support watch namespaces matched namespace selector (#7472)

skip caching namespaces at cluster scope if only watching single namespace

add --watch-namespace-selector in user guide

add e2e test

charts/ingress-nginx/templates/_params.tpl

@@ -18,6 +18,9 @@
 {{- if .Values.controller.scope.enabled }}
 - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
 {{- end }}
+{{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }}
+- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }}
+{{- end }}
 {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
 - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
 {{- end }}

charts/ingress-nginx/templates/clusterrole.yaml

@@ -20,6 +20,9 @@ rules:
       - nodes
       - pods
       - secrets
+{{- if not .Values.controller.scope.enabled }}
+      - namespaces
+{{- end}}
     verbs:
       - list
       - watch

charts/ingress-nginx/values.yaml

@@ -137,6 +137,9 @@ controller:
   scope:
     enabled: false
     namespace: ""   # defaults to $(POD_NAMESPACE)
+    # When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels
+    #   only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces.
+    namespaceSelector: ""
 
   ## Allows customization of the configmap / nginx-configmap namespace
   ##