When deploying multiple CloudNativePG operators in single-namespace mode on the same cluster, the
MutatingWebhookConfiguration and ValidatingWebhookConfiguration resources collide because they use hardcoded names
(cnpg-mutating-webhook-configuration and cnpg-validating-webhook-configuration). This makes it impossible to run
isolated operator instances per team/namespace without webhook conflicts.
Add a config.namespacedWebhooks Helm value (default false) that, when set to true:
- Appends - to the webhook configuration resource names (e.g.
cnpg-mutating-webhook-configuration-cnpg-team-a)
- Sets the ENABLE_WEBHOOK_NAMESPACE_SUFFIX environment variable on the operator deployment so it can locate its own
webhook configurations at runtime
- Adds a namespaceSelector with kubernetes.io/metadata.name: to each webhook entry, ensuring each
operator's webhooks only intercept resources in its own namespace
Alternatives that have been considered:
- Using fullnameOverride to differentiate releases — this doesn't help because webhook configuration names are
hardcoded independently of the Helm release name.
- Manually patching webhook names post-install — fragile and breaks on upgrades.
- Disabling webhooks entirely for some instances — loses admission validation.
Additional context
This corresponds to the operator-side change in cloudnative-pg/cloudnative-pg#10420 that introduces the
ENABLE_WEBHOOK_NAMESPACE_SUFFIX configuration parameter. The ClusterRole and ClusterRoleBinding already use {{ include
"cloudnative-pg.fullname" . }} and are unique per release, so they don't require changes.
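The following check is an added example, not code from the chart or the operator: it audits webhook configurations for the naming and scoping the proposal describes, namely a namespace suffix on the resource name and a namespaceSelector on kubernetes.io/metadata.name pinned to that same namespace. The hook names and sample objects are constructed, and the selector layout (matchLabels, or a matchExpressions In clause) is an assumption about how the chart renders it.

```python
import json

BASES = ("cnpg-mutating-webhook-configuration",
         "cnpg-validating-webhook-configuration")
NS_LABEL = "kubernetes.io/metadata.name"

def selector_namespaces(selector):
    """Namespaces a namespaceSelector pins via NS_LABEL, or None if it does not pin any."""
    selector = selector or {}
    value = selector.get("matchLabels", {}).get(NS_LABEL)
    if value is not None:
        return {value}
    for expr in selector.get("matchExpressions", []):
        if expr.get("key") == NS_LABEL and expr.get("operator") == "In":
            return set(expr.get("values", []))
    return None

def audit(configs):
    """Return findings for CNPG webhook configurations (parsed Kubernetes objects)."""
    findings = []
    for cfg in configs:
        name = cfg["metadata"]["name"]
        base = next((b for b in BASES if name == b or name.startswith(b + "-")), None)
        if base is None:
            continue  # not a CNPG webhook configuration
        suffix = name[len(base) + 1:]  # expected to be the operator's namespace
        if not suffix:
            findings.append(f"{name}: unsuffixed (hardcoded) name")
            continue
        for hook in cfg.get("webhooks", []):
            scoped = selector_namespaces(hook.get("namespaceSelector"))
            if scoped is None:
                findings.append(f"{name}/{hook['name']}: no namespaceSelector on {NS_LABEL}")
            elif scoped != {suffix}:
                findings.append(f"{name}/{hook['name']}: scoped to {sorted(scoped)}, expected {suffix}")
    return findings

# Constructed sample: team-a is correct, team-b has one mis-scoped and one unscoped hook.
SAMPLE = json.loads("""[
 {"metadata": {"name": "cnpg-mutating-webhook-configuration-cnpg-team-a"},
  "webhooks": [{"name": "hook-1.example", "namespaceSelector":
                {"matchLabels": {"kubernetes.io/metadata.name": "cnpg-team-a"}}}]},
 {"metadata": {"name": "cnpg-validating-webhook-configuration-cnpg-team-b"},
  "webhooks": [{"name": "hook-2.example", "namespaceSelector":
                {"matchLabels": {"kubernetes.io/metadata.name": "cnpg-team-a"}}},
               {"name": "hook-3.example"}]},
 {"metadata": {"name": "cnpg-mutating-webhook-configuration"}, "webhooks": []}
]""")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On a live cluster the input would be the `items` array from `kubectl get mutatingwebhookconfigurations,validatingwebhookconfigurations -o json`.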