From bbda87b3c8fea9c57da13132c4b100343cee3d05 Mon Sep 17 00:00:00 2001 From: Louis Taylor Date: Wed, 9 Jan 2019 17:50:28 +0000 Subject: [PATCH] Add --namespace flag Signed-off-by: Louis Taylor --- cmd/controller/app/BUILD.bazel | 1 + cmd/controller/app/controller.go | 14 +++++++++++--- cmd/controller/app/options/options.go | 6 ++++++ pkg/controller/certificates/controller.go | 11 +++++++---- pkg/controller/context.go | 4 ++++ 5 files changed, 29 insertions(+), 7 deletions(-) diff --git a/cmd/controller/app/BUILD.bazel b/cmd/controller/app/BUILD.bazel index 316468e2e..2195e0f94 100644 --- a/cmd/controller/app/BUILD.bazel +++ b/cmd/controller/app/BUILD.bazel @@ -11,6 +11,7 @@ go_library( "//pkg/client/clientset/versioned/scheme:go_default_library", "//pkg/client/informers/externalversions:go_default_library", "//pkg/controller:go_default_library", + "//pkg/controller/clusterissuers:go_default_library", "//pkg/issuer/acme/dns/util:go_default_library", "//pkg/metrics:go_default_library", "//pkg/util:go_default_library", diff --git a/cmd/controller/app/controller.go b/cmd/controller/app/controller.go index 8710a35a1..574930241 100644 --- a/cmd/controller/app/controller.go +++ b/cmd/controller/app/controller.go @@ -23,7 +23,7 @@ import ( "time" "github.com/golang/glog" - "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" @@ -39,6 +39,7 @@ import ( intscheme "github.com/jetstack/cert-manager/pkg/client/clientset/versioned/scheme" informers "github.com/jetstack/cert-manager/pkg/client/informers/externalversions" "github.com/jetstack/cert-manager/pkg/controller" + "github.com/jetstack/cert-manager/pkg/controller/clusterissuers" dnsutil "github.com/jetstack/cert-manager/pkg/issuer/acme/dns/util" "github.com/jetstack/cert-manager/pkg/metrics" "github.com/jetstack/cert-manager/pkg/util" 
@@ -69,6 +70,12 @@ func Run(opts *options.ControllerOptions, stopCh <-chan struct{}) { continue } + // don't run clusterissuers controller if scoped to a single namespace + if ctx.Namespace != "" && n == clusterissuers.ControllerName { + glog.Infof("Skipping ClusterIssuer controller as cert-manager is scoped to a single namespace") + continue + } + wg.Add(1) go func(n string, fn controller.Interface) { defer wg.Done() @@ -163,14 +170,15 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex eventBroadcaster.StartRecordingToSink(&corev1.EventSinkImpl{Interface: cl.CoreV1().Events("")}) recorder := eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: controllerAgentName}) - sharedInformerFactory := informers.NewSharedInformerFactory(intcl, time.Second*30) - kubeSharedInformerFactory := kubeinformers.NewSharedInformerFactory(cl, time.Second*30) + sharedInformerFactory := informers.NewFilteredSharedInformerFactory(intcl, time.Second*30, opts.Namespace, nil) + kubeSharedInformerFactory := kubeinformers.NewFilteredSharedInformerFactory(cl, time.Second*30, opts.Namespace, nil) return &controller.Context{ Client: cl, CMClient: intcl, Recorder: recorder, KubeSharedInformerFactory: kubeSharedInformerFactory, SharedInformerFactory: sharedInformerFactory, + Namespace: opts.Namespace, ACMEOptions: controller.ACMEOptions{ HTTP01SolverImage: opts.ACMEHTTP01SolverImage, HTTP01SolverResourceRequestCPU: HTTP01SolverResourceRequestCPU, diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go index 9058a116c..f01fa4540 100644 --- a/cmd/controller/app/options/options.go +++ b/cmd/controller/app/options/options.go @@ -36,6 +36,7 @@ import ( type ControllerOptions struct { APIServerHost string ClusterResourceNamespace string + Namespace string LeaderElect bool LeaderElectionNamespace string 
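Review bot: In the buildControllerContext hunk, the namespace filter is applied only to the two informer factories. The `cl` and `intcl` clients stored in the returned Context as `Client` and `CMClient` remain unscoped. `--namespace` therefore narrows what is watched, but it is not an access boundary: any controller path that reads or writes through the clients directly is limited only by the service account's RBAC. I would say so where the field is set, e.g. `// Namespace only filters the informers; Client and CMClient are not restricted, so isolation still depends on namespaced RBAC.` The body of buildControllerContext starts and ends outside the hunk.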
@@ -71,6 +72,7 @@ type ControllerOptions struct { const ( defaultAPIServerHost = "" defaultClusterResourceNamespace = "kube-system" + defaultNamespace = "" defaultLeaderElect = true defaultLeaderElectionNamespace = "kube-system" @@ -112,6 +114,7 @@ func NewControllerOptions() *ControllerOptions { return &ControllerOptions{ APIServerHost: defaultAPIServerHost, ClusterResourceNamespace: defaultClusterResourceNamespace, + Namespace: defaultNamespace, LeaderElect: defaultLeaderElect, LeaderElectionNamespace: defaultLeaderElectionNamespace, LeaderElectionLeaseDuration: defaultLeaderElectionLeaseDuration, @@ -138,6 +141,9 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) { fs.StringVar(&s.ClusterResourceNamespace, "cluster-resource-namespace", defaultClusterResourceNamespace, ""+ "Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. "+ "This must be specified if ClusterIssuers are enabled.") + fs.StringVar(&s.Namespace, "namespace", defaultNamespace, ""+ + "If set, this limits the scope of cert-manager to a single namespace. "+ + "If not specified, all namespaces will be watched") fs.BoolVar(&s.LeaderElect, "leader-elect", true, ""+ "If true, cert-manager will perform leader election between instances to ensure no more "+ "than one instance of cert-manager operates at a time") diff --git a/pkg/controller/certificates/controller.go b/pkg/controller/certificates/controller.go index 1ef3344bf..e614b772d 100644 --- a/pkg/controller/certificates/controller.go +++ b/pkg/controller/certificates/controller.go 
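Review bot: The help text added in the AddFlags hunk promises that `--namespace` limits cert-manager to a single namespace, but the defaults visible in this file keep `defaultLeaderElectionNamespace` and `defaultClusterResourceNamespace` at `"kube-system"`. A scoped instance running under a least-privilege Role would presumably still need access to kube-system for leader election unless the operator overrides that option as well. I would extend the help string with something like `"When set, the leader election namespace should also point at a namespace this instance is allowed to access."` AddFlags continues outside the hunk.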
@@ -77,10 +77,13 @@ func New(ctx *controllerpkg.Context) *Controller { ctrl.issuerLister = issuerInformer.Lister() ctrl.syncedFuncs = append(ctrl.syncedFuncs, issuerInformer.Informer().HasSynced) - clusterIssuerInformer := ctrl.SharedInformerFactory.Certmanager().V1alpha1().ClusterIssuers() - clusterIssuerInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: ctrl.handleGenericIssuer}) - ctrl.clusterIssuerLister = clusterIssuerInformer.Lister() - ctrl.syncedFuncs = append(ctrl.syncedFuncs, clusterIssuerInformer.Informer().HasSynced) + // if scoped to a single namespace + if ctx.Namespace == "" { + clusterIssuerInformer := ctrl.SharedInformerFactory.Certmanager().V1alpha1().ClusterIssuers() + clusterIssuerInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: ctrl.handleGenericIssuer}) + ctrl.clusterIssuerLister = clusterIssuerInformer.Lister() + ctrl.syncedFuncs = append(ctrl.syncedFuncs, clusterIssuerInformer.Informer().HasSynced) + } secretsInformer := ctrl.KubeSharedInformerFactory.Core().V1().Secrets() secretsInformer.Informer().AddEventHandler(&controllerpkg.BlockingEventHandler{WorkFunc: ctrl.handleSecretResource}) diff --git a/pkg/controller/context.go b/pkg/controller/context.go index d5788587b..3c00262f7 100644 --- a/pkg/controller/context.go +++ b/pkg/controller/context.go @@ -47,6 +47,10 @@ type Context struct { // instances SharedInformerFactory informers.SharedInformerFactory + // Namespace is the namespace to operate within. + // If unset, operates on all namespaces + Namespace string + IssuerOptions ACMEOptions IngressShimOptions
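Review bot: In the certificates `New` hunk, the comment `// if scoped to a single namespace` sits above `if ctx.Namespace == ""`, which is the unscoped case. It should read `// only watch ClusterIssuers when cert-manager is not scoped to a single namespace`. In the scoped case `ctrl.clusterIssuerLister` is left nil, yet a Certificate in the watched namespace can still name a ClusterIssuer in its issuer reference. The code that resolves the issuer is outside this hunk, so this is unconfirmed, but it should check for a nil lister and return an error (for example `cannot get ClusterIssuer: cert-manager is scoped to a single namespace`) rather than dereference it. The same applies to any other controller that builds a ClusterIssuer informer, since this commit only guards the certificates controller. The body of `New` starts and ends outside the hunk.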