feat: Restrict to namespace from the controller level

Signed-off-by: Lukas Wöhrl <[email protected]>
cert-manager · Feb 16, 2023 · 842a3ab · 842a3ab
1 parent b282951
commit 842a3ab
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/charts/aws-pca-issuer/values.yaml b/charts/aws-pca-issuer/values.yaml
@@ -31,7 +31,6 @@ service:
   type: ClusterIP
   port: 8080
 
-
 # Options for configuring a target ServiceAccount with the role to approve
 # all awspca.cert-manager.io requests.
 approverRole:

diff --git a/main.go b/main.go
@@ -53,6 +53,7 @@ func init() {
 
 func main() {
 	var metricsAddr string
+	var restrictToNamespace string
 	var enableLeaderElection bool
 	var probeAddr string
 	var disableApprovedCheck bool
@@ -64,6 +65,8 @@ func main() {
 			"Enabling this will ensure there is only one active controller manager.")
 	flag.BoolVar(&disableApprovedCheck, "disable-approved-check", false,
 		"Disables waiting for CertificateRequests to have an approved condition before signing.")
+	flag.StringVar(&restrictToNamespace, "restrict-to-namespace", os.Getenv("RESTRICT_TO_NAMESPACE"), 
+		"Restrict the controller to only process CertificateRequests in a specific namespace.")
 
 	opts := zap.Options{
 		Development: false,
@@ -80,6 +83,7 @@ func main() {
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "b858308c.awspca.cert-manager.io",
+		Namespace:              restrictToNamespace,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")