feat(operator): scope leader election to release namespace #2244

Open
slariviere wants to merge 1 commit into microsoft:main from slariviere:feat/operator-lease-namespace
@slariviere
Contributor

Description

Scopes the retina operator's leader election lease to the Helm release namespace instead of the hardcoded kube-system, and tightens the associated RBAC from a ClusterRole to a namespaced Role.

  • Moved lease permissions from ClusterRole (cluster-wide) to a namespaced Role, scoped to the release namespace
  • Removed hardcoded kube-system, auto-detected from the service account token or overridable via --leader-election-namespace / operator.leaderElectionNamespace Helm value
  • Exposed operator.replicas as a Helm value instead of being hardcoded to 1

Checklist

  • I have read the contributing documentation.
  • I signed and signed-off the commits (git commit -S -s ...). See this documentation on signing commits.
  • I have correctly attributed the author(s) of the code.
  • I have tested the changes locally.
  • I have followed the project's style guidelines.
  • I have updated the documentation, if necessary.
  • I have added tests, if applicable.

Screenshots (if applicable) or Testing Completed

Auto-detect namespace

$ kubectl get deployment retina-operator -n retina -o jsonpath='{.spec.template.spec.containers[0].command} {.spec.template.spec.containers[0].args}'
["/retina-operator"] ["manage-cilium-crds","--config-dir","/retina"]

$ kubectl get lease -n retina
NAME                            HOLDER                                        AGE
cilium-operator-resource-lock   retina-operator-5bd64cd844-pvtx5-RoZyYjqChk   34m

$ kubectl logs -n retina -l control-plane=retina-operator | grep cilium-operator-resource-lock
time=2026-04-23T14:44:29.087032142Z level=info msg="\"Attempting to acquire leader lease...\" lock=\"retina/cilium-operator-resource-lock\"" subsys=klog

Using leaderElectionNamespace

$ kubectl get deployment retina-operator -n retina -o jsonpath='{.spec.template.spec.containers[0].command} {.spec.template.spec.containers[0].args}'
["/retina-operator"] ["manage-cilium-crds","--config-dir","/retina","--leader-election-namespace=default"]

$ kubectl get lease -n default cilium-operator-resource-lock
NAME                            HOLDER                                        AGE
cilium-operator-resource-lock   retina-operator-6dcbffc9ff-wxzjf-fTSjiOELPU   38s

$ kubectl logs -n retina -l control-plane=retina-operator | grep cilium-operator-resource-lock
time=2026-04-23T15:53:05.300510151Z level=info msg="\"Attempting to acquire leader lease...\" lock=\"default/cilium-operator-resource-lock\"" subsys=klog

Additional Notes

Add any additional notes or context about the pull request here.


Please refer to the CONTRIBUTING.md file for more information on how to contribute to this project.

@slariviere slariviere requested a review from a team as a code owner April 23, 2026 15:59
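
Added example (not part of the pull request or the Retina code base): a Go check over output shaped like `kubectl get clusterrole,role -A -o json` that lists ClusterRoles still allowing writes to Lease objects, the cluster-wide grant the description says was moved into a namespaced Role. The sample JSON and role names are constructed; `coordination.k8s.io` and `leases` are the Kubernetes API group and resource for leases.

```go
package main

import "encoding/json"
import "fmt"

// Constructed sample shaped like `kubectl get clusterrole,role -A -o json`; all names are made up.
const sampleRBAC = `{"items":[
 {"kind":"ClusterRole","metadata":{"name":"example-operator"},"rules":[{"apiGroups":["coordination.k8s.io"],"resources":["leases"],"verbs":["create","get","update"]}]},
 {"kind":"ClusterRole","metadata":{"name":"example-viewer"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["get","list"]}]},
 {"kind":"Role","metadata":{"name":"example-operator","namespace":"retina"},"rules":[{"apiGroups":["coordination.k8s.io"],"resources":["leases"],"verbs":["create","get","update"]}]}]}`

// Only the fields the check needs; encoding/json matches keys case-insensitively.
type rbacObj struct {
	Kind     string
	Metadata struct{ Name, Namespace string }
	Rules    []struct{ APIGroups, Resources, Verbs []string }
}

// has reports whether list contains any of want, or the "*" wildcard.
func has(list []string, want ...string) bool {
	for _, v := range list {
		for _, w := range want {
			if v == w || v == "*" {
				return true
			}
		}
	}
	return false
}

// ClusterWideLeaseWriters names ClusterRoles that allow writing Leases (roles only, not bindings).
func ClusterWideLeaseWriters(listJSON []byte) ([]string, error) {
	var list struct{ Items []rbacObj }
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, o := range list.Items {
		for _, r := range o.Rules {
			if o.Kind == "ClusterRole" && has(r.APIGroups, "coordination.k8s.io") &&
				has(r.Resources, "leases") && has(r.Verbs, "create", "update", "patch", "delete") {
				out = append(out, o.Metadata.Name)
				break
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(ClusterWideLeaseWriters([]byte(sampleRBAC))) }
```

The namespaced Role with the same rules is not reported, and the read-only wildcard ClusterRole is skipped because it grants no write verb.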