From be2afb01fceeae3c669537bb5e8ac5b0633aa118 Mon Sep 17 00:00:00 2001 From: Nam Nguyen Date: Mon, 1 Sep 2025 20:46:27 +0200 Subject: [PATCH 1/8] add unit test --- helm_chart/templates/operator-roles-webhook.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/helm_chart/templates/operator-roles-webhook.yaml b/helm_chart/templates/operator-roles-webhook.yaml index 96f6b0e65..befa2f131 100644 --- a/helm_chart/templates/operator-roles-webhook.yaml +++ b/helm_chart/templates/operator-roles-webhook.yaml @@ -1,12 +1,13 @@ {{/* This cluster role and binding is necessary to allow the operator to automatically register ValidatingWebhookConfiguration. */}} {{- if and .Values.operator.webhook.registerConfiguration .Values.operator.webhook.installClusterRole }} -{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "mongodb-kubernetes-operator-mongodb-webhook") }} +{{- $webhookClusterRoleName := printf "%s-%s-webhook" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} +{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" $webhookClusterRoleName) }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{.Values.operator.baseName}}-operator-mongodb-webhook + name: {{ $webhookClusterRoleName }} rules: - apiGroups: - "admissionregistration.k8s.io" @@ -38,7 +39,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{.Values.operator.baseName}}-operator-mongodb-webhook + name: {{ $webhookClusterRoleName }} subjects: - kind: ServiceAccount name: {{ .Values.operator.name }} From dcc2ec2a3e0ca8f5ced2078f2559fbddc48c9fb1 Mon Sep 17 00:00:00 2001 
From: Nam Nguyen Date: Mon, 1 Sep 2025 20:48:34 +0200 Subject: [PATCH 2/8] add unit test --- .evergreen-functions.yml | 10 ++++ .evergreen.yml | 6 +++ Makefile | 13 +++++- .../tests/webhook_clusterrole_test.yaml | 46 +++++++++++++++++++ 4 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 helm_chart/tests/webhook_clusterrole_test.yaml diff --git a/.evergreen-functions.yml b/.evergreen-functions.yml index 5c7636210..9e5178213 100644 --- a/.evergreen-functions.yml +++ b/.evergreen-functions.yml @@ -725,6 +725,16 @@ functions: make test-race - command: gotest.parse_files params: + + test_helm_unit: + - command: shell.exec + type: test + params: + shell: bash + working_dir: src/github.com/mongodb/mongodb-kubernetes + script: | + source .generated/context.export.env + make helm-tests files: [ "src/github.com/mongodb/mongodb-kubernetes/*.suite", "src/github.com/mongodb/mongodb-kubernetes/docker/mongodb-kubernetes-init-ops-manager/mmsconfiguration/*.suite" ] test_python_unit: diff --git a/.evergreen.yml b/.evergreen.yml index b1ab8a9bf..a5596eb2d 100644 --- a/.evergreen.yml +++ b/.evergreen.yml @@ -275,6 +275,11 @@ tasks: commands: - func: "test_python_unit" + - name: unit_tests_helm + tags: [ "unit_tests" ] + commands: + - func: "test_helm_unit" + - name: sbom_tests tags: [ "unit_tests" ] # The SBOM tests run only on commit builds. Running this on patches might cause false-positive failures @@ -665,6 +670,7 @@ task_groups: - lint_repo - unit_tests_golang - unit_tests_python + - unit_tests_helm - sbom_tests - name: gke_code_snippets_task_group diff --git a/Makefile b/Makefile index 3f93a611e..cecfd6c5a 100644 --- a/Makefile +++ b/Makefile 
@@ -300,8 +300,17 @@ test-race: generate fmt vet manifests golang-tests-race test: generate fmt vet manifests golang-tests -# all-tests will run golang and python tests without race (used locally) -all-tests: test python-tests +# helm-tests will run helm chart unit tests +helm-tests: ## Run helm chart unit tests + @echo "Running helm chart unit tests..." + @if ! helm plugin list | grep -q unittest; then \ + echo "Installing helm-unittest plugin..."; \ + helm plugin install https://github.com/helm-unittest/helm-unittest; \ + fi + helm unittest helm_chart --color + +# all-tests will run golang, python, and helm tests without race (used locally) +all-tests: test python-tests helm-tests # Build manager binary manager: generate fmt vet diff --git a/helm_chart/tests/webhook_clusterrole_test.yaml b/helm_chart/tests/webhook_clusterrole_test.yaml new file mode 100644 index 000000000..b95e5298c --- /dev/null +++ b/helm_chart/tests/webhook_clusterrole_test.yaml 
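Review bot: The on-demand `helm plugin install https://github.com/helm-unittest/helm-unittest` in `helm-tests` has no `--version`, so each fresh CI host or developer machine pulls whatever the upstream repository currently serves and runs it. The `test_helm_unit` function added in the same patch calls this target right after `source .generated/context.export.env`, so that code presumably executes with the CI context exported in its environment. I would pin the plugin, `helm plugin install https://github.com/helm-unittest/helm-unittest --version <PINNED_VERSION>; \`, or pre-install it in the CI image and have the target fail when it is missing. The `grep -q unittest` check is also loose, since it matches any plugin line containing that substring; `grep -qw unittest` would be tighter.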
@@ -0,0 +1,46 @@ +suite: test webhook consistent clusterrole and binding namecomm +templates: + - operator-roles-webhook.yaml +tests: + - it: should have consistent ClusterRole and ClusterRoleBinding names + set: + operator.webhook.registerConfiguration: true + operator.webhook.installClusterRole: true + asserts: + - hasDocuments: + count: 2 + - isKind: + of: ClusterRole + documentIndex: 0 + - isKind: + of: ClusterRoleBinding + documentIndex: 1 + # The key fix: both should use the same dynamic name + - equal: + path: metadata.name + value: mongodb-kubernetes-operator-NAMESPACE-webhook + documentIndex: 0 + - equal: + path: roleRef.name + value: mongodb-kubernetes-operator-NAMESPACE-webhook + documentIndex: 1 + + # Test that different installations get unique names (prevents conflicts) + - it: should create unique names per installation + set: + operator.name: my-operator + operator.namespace: custom-ns + operator.webhook.registerConfiguration: true + operator.webhook.installClusterRole: true + release: + namespace: custom-ns + asserts: + # Verify the naming pattern: {operator.name}-{namespace}-webhook + - equal: + path: metadata.name + value: my-operator-custom-ns-webhook + documentIndex: 0 + - equal: + path: roleRef.name + value: my-operator-custom-ns-webhook + documentIndex: 1 From c51782a2ea93050c6411c95310811b4e68d8627d Mon Sep 17 00:00:00 2001 From: Nam Nguyen Date: Mon, 1 Sep 2025 20:54:19 +0200 Subject: [PATCH 3/8] add unit test --- .evergreen-functions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.evergreen-functions.yml b/.evergreen-functions.yml index 9e5178213..f5eb2094e 100644 --- a/.evergreen-functions.yml +++ b/.evergreen-functions.yml 
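Review bot: Neither test covers the gate or the binding's subject: no case asserts that nothing is rendered when `operator.webhook.installClusterRole` is false, and nothing checks `subjects` on the ClusterRoleBinding. These objects grant cluster-scoped rights on `admissionregistration.k8s.io`, so I would add the negative case below and, in the second test, an `equal` on `path: subjects[0].name` with `value: my-operator` for `documentIndex: 1`. The second test also lacks the `hasDocuments`/`isKind` assertions the first one has. The expected value `mongodb-kubernetes-operator-NAMESPACE-webhook` appears to rely on helm-unittest's default release namespace; a comment such as `# NAMESPACE is helm-unittest's default release namespace` above it would make that explicit.

```yaml
  # … unchanged: the two existing naming tests …
  - it: should render nothing when the cluster role is not installed
    set:
      operator.webhook.registerConfiguration: true
      operator.webhook.installClusterRole: false
    asserts:
      - hasDocuments:
          count: 0
```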
@@ -725,6 +725,7 @@ functions: make test-race - command: gotest.parse_files params: + files: [ "src/github.com/mongodb/mongodb-kubernetes/*.suite", "src/github.com/mongodb/mongodb-kubernetes/docker/mongodb-kubernetes-init-ops-manager/mmsconfiguration/*.suite" ] test_helm_unit: - command: shell.exec @@ -735,7 +736,6 @@ functions: script: | source .generated/context.export.env make helm-tests - files: [ "src/github.com/mongodb/mongodb-kubernetes/*.suite", "src/github.com/mongodb/mongodb-kubernetes/docker/mongodb-kubernetes-init-ops-manager/mmsconfiguration/*.suite" ] test_python_unit: - command: shell.exec From b13fdd0776c5ba31d0198facd94a5e3bcac103ac Mon Sep 17 00:00:00 2001 From: Nam Nguyen Date: Tue, 2 Sep 2025 11:44:18 +0200 Subject: [PATCH 4/8] add explicit cr and crb --- .../templates/operator-roles-webhook.yaml | 5 +++-- .../tests/webhook_clusterrole_test.yaml | 20 ++++++++++++------- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/helm_chart/templates/operator-roles-webhook.yaml b/helm_chart/templates/operator-roles-webhook.yaml index befa2f131..3bd95ffd1 100644 --- a/helm_chart/templates/operator-roles-webhook.yaml +++ b/helm_chart/templates/operator-roles-webhook.yaml @@ -1,7 +1,8 @@ {{/* This cluster role and binding is necessary to allow the operator to automatically register ValidatingWebhookConfiguration. */}} {{- if and .Values.operator.webhook.registerConfiguration .Values.operator.webhook.installClusterRole }} -{{- $webhookClusterRoleName := printf "%s-%s-webhook" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} +{{- $webhookClusterRoleName := printf "%s-%s-webhook-cr" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} +{{- $webhookClusterRoleBindingName := printf "%s-%s-webhook-crb" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} {{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" $webhookClusterRoleName) }} --- kind: ClusterRole 
@@ -35,7 +36,7 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ .Values.operator.name }}-{{ include "mongodb-kubernetes-operator.namespace" . }}-webhook-binding + name: {{ $webhookClusterRoleBindingName }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/helm_chart/tests/webhook_clusterrole_test.yaml b/helm_chart/tests/webhook_clusterrole_test.yaml index b95e5298c..62b8ce46a 100644 --- a/helm_chart/tests/webhook_clusterrole_test.yaml +++ b/helm_chart/tests/webhook_clusterrole_test.yaml @@ -1,4 +1,4 @@ -suite: test webhook consistent clusterrole and binding namecomm +suite: test webhook consistent clusterrole and binding templates: - operator-roles-webhook.yaml tests: @@ -15,14 +15,17 @@ tests: - isKind: of: ClusterRoleBinding documentIndex: 1 - # The key fix: both should use the same dynamic name - equal: path: metadata.name - value: mongodb-kubernetes-operator-NAMESPACE-webhook + value: mongodb-kubernetes-operator-NAMESPACE-webhook-cr documentIndex: 0 + - equal: + path: metadata.name + value: mongodb-kubernetes-operator-NAMESPACE-webhook-crb + documentIndex: 1 - equal: path: roleRef.name - value: mongodb-kubernetes-operator-NAMESPACE-webhook + value: mongodb-kubernetes-operator-NAMESPACE-webhook-cr documentIndex: 1 # Test that different installations get unique names (prevents conflicts) @@ -35,12 +38,15 @@ tests: release: namespace: custom-ns asserts: - # Verify the naming pattern: {operator.name}-{namespace}-webhook - equal: path: metadata.name - value: my-operator-custom-ns-webhook + value: my-operator-custom-ns-webhook-cr documentIndex: 0 + - equal: + path: metadata.name + value: my-operator-custom-ns-webhook-crb + documentIndex: 1 - equal: path: roleRef.name - value: my-operator-custom-ns-webhook + value: my-operator-custom-ns-webhook-cr documentIndex: 1 From 26431a5e0474209b7e8d633b8f04607a602069bd Mon Sep 17 00:00:00 2001 
From: Nam Nguyen Date: Tue, 2 Sep 2025 11:48:44 +0200 Subject: [PATCH 5/8] add explicit cr and crb --- helm_chart/templates/operator-roles-webhook.yaml | 2 -- public/mongodb-kubernetes-multi-cluster.yaml | 6 +++--- public/mongodb-kubernetes-openshift.yaml | 6 +++--- public/mongodb-kubernetes.yaml | 6 +++--- 4 files changed, 9 insertions(+), 11 deletions(-) diff --git a/helm_chart/templates/operator-roles-webhook.yaml b/helm_chart/templates/operator-roles-webhook.yaml index 3bd95ffd1..1809846a9 100644 --- a/helm_chart/templates/operator-roles-webhook.yaml +++ b/helm_chart/templates/operator-roles-webhook.yaml @@ -3,7 +3,6 @@ {{- if and .Values.operator.webhook.registerConfiguration .Values.operator.webhook.installClusterRole }} {{- $webhookClusterRoleName := printf "%s-%s-webhook-cr" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} {{- $webhookClusterRoleBindingName := printf "%s-%s-webhook-crb" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }} -{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" $webhookClusterRoleName) }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -30,7 +29,6 @@ rules: - create - update - delete -{{- end }} --- kind: ClusterRoleBinding diff --git a/public/mongodb-kubernetes-multi-cluster.yaml b/public/mongodb-kubernetes-multi-cluster.yaml index c28306670..74bf8af0f 100644 --- a/public/mongodb-kubernetes-multi-cluster.yaml +++ b/public/mongodb-kubernetes-multi-cluster.yaml @@ -203,7 +203,7 @@ subjects: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-cr rules: - apiGroups: - "admissionregistration.k8s.io" 
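Review bot: Renaming the ClusterRole in `public/mongodb-kubernetes-multi-cluster.yaml` gives clusters installed from the earlier manifest no path to remove the old `mongodb-kubernetes-operator-mongodb-webhook` object. The same applies to the openshift and plain manifests and to the `-binding` to `-crb` rename in the hunks that follow. If these files are consumed with `kubectl apply`, re-applying does not delete objects that are no longer listed. The stale ClusterRole and ClusterRoleBinding would keep granting the operator service account its webhook-configuration rights, and would also survive a later delete using the new file. I would add an upgrade line to the changelog entry, for example `* After upgrading, delete the previous webhook ClusterRole and ClusterRoleBinding (old names without the -cr/-crb suffix).` The ClusterRole document continues past the end of this hunk.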
@@ -230,11 +230,11 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-binding + name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-crb roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-cr subjects: - kind: ServiceAccount name: mongodb-kubernetes-operator-multi-cluster diff --git a/public/mongodb-kubernetes-openshift.yaml b/public/mongodb-kubernetes-openshift.yaml index 54fa8b396..e557f73c9 100644 --- a/public/mongodb-kubernetes-openshift.yaml +++ b/public/mongodb-kubernetes-openshift.yaml @@ -203,7 +203,7 @@ subjects: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-mongodb-webhook-cr rules: - apiGroups: - "admissionregistration.k8s.io" @@ -230,11 +230,11 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook-binding + name: mongodb-kubernetes-operator-mongodb-webhook-crb roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-mongodb-webhook-cr subjects: - kind: ServiceAccount name: mongodb-kubernetes-operator diff --git a/public/mongodb-kubernetes.yaml b/public/mongodb-kubernetes.yaml index f3c727ad6..73baa2fa9 100644 --- a/public/mongodb-kubernetes.yaml +++ b/public/mongodb-kubernetes.yaml @@ -203,7 +203,7 @@ subjects: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-mongodb-webhook-cr rules: - apiGroups: - "admissionregistration.k8s.io" 
@@ -230,11 +230,11 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: mongodb-kubernetes-operator-mongodb-webhook-binding + name: mongodb-kubernetes-operator-mongodb-webhook-crb roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: mongodb-kubernetes-operator-mongodb-webhook + name: mongodb-kubernetes-operator-mongodb-webhook-cr subjects: - kind: ServiceAccount name: mongodb-kubernetes-operator From 6a322f36320f1b4a3c1190c86c815699f1a7105d Mon Sep 17 00:00:00 2001 From: Nam Nguyen Date: Tue, 2 Sep 2025 17:09:26 +0200 Subject: [PATCH 6/8] remove comment --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index cecfd6c5a..77f866d2b 100644 --- a/Makefile +++ b/Makefile @@ -301,7 +301,7 @@ test-race: generate fmt vet manifests golang-tests-race test: generate fmt vet manifests golang-tests # helm-tests will run helm chart unit tests -helm-tests: ## Run helm chart unit tests +helm-tests: @echo "Running helm chart unit tests..." @if ! helm plugin list | grep -q unittest; then \ echo "Installing helm-unittest plugin..."; \ From 75cdd52faca85d2806b20fe0a2c028fac74f95ab Mon Sep 17 00:00:00 2001 From: Nam Nguyen Date: Tue, 2 Sep 2025 17:13:33 +0200 Subject: [PATCH 7/8] add changelog --- changelog/20250902_fix_helm_chart_webhook_per_namespace.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 changelog/20250902_fix_helm_chart_webhook_per_namespace.md diff --git a/changelog/20250902_fix_helm_chart_webhook_per_namespace.md b/changelog/20250902_fix_helm_chart_webhook_per_namespace.md new file mode 100644 index 000000000..7190842fc --- /dev/null +++ b/changelog/20250902_fix_helm_chart_webhook_per_namespace.md 
@@ -0,0 +1,7 @@ +--- +title: helm chart - webhook per namespace +kind: fix +date: 2025-09-02 +--- + +* Changes webhook ClusterRole and ClusterRoleBinding default names to include the namespace. This ensures that multiple operator installations in different namespaces don't conflict with each other. From 96c2679db2bea35546cffe886bd2253e7b342437 Mon Sep 17 00:00:00 2001 From: Nam Nguyen Date: Tue, 2 Sep 2025 17:25:55 +0200 Subject: [PATCH 8/8] Update changelog/20250902_fix_helm_chart_webhook_per_namespace.md Co-authored-by: Vivek Singh --- changelog/20250902_fix_helm_chart_webhook_per_namespace.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog/20250902_fix_helm_chart_webhook_per_namespace.md b/changelog/20250902_fix_helm_chart_webhook_per_namespace.md index 7190842fc..d47ed1394 100644 --- a/changelog/20250902_fix_helm_chart_webhook_per_namespace.md +++ b/changelog/20250902_fix_helm_chart_webhook_per_namespace.md @@ -4,4 +4,4 @@ kind: fix date: 2025-09-02 --- -* Changes webhook ClusterRole and ClusterRoleBinding default names to include the namespace. This ensures that multiple operator installations in different namespaces don't conflict with each other. +* Changed webhook ClusterRole and ClusterRoleBinding default names to include the namespace. This ensures that multiple operator installations in different namespaces don't conflict with each other.