Is webhook validation possible for ECK running in a single namespace?

If you install ECK in a Kubernetes namespace (not cluster wide) can you use the webhook validator?

I installed everything (ECK 1.1) in a single namespace and it seems to run fine, but when I attempt to enable webhook validation I run into errors.

If I run

./elastic-operator manager --enable-webhook 

I get: "unable to setup and fill the webhook certificates" error:"resource name may not be empty"

If I run

./elastic-operator manager --manage-webhook-certs

I get: error:"secrets is forbidden. User system:serviceaccount:mynamespace:mycloud cannot list resource secrets in the api group at the cluster scope."

I noticed the elastic-webhook-server-cert isn't in my namespace. Do I need to manually create this? Are there instructions for doing this in a single namespace?

I noticed the webhook template is in the all-in-one directory and not in the namespace directory. Does that imply you can't do webhook validations if installed in the namespace?

Also, I see the operator template in namespace doesn't open a port for the validating server but all-in-one does, so I guess it seems you can't validate your submissions when installing in a namespace. Is this correct?

Hey @data_smith, sorry about that. We're currently thinking about making it easier for everyone to customize the ECK manifests for deployments in a single namespace. It's a work in progress, see this issue.

You will likely have to customize the namespace manifest to create the elastic-webhook-server-cert secret in the right namespace. You also indeed need to override the operator StatefulSet manifest to open the webhook port (9443), similar to how it is done in the all-in-one manifest.

Ok. Thanks for the info.

For anyone curious: I copied what was in the all-in-one statefulset over to the namespace statefulset (create empty cert, mount it, open port, etc). Then I got an error about access to validatingwebhookconfiguration. I got the API group and resource from that error and created a cluster role that gives access to that, and then I created a clusterrolebinding to bind that cluster role with the ECK service account. I did this on a private network and can't easily move it over to the internet, but maybe the description will help you.
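
The RBAC and Secret pieces described in the last post, written out as an added example (not part of the thread and not the ECK project's own manifest). The service account `mycloud` and namespace `mynamespace` come from the error message in the question; the role name `eck-webhook-config` and the verb list are assumptions.

```yaml
# Added illustration; names marked "hypothetical" are not from the thread.
# Empty certificate Secret in the operator's own namespace ("create empty cert").
apiVersion: v1
kind: Secret
metadata:
  name: elastic-webhook-server-cert
  namespace: mynamespace
---
# ValidatingWebhookConfiguration is a cluster-scoped resource, so a namespaced
# Role cannot grant access to it. Keep the ClusterRole limited to this one
# resource type instead of reusing a broad cluster-wide operator role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eck-webhook-config   # hypothetical name
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    # Assumed verb set; keep only the verbs the operator's errors ask for.
    verbs: ["get", "list", "watch", "update", "patch"]
---
# Bind the ClusterRole to the operator's service account only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eck-webhook-config   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: eck-webhook-config
subjects:
  - kind: ServiceAccount
    name: mycloud
    namespace: mynamespace
```

After applying, `kubectl auth can-i update validatingwebhookconfigurations --as=system:serviceaccount:mynamespace:mycloud` should answer `yes`, while the same check for `secrets` at cluster scope should still answer `no`.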