
Add helper for namespace handling, fix rbac for watchNamespaces #1329

Merged: 3 commits merged into grafana:master on Jan 13, 2024

Conversation

rasebo
Contributor

@rasebo rasebo commented Dec 7, 2023

After #1322 I figured there's a better way in which the namespace key can be populated, in the sense that it might be a good idea to include a helper so that a namespaceOverride value can also be provided. Quotes were also removed, as they weren't really necessary.

I also found a bug in rbac handling, where Roles and RoleBinding objects were being deployed to the namespace where grafana-operator was running instead of the ones defined in the watchNamespaces field. This would lead to grafana-operator not having access to said namespaces.

Added basic comments in the values.yaml file for the Override values.

Fixes: #1323

@rasebo
Contributor Author

rasebo commented Dec 7, 2023

This is what gets generated now with

helm template --namespace testnamespace --release-name testrelease --set watchNamespaces='one\,two\,three' grafana-operator/ > output.json

---
# Source: grafana-operator/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: testrelease-grafana-operator
  namespace: testnamespace
  labels:
    helm.sh/chart: grafana-operator-0.1.3
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
    app.kubernetes.io/version: "v5.5.2"
    app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: true
---
# Source: grafana-operator/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: one
  name: testrelease-grafana-operator
  labels:
    helm.sh/chart: grafana-operator-0.1.3
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
    app.kubernetes.io/version: "v5.5.2"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - configmaps
      - persistentvolumeclaims
      - secrets
      - serviceaccounts
      - services
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadashboards
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadashboards/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadashboards/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadatasources
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadatasources/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadatasources/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanafolders
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanafolders/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanafolders/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanas
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanas/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanas/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
      - routes/custom-host
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# Source: grafana-operator/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: two
  name: testrelease-grafana-operator
  labels:
    helm.sh/chart: grafana-operator-0.1.3
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
    app.kubernetes.io/version: "v5.5.2"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - configmaps
      - persistentvolumeclaims
      - secrets
      - serviceaccounts
      - services
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadashboards
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadashboards/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadashboards/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadatasources
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadatasources/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadatasources/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanafolders
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanafolders/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanafolders/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanas
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanas/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanas/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
      - routes/custom-host
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# Source: grafana-operator/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: three
  name: testrelease-grafana-operator
  labels:
    helm.sh/chart: grafana-operator-0.1.3
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
    app.kubernetes.io/version: "v5.5.2"
    app.kubernetes.io/managed-by: Helm
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - configmaps
      - persistentvolumeclaims
      - secrets
      - serviceaccounts
      - services
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - get
      - list
      - patch
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadashboards
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadashboards/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadashboards/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadatasources
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadatasources/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanadatasources/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanafolders
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanafolders/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanafolders/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanas
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanas/finalizers
    verbs:
      - update
  - apiGroups:
      - grafana.integreatly.org
    resources:
      - grafanas/status
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
      - routes/custom-host
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# Source: grafana-operator/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testrelease-grafana-operator
  namespace: one
  labels:
    helm.sh/chart: grafana-operator-0.1.3
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
    app.kubernetes.io/version: "v5.5.2"
    app.kubernetes.io/managed-by: Helm
subjects:
  - kind: ServiceAccount
    name: testrelease-grafana-operator
    namespace: testnamespace
roleRef:
  kind: Role
  name: testrelease-grafana-operator
  apiGroup: rbac.authorization.k8s.io
---
# Source: grafana-operator/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testrelease-grafana-operator
  namespace: two
  labels:
    helm.sh/chart: grafana-operator-0.1.3
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
    app.kubernetes.io/version: "v5.5.2"
    app.kubernetes.io/managed-by: Helm
subjects:
  - kind: ServiceAccount
    name: testrelease-grafana-operator
    namespace: testnamespace
roleRef:
  kind: Role
  name: testrelease-grafana-operator
  apiGroup: rbac.authorization.k8s.io
---
# Source: grafana-operator/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: testrelease-grafana-operator
  namespace: three
  labels:
    helm.sh/chart: grafana-operator-0.1.3
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
    app.kubernetes.io/version: "v5.5.2"
    app.kubernetes.io/managed-by: Helm
subjects:
  - kind: ServiceAccount
    name: testrelease-grafana-operator
    namespace: testnamespace
roleRef:
  kind: Role
  name: testrelease-grafana-operator
  apiGroup: rbac.authorization.k8s.io
---
# Source: grafana-operator/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: testrelease-grafana-operator-metrics-service
  namespace: testnamespace
  labels:
    helm.sh/chart: grafana-operator-0.1.3
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
    app.kubernetes.io/version: "v5.5.2"
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 9090
      targetPort: metrics
      protocol: TCP
      name: metrics
  selector:
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
---
# Source: grafana-operator/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: testrelease-grafana-operator
  namespace: testnamespace
  labels:
    helm.sh/chart: grafana-operator-0.1.3
    app.kubernetes.io/name: grafana-operator
    app.kubernetes.io/instance: testrelease
    app.kubernetes.io/version: "v5.5.2"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: grafana-operator
      app.kubernetes.io/instance: testrelease
  template:
    metadata:
      labels:
        app.kubernetes.io/name: grafana-operator
        app.kubernetes.io/instance: testrelease
    spec:
      serviceAccountName: testrelease-grafana-operator
      containers:
        - name: grafana-operator
          securityContext:
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
          image: "ghcr.io/grafana-operator/grafana-operator:v5.5.2"
          imagePullPolicy: IfNotPresent
          env:
            - name: WATCH_NAMESPACE
              value: one,two,three
          args:
            - --health-probe-bind-address=:8081
            - --metrics-bind-address=0.0.0.0:9090
          volumeMounts:
            - name: dashboards-dir
              mountPath: /tmp/dashboards
          ports:
            - containerPort: 9090
              name: metrics
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
      volumes:
        - name: dashboards-dir
          emptyDir: {}
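The bug described in the PR description (Roles and RoleBindings rendered into the release namespace rather than into each entry of watchNamespaces) is the kind of regression worth checking automatically against `helm template` output rather than by eye. The script below is an added example and is not code from the grafana-operator chart or from this PR. It uses hand-written, abridged stand-ins for the chart's Role and RoleBinding templates (the `render_rbac` function, which can mimic both the pre-fix behaviour, one pair in the release namespace, and the post-fix behaviour, one pair per watched namespace) and then checks three things: every watched namespace gets exactly one Role and one RoleBinding, each RoleBinding's subject is the operator's ServiceAccount in the release namespace, and no RBAC object lands in a namespace that is not being watched. An empty watch list falls back to the release namespace, which is the behaviour weisdd asks to have documented for namespaceScope. The field extractor is deliberately minimal and relies on helm's two-space layout; for anything beyond a quick check, parse the documents with PyYAML instead.

```python
"""Added example (not from the grafana-operator chart): validate that rendered
RBAC objects follow watchNamespaces, as described in the PR."""
import re
from typing import Dict, List, Optional

# Abridged, hand-written stand-ins for the chart's Role/RoleBinding templates
# (constructed for this example; the real rule set is omitted).
ROLE_TEMPLATE = """\
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: {ns}
  name: {name}
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
"""

ROLEBINDING_TEMPLATE = """\
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {name}
  namespace: {ns}
subjects:
  - kind: ServiceAccount
    name: {name}
    namespace: {release_ns}
roleRef:
  kind: Role
  name: {name}
  apiGroup: rbac.authorization.k8s.io
"""


def render_rbac(release_ns: str, target_namespaces: List[str],
                name: str = "testrelease-grafana-operator") -> str:
    """Stand-in for `helm template`: one Role and one RoleBinding per target namespace.
    The pre-fix chart behaved as if target_namespaces were [release_ns]; the fixed
    chart ranges over watchNamespaces. The ServiceAccount always lives in release_ns."""
    out = []
    for ns in target_namespaces:
        out.append(ROLE_TEMPLATE.format(ns=ns, name=name))
        out.append(ROLEBINDING_TEMPLATE.format(ns=ns, name=name, release_ns=release_ns))
    return "".join(out)


def _field(block: str, indent: int, key: str) -> Optional[str]:
    """First `key: value` scalar found at exactly `indent` spaces of indentation."""
    m = re.search(rf"^{' ' * indent}{key}:[ \t]*(\S+)[ \t]*$", block, re.M)
    return m.group(1) if m else None


def parse_docs(rendered: str) -> List[Dict[str, Optional[str]]]:
    """Minimal extractor for the three fields this check needs. It relies on helm's
    two-space layout (metadata.* at 2 spaces, subjects[].* at 4); use PyYAML for
    anything beyond a quick check."""
    docs = []
    for chunk in re.split(r"^---[ \t]*$", rendered, flags=re.M):
        if not chunk.strip():
            continue
        meta = re.search(r"^metadata:\n((?:  .*\n)+)", chunk, re.M)
        subj = re.search(r"^subjects:\n((?:  .*\n)+)", chunk, re.M)
        docs.append({
            "kind": _field(chunk, 0, "kind"),
            "namespace": _field(meta.group(1), 2, "namespace") if meta else None,
            "subject_namespace": _field(subj.group(1), 4, "namespace") if subj else None,
        })
    return docs


def check_rbac(rendered: str, release_ns: str, watch_namespaces: List[str]) -> List[str]:
    """Return a list of findings (empty list means OK). An empty watch list means the
    operator watches its own namespace, so the expected RBAC target is release_ns."""
    expected = list(watch_namespaces) or [release_ns]
    docs = parse_docs(rendered)
    findings = []
    for kind in ("Role", "RoleBinding"):
        seen = [d["namespace"] for d in docs if d["kind"] == kind]
        for ns in expected:
            n = seen.count(ns)
            if n != 1:
                findings.append(f"{kind}: expected 1 in namespace {ns!r}, found {n}")
        for ns in seen:
            if ns not in expected:
                findings.append(f"{kind}: rendered into unwatched namespace {ns!r}")
    for d in docs:
        # The binding must point back at the operator's ServiceAccount, which is
        # always created in the release namespace, never in the watched one.
        if d["kind"] == "RoleBinding" and d["subject_namespace"] != release_ns:
            findings.append(f"RoleBinding in {d['namespace']!r}: subject namespace "
                            f"{d['subject_namespace']!r} != release namespace {release_ns!r}")
    return findings


if __name__ == "__main__":
    watched = ["one", "two", "three"]
    buggy = render_rbac("testnamespace", ["testnamespace"])  # pre-fix behaviour
    fixed = render_rbac("testnamespace", watched)            # post-fix behaviour
    print("buggy render:", *check_rbac(buggy, "testnamespace", watched), sep="\n  ")
    print("fixed render:", check_rbac(fixed, "testnamespace", watched))
```

To run the same check against a real render, feed the output of the `helm template` command from the comment above into `check_rbac` in place of the stand-in: the buggy behaviour shows up as "expected 1 in namespace 'one', found 0" plus an "unwatched namespace" finding for the release namespace, while the fixed chart produces no findings.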

@CLAassistant

CLAassistant commented Dec 11, 2023

CLA assistant check
All committers have signed the CLA.

@weisdd weisdd self-assigned this Dec 12, 2023
@weisdd
Collaborator

weisdd commented Dec 12, 2023

@rasebo thanks for the PR!
Could you please explain what the use case for namespaceOverride is? Normally, manifests are deployed to the same namespace as a Helm release; I'm not sure why you would want to keep them separate.

Also, I think it'd be useful to update the description of namespaceScope in values.yaml to clarify that the operator watches the same namespace it's deployed to only if watchNamespaces is not defined.

@weisdd
Collaborator

weisdd commented Dec 12, 2023

Fixes: #1323

@rasebo
Contributor Author

rasebo commented Dec 12, 2023

I am considering deploying grafana-operator and GrafanaDashboard, and/or GrafanaDatasource objects in different namespaces, using the same helm chart. For example, grafana-operator gets deployed into grafana-operator and the objects in the grafana-objects namespace.

Functionally, this can go both ways: either having the chart namespace set as grafana-operator and then specifying an override for the objects, or the other way around. There's always the scenario where we can split these two into two different charts and handle them in a totally separate fashion, or a bunch of other approaches.

Honestly, I am not 100% sure that this is a wise approach, but I figured it wouldn't hurt to have the flexibility to customise this.

@weisdd
Collaborator

weisdd commented Dec 12, 2023

@rasebo Do I understand correctly that you want to create an umbrella chart where you would specify ours as a dependency?

@rasebo
Contributor Author

rasebo commented Dec 18, 2023

Sorry for taking so long to respond, I got hit by a nasty virus. Yep, we're using this as a subchart.

Collaborator

@weisdd weisdd left a comment


To me, the code looks fine.
@NissesSenap Could you also take a look at it?

Collaborator

@NissesSenap NissesSenap left a comment


Sorry for the delay with the review.
LGTM

@NissesSenap NissesSenap merged commit 072c5b1 into grafana:master Jan 13, 2024
10 checks passed
Successfully merging this pull request may close these issues.

[Bug] Unable to install multiple releases of the grafana-operator via ArgoCD