feat: Allow to restrict the CRs watched according to their labels

deploy/helm/grafana-operator/README.md

@@ -104,5 +104,6 @@ It's easier to just manage this configuration outside of the operator.
 | serviceMonitor.targetLabels | list | `[]` | Set of labels to transfer from the Kubernetes Service onto the target |
 | serviceMonitor.telemetryPath | string | `"/metrics"` | Set path to metrics path |
 | tolerations | list | `[]` | pod tolerations |
+| watchLabelSelectors | string | `""` | Sets the `WATCH_LABEL_SELECTORS` environment variable, if defines which CRs are watched according to thei labels. By default, the operator watches all CRs. To make it watch only a subset of CRs, define the variable as a *Set-based requirement* See also: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
 | watchNamespaceSelector | string | `""` | Sets the `WATCH_NAMESPACE_SELECTOR` environment variable, it defines which namespaces the operator should be listening for based on a namespace label (e.g. `"environment: dev"`). By default, the operator watches all namespaces. To make it watch only its own namespace, check out `namespaceScope` option instead. |
 | watchNamespaces | string | `""` | Sets the `WATCH_NAMESPACE` environment variable, it defines which namespaces the operator should be listening for (e.g. `"grafana, foo"`). By default, the operator watches all namespaces. To make it watch only its own namespace, check out `namespaceScope` option instead. |

deploy/helm/grafana-operator/templates/deployment.yaml

@@ -51,6 +51,12 @@ spec:
               {{ else }}
               value: {{quote .Values.watchNamespaceSelector }}
               {{- end }}
+            - name: WATCH_LABEL_SELECTORS
+              {{- if and .Values.watchLabelSelectors (eq .Values.watchLabelSelectors "") }}
+              value: ""
+              {{ else }}
+              value: {{quote .Values.watchLabelSelectors }}
+              {{- end }}
             {{- with .Values.env }}
               {{- toYaml . | nindent 12 }}
             {{- end }}

deploy/helm/grafana-operator/values.yaml

@@ -15,6 +15,13 @@ watchNamespaces: ""
 # By default, the operator watches all namespaces. To make it watch only its own namespace, check out `namespaceScope` option instead.
 watchNamespaceSelector: ""
 
+# -- Sets the `WATCH_LABEL_SELECTORS` environment variable,
+# it defines which CRs are watched according to their labels.
+# By default, the operator watches all CRs. To make it watch only a subset of CRs, define the variable as a *stringified label selector*.
+# See also: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+watchLabelSelectors: ""
+# watchLabelSelectors: "partition in (customerA, customerB),environment!=qa"
+
 # -- Determines if the target cluster is OpenShift. Additional rbac permissions for routes will be added on OpenShift
 isOpenShift: false
 

main.go

@@ -19,6 +19,7 @@
 import (
 	"context"
 	"flag"
+	"fmt"
 	"os"
 	"os/signal"
 	"strings"
@@ -65,6 +66,10 @@
 	// eg: "environment: dev"
 	// If empty or undefined, the operator will run in cluster scope.
 	watchNamespaceEnvSelector = "WATCH_NAMESPACE_SELECTOR"
+	// watchLabelSelectorsEnvVar is the constant for env variable WATCH_LABEL_SELECTORS which specifies the resources to watch according to their labels.
+	// eg: 'partition in (customerA, customerB),environment!=qa'
+	// If empty of undefined, the operator will watch all CRs.
+	watchLabelSelectorsEnvVar = "WATCH_LABEL_SELECTORS"
 )
 
 var (
@@ -81,7 +86,7 @@
 	//+kubebuilder:scaffold:scheme
 }
 
 func main() {
 	var metricsAddr string
 	var enableLeaderElection bool
 	var probeAddr string
@@ -105,6 +110,7 @@
 
 	watchNamespace, _ := os.LookupEnv(watchNamespaceEnvVar)
 	watchNamespaceSelector, _ := os.LookupEnv(watchNamespaceEnvSelector)
+	watchLabelSelectors, _ := os.LookupEnv(watchLabelSelectorsEnvVar)
 
 	controllerOptions := ctrl.Options{
 		Scheme: scheme,
@@ -120,6 +126,18 @@
 		PprofBindAddress:       pprofAddr,
 	}
 
+	var labelSelectors labels.Selector
+	var err error
+	if watchLabelSelectors != "" {
+		labelSelectors, err = labels.Parse(watchLabelSelectors)
+		if err != nil {
+			setupLog.Error(err, fmt.Sprintf("unable to parse %s", watchLabelSelectorsEnvVar))
+			os.Exit(1) //nolint
+		}
+	} else {
+		labelSelectors = labels.Everything() // Match any labels
+	}
+
 	getNamespaceConfig := func(namespaces string) map[string]cache.Config {
 		defaultNamespaces := map[string]cache.Config{}
 		for _, v := range strings.Split(namespaces, ",") {
@@ -128,7 +146,7 @@
 			// this is the default behavior of the operator on v5, if you require finer grained control over this
 			// please file an issue in the grafana-operator/grafana-operator GH project
 			defaultNamespaces[v] = cache.Config{
-				LabelSelector:         labels.Everything(), // Match any labels
+				LabelSelector:         labelSelectors,
 				FieldSelector:         fields.Everything(), // Match any fields
 				Transform:             nil,
 				UnsafeDisableDeepCopy: nil,
@@ -156,7 +174,7 @@
 			// this is the default behavior of the operator on v5, if you require finer grained control over this
 			// please file an issue in the grafana-operator/grafana-operator GH project
 			defaultNamespaces[v.Name] = cache.Config{
-				LabelSelector:         labels.Everything(), // Match any labels
+				LabelSelector:         labelSelectors,
 				FieldSelector:         fields.Everything(), // Match any fields
 				Transform:             nil,
 				UnsafeDisableDeepCopy: nil,
@@ -180,6 +198,7 @@
 
 	case watchNamespace == "" && watchNamespaceSelector == "":
 		// cluster scoped
+		controllerOptions.Cache.DefaultLabelSelector = labelSelectors
 		setupLog.Info("operator running in cluster scoped mode")
 	}