namespace", "", "the secret name of the ssh key for machine access")
 	flag.StringVar(&shootTokenPath, "shoot-token-path", "", "the path where to store the token file for shoot access")
 
 	flag.Parse()
 
+	if sshKeySecretNamespace == "" {
+		sshKeySecretNamespace = namespace
+	}
+
 	slogHandler, err := controllers.NewLogger(logLevel)
 	if err != nil {
 		ctrl.Log.WithName("setup").Error(err, "unable to parse log level")
@@ -110,7 +116,7 @@ func main() {
 		log.Fatalf("unable to create metal client %v", err)
 	}
 
-	seedMgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+	mgrConfig := ctrl.Options{
 		Scheme: scheme,
 		Metrics: server.Options{
 			BindAddress: metricsAddr,
@@ -129,7 +135,16 @@ func main() {
 		LeaderElection:          enableLeaderElection,
 		LeaderElectionID:        "firewall-controller-manager-leader-election",
 		GracefulShutdownTimeout: &gracefulShutdownTimeout,
-	})
+	}
+
+	if namespace != "" {
+		l.Info("running in dedicated namespace only", "namespace", namespace)
+		mgrConfig.Cache.DefaultNamespaces = map[string]cache.Config{
+			namespace: {},
+		}
+	}
+
+	seedMgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), mgrConfig)
 	if err != nil {
 		log.Fatalf("unable to setup firewall-controller-manager %v", err)
 	}
@@ -196,7 +211,7 @@ func main() {
 		//     secret for this controller and expose the access secrets through the firewall
 		//     status resource, which can be read by the firewall-controller
 		//   - the firewall-controller can then create a client from these secrets but
-		//     it has to contiuously update the token file because the token will expire
+		//     it has to continuously update the token file because the token will expire
 		//   - we can re-use the same approach for this controller as well and do not have
 		//     to do any additional mounts for the deployment of the controller
 		//
@@ -247,7 +262,7 @@ func main() {
 		ShootAPIServerURL:     shootApiURL,
 		ShootAccess:           externalShootAccess,
 		SSHKeySecretName:      sshKeySecret,
-		SSHKeySecretNamespace: namespace,
+		SSHKeySecretNamespace: sshKeySecretNamespace,
 		ShootAccessHelper:     internalShootAccessHelper,
 		Metal:                 mclient,
 		ClusterTag:            fmt.Sprintf("%s=%s", tag.ClusterID, clusterID),