limit manager to cerberus namespace

controllers/accesstoken_controller.go

@@ -44,7 +44,7 @@ type AccessTokenReconciler struct {
 func (r *AccessTokenReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	_ = log.FromContext(ctx)
 
-	err := r.Cache.UpdateCache(r.Client, ctx, req.Namespace, r.ReadOnly)
+	err := r.Cache.UpdateCache(r.Client, ctx, r.ReadOnly)
 
 	return ctrl.Result{}, err
 }

controllers/cache.go

@@ -7,5 +7,5 @@ import (
 )
 
 type ProcessCache interface {
-	UpdateCache(client.Client, context.Context, string, bool) error
+	UpdateCache(client.Client, context.Context, bool) error
 }

controllers/webservice_controller.go

@@ -44,7 +44,7 @@ type WebServiceReconciler struct {
 func (r *WebServiceReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	_ = log.FromContext(ctx)
 
-	err := r.Cache.UpdateCache(r.Client, ctx, req.Namespace, r.ReadOnly)
+	err := r.Cache.UpdateCache(r.Client, ctx, r.ReadOnly)
 
 	return ctrl.Result{}, err
 }

controllers/webserviceaccessbinding_controller.go

@@ -44,7 +44,7 @@ type WebserviceAccessBindingReconciler struct {
 func (r *WebserviceAccessBindingReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	_ = log.FromContext(ctx)
 
-	err := r.Cache.UpdateCache(r.Client, ctx, req.Namespace, r.ReadOnly)
+	err := r.Cache.UpdateCache(r.Client, ctx, r.ReadOnly)
 
 	return ctrl.Result{}, err
 }

main.go

@@ -28,6 +28,8 @@ import (
 
 	"google.golang.org/grpc"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
+	"k8s.io/client-go/rest"
+	controllercache "sigs.k8s.io/controller-runtime/pkg/cache"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -136,7 +138,13 @@ func setupManager(
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "f5d1781e.snappcloud.io",
-		// Namespace:              "cerberus-operator-system",
+		// limit Manager to cerberus namespace
+		NewCache: func(config *rest.Config, opts controllercache.Options) (controllercache.Cache, error) {
+			opts.DefaultNamespaces = map[string]controllercache.Config{
+				"cerberus-operator-system":{},
+			}
+			return controllercache.New(config, opts)
+		}, 
 		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily
 		// when the Manager ends. This requires the binary to immediately end when the
 		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly

pkg/auth/authenticator.go

@@ -131,7 +131,7 @@ const (
 
 // UpdateCache will accuire a lock on other UpdateCaches and will start to recreate
 // the entire AccessCache and WebserviceCaches (which contains all authentication informations)
-func (a *Authenticator) UpdateCache(c client.Client, ctx context.Context, namespace string, readOnly bool) error {
+func (a *Authenticator) UpdateCache(c client.Client, ctx context.Context, readOnly bool) error {
 	cacheUpdateCount.Inc()
 	cacheUpdateStartTime := time.Now()
 	defer func() {
@@ -173,7 +173,6 @@ func (a *Authenticator) UpdateCache(c client.Client, ctx context.Context, namesp
 	// TODO find cleaner way to select
 	err = c.List(ctx, secrets,
 		// client.MatchingLabels{"cerberus.snappcloud.io/secret": "true"},
-		client.InNamespace(namespace),
 		listOpts,
 	)
 	fetchObjectListLatency.With(KindLabel(MetricsKindSecret)).Observe(time.Since(t).Seconds())