edgelesssys · davidweisse · Nov 18, 2025
diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go
@@ -111,7 +111,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 	}
 	defer os.Remove(extraFile.Name())
 
-	fileMap, err := extractTargets(paths, extraFile, log)
+	fileMap, coordinatorNamespace, err := extractTargets(paths, extraFile, log)
 	closeErr := extraFile.Close()
 	if err != nil {
 		return fmt.Errorf("extracting targets: %w", err)
@@ -153,7 +153,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("get runtime handler: %w", err)
 	}
 
-	if err := patchTargets(fileMap, flags.imageReplacementsFile, runtimeHandler, flags); err != nil {
+	if err := patchTargets(fileMap, flags.imageReplacementsFile, runtimeHandler, coordinatorNamespace, flags); err != nil {
 		return fmt.Errorf("patch targets: %w", err)
 	}
 	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Patched targets")
@@ -285,6 +285,19 @@ func isCCWorkload(resource any) (ret bool) {
 	return ret
 }
 
+func isCoordinator(resource any) bool {
+	r, ok := resource.(*applyappsv1.StatefulSetApplyConfiguration)
+	if ok &&
+		r.Spec != nil &&
+		r.Spec.Template != nil &&
+		r.Spec.Template.ObjectMetaApplyConfiguration != nil &&
+		r.Spec.Template.Annotations != nil &&
+		r.Spec.Template.Annotations[contrastRoleAnnotationKey] == string(manifest.RoleCoordinator) {
+		return true
+	}
+	return false
+}
+
 func runVerifiers(fileMap map[string][]*unstructured.Unstructured, verifiers []verifier.Verifier) error {
 	var findings error
 	for _, v := range verifiers {
@@ -330,9 +343,10 @@ func findYamlFiles(args []string) ([]string, error) {
 	return paths, nil
 }
 
-func extractTargets(paths []string, configFile io.Writer, logger *slog.Logger) (map[string][]*unstructured.Unstructured, error) {
+func extractTargets(paths []string, configFile io.Writer, logger *slog.Logger) (map[string][]*unstructured.Unstructured, string, error) {
 	var extraResources []*unstructured.Unstructured
 	fileMap := make(map[string][]*unstructured.Unstructured)
+	var coordinatorNamespace string
 
 	for _, path := range paths {
 		data, err := os.ReadFile(path)
@@ -356,24 +370,30 @@ func extractTargets(paths []string, configFile io.Writer, logger *slog.Logger) (
 				logger.Warn("Could not convert resource into ApplyConfiguration", "path", path, "err", err)
 			} else if isCCWorkload(applyConfig) {
 				containsCC = true
+				if isCoordinator(applyConfig) {
+					r, ok := applyConfig.(*applyappsv1.StatefulSetApplyConfiguration)
+					if ok && r.ObjectMetaApplyConfiguration != nil && r.Namespace != nil {
+						coordinatorNamespace = *r.Namespace
+					}
+				}
 			}
 		}
 		if !containsCC {
 			delete(fileMap, path)
 		}
 	}
 	if len(fileMap) == 0 {
-		return nil, fmt.Errorf("no .yml/.yaml files with 'contrast-cc' runtime found")
+		return nil, "", fmt.Errorf("no .yml/.yaml files with 'contrast-cc' runtime found")
 	}
 
 	extraData, err := kuberesource.EncodeUnstructured(extraResources)
 	if err != nil {
-		return nil, fmt.Errorf("encoding configmaps/secrets: %w", err)
+		return nil, "", fmt.Errorf("encoding configmaps/secrets: %w", err)
 	}
 	if _, err := configFile.Write(extraData); err != nil {
-		return nil, fmt.Errorf("writing configmaps/secrets to temp file: %w", err)
+		return nil, "", fmt.Errorf("writing configmaps/secrets to temp file: %w", err)
 	}
-	return fileMap, nil
+	return fileMap, coordinatorNamespace, nil
 }
 
 func generatePolicies(ctx context.Context, flags *generateFlags, fileMap map[string][]*unstructured.Unstructured, extraPath string, logger *slog.Logger) error {
@@ -418,7 +438,7 @@ func generatePolicies(ctx context.Context, flags *generateFlags, fileMap map[str
 	})
 }
 
-func patchTargets(fileMap map[string][]*unstructured.Unstructured, imageReplacementsFile, runtimeHandler string, flags *generateFlags) error {
+func patchTargets(fileMap map[string][]*unstructured.Unstructured, imageReplacementsFile, runtimeHandler, coordinatorNamespace string, flags *generateFlags) error {
 	var replacements map[string]string
 	var err error
 	if imageReplacementsFile != "" {
@@ -445,7 +465,7 @@ func patchTargets(fileMap map[string][]*unstructured.Unstructured, imageReplacem
 			}
 		}
 		if !flags.skipInitializer {
-			if err := injectInitializer(res); err != nil {
+			if err := injectInitializer(res, coordinatorNamespace); err != nil {
 				return nil, fmt.Errorf("injecting Initializer: %w", err)
 			}
 		}
@@ -467,30 +487,22 @@ func patchTargets(fileMap map[string][]*unstructured.Unstructured, imageReplacem
 	})
 }
 
-func injectInitializer(resource any) error {
-	r, ok := resource.(*applyappsv1.StatefulSetApplyConfiguration)
-	if ok &&
-		r.Spec != nil &&
-		r.Spec.Template != nil &&
-		r.Spec.Template.ObjectMetaApplyConfiguration != nil &&
-		r.Spec.Template.Annotations != nil &&
-		r.Spec.Template.Annotations[contrastRoleAnnotationKey] == "coordinator" {
+func injectInitializer(resource any, coordinatorNamespace string) error {
+	if isCoordinator(resource) {
 		return nil
 	}
-	if _, err := kuberesource.AddInitializer(resource, kuberesource.Initializer()); err != nil {
+	if coordinatorNamespace == "" {
+		coordinatorNamespace = "default"
+	}
+	coordinatorHost := fmt.Sprintf("coordinator-ready.%s", coordinatorNamespace)
+	if _, err := kuberesource.AddInitializer(resource, kuberesource.Initializer(coordinatorHost)); err != nil {
 		return err
 	}
 	return nil
 }
 
 func injectServiceMesh(resource any) error {
-	r, ok := resource.(*applyappsv1.StatefulSetApplyConfiguration)
-	if ok &&
-		r.Spec != nil &&
-		r.Spec.Template != nil &&
-		r.Spec.Template.ObjectMetaApplyConfiguration != nil &&
-		r.Spec.Template.Annotations != nil &&
-		r.Spec.Template.Annotations[contrastRoleAnnotationKey] == string(manifest.RoleCoordinator) {
+	if isCoordinator(resource) {
 		return nil
 	}
 	if _, err := kuberesource.AddServiceMesh(resource, kuberesource.ServiceMeshProxy()); err != nil {

diff --git a/cli/cmd/generate_test.go b/cli/cmd/generate_test.go
@@ -16,7 +16,7 @@ func TestStatefulSetInjections(t *testing.T) {
 	resources := []any{statefulSet()}
 
 	t.Run("injectInitializer", func(t *testing.T) {
-		require.NoError(t, injectInitializer(resources))
+		require.NoError(t, injectInitializer(resources, "coordinator-namespace"))
 	})
 
 	t.Run("injectServiceMesh", func(t *testing.T) {

diff --git a/cli/cmd/set.go b/cli/cmd/set.go
@@ -92,7 +92,7 @@ func runSet(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("finding yaml files: %w", err)
 	}
 
-	fileMap, err := extractTargets(paths, io.Discard, log)
+	fileMap, _, err := extractTargets(paths, io.Discard, log)
 	if err != nil {
 		return fmt.Errorf("extracting targets from yaml files: %w", err)
 	}

diff --git a/internal/kuberesource/mutators_test.go b/internal/kuberesource/mutators_test.go
@@ -60,8 +60,9 @@ func TestPatchNamespaces(t *testing.T) {
 }
 
 func TestAddInitializer(t *testing.T) {
-	expectedInitializerContainerName := *Initializer().Name
-	expectedInitializerVolumeMountName := *Initializer().VolumeMounts[0].Name
+	initializer := Initializer("coordinator-ready.default")
+	expectedInitializerContainerName := *initializer.Name
+	expectedInitializerVolumeMountName := *initializer.VolumeMounts[0].Name
 	for _, tc := range []struct {
 		name      string
 		d         *applyappsv1.DeploymentApplyConfiguration
@@ -85,7 +86,7 @@ func TestAddInitializer(t *testing.T) {
 					WithTemplate(applycorev1.PodTemplateSpec().
 						WithSpec(applycorev1.PodSpec().
 							WithContainers(applycorev1.Container()).
-							WithInitContainers(Initializer()).
+							WithInitContainers(initializer).
 							WithRuntimeClassName("contrast-cc"),
 						))),
 			wantError: false,
@@ -99,7 +100,7 @@ func TestAddInitializer(t *testing.T) {
 							WithContainers(applycorev1.Container()).
 							WithRuntimeClassName("contrast-cc").
 							WithVolumes(Volume().
-								WithName(*Initializer().VolumeMounts[0].Name).
+								WithName(*initializer.VolumeMounts[0].Name).
 								WithEmptyDir(EmptyDirVolumeSource().Inner()),
 							),
 						))),
@@ -114,7 +115,7 @@ func TestAddInitializer(t *testing.T) {
 							WithContainers(applycorev1.Container()).
 							WithRuntimeClassName("contrast-cc").
 							WithVolumes(Volume().
-								WithName(*Initializer().VolumeMounts[0].Name).
+								WithName(*initializer.VolumeMounts[0].Name).
 								WithConfigMap(Volume().ConfigMap),
 							),
 						))),
@@ -232,7 +233,7 @@ func TestAddInitializer(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			require := require.New(t)
 
-			_, err := AddInitializer(tc.d, Initializer())
+			_, err := AddInitializer(tc.d, initializer)
 			if tc.wantError {
 				require.Error(err)
 				return

diff --git a/internal/kuberesource/parts.go b/internal/kuberesource/parts.go
@@ -421,14 +421,14 @@ func PortForwarderForService(svc *applycorev1.ServiceApplyConfiguration) (*apply
 }
 
 // Initializer creates a new InitializerConfig.
-func Initializer() *applycorev1.ContainerApplyConfiguration {
+func Initializer(coordinatorHost string) *applycorev1.ContainerApplyConfiguration {
 	return applycorev1.Container().
 		WithName("contrast-initializer").
 		WithImage("ghcr.io/edgelesssys/contrast/initializer:latest").
 		WithResources(ResourceRequirements().
 			WithMemoryRequest(50),
 		).
-		WithEnv(NewEnvVar("COORDINATOR_HOST", "coordinator-ready")).
+		WithEnv(NewEnvVar("COORDINATOR_HOST", coordinatorHost)).
 		WithVolumeMounts(VolumeMount().
 			WithName("contrast-secrets").
 			WithMountPath("/contrast"),