Summary
Today the DocumentDB operator cannot be deployed multiple times in the same Kubernetes cluster (e.g., one instance per namespace for multi-tenant scenarios). This is primarily blocked by an upstream limitation in CloudNative-PG (CNPG), which we ship as a Helm subchart. This issue tracks the work to lift that limitation once the upstream fix is available, and to audit our own webhook configurations for the same problem.
Context
The DocumentDB operator depends on CNPG as a Helm subchart. CNPG creates cluster-scoped MutatingWebhookConfiguration and ValidatingWebhookConfiguration resources with hardcoded names. When multiple operator instances are deployed in the same cluster, these resources collide and prevent a per-namespace deployment pattern.
Upstream fix
- CNPG PR cloudnative-pg/cloudnative-pg#10420 "feat: make webhook configuration names configurable" by @maxlengdell.
- Adds an ENABLE_WEBHOOK_NAMESPACE_SUFFIX config that suffixes the webhook name with the operator's namespace.
- Settable via env var or operator ConfigMap/Secret (mirrors the existing OPERATOR_NAMESPACE / WATCH_NAMESPACE pattern).
- Closes CNPG issue #10405.
- Status as of this issue: opened 2026-04-07, still OPEN, last updated 2026-04-16 (~2 months without merge).
Plan
Primary path (preferred)
Once CNPG #10420 merges and a CNPG release ships with ENABLE_WEBHOOK_NAMESPACE_SUFFIX:
- Bump our CNPG subchart dependency to the release containing the fix.
- Surface a values knob in our Helm chart so users can enable the namespace-suffixed webhook names.
- Apply analogous handling on the DocumentDB operator side if our own webhooks have the same cluster-scoped naming-collision problem (see acceptance criteria).
Fallback path
If CNPG #10420 stalls for an extended period (e.g., another 2+ months with no merge), evaluate either:
- (a) carrying a patched CNPG fork as our subchart, or
- (b) shipping our own CNPG build that embeds the patch,
until upstream merges.
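The collision described under Context, and the preflight check a chart maintainer would want once namespace-suffixed names are available, as an added example that is not code from the DocumentDB operator or from CNPG. It takes the JSON that kubectl returns for the cluster's existing MutatingWebhookConfiguration/ValidatingWebhookConfiguration objects (a constructed sample is embedded below), computes the names a new operator instance in a target namespace would create, and reports any name already owned by a Helm release in a different namespace. The CNPG webhook names used here and the "-" separator between base name and namespace are assumptions; check them against the subchart's rendered manifests.

```python
import json

# Constructed sample: the webhook configurations a first operator install in
# namespace "tenant-a" left behind (same shape as
# `kubectl get mutatingwebhookconfigurations,validatingwebhookconfigurations -o json`).
# The CNPG resource names are assumed defaults, not taken from the page.
SAMPLE_CLUSTER_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "admissionregistration.k8s.io/v1",
            "kind": "MutatingWebhookConfiguration",
            "metadata": {
                "name": "cnpg-mutating-webhook-configuration",
                "annotations": {
                    "meta.helm.sh/release-name": "documentdb",
                    "meta.helm.sh/release-namespace": "tenant-a",
                },
            },
        },
        {
            "apiVersion": "admissionregistration.k8s.io/v1",
            "kind": "ValidatingWebhookConfiguration",
            "metadata": {
                "name": "cnpg-validating-webhook-configuration",
                "annotations": {
                    "meta.helm.sh/release-name": "documentdb",
                    "meta.helm.sh/release-namespace": "tenant-a",
                },
            },
        },
        {
            # Unrelated, non-Helm-managed webhook: must not be reported.
            "apiVersion": "admissionregistration.k8s.io/v1",
            "kind": "ValidatingWebhookConfiguration",
            "metadata": {"name": "cert-manager-webhook"},
        },
    ],
})

# Base names a new operator instance would create (assumed defaults, see above).
WEBHOOK_BASES = (
    ("MutatingWebhookConfiguration", "cnpg-mutating-webhook-configuration"),
    ("ValidatingWebhookConfiguration", "cnpg-validating-webhook-configuration"),
)


def suffixed_name(base, namespace, suffix_enabled):
    """Name a new instance would use. With the suffix disabled every instance
    uses the hardcoded base name (the collision); with it enabled the operator
    namespace is appended. The '-' separator is an assumption about upstream."""
    return f"{base}-{namespace}" if suffix_enabled else base


def existing_owners(cluster_json):
    """Map (kind, name) -> namespace of the Helm release owning the object,
    or None when it carries no Helm ownership annotation."""
    owners = {}
    for item in json.loads(cluster_json)["items"]:
        meta = item["metadata"]
        annotations = meta.get("annotations", {})
        owners[(item["kind"], meta["name"])] = annotations.get(
            "meta.helm.sh/release-namespace"
        )
    return owners


def find_collisions(cluster_json, target_namespace, suffix_enabled):
    """Return (kind, name, owner_namespace) triples for planned names that are
    already taken by an object not owned by a release in target_namespace.
    owner_namespace is None for a non-Helm object. A name owned by the target
    namespace itself is an upgrade of that release, not a collision."""
    owners = existing_owners(cluster_json)
    collisions = []
    for kind, base in WEBHOOK_BASES:
        name = suffixed_name(base, target_namespace, suffix_enabled)
        if (kind, name) in owners and owners[(kind, name)] != target_namespace:
            collisions.append((kind, name, owners[(kind, name)]))
    return collisions


if __name__ == "__main__":
    for enabled in (False, True):
        hits = find_collisions(SAMPLE_CLUSTER_JSON, "tenant-b", enabled)
        print(f"suffix enabled={enabled}: {len(hits)} collision(s)")
        for kind, name, owner in hits:
            print(f"  {kind}/{name} already owned by release in namespace {owner}")
```

Run against a live cluster by replacing SAMPLE_CLUSTER_JSON with the output of the kubectl command in the comment; a second install into tenant-b reports both CNPG names as collisions with the suffix disabled and nothing once it is enabled, which is the behaviour the values knob in the Primary path is meant to unlock.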
Acceptance Criteria
- Audit our own webhook configurations (including the ValidatingWebhookConfiguration added in 0.3.0 for DocumentDB CR validation) for the same cluster-scoped naming-collision problem and fix on our side analogously.
- Update the documentation under docs/operator-public-documentation/preview/.
Additional Context
Labels: enhancement, dependency, cnpg (only enhancement applied; dependency/cnpg not present on the repo).