Merge pull request #599 from aledbf/force-isolation

Add flag to force namespace isolation

core/pkg/ingress/controller/controller.go

@@ -119,6 +119,9 @@ type Configuration struct {
 	IngressClass   string
 	Namespace      string
 	ConfigMapName  string
+
+	ForceNamespaceIsolation bool
+
 	// optional
 	TCPConfigMapName string
 	// optional
@@ -246,6 +249,11 @@ func newIngressController(config *Configuration) *GenericController {
 		},
 	}
 
+	watchNs := api.NamespaceAll
+	if ic.cfg.ForceNamespaceIsolation && ic.cfg.Namespace != api.NamespaceAll {
+		watchNs = ic.cfg.Namespace
+	}
+
 	ic.ingLister.Store, ic.ingController = cache.NewInformer(
 		cache.NewListWatchFromClient(ic.cfg.Client.Extensions().RESTClient(), "ingresses", ic.cfg.Namespace, fields.Everything()),
 		&extensions.Ingress{}, ic.cfg.ResyncPeriod, ingEventHandler)
@@ -255,11 +263,11 @@ func newIngressController(config *Configuration) *GenericController {
 		&api.Endpoints{}, ic.cfg.ResyncPeriod, eventHandler)
 
 	ic.secrLister.Store, ic.secrController = cache.NewInformer(
-		cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "secrets", api.NamespaceAll, fields.Everything()),
+		cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "secrets", watchNs, fields.Everything()),
 		&api.Secret{}, ic.cfg.ResyncPeriod, secrEventHandler)
 
 	ic.mapLister.Store, ic.mapController = cache.NewInformer(
-		cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "configmaps", api.NamespaceAll, fields.Everything()),
+		cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "configmaps", watchNs, fields.Everything()),
 		&api.ConfigMap{}, ic.cfg.ResyncPeriod, mapEventHandler)
 
 	ic.svcLister.Store, ic.svcController = cache.NewInformer(

core/pkg/ingress/controller/launch.go

@@ -85,6 +85,10 @@ func NewIngressController(backend ingress.Controller) *GenericController {
 		ingress controller should update the Ingress status IP/hostname. Default is true`)
 
 		electionID = flags.String("election-id", "ingress-controller-leader", `Election id to use for status update.`)
+
+		forceIsolation = flags.Bool("force-namespace-isolation", false,
+			`Force namespace isolation. This flag is required to avoid the reference of secrets or 
+		configmaps located in a different namespace than the specified in the flag --watch-namespace.`)
 	)
 
 	flags.AddGoFlagSet(flag.CommandLine)
@@ -144,21 +148,22 @@ func NewIngressController(backend ingress.Controller) *GenericController {
 	}
 
 	config := &Configuration{
-		UpdateStatus:          *updateStatus,
+		UpdateStatus:            *updateStatus,
-		ElectionID:            *electionID,
+		ElectionID:              *electionID,
-		Client:                kubeClient,
+		Client:                  kubeClient,
-		ResyncPeriod:          *resyncPeriod,
+		ResyncPeriod:            *resyncPeriod,
-		DefaultService:        *defaultSvc,
+		DefaultService:          *defaultSvc,
-		IngressClass:          *ingressClass,
+		IngressClass:            *ingressClass,
-		DefaultIngressClass:   backend.DefaultIngressClass(),
+		DefaultIngressClass:     backend.DefaultIngressClass(),
-		Namespace:             *watchNamespace,
+		Namespace:               *watchNamespace,
-		ConfigMapName:         *configMap,
+		ConfigMapName:           *configMap,
-		TCPConfigMapName:      *tcpConfigMapName,
+		TCPConfigMapName:        *tcpConfigMapName,
-		UDPConfigMapName:      *udpConfigMapName,
+		UDPConfigMapName:        *udpConfigMapName,
-		DefaultSSLCertificate: *defSSLCertificate,
+		DefaultSSLCertificate:   *defSSLCertificate,
-		DefaultHealthzURL:     *defHealthzURL,
+		DefaultHealthzURL:       *defHealthzURL,
-		PublishService:        *publishSvc,
+		PublishService:          *publishSvc,
-		Backend:               backend,
+		Backend:                 backend,
+		ForceNamespaceIsolation: *forceIsolation,
 	}
 
 	ic := newIngressController(config)