Split operator roles into smaller templates

Author: m1kola

.githooks/pre-commit

@@ -33,7 +33,10 @@ function generate_standalone_yaml() {
   mkdir -p "${charttmpdir}"
 
   FILES=(
-    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles.yaml"
+    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-base.yaml"
+    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml"
+    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-telemetry.yaml"
+    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-webhook.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/database-roles.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/operator-sa.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/operator.yaml"
@@ -57,7 +60,9 @@ function generate_standalone_yaml() {
   # update kustomize files for OLM bundle with files generated for openshift
   cp "${charttmpdir}/mongodb-kubernetes/templates/operator.yaml" config/manager/manager.yaml
   cp "${charttmpdir}/mongodb-kubernetes/templates/database-roles.yaml" config/rbac/database-roles.yaml
-  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles.yaml" config/rbac/operator-roles.yaml
+  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-base.yaml" config/rbac/operator-roles-base.yaml
+  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml" config/rbac/operator-roles-clustermongodbroles.yaml
+  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-telemetry.yaml" config/rbac/operator-roles-telemetry.yaml
 
   # generate multi-cluster public example
   rm -rf "${charttmpdir:?}"/*

config/rbac/kustomization.yaml

@@ -3,7 +3,9 @@ kind: Kustomization
 
 resources:
   - database-roles.yaml
-  - operator-roles.yaml
+  - operator-roles-base.yaml
+  - operator-roles-clustermongodbroles.yaml
+  - operator-roles-telemetry.yaml
 
 # we have to remove service account namespace from RoleBinding as OLM is not overriding it
 patchesJson6902:
@@ -13,4 +15,3 @@ patchesJson6902:
       kind: RoleBinding
       name: mongodb-kubernetes-appdb
     path: database-roles-patch-namespace.yaml
-

config/rbac/operator-roles.yaml renamed to config/rbac/operator-roles-base.yaml

@@ -1,75 +1,5 @@
 ---
-# Source: mongodb-kubernetes/templates/operator-roles.yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
-rules:
-  - apiGroups:
-      - mongodb.com
-    verbs:
-      - '*'
-    resources:
-      - clustermongodbroles
----
-# Source: mongodb-kubernetes/templates/operator-roles.yaml
-# Additional ClusterRole for clusterVersionDetection
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-cluster-telemetry
-rules:
-  # Non-resource URL permissions
-  - nonResourceURLs:
-      - "/version"
-    verbs:
-      - get
-  # Cluster-scoped resource permissions
-  - apiGroups:
-      - ''
-    resources:
-      - namespaces
-    resourceNames:
-      - kube-system
-    verbs:
-      - get
-  - apiGroups:
-      - ''
-    resources:
-      - nodes
-    verbs:
-      - list
----
-# Source: mongodb-kubernetes/templates/operator-roles.yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
-subjects:
-  - kind: ServiceAccount
-    name: mongodb-kubernetes-operator
-    namespace: mongodb
----
-# Source: mongodb-kubernetes/templates/operator-roles.yaml
-# ClusterRoleBinding for clusterVersionDetection
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: mongodb-kubernetes-operator-cluster-telemetry
-subjects:
-  - kind: ServiceAccount
-    name: mongodb-kubernetes-operator
-    namespace: mongodb
----
-# Source: mongodb-kubernetes/templates/operator-roles.yaml
+# Source: mongodb-kubernetes/templates/operator-roles-base.yaml
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -162,7 +92,7 @@ rules:
       - patch
       - update
 ---
-# Source: mongodb-kubernetes/templates/operator-roles.yaml
+# Source: mongodb-kubernetes/templates/operator-roles-base.yaml
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

config/rbac/operator-roles-clustermongodbroles.yaml

@@ -0,0 +1,27 @@
+---
+# Source: mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+rules:
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - clustermongodbroles
+---
+# Source: mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator
+    namespace: mongodb

config/rbac/operator-roles-telemetry.yaml

@@ -0,0 +1,43 @@
+---
+# Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml
+# Additional ClusterRole for clusterVersionDetection
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-cluster-telemetry
+rules:
+  # Non-resource URL permissions
+  - nonResourceURLs:
+      - "/version"
+    verbs:
+      - get
+  # Cluster-scoped resource permissions
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+    resourceNames:
+      - kube-system
+    verbs:
+      - get
+  - apiGroups:
+      - ''
+    resources:
+      - nodes
+    verbs:
+      - list
+---
+# Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml
+# ClusterRoleBinding for clusterVersionDetection
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-kubernetes-operator-cluster-telemetry
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator
+    namespace: mongodb

helm_chart/templates/operator-roles-base.yaml

@@ -0,0 +1,145 @@
+{{ if .Values.operator.createOperatorServiceAccount }}
+{{- $watchNamespace := include "mongodb-kubernetes-operator.namespace" . | list }}
+{{- if .Values.operator.watchNamespace }}
+{{- $watchNamespace = regexSplit "," .Values.operator.watchNamespace -1 }}
+{{- $watchNamespace = concat $watchNamespace (include "mongodb-kubernetes-operator.namespace" . | list) | uniq }}
+{{- end }}
+
+{{- $roleScope := "Role" -}}
+{{- if or (gt (len $watchNamespace) 1) (eq (first $watchNamespace) "*") }}
+{{- $roleScope = "ClusterRole" }}
+{{- end }}
+---
+kind: {{ $roleScope }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.operator.name }}
+{{- if eq $roleScope "Role" }}
+  namespace: {{ include "mongodb-kubernetes-operator.namespace" . }}
+{{- end }}
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+      - configmaps
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - delete
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+      - deletecollection
+  - apiGroups:
+      - mongodbcommunity.mongodb.com
+    resources:
+      - mongodbcommunity
+      - mongodbcommunity/status
+      - mongodbcommunity/spec
+      - mongodbcommunity/finalizers
+    verbs:
+      - '*'
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - mongodb
+      - mongodb/finalizers
+      - mongodbusers
+      - mongodbusers/finalizers
+      - opsmanagers
+      - opsmanagers/finalizers
+      - mongodbmulticluster
+      - mongodbmulticluster/finalizers
+      - mongodbsearch
+      - mongodbsearch/finalizers
+    {{- if .Values.subresourceEnabled }}
+      - mongodb/status
+      - mongodbusers/status
+      - opsmanagers/status
+      - mongodbmulticluster/status
+      - mongodbsearch/status
+    {{- end }}
+{{- if eq $roleScope "ClusterRole" }}
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+    verbs:
+      - list
+      - watch
+{{- end}}
+{{ if .Values.operator.enablePVCResize }}
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - delete
+      - list
+      - watch
+      - patch
+      - update
+{{- end}}
+{{- range $idx, $namespace := $watchNamespace }}
+
+{{- $namespaceBlock := "" }}
+{{- if not (eq $namespace "*") }}
+{{- $namespaceBlock = printf "namespace: %s" $namespace }}
+{{- end }}
+
+---
+{{- if eq $namespace "*" }}
+kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $.Values.operator.name }}
+  {{ $namespaceBlock }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ $roleScope }}
+  name: {{ $.Values.operator.name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $.Values.operator.name }}
+    namespace: {{ include "mongodb-kubernetes-operator.namespace" $ }}
+{{- end }}
+
+{{- end }}

helm_chart/templates/operator-roles-clustermongodbroles.yaml

@@ -0,0 +1,30 @@
+{{ if .Values.operator.createOperatorServiceAccount }}
+{{- if .Values.operator.enableClusterMongoDBRoles }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.operator.name }}-{{ include "mongodb-kubernetes-operator.namespace" . }}-cluster-mongodb-role
+rules:
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - clustermongodbroles
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.operator.name }}-{{ include "mongodb-kubernetes-operator.namespace" . }}-cluster-mongodb-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.operator.name }}-{{ include "mongodb-kubernetes-operator.namespace" . }}-cluster-mongodb-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.operator.name }}
+    namespace: {{ include "mongodb-kubernetes-operator.namespace" . }}
+
+{{- end }}{{/* if .Values.operator.enableClusterMongoDBRoles */}}
+{{- end }}{{/* if .Values.operator.createOperatorServiceAccount */}}