fix: default operator watchNamespaces to release namespace #617
Open
devfreddy-langchain wants to merge 2 commits into langchain-ai:main from
When watchNamespaces is unset, the operator previously watched all namespaces cluster-wide, causing unintended cross-namespace reconciliation in multi-dataplane and shared cluster deployments (e.g. support #18149). Now defaults to the release namespace at the template level (since .Release.Namespace is not available in values.yaml). Cluster-wide watching via ClusterRole/ClusterRoleBinding has been removed in favor of explicit namespace configuration — set watchNamespaces to a comma-separated list to watch additional namespaces beyond the release namespace. Affects both langsmith and langgraph-dataplane charts.
Condense two-line comment to a single line and replace "watch additional namespaces" (which implies additive behavior) with "setting this overrides that default entirely" to accurately reflect template logic.
### Problem

When `watchNamespaces` is unset (the default), the operator watches all namespaces cluster-wide. In multi-dataplane and shared cluster deployments, this causes unintended cross-namespace reconciliation (ref: support #18149).

### Solution

Default `WATCH_NAMESPACE` to `.Release.Namespace` at the template level (since `.Release.Namespace` is not available in `values.yaml`). This makes cluster-wide watching an explicit opt-in rather than a silent default.

### Changes

langgraph-dataplane:

- `deployment.yaml`: Chain defaults for `WATCH_NAMESPACE`: `config.watchNamespaces` > `operator.watchNamespaces` > `.Release.Namespace`
- `rbac.yaml`: Replace `if/else` structure with computed `$effectiveWatchNamespaces` variable; remove ClusterRole/ClusterRoleBinding fallback
- `values.yaml`: Add comments documenting default behavior and precedence

langsmith:

- `deployment.yaml`: Default `WATCH_NAMESPACE` to `.Release.Namespace` when `operator.watchNamespaces` is empty
- `rbac.yaml`: Same structural change as langgraph-dataplane; remove ClusterRole/ClusterRoleBinding fallback
- `values.yaml`: Add comment documenting default behavior

### Breaking change: customers who never set `watchNamespaces`

| | Before | After |
|---|---|---|
| `watchNamespaces` unset | `ClusterRole` + `ClusterRoleBinding` (cluster-wide operator scope) | `Role` + `RoleBinding` scoped to `.Release.Namespace` only |

### Impact scenarios

1. **Operator stops managing LGP resources in other namespaces.** If a customer deployed LGP resources in namespaces other than the release namespace without explicitly configuring `watchNamespaces`, the operator will silently stop reconciling those resources after upgrade. Existing deployments won't be deleted, but they'll become unmanaged orphans.
2. **Helm deletes the ClusterRole/ClusterRoleBinding on upgrade.** Helm tracks managed resources and will remove `ClusterRole`/`ClusterRoleBinding` during `helm upgrade` since they no longer appear in the rendered templates. This is automatic and correct, but it's a meaningful permissions reduction that happens immediately.
3. **No obvious failure signal.** The operator won't crash; it'll just have a narrower watch scope. Customers might not notice until they try to create or update an LGP in another namespace and nothing happens.

### Who is NOT affected

Customers who explicitly set `watchNamespaces` already had namespace-scoped `Role`/`RoleBinding` resources. No change in behavior or RBAC type for them.

### Recommended mitigations

- set `watchNamespaces` to a comma-separated list of all namespaces they use before or during upgrade
- A `watchAllNamespaces: true` escape hatch is worth adding back (re-enables the ClusterRole path explicitly)
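As an added illustration, not the charts' own `rbac.yaml` (which is not shown on this page), this is how the precedence chain and the per-namespace `Role`/`RoleBinding` rendering described above can be expressed in a Helm template; `$effectiveWatchNamespaces` is the variable the description names, while the rule set and resource names are placeholders, and it assumes `values.yaml` declares both `config.watchNamespaces` and `operator.watchNamespaces` (possibly empty).

```yaml
{{- /*
Illustrative sketch, not the charts' own rbac.yaml: compute the effective
watch list once, then render one namespace-scoped Role + RoleBinding per
entry. There is deliberately no ClusterRole fallback. Assumes values.yaml
declares config.watchNamespaces and operator.watchNamespaces (possibly "").
*/ -}}
{{- /* Precedence: config.watchNamespaces > operator.watchNamespaces > .Release.Namespace */ -}}
{{- $effectiveWatchNamespaces := coalesce .Values.config.watchNamespaces .Values.operator.watchNamespaces .Release.Namespace -}}
{{- range $ns := splitList "," $effectiveWatchNamespaces }}
{{- $ns = trim $ns }}
{{- if $ns }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $.Release.Name }}-operator
  namespace: {{ $ns }}
rules:
  # placeholder rule set; a real chart lists the operator's resources
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $.Release.Name }}-operator
  namespace: {{ $ns }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $.Release.Name }}-operator
subjects:
  - kind: ServiceAccount
    name: {{ $.Release.Name }}-operator
    namespace: {{ $.Release.Namespace }}  # the service account stays in the release namespace
{{- end }}
{{- end }}
```

Because `deployment.yaml` derives `WATCH_NAMESPACE` in a separate template, it has to repeat the same `coalesce` expression so the operator never watches a namespace it holds no `Role` in. Rendering with `helm template --set operator.watchNamespaces=a,b` should produce two `Role`/`RoleBinding` pairs, and with the value unset only the release namespace's pair and no `ClusterRole`.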