Add namespace exclusion for watchers

[komapa]

The reflector watches all ConfigMaps and Secrets across every namespace in the cluster. In large clusters with thousands of ConfigMaps, this creates massive event volume — the vast majority of which are for resources with no reflector annotations. This unnecessary traffic saturates the internal bounded channel (256 slots) and can contribute to silent stalls.

This PR adds a new excludedNamespaces configuration option that accepts comma-separated glob patterns. Events from matching namespaces are dropped before entering the bounded channel, eliminating noise at the earliest possible point.

[github-actions]

Automatically marked as stale due to no recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[komapa]

@winromulus would love to get this reviewed/merged if possible

[winromulus]

Thanks for tackling this — the bounded-channel pressure in large clusters is a real operational pain point, and filtering at the producer side before the channel is the right layer to catch it.

A few observations from reading through, mostly small refinements plus one larger ask around test coverage.

What works well

• Good choice of filter location — dropping events before WriteAsync means the channel never sees the noise.
• Logging is thoughtful: patterns at session start, excluded count at session close when non-zero. Useful operational signal.
• IOptionsMonitor.CurrentValue captured at session start matches how WatcherTimeout already behaves — consistent with the existing pattern.
• Helm wiring is complete across both deployment.yaml and cron.yaml, values.yaml has an explanatory comment, README table updated.
• Regex.Escape before replacing \* / \? is the correct glob-to-regex translation; RegexOptions.Compiled is appropriate for a per-event matcher.

Main ask: tests

The feature currently has no coverage. Given the integration suite already uses Testcontainers.K3s with a clean builder pattern (see MirroringIntegrationTests.AutoReflect_To_AllowedNamespaces), this feels like a good candidate for:

• A unit-level test of the glob parser/matcher covering edge cases like empty strings, whitespace, * alone, multiple patterns, ? wildcards, and namespace names containing regex metacharacters. ParseGlobPatterns and IsNamespaceExcluded are private static in the base class today — extracting them to a small GlobMatcher helper would make them trivially testable and slightly more reusable.
• An integration test mirroring the shape of AutoReflect_To_AllowedNamespaces: set ES_Reflector__Watcher__ExcludedNamespaces=excluded-*, create a source in an excluded namespace and verify no mirrors appear; create one in an allowed namespace and verify they do.

Without coverage, a future well-meaning simplification of the escape sequence could silently change ? matching or similar.

Scope clarification worth adding to the docs

One thing an operator might reasonably misread: this setting drops watch events originating in the listed namespaces, but it doesn't stop auto-reflection from creating mirrors into them — target-side filtering still runs off the source's reflection-auto-namespaces annotation. A sentence in the README covering that distinction would head off confusion.

On NamespaceWatcher

Since V1Namespace is cluster-scoped, item.Metadata.NamespaceProperty is null for namespace events and the filter short-circuits. That's actually correct — you want NamespaceWatcher to keep seeing events so auto-reflection fires on new namespace creation — just flagging it so the interaction is explicit in the review record.

Smaller notes left inline. Overall a focused, well-scoped change solving a concrete problem.

---

Thanks again for the contribution — this is clearly solving a real-world pain point, and I appreciate the care taken with the Helm wiring and observability. Happy to merge once the items above are addressed.

[komapa]

Thank you so much for the detailed review and directions.

I have to admit, I used quite a lot of AI for the unit/integration tests so please take a closer look there:

❯ dotnet test tests/ES.Kubernetes.Reflector.Tests/ES.Kubernetes.Reflector.Tests.csproj --no-build -verbosity:minimal 2>&1
[xUnit.net 00:00:00.00] xUnit.net VSTest Adapter v3.1.5+1b188a7b0a (64-bit .NET 10.0.5)
[xUnit.net 00:00:00.14]   Discovering: ES.Kubernetes.Reflector.Tests
[xUnit.net 00:00:00.25]   Discovered:  ES.Kubernetes.Reflector.Tests
[xUnit.net 00:00:00.36]   Starting:    ES.Kubernetes.Reflector.Tests
[xUnit.net 00:00:28.48]   Finished:    ES.Kubernetes.Reflector.Tests (ID = 'e0bea2b0f8b2c51a4d44fa5fcb5344e51fd55832d3ed1872674304864c6cfc26')
  ES.Kubernetes.Reflector.Tests test net10.0 succeeded (28.9s)

Test summary: total: 27, failed: 0, succeeded: 27, skipped: 0, duration: 28.9s
Build succeeded in 29.0s

[winromulus]

Really appreciate the engagement here — this is a clean, well-tested response. Walked through each of the earlier asks against the current code:

• Drop redundant .Where → GlobMatcher.ParseGlobPatterns uses only Split(RemoveEmptyEntries | TrimEntries).Select(...). ✓
• README wording → now "exclude from reflection processing." ✓
• Case sensitivity → patterns normalized to lowercase at parse time. ✓
• NamespaceWatcher no-op comment → clear 3-line explanation inline. ✓
• Extract to helper class → GlobMatcher with a clean static surface. ✓
• Unit tests → 19 tests in GlobMatcherTests with good coverage; the metacharacter cases (ns.special as literal, ns[1] with brackets) are the ones that would catch a future refactor breaking the escape-before-substitute order. Nice.
• Integration test → ExcludedNamespacesIntegrationTests with its own fixture wiring. ✓

On the AI-assisted tests: honest take — the unit tests are genuinely solid, especially the metacharacter edge cases. The integration test is functionally correct with one structural observation left inline.

Three small things, none blocking — all covered inline. Otherwise this is in really good shape.

[winromulus]

Heads up — the channel-buffer bump (256 → 1024) just landed on main as part of e6ba44f (same commit that closed #624 earlier today). That touches the same area of WatcherBackgroundService.cs you're editing, which is where the conflict is coming from. On rebase, take the 1024 value from main and keep your exclusion-filter additions around it — nothing else should collide.

[komapa]

Really appreciate the engagement here — this is a clean, well-tested response. Walked through each of the earlier asks against the current code:

• Drop redundant .Where → GlobMatcher.ParseGlobPatterns uses only Split(RemoveEmptyEntries | TrimEntries).Select(...). ✓
• README wording → now "exclude from reflection processing." ✓
• Case sensitivity → patterns normalized to lowercase at parse time. ✓
• NamespaceWatcher no-op comment → clear 3-line explanation inline. ✓
• Extract to helper class → GlobMatcher with a clean static surface. ✓
• Unit tests → 19 tests in GlobMatcherTests with good coverage; the metacharacter cases (ns.special as literal, ns[1] with brackets) are the ones that would catch a future refactor breaking the escape-before-substitute order. Nice.
• Integration test → ExcludedNamespacesIntegrationTests with its own fixture wiring. ✓

On the AI-assisted tests: honest take — the unit tests are genuinely solid, especially the metacharacter edge cases. The integration test is functionally correct with one structural observation left inline.

Three small things, none blocking — all covered inline. Otherwise this is in really good shape.

I believe all the latest requests have been addressed now. 🙇🏼

[winromulus]

Thanks for sticking with this through the back-and-forth — really appreciate the responsiveness on every piece of feedback.

The expanded integration test landed exactly where I was hoping, and I particularly like that the second test reads like inline documentation for the source-vs-target distinction. The unit tests on the regex metacharacter cases are great too — exactly the kind of thing that'll catch a well-meaning future refactor breaking the escape order.

Approving. Thanks again for solving a real operational pain point for folks running this at scale.