From cd5762b1087a38387647e4fc8b64cdb4a19326d9 Mon Sep 17 00:00:00 2001
From: Jonathan Knight <jk@thegridman.com>
Date: Mon, 9 Sep 2024 17:20:17 +0300
Subject: [PATCH] Allow additional labels and annotations to be specified for
 the WKA service.

---
 .github/workflows/k8s-matrix.yaml             |  13 +-
 Makefile                                      |   8 +-
 api/v1/coherence_types.go                     |  10 ++
 api/v1/coherenceresourcespec_types.go         |  14 +++
 api/v1/create_job_wka_services_test.go        | 119 +++++++++++++++++-
 api/v1/create_wka_services_test.go            | 117 +++++++++++++++++
 api/v1/zz_generated.deepcopy.go               |  14 +++
 docs/about/04_coherence_spec.adoc             |   2 +
 docs/coherence/070_wka.adoc                   |  40 ++++++
 docs/other/041_global_labels.adoc             |  52 +++++++-
 .../templates/deployment.yaml                 |   5 +-
 pkg/operator/operator.go                      |  10 ++
 pkg/rest/rest.go                              |  62 ++++-----
 13 files changed, 426 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/k8s-matrix.yaml b/.github/workflows/k8s-matrix.yaml
index 71c31033..1113b511 100644
--- a/.github/workflows/k8s-matrix.yaml
+++ b/.github/workflows/k8s-matrix.yaml
@@ -40,6 +40,7 @@ jobs:
       fail-fast: false
       matrix:
         matrixName:
+          - v1.31
           - v1.30
           - v1.29
           - v1.28
@@ -47,20 +48,24 @@ jobs:
           - v1.26
           - v1.25
         include:
+          - matrixName: v1.31
+            k8s: kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
+            kindCommand: kind-calico
+            runNetTests: true
           - matrixName: v1.30
-            k8s: kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e
+            k8s: kindest/node:v1.30.4@sha256:976ea815844d5fa93be213437e3ff5754cd599b040946b5cca43ca45c2047114
             kindCommand: kind-calico
             runNetTests: true
           - matrixName: v1.29
-            k8s: kindest/node:v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8
+            k8s: kindest/node:v1.29.8@sha256:d46b7aa29567e93b27f7531d258c372e829d7224b25e3fc6ffdefed12476d3aa
             kindCommand: kind-calico
             runNetTests: true
           - matrixName: v1.28
-            k8s: kindest/node:v1.28.9@sha256:dca54bc6a6079dd34699d53d7d4ffa2e853e46a20cd12d619a09207e35300bd0
+            k8s: kindest/node:v1.28.13@sha256:45d319897776e11167e4698f6b14938eb4d52eb381d9e3d7a9086c16c69a8110
             kindCommand: kind-calico
             runNetTests: true
           - matrixName: v1.27
-            k8s: kindest/node:v1.27.13@sha256:17439fa5b32290e3ead39ead1250dca1d822d94a10d26f1981756cd51b24b9d8
+            k8s: kindest/node:v1.27.17@sha256:3fd82731af34efe19cd54ea5c25e882985bafa2c9baefe14f8deab1737d9fabe
             kindCommand: kind-calico
             runNetTests: true
           - matrixName: v1.26
diff --git a/Makefile b/Makefile
index 4ccaef99..b6dcd7c1 100644
--- a/Makefile
+++ b/Makefile
@@ -32,7 +32,7 @@ COMPATIBLE_SELECTOR ?= control-plane=coherence
 # The GitHub project URL
 PROJECT_URL = https://github.com/oracle/coherence-operator
 
-KUBERNETES_DOC_VERSION=v1.29
+KUBERNETES_DOC_VERSION=v1.30
 
 # ----------------------------------------------------------------------------------------------------------------------
 # The Coherence image to use for deployments that do not specify an image
@@ -1569,7 +1569,7 @@ create-ssl-secrets: $(BUILD_OUTPUT)/certs
 ##@ KinD
 
 KIND_CLUSTER   ?= operator
-KIND_IMAGE     ?= "kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e"
+KIND_IMAGE     ?= "kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865"
 CALICO_TIMEOUT ?= 300s
 
 # ----------------------------------------------------------------------------------------------------------------------
@@ -1829,7 +1829,7 @@ tanzu-install: ## Install the Coherence Operator package into Tanzu
 # ======================================================================================================================
 ##@ Miscellaneous
 
-TRIVY_IMAGE=ghcr.io/aquasecurity/trivy:0.51.2
+TRIVY_IMAGE=ghcr.io/aquasecurity/trivy:0.54.1
 .PHONY: trivy-scan
 trivy-scan: $(BUILD_TARGETS)/build-operator ## Scan the Operator image using Trivy
 	docker pull $(TRIVY_IMAGE)
@@ -1848,7 +1848,7 @@ controller-gen: $(TOOLS_BIN)/controller-gen ## Download controller-gen locally i
 
 $(TOOLS_BIN)/controller-gen:
 	@echo "Downloading controller-gen"
-	test -s $(TOOLS_BIN)/controller-gen || GOBIN=$(TOOLS_BIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.15.0
+	test -s $(TOOLS_BIN)/controller-gen || GOBIN=$(TOOLS_BIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.2
 	ls -al $(TOOLS_BIN)
 
 # ----------------------------------------------------------------------------------------------------------------------
diff --git a/api/v1/coherence_types.go b/api/v1/coherence_types.go
index 7a231d87..8516274a 100644
--- a/api/v1/coherence_types.go
+++ b/api/v1/coherence_types.go
@@ -589,6 +589,16 @@ type CoherenceWKASpec struct {
 	// +listType=atomic
 	// +optional
 	Addresses []string `json:"addresses,omitempty"`
+
+	// Labels is a map of optional additional labels to apply to the WKA Service.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+	// +optional
+	Labels map[string]string `json:"labels,omitempty" protobuf:"bytes,11,rep,name=labels"`
+
+	// Annotations is a map of optional additional labels to apply to the WKA Service.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,12,rep,name=annotations"`
 }
 
 // ----- CoherenceTracingSpec struct ----------------------------------------
diff --git a/api/v1/coherenceresourcespec_types.go b/api/v1/coherenceresourcespec_types.go
index f4164f01..75e4f0c3 100644
--- a/api/v1/coherenceresourcespec_types.go
+++ b/api/v1/coherenceresourcespec_types.go
@@ -523,6 +523,20 @@ func (in *CoherenceResourceSpec) CreateWKAService(deployment CoherenceResource)
 	}
 	ann["service.alpha.kubernetes.io/tolerate-unready-endpoints"] = "true"
 
+	if in != nil {
+		cohSpec := in.Coherence
+		if cohSpec != nil {
+			if cohSpec.WKA != nil {
+				for k, v := range cohSpec.WKA.Labels {
+					labels[k] = v
+				}
+				for k, v := range cohSpec.WKA.Annotations {
+					ann[k] = v
+				}
+			}
+		}
+	}
+
 	svc := &corev1.Service{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace:   deployment.GetNamespace(),
diff --git a/api/v1/create_job_wka_services_test.go b/api/v1/create_job_wka_services_test.go
index e74d96f8..4c937f05 100644
--- a/api/v1/create_job_wka_services_test.go
+++ b/api/v1/create_job_wka_services_test.go
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, Oracle and/or its affiliates.
+ * Copyright (c) 2023, 2024, Oracle and/or its affiliates.
  * Licensed under the Universal Permissive License v 1.0 as shown at
  * http://oss.oracle.com/licenses/upl.
  */
@@ -198,6 +198,123 @@ func TestCreateWKAServiceForJobWithClusterName(t *testing.T) {
 	assertWKAServiceForJob(t, deployment, expected)
 }
 
+func TestCreateWKAServiceForJobWithAdditionalLabels(t *testing.T) {
+	extraLabels := make(map[string]string)
+	extraLabels["one"] = "label-one"
+	extraLabels["two"] = "label-two"
+
+	// Create the test deployment
+	deployment := &coh.CoherenceJob{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "test-ns",
+			Name:      "test",
+		},
+		Spec: coh.CoherenceJobResourceSpec{
+			CoherenceResourceSpec: coh.CoherenceResourceSpec{
+				Coherence: &coh.CoherenceSpec{
+					WKA: &coh.CoherenceWKASpec{
+						Labels: extraLabels,
+					},
+				},
+			},
+			Cluster: "test-cluster",
+		},
+	}
+
+	// create the expected WKA service
+	labels := deployment.CreateCommonLabels()
+	labels[coh.LabelCoherenceCluster] = "test-cluster"
+	labels[coh.LabelComponent] = coh.LabelComponentWKA
+	labels["one"] = "label-one"
+	labels["two"] = "label-two"
+
+	// The selector for the service (match all Pods with the same cluster label)
+	selector := make(map[string]string)
+	selector[coh.LabelCoherenceCluster] = "test-cluster"
+	selector[coh.LabelComponent] = coh.LabelComponentCoherencePod
+	selector[coh.LabelCoherenceWKAMember] = "true"
+
+	expected := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "test-ns",
+			Name:      "test-wka",
+			Labels:    labels,
+			Annotations: map[string]string{
+				"service.alpha.kubernetes.io/tolerate-unready-endpoints": "true",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: corev1.ClusterIPNone,
+			// Pods must be part of the WKA service even if not ready
+			PublishNotReadyAddresses: true,
+			Ports:                    getDefaultServicePorts(),
+			Selector:                 selector,
+		},
+	}
+
+	// assert that the Services are as expected
+	assertWKAServiceForJob(t, deployment, expected)
+}
+
+func TestCreateWKAServiceForJobWithAdditionalAnnotations(t *testing.T) {
+	extraAnnotations := make(map[string]string)
+	extraAnnotations["one"] = "label-one"
+	extraAnnotations["two"] = "label-two"
+
+	// Create the test deployment
+	deployment := &coh.CoherenceJob{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "test-ns",
+			Name:      "test",
+		},
+		Spec: coh.CoherenceJobResourceSpec{
+			CoherenceResourceSpec: coh.CoherenceResourceSpec{
+				Coherence: &coh.CoherenceSpec{
+					WKA: &coh.CoherenceWKASpec{
+						Annotations: extraAnnotations,
+					},
+				},
+			},
+			Cluster: "test-cluster",
+		},
+	}
+
+	// create the expected WKA service
+	labels := deployment.CreateCommonLabels()
+	labels[coh.LabelCoherenceCluster] = "test-cluster"
+	labels[coh.LabelComponent] = coh.LabelComponentWKA
+
+	ann := make(map[string]string)
+	ann["service.alpha.kubernetes.io/tolerate-unready-endpoints"] = "true"
+	ann["one"] = "label-one"
+	ann["two"] = "label-two"
+
+	// The selector for the service (match all Pods with the same cluster label)
+	selector := make(map[string]string)
+	selector[coh.LabelCoherenceCluster] = "test-cluster"
+	selector[coh.LabelComponent] = coh.LabelComponentCoherencePod
+	selector[coh.LabelCoherenceWKAMember] = "true"
+
+	expected := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace:   "test-ns",
+			Name:        "test-wka",
+			Labels:      labels,
+			Annotations: ann,
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: corev1.ClusterIPNone,
+			// Pods must be part of the WKA service even if not ready
+			PublishNotReadyAddresses: true,
+			Ports:                    getDefaultServicePorts(),
+			Selector:                 selector,
+		},
+	}
+
+	// assert that the Services are as expected
+	assertWKAServiceForJob(t, deployment, expected)
+}
+
 func assertWKAServiceForJob(t *testing.T, deployment *coh.CoherenceJob, expected *corev1.Service) {
 	g := NewGomegaWithT(t)
 
diff --git a/api/v1/create_wka_services_test.go b/api/v1/create_wka_services_test.go
index 72514f62..3e7dd306 100644
--- a/api/v1/create_wka_services_test.go
+++ b/api/v1/create_wka_services_test.go
@@ -200,6 +200,123 @@ func TestCreateWKAServiceForDeploymentWithClusterName(t *testing.T) {
 	assertWKAService(t, deployment, expected)
 }
 
+func TestCreateWKAServiceForDeploymentWithAdditionalLabels(t *testing.T) {
+	extraLabels := make(map[string]string)
+	extraLabels["one"] = "label-one"
+	extraLabels["two"] = "label-two"
+
+	// Create the test deployment
+	deployment := &coh.Coherence{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "test-ns",
+			Name:      "test",
+		},
+		Spec: coh.CoherenceStatefulSetResourceSpec{
+			CoherenceResourceSpec: coh.CoherenceResourceSpec{
+				Coherence: &coh.CoherenceSpec{
+					WKA: &coh.CoherenceWKASpec{
+						Labels: extraLabels,
+					},
+				},
+			},
+			Cluster: ptr.To("test-cluster"),
+		},
+	}
+
+	// create the expected WKA service
+	labels := deployment.CreateCommonLabels()
+	labels[coh.LabelCoherenceCluster] = "test-cluster"
+	labels[coh.LabelComponent] = coh.LabelComponentWKA
+	labels["one"] = "label-one"
+	labels["two"] = "label-two"
+
+	// The selector for the service (match all Pods with the same cluster label)
+	selector := make(map[string]string)
+	selector[coh.LabelCoherenceCluster] = "test-cluster"
+	selector[coh.LabelComponent] = coh.LabelComponentCoherencePod
+	selector[coh.LabelCoherenceWKAMember] = "true"
+
+	expected := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "test-ns",
+			Name:      "test-wka",
+			Labels:    labels,
+			Annotations: map[string]string{
+				"service.alpha.kubernetes.io/tolerate-unready-endpoints": "true",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: corev1.ClusterIPNone,
+			// Pods must be part of the WKA service even if not ready
+			PublishNotReadyAddresses: true,
+			Ports:                    getDefaultServicePorts(),
+			Selector:                 selector,
+		},
+	}
+
+	// assert that the Services are as expected
+	assertWKAService(t, deployment, expected)
+}
+
+func TestCreateWKAServiceForDeploymentWithAdditionalAnnotations(t *testing.T) {
+	extraAnnotations := make(map[string]string)
+	extraAnnotations["one"] = "label-one"
+	extraAnnotations["two"] = "label-two"
+
+	// Create the test deployment
+	deployment := &coh.Coherence{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "test-ns",
+			Name:      "test",
+		},
+		Spec: coh.CoherenceStatefulSetResourceSpec{
+			CoherenceResourceSpec: coh.CoherenceResourceSpec{
+				Coherence: &coh.CoherenceSpec{
+					WKA: &coh.CoherenceWKASpec{
+						Annotations: extraAnnotations,
+					},
+				},
+			},
+			Cluster: ptr.To("test-cluster"),
+		},
+	}
+
+	// create the expected WKA service
+	labels := deployment.CreateCommonLabels()
+	labels[coh.LabelCoherenceCluster] = "test-cluster"
+	labels[coh.LabelComponent] = coh.LabelComponentWKA
+
+	ann := make(map[string]string)
+	ann["service.alpha.kubernetes.io/tolerate-unready-endpoints"] = "true"
+	ann["one"] = "label-one"
+	ann["two"] = "label-two"
+
+	// The selector for the service (match all Pods with the same cluster label)
+	selector := make(map[string]string)
+	selector[coh.LabelCoherenceCluster] = "test-cluster"
+	selector[coh.LabelComponent] = coh.LabelComponentCoherencePod
+	selector[coh.LabelCoherenceWKAMember] = "true"
+
+	expected := &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace:   "test-ns",
+			Name:        "test-wka",
+			Labels:      labels,
+			Annotations: ann,
+		},
+		Spec: corev1.ServiceSpec{
+			ClusterIP: corev1.ClusterIPNone,
+			// Pods must be part of the WKA service even if not ready
+			PublishNotReadyAddresses: true,
+			Ports:                    getDefaultServicePorts(),
+			Selector:                 selector,
+		},
+	}
+
+	// assert that the Services are as expected
+	assertWKAService(t, deployment, expected)
+}
+
 func assertWKAService(t *testing.T, deployment *coh.Coherence, expected *corev1.Service) {
 	g := NewGomegaWithT(t)
 
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
index 44fb6886..5a74af02 100644
--- a/api/v1/zz_generated.deepcopy.go
+++ b/api/v1/zz_generated.deepcopy.go
@@ -947,6 +947,20 @@ func (in *CoherenceWKASpec) DeepCopyInto(out *CoherenceWKASpec) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CoherenceWKASpec.
diff --git a/docs/about/04_coherence_spec.adoc b/docs/about/04_coherence_spec.adoc
index c6400243..e4e51a37 100644
--- a/docs/about/04_coherence_spec.adoc
+++ b/docs/about/04_coherence_spec.adoc
@@ -275,6 +275,8 @@ CoherenceWKASpec configures Coherence well-known-addressing to use an existing C
 m| deployment | The name of the existing Coherence deployment to use for WKA. m| string | true
 m| namespace | The optional namespace of the existing Coherence deployment to use for WKA if different from this deployment's namespace. m| string | false
 m| addresses | A list of addresses to be used for WKA. If this field is set, the WKA property for the Coherence cluster will be set using this value and the other WKA fields will be ignored. m| []string | false
+m| labels | Labels is a map of optional additional labels to apply to the WKA Service. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ m| map[string]string | false
+m| annotations | Annotations is a map of optional additional labels to apply to the WKA Service. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ m| map[string]string | false
 |===
 
 <<Table of Contents,Back to TOC>>
diff --git a/docs/coherence/070_wka.adoc b/docs/coherence/070_wka.adoc
index b9efdd8e..f17e6371 100644
--- a/docs/coherence/070_wka.adoc
+++ b/docs/coherence/070_wka.adoc
@@ -133,6 +133,46 @@ would time-out causing K8s to restart them but this would not be a desirable way
 The start-up order can be controlled by configuring the deployment's `startQuorum` list, as described in the documentation
 section on <<docs/ordering/010_overview.adoc,deployment start-up ordering>>.
 
+== WKA Service Labels and Annotations
+
+The Coherence Operator creates the Kubernetes Service to be used for WKA and correctly configures its ports and selectors.
+To add additional labels or annotations to this service, they can be specified in the `spec.coherence.wka.labels` and
+`spec.coherence.wka.annotations` fields in the yaml.
+
+For example, to add the label `one: "value-one"` to the `spec.coherence.wka.labels` field can be set as shown below:
+
+[source,yaml]
+.test-cluster.yaml
+----
+apiVersion: coherence.oracle.com/v1
+kind: Coherence
+metadata:
+  name: test-cluster
+spec:
+  cluster: `my-cluster`
+  coherence:
+    wka:
+      labels:
+        one: "value-one"
+----
+
+For example, to add the annotation `one: "value-one"` to the `spec.coherence.wka.annotations` field can be set as shown below:
+
+[source,yaml]
+.test-cluster.yaml
+----
+apiVersion: coherence.oracle.com/v1
+kind: Coherence
+metadata:
+  name: test-cluster
+spec:
+  cluster: `my-cluster`
+  coherence:
+    wka:
+      annotations:
+        one: "value-one"
+----
+
 
 == Multi-Namespace Clusters
 
diff --git a/docs/other/041_global_labels.adoc b/docs/other/041_global_labels.adoc
index dbc7eb1c..01edf7aa 100644
--- a/docs/other/041_global_labels.adoc
+++ b/docs/other/041_global_labels.adoc
@@ -20,7 +20,7 @@ Operator, including all Coherence clusters and related resources
 
 == Specify Global Labels for a Coherence Resource
 
-The `Coherence` CRD contains a `global` field that allows global labels and annotations to be specified.
+The `Coherence` CRD contains a `global` field that allows global labels to be specified.
 
 [source,yaml]
 ----
@@ -66,7 +66,55 @@ the `Coherence` deployment except for the Pods. The Operator uses the `spec.labe
 so in this case the Pod labels will be `one=pod-label-one` from the `spec.labels` field and `two=labl-two` from the global
 labels.
 
-== Specify Global Labels when Installing the Operator
+== Specify Global Annotations for a Coherence Resource
+
+The `Coherence` CRD contains a `global` field that allows global annotations to be specified.
+
+[source,yaml]
+----
+apiVersion: coherence.oracle.com/v1
+kind: Coherence
+metadata:
+  name: storage
+spec:
+  replicas: 3
+  global:
+    annotations:
+      one: "annotation-one"
+      two: "annotation-two"
+----
+
+If the yaml above is applied to Kubernetes, then every resource the Operator creates for the `storage` Coherence
+deployment, it will add the two annotations, `one=annotation-one` and `two=annotation-two`. This includes the `StatefulSet`,
+the `Pods`, any `Service` such as the stateful set service, the WKA service, etc.
+
+If any of the annotations in the `global` section are also in the Pod annotations section or for the Services for exposed ports,
+those annotations will take precedence.
+
+For example
+
+[source,yaml]
+----
+apiVersion: coherence.oracle.com/v1
+kind: Coherence
+metadata:
+  name: storage
+spec:
+  replicas: 3
+  annotations:
+    one: "pod-annotation-one"
+  global:
+    annotations:
+      one: "annotation-one"
+      two: "annotation-one"
+----
+
+In the yaml above, the global annotation `one=annotation-one` and `two=labl-two` will be applied to every resource created for
+the `Coherence` deployment except for the Pods. The Operator uses the `spec.annotations` field to define Pods specific annotations,
+so in this case the Pod annotations will be `one=pod-annotation-one` from the `spec.annotations` field and `two=labl-two` from the global
+annotations.
+
+== Specify Global Labels and Annotations when Installing the Operator
 
 The Operator `runner` binary has various command line flags that can be specified on its command line.
 Two of these flags when starting the Operator are:
diff --git a/helm-charts/coherence-operator/templates/deployment.yaml b/helm-charts/coherence-operator/templates/deployment.yaml
index e6e4315d..f15377d7 100644
--- a/helm-charts/coherence-operator/templates/deployment.yaml
+++ b/helm-charts/coherence-operator/templates/deployment.yaml
@@ -148,6 +148,9 @@ spec:
         args:
         - operator
         - --enable-leader-election
+{{- if and (eq .Values.clusterRoles false) (eq .Values.nodeRoles false) }}
+        - --node-lookup-enabled=false
+{{- end }}
 {{- if (eq .Values.clusterRoles false) }}
         - --enable-webhook=false
         - --install-crd=false
@@ -155,6 +158,7 @@ spec:
 {{- if (eq .Values.webhooks false) }}
         - --enable-webhook=false
 {{- end }}
+{{- end }}
 {{- if (eq .Values.allowCoherenceJobs false) }}
         - --install-job-crd=false
 {{- end }}
@@ -162,7 +166,6 @@ spec:
 {{- range $k, $v := .Values.globalLabels }}
         - --global-label={{ $k }}={{ $v }}
 {{- end }}
-{{- end }}
 {{- if (.Values.globalAnnotations) }}
 {{- range $k, $v := .Values.globalAnnotations }}
         - --global-annotation={{ $k }}={{ $v }}
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
index f454e7dd..ff526b91 100644
--- a/pkg/operator/operator.go
+++ b/pkg/operator/operator.go
@@ -64,6 +64,7 @@ const (
 	FlagMetricsAddress        = "metrics-addr"
 	FlagMutatingWebhookName   = "mutating-webhook-name"
 	FlagOperatorNamespace     = "operator-namespace"
+	FlagNodeLookupEnabled     = "node-lookup-enabled"
 	FlagRackLabel             = "rack-label"
 	FlagRestHost              = "rest-host"
 	FlagRestPort              = "rest-port"
@@ -182,6 +183,11 @@ func SetupFlags(cmd *cobra.Command, v *viper.Viper) {
 		DefaultMutatingWebhookName,
 		"Name of the Kubernetes ValidatingWebhookConfiguration resource. Only used when enable-webhook is true.",
 	)
+	cmd.Flags().Bool(
+		FlagNodeLookupEnabled,
+		true,
+		"The Operator is allowed to lookup information about kubernetes nodes",
+	)
 	cmd.Flags().String(
 		FlagOperatorNamespace,
 		"operator-test",
@@ -382,6 +388,10 @@ func GetCACertRotateBefore() time.Duration {
 	return GetViper().GetDuration(FlagCACertRotateBefore)
 }
 
+func IsNodeLookupEnabled() bool {
+	return GetViper().GetBool(FlagNodeLookupEnabled)
+}
+
 func GetWebhookServiceDNSNames() []string {
 	var dns []string
 	s := GetViper().GetString(FlagWebhookService)
diff --git a/pkg/rest/rest.go b/pkg/rest/rest.go
index 128e3cda..199196d4 100644
--- a/pkg/rest/rest.go
+++ b/pkg/rest/rest.go
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2023, Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2024, Oracle and/or its affiliates.
  * Licensed under the Universal Permissive License v 1.0 as shown at
  * http://oss.oracle.com/licenses/upl.
  */
@@ -213,6 +213,7 @@ func (s server) getLabelForNode(labels, prefixLabels []string, w http.ResponseWr
 	var value string
 	labelUsed := "<None>"
 	var prefixUsed = "<None>"
+	var err error
 
 	path := r.URL.Path
 	// strip off any trailing slash
@@ -223,41 +224,46 @@ func (s server) getLabelForNode(labels, prefixLabels []string, w http.ResponseWr
 	pos := strings.LastIndex(path, "/")
 	name := r.URL.Path[1+pos:]
 
-	node, err := s.client.CoreV1().Nodes().Get(context.TODO(), name, metav1.GetOptions{})
-
-	if err == nil {
-		var ok bool
-
-		queryLabel := r.URL.Query().Get("nodeLabel")
-		if queryLabel == "" {
-			prefixValue := ""
-			for _, label := range prefixLabels {
-				if prefix, ok := node.Labels[label]; ok && prefix != "" {
-					labelUsed = label
-					prefixValue = prefix + "-"
-					break
+	if operator.IsNodeLookupEnabled() {
+		node, err := s.client.CoreV1().Nodes().Get(context.TODO(), name, metav1.GetOptions{})
+
+		if err == nil {
+			var ok bool
+
+			queryLabel := r.URL.Query().Get("nodeLabel")
+			if queryLabel == "" {
+				prefixValue := ""
+				for _, label := range prefixLabels {
+					if prefix, ok := node.Labels[label]; ok && prefix != "" {
+						labelUsed = label
+						prefixValue = prefix + "-"
+						break
+					}
 				}
-			}
 
-			for _, label := range labels {
-				if value, ok = node.Labels[label]; ok && value != "" {
-					labelUsed = label
-					value = prefixValue + value
-					break
+				for _, label := range labels {
+					if value, ok = node.Labels[label]; ok && value != "" {
+						labelUsed = label
+						value = prefixValue + value
+						break
+					}
 				}
+			} else {
+				value = node.Labels[queryLabel]
+				labelUsed = queryLabel
 			}
 		} else {
-			value = node.Labels[queryLabel]
-			labelUsed = queryLabel
+			if apierrors.IsNotFound(err) {
+				log.Info("GET query for node labels - NotFound", "node", name, "label", labelUsed, "prefix", prefixUsed, "value", value, "remoteAddress", r.RemoteAddr)
+			} else {
+				log.Error(err, "GET query for node labels - Error", "node", name, "label", labelUsed, "prefix", prefixUsed, "value", value, "remoteAddress", r.RemoteAddr)
+			}
+			value = ""
+			labelUsed = ""
 		}
 	} else {
-		if apierrors.IsNotFound(err) {
-			log.Info("GET query for node labels - NotFound", "node", name, "label", labelUsed, "prefix", prefixUsed, "value", value, "remoteAddress", r.RemoteAddr)
-		} else {
-			log.Error(err, "GET query for node labels - Error", "node", name, "label", labelUsed, "prefix", prefixUsed, "value", value, "remoteAddress", r.RemoteAddr)
-		}
+		log.Info("Node labels lookup disabled", "node", name, "label", labelUsed, "prefix", prefixUsed, "value", value, "remoteAddress", r.RemoteAddr)
 		value = ""
-		labelUsed = ""
 	}
 
 	w.WriteHeader(http.StatusOK)