feat: support cnpg operator namespace-restricted installation

.github/actions/deploy-cluster/action.yml

@@ -0,0 +1,27 @@
+name: Deploy a CNPG Cluster
+description: Deploys a CNPG Cluster
+inputs:
+  namespace:
+    description: 'The name of the namespace where the Cluster will be deployed'
+    required: false
+    default: 'default'
+runs:
+  using: composite
+  steps:
+    - name: Deploy a cluster
+      shell: bash
+      env:
+        NAMESPACE: ${{ inputs.namespace }}
+      run: |
+        cat <<EOF | kubectl apply -f -
+        # Example of PostgreSQL cluster
+        apiVersion: postgresql.cnpg.io/v1
+        kind: Cluster
+        metadata:
+          name: cluster-example
+          namespace: $NAMESPACE
+        spec:
+          instances: 3
+          storage:
+            size: 1Gi
+        EOF

.github/actions/deploy-operator/action.yml

@@ -1,16 +1,29 @@
 name: Deploy the CNPG Operator
 description: Deploys the CNPG Operator to a Kubernetes cluster
+inputs:
+  namespace:
+    description: 'The name of the namespace where the operator will be deployed'
+    required: false
+    default: 'cnpg-system'
+  cluster-wide:
+    description: 'If the operator should be deployed cluster-wide or in single-namespace mode'
+    required: false
+    default: 'true'
 runs:
   using: composite
   steps:
     - name: Deploy the operator
       shell: bash
+      env:
+        NAMESPACE: ${{ inputs.namespace }}
+        CLUSTER_WIDE: ${{ inputs.cluster-wide }}
       run:
         helm dependency update charts/cloudnative-pg
 
         helm upgrade
         --install 
-        --namespace cnpg-system
+        --namespace $NAMESPACE
         --create-namespace
+        --set config.clusterWide=$CLUSTER_WIDE
         --wait
         cnpg charts/cloudnative-pg

.github/actions/verify-cluster-ready/action.yml

@@ -5,6 +5,10 @@ inputs:
     description: The name of the cluster to verify
     required: true
     default: database-cluster
+  namespace:
+    description: 'The name of the namespace where the Cluster is deployed'
+    required: false
+    default: 'default'
   ready-instances:
     description: The amount of ready instances to wait for
     required: true
@@ -15,15 +19,19 @@ runs:
   steps:
     - name: Wait for the cluster to become ready
       shell: bash
+      env:
+        CLUSTER_NAME: ${{ inputs.cluster-name }}
+        NAMESPACE: ${{ inputs.namespace }}
+        EXPECTED_READY_INSTANCES: ${{ inputs.ready-instances }}
       run: |
         ITER=0
         while true; do
           if [[ $ITER -ge 300 ]]; then
             echo "Cluster not ready"
             exit 1
           fi
-          READY_INSTANCES=$(kubectl get clusters.postgresql.cnpg.io ${INPUT_CLUSTER_NAME} -o jsonpath='{.status.readyInstances}')
-          if [[ "$READY_INSTANCES" == ${INPUT_READY_INSTANCES} ]]; then
+          READY_INSTANCES=$(kubectl get clusters.postgresql.cnpg.io $CLUSTER_NAME -n $NAMESPACE -o jsonpath='{.status.readyInstances}')
+          if [[ "$READY_INSTANCES" == "$EXPECTED_READY_INSTANCES" ]]; then
             echo "Cluster up and running"
             break
           fi

.github/workflows/tests-operator.yml

@@ -7,6 +7,7 @@ on:
 
 jobs:
   deploy_operator:
+    name: Deploy the operator in cluster-wide mode
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
@@ -21,21 +22,52 @@ jobs:
         uses: ./.github/actions/deploy-operator
 
       - name: Deploy a cluster
-        run: |
-          cat <<EOF | kubectl apply -f -
-          # Example of PostgreSQL cluster
-          apiVersion: postgresql.cnpg.io/v1
-          kind: Cluster
-          metadata:
-            name: cluster-example
-          spec:
-            instances: 3
-            storage:
-             size: 1Gi
-          EOF
+        uses: ./.github/actions/deploy-cluster
 
       - name: Verify that the cluster is ready
         uses: ./.github/actions/verify-cluster-ready
         with:
           cluster-name: cluster-example
-          ready-instances: 3
+          ready-instances: '3'
+
+  deploy_operator_single_namespace:
+    name: Deploy the operator in single-namespace mode
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          fetch-depth: 0
+
+      - name: Setup kind
+        uses: ./.github/actions/setup-kind
+
+      - name: Deploy the operator
+        uses: ./.github/actions/deploy-operator
+        with:
+          namespace: 'single-install'
+          cluster-wide: 'false'
+
+      - name: Deploy a cluster
+        uses: ./.github/actions/deploy-cluster
+        with:
+          namespace: 'single-install'
+
+      - name: Verify that the cluster is ready
+        uses: ./.github/actions/verify-cluster-ready
+        with:
+          namespace: 'single-install'
+          cluster-name: 'cluster-example'
+          ready-instances: '3'
+
+      - name: Create a separate namespace
+        run: kubectl create ns test-ignore
+
+      - name: Deploy a cluster in 'test-ignore'
+        uses: ./.github/actions/deploy-cluster
+        with:
+          namespace: 'test-ignore'
+
+      - name: Verify the cluster in 'test-ignore' is being ignored
+        run: |
+          kubectl -n test-ignore get pods 2>&1 >/dev/null | grep 'No resources found'

README.md

@@ -24,6 +24,30 @@ helm upgrade --install cnpg \
   cnpg/cloudnative-pg
 ```
 
+#### Single namespace installation
+
+It is possible to limit the operator's capabilities to solely the namespace in
+which it has been installed. With this restriction, the cluster-level
+permissions required by the operator will be substantially reduced, and
+the security profile of the installation will be enhanced.
+
+You can install the operator in single-namespace mode by setting the
+`config.clusterWide` flag to false, as in the following example:
+
+```console
+helm upgrade --install cnpg \
+  --namespace cnpg-system \
+  --create-namespace \
+  --set config.clusterWide=false \
+  cnpg/cloudnative-pg
+```
+
+**IMPORTANT**: the single-namespace installation mode can't coexist
+with the cluster-wide operator. Otherwise there would be collisions when
+managing the resources in the namespace watched by the single-namespace
+operator.
+It is up to the user to ensure there is no collision between operators.
+
 Refer to the [Operator Chart documentation](charts/cloudnative-pg/README.md) for advanced configuration and monitoring.
 
 ## Cluster chart

charts/cloudnative-pg/README.md

@@ -30,7 +30,8 @@ CloudNativePG Operator Helm Chart
 | additionalEnv | list | `[]` | Array containing extra environment variables which can be templated. For example:  - name: RELEASE_NAME    value: "{{ .Release.Name }}"  - name: MY_VAR    value: "mySpecialKey" |
 | affinity | object | `{}` | Affinity for the operator to be installed. |
 | commonAnnotations | object | `{}` | Annotations to be added to all other resources. |
-| config | object | `{"create":true,"data":{},"name":"cnpg-controller-manager-config","secret":false}` | Operator configuration. |
+| config | object | `{"clusterWide":true,"create":true,"data":{},"name":"cnpg-controller-manager-config","secret":false}` | Operator configuration. |
+| config.clusterWide | bool | `true` | This option determines if the operator is responsible for observing events across the entire Kubernetes cluster or if its focus should be narrowed down to the specific namespace within which it has been deployed. |
 | config.create | bool | `true` | Specifies whether the secret should be created. |
 | config.data | object | `{}` | The content of the configmap/secret, see https://cloudnative-pg.io/documentation/current/operator_conf/#available-options for all the available options. |
 | config.name | string | `"cnpg-controller-manager-config"` | The name of the configmap/secret to use. |

charts/cloudnative-pg/templates/NOTES.txt

@@ -1,18 +1,21 @@
 
 CloudNativePG operator should be installed in namespace "{{ .Release.Namespace }}".
-You can now create a PostgreSQL cluster with 3 nodes in the current namespace as follows:
+You can now create a PostgreSQL cluster with 3 nodes as follows:
 
 cat <<EOF | kubectl apply -f -
 # Example of PostgreSQL cluster
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
   name: cluster-example
+  {{if not .Values.config.clusterWide  -}}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
 spec:
   instances: 3
   storage:
     size: 1Gi
 EOF
 
-kubectl get cluster
+kubectl get -A cluster