8 changes: 4 additions & 4 deletions Makefile
Expand Up @@ -228,20 +228,20 @@ docker-push: ## Push docker image with the manager.
.PHONY: install
install: manifests kustomize ## Install API server & API services into the K8s cluster specified in ~/.kube/config. This requires APISERVER_IMG to be available for the cluster.
cd config/apiserver/server && $(KUSTOMIZE) edit set image apiserver=${APISERVER_IMG}
kubectl apply -k config/apiserver/default
kubectl apply -k config/apiserver/standalone

.PHONY: uninstall
uninstall: manifests kustomize ## Uninstall API server & API services from the K8s cluster specified in ~/.kube/config.
kubectl delete -k config/apiserver/default
kubectl delete -k config/apiserver/standalone

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid deleting the shared namespace from single-component teardown targets.

uninstall and undeploy now delete standalone kustomizations that include ironcore-system. If both components are installed independently, removing one can delete the namespace and tear down the other component unexpectedly.

Use delete targets that exclude the Namespace (or split namespace lifecycle into a separate explicit target).

Also applies to: 244-244

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` at line 235, The uninstall/undeploy Makefile targets currently run
"kubectl delete -k config/apiserver/standalone" (and a similar line at the other
occurrence) which deletes the shared ironcore-system Namespace; change these
targets to avoid removing the Namespace by either pointing to a kustomize
overlay that excludes the Namespace resource or by splitting namespace lifecycle
into a separate explicit target (e.g., "uninstall-namespace") and having
uninstall/undeploy call only component-specific deletions; update the lines
containing "kubectl delete -k config/apiserver/standalone" (and the second
similar delete) to use the non-namespace overlay or remove the Namespace
deletion so removing one component won’t tear down the other.


.PHONY: deploy
deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
cd config/controller/manager && $(KUSTOMIZE) edit set image controller=${CONTROLLER_IMG}
kubectl apply -k config/controller/default
kubectl apply -k config/controller/standalone

.PHONY: undeploy
undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
kubectl delete -k config/controller/default
kubectl delete -k config/controller/standalone

##@ Kind Deployment plumbing
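
Review bot: in the `uninstall` and `undeploy` recipes, `kubectl delete -k` now targets the standalone overlays, and both of those list `../../namespaces/ironcore-system`, so whichever teardown runs second finds the Namespace and everything in it already gone, reports NotFound and makes the target exit non-zero. Add `--ignore-not-found` to the two delete lines, or have these targets delete only `config/apiserver/default` and `config/controller/default` and move the Namespace into its own target. The `##` help strings on `install` and `deploy` should also state that they now create the `ironcore-system` namespace.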

2 changes: 1 addition & 1 deletion config/apiserver/kind/kustomization.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../default
- ../standalone

patchesStrategicMerge:
- patch-apiserver.yaml
7 changes: 0 additions & 7 deletions config/apiserver/server/server.yaml
@@ -1,10 +1,3 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: apiserver
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
12 changes: 12 additions & 0 deletions config/apiserver/standalone-etcdless/kustomization.yaml
@@ -0,0 +1,12 @@
# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors
# SPDX-License-Identifier: Apache-2.0

# Standalone install of the ironcore apiserver against an external etcd
# (no in-cluster etcd StatefulSet): same content as config/apiserver/etcdless
# plus the ironcore-system Namespace.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../etcdless
- ../../namespaces/ironcore-system
13 changes: 13 additions & 0 deletions config/apiserver/standalone/kustomization.yaml
@@ -0,0 +1,13 @@
# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors
# SPDX-License-Identifier: Apache-2.0

# Standalone install of the ironcore apiserver (with the bundled etcd
# StatefulSet): same content as config/apiserver/default plus the
# ironcore-system Namespace. Use this when deploying the apiserver without
# the controller manager.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../default
- ../../namespaces/ironcore-system
2 changes: 1 addition & 1 deletion config/controller/kind/kustomization.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../default
- ../standalone

patchesStrategicMerge:
- patch-manager.yaml
7 changes: 0 additions & 7 deletions config/controller/manager/manager.yaml
@@ -1,10 +1,3 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
name: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
14 changes: 14 additions & 0 deletions config/controller/standalone/kustomization.yaml
@@ -0,0 +1,14 @@
# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors
# SPDX-License-Identifier: Apache-2.0

# Standalone install of the ironcore controller manager: same content as
# config/controller/default plus the ironcore-system Namespace. Use this when
# deploying the controller without the apiserver. The combined config/default
# install references the Namespace kustomization directly, not via this
# wrapper.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- ../default
- ../../namespaces/ironcore-system
8 changes: 0 additions & 8 deletions config/default/apiserver/kustomization.yaml

This file was deleted.

5 changes: 0 additions & 5 deletions config/default/apiserver/remove-namespace.yaml

This file was deleted.

8 changes: 0 additions & 8 deletions config/default/controller/kustomization.yaml

This file was deleted.

5 changes: 0 additions & 5 deletions config/default/controller/remove-namespace.yaml

This file was deleted.

12 changes: 9 additions & 3 deletions config/default/kustomization.yaml
@@ -1,7 +1,13 @@
# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors
# SPDX-License-Identifier: Apache-2.0

# Combined install: apiserver (with bundled etcd) + controller manager.
# Both bases are namespace-free; the namespace kustomization is referenced
# directly here. This replaces the previous remove-namespace.yaml patch dance.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- namespace.yaml
- apiserver
- controller
- ../apiserver/default
- ../controller/default
- ../namespaces/ironcore-system
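
Review bot: the last sentence of the new header comment, "This replaces the previous remove-namespace.yaml patch dance", records change history rather than describing the file, and will read as a dangling reference once the deleted `remove-namespace.yaml` files are forgotten. Move that sentence to the commit message and keep the comment to what the kustomization contains.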
6 changes: 0 additions & 6 deletions config/default/namespace.yaml

This file was deleted.

8 changes: 0 additions & 8 deletions config/etcdless/apiserver/kustomization.yaml

This file was deleted.

5 changes: 0 additions & 5 deletions config/etcdless/apiserver/remove-namespace.yaml

This file was deleted.

8 changes: 0 additions & 8 deletions config/etcdless/controller/kustomization.yaml

This file was deleted.

5 changes: 0 additions & 5 deletions config/etcdless/controller/remove-namespace.yaml

This file was deleted.

12 changes: 9 additions & 3 deletions config/etcdless/kustomization.yaml
@@ -1,7 +1,13 @@
# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors
# SPDX-License-Identifier: Apache-2.0

# Combined install with an external etcd (no in-cluster etcd StatefulSet):
# apiserver/etcdless + controller manager. Same shape as config/default but
# pulls the etcdless apiserver base.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- namespace.yaml
- apiserver
- controller
- ../apiserver/etcdless
- ../controller/default
- ../namespaces/ironcore-system
6 changes: 0 additions & 6 deletions config/etcdless/namespace.yaml

This file was deleted.

5 changes: 5 additions & 0 deletions config/namespaces/ironcore-system/kustomization.yaml
@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- namespace.yaml
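
Review bot: this new `kustomization.yaml` has no `SPDX-FileCopyrightText` / `SPDX-License-Identifier` header, while every other file added in this change, including the `namespace.yaml` beside it, starts with one. Add the same two comment lines above `apiVersion` so license checks treat the directory consistently.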
10 changes: 10 additions & 0 deletions config/namespaces/ironcore-system/namespace.yaml
@@ -0,0 +1,10 @@
# SPDX-FileCopyrightText: 2026 SAP SE or an SAP affiliate company and IronCore contributors
# SPDX-License-Identifier: Apache-2.0

# The namespace where the ironcore apiserver and controller manager run.
apiVersion: v1
kind: Namespace
metadata:
name: ironcore-system
labels:
control-plane: apiserver-controller
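
Review bot: the `control-plane` label value changes here. The Namespace objects removed from `server.yaml` and `manager.yaml` carried `control-plane: apiserver` and `control-plane: controller-manager`, and this one carries `control-plane: apiserver-controller`, so anything that selects the namespace by the old values (a `namespaceSelector` in a NetworkPolicy or webhook configuration, for example) stops matching. Confirm nothing depends on the old values, or call the change out in the description. Since this file is now the single definition of the namespace, it is also the place to set any `pod-security.kubernetes.io/*` labels the project wants enforced; none are set here.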
2 changes: 1 addition & 1 deletion hack/validate-kustomize.sh
Expand Up @@ -12,7 +12,7 @@ normal="$(tput sgr0)"

for kustomization in "$BASEDIR"/../config/*/**/kustomization.yaml; do
path="$(dirname "$kustomization")"
dir="$(realpath --relative-to "$BASEDIR"/.. "$path")"
dir="${path#$BASEDIR/../}"

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant lines (including neighbors) around the referenced line
echo "== hack/validate-kustomize.sh (lines 1-40) =="
nl -ba hack/validate-kustomize.sh | sed -n '1,40p'

echo "== hack/validate-kustomize.sh: occurrences of BASEDIR and path#"$'\n'"BASEDIR =="
rg -n 'BASEDIR|path#\$\{?BASEDIR\}?|path#\$\BASEDIR|dir="\$\{path#\$\BASEDIR/.*\}"' hack/validate-kustomize.sh || true

Repository: ironcore-dev/ironcore

Length of output: 172


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== hack/validate-kustomize.sh (lines 1-60) =="
awk 'NR>=1 && NR<=60 {printf "%4d\t%s\n", NR, $0}' hack/validate-kustomize.sh

echo "== BASEDIR definitions/usages =="
rg -n 'BASEDIR|path#\$\{?BASEDIR\}?|dir="\$\{path#\$\{?BASEDIR\}?/.*"' hack/validate-kustomize.sh || true

Repository: ironcore-dev/ironcore

Length of output: 1059


Quote BASEDIR in the ${path#...} pattern to avoid globbing edge cases.

At Line 15, dir="${path#$BASEDIR/../}" uses prefix removal with a pattern; since BASEDIR is derived from filesystem paths (pwd), it could contain glob metacharacters, changing how stripping behaves. Quote the BASEDIR portion so it’s treated literally.

Proposed fix
-  dir="${path#$BASEDIR/../}"
+  dir="${path#"$BASEDIR"/../}"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
dir="${path#$BASEDIR/../}"
dir="${path#"$BASEDIR"/../}"
🧰 Tools
🪛 Shellcheck (0.11.0)

[info] 15-15: Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.

(SC2295)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/validate-kustomize.sh` at line 15, The prefix-removal pattern
dir="${path#$BASEDIR/../}" can misbehave if BASEDIR contains glob
meta-characters; update the pattern to quote BASEDIR inside the parameter
expansion so the prefix is treated literally (i.e. use the variable name BASEDIR
within the ${path#...} expression in a quoted form) — modify the occurrence of
${path#$BASEDIR/../} to use a quoted BASEDIR in the pattern so dir assignment is
robust against globbing.

echo "${bold}Validating $dir${normal}"
if ! kustomize_output="$(kustomize build "$path" 2>&1)"; then
echo "${red}Kustomize build $dir failed:"
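
Review bot: the loop glob `"$BASEDIR"/../config/*/**/kustomization.yaml` should be checked against the new layout. This change deletes the `config/default/apiserver`, `config/default/controller`, `config/etcdless/apiserver` and `config/etcdless/controller` wrappers, so the combined installs now exist only as `config/default/kustomization.yaml` and `config/etcdless/kustomization.yaml`, which sit one directory level above what `*/**/` matches unless `globstar` is enabled earlier in the script (without it, `**` behaves like `*`). If it is not enabled, the two combined installs are no longer built by this validation; add `shopt -s globstar` or an explicit `config/*/kustomization.yaml` pattern to the loop.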