Stefan_Eichberger
1 month ago · New Contributor
Feature Request: Connect/Operator DO_NOT_WATCH_NAMESPACE
Greetings Everyone!
I would like to request a feature for the Connect/Operator Kubernetes service. I will try to be brief and describe the definition of this feature and the reasoning behind it.
Definition:
DO_NOT_WATCH_NAMESPACE will hold a list of namespaces which should NOT be processed for onepassworditems. Simply put, an inverted WATCH_NAMESPACE function.
Reasoning:
I'm working on a Kubernetes environment for developers and wanted to integrate cert-manager with it. Since the cert issuer configuration needs a secret for the credentials of the issuer, I planned to put this information into a separate OnePassword-Vault to which developers don't have access. I further created a new token with access to this specific vault and installed a dedicated operator to watch only the cert-manager namespace. With a setup like this I'm able to use the same cluster-wide connector with different vault access credentials per namespace.
This setup works but the "default" operator will also try to create the secret of the cert-manager onepassworditem which fails because its token can't access the developer-vault.
I could redeploy the "default" operator and configure the WATCH_NAMESPACE list, but imagine having hundreds of namespaces and needing to maintain this list in the operator configuration.
Therefore I would like to see an "exclude these namespaces" feature for the operator, which I would only need for special solutions like the one I described.
Thank you
Stefan Eichberger
P.S.: If there is already a proper solution for this kind of setup, please tell me; I couldn't find it.