Let Watcher and Api run namespace scoped #415
-
Hi, we would like to run a watcher and API namespace-scoped. So each of our Tekton namespaces should have its own watcher and API, which then write into its own DB. I don't see that I can configure the watcher to be namespace-scoped. I can try to reduce the cluster role to a namespace-scoped role which allows the service account to see only namespace resources. Is that possible today? If not, I will write a feature request. Best regards, Manu
-
Are you treating each namespace as a "tenant", and therefore need to segregate the data? In theory the controllers can be configured to watch a specific namespace. It is certainly worth writing a feature request so you can explain your use case further. The community can then discuss if this is technically feasible and/or maintainable.
-
Following up on this - thank you @manuelwallrapp for submitting #417 and implementing it with #419! Closing this discussion as "done" ✔️
We plan to run in each namespace its own Tekton-Results API and Watcher instance with its own schema. Each project has its own build namespace, and therefore its own build logs and PipelineRuns. That's why we want to separate everything. I know from the Java Fabric8 API that I can scope the API to the namespace. That is actually all we need: a setting to scope the Watcher to the namespace only. The rest we will do ourselves: Role and Binding of the service account and so on.
I will write a feature request and maybe even try to implement that setting ourselves.