Fix YAML document separator in operator RBAC #254


Merged: 1 commit, Jul 14, 2025

Conversation

@m1kola (Contributor) commented Jul 11, 2025

Summary

Helm doesn't render the telemetry ClusterRole if the webhook RBAC is not rendered due to one of the conditions.

Proof of Work

Testing with the following commands:

  1. Webhook RBAC disabled

    helm template --show-only \
      templates/operator-roles.yaml \
      ./helm_chart \
      --namespace mongodb \
      --set operator.webhook.registerConfiguration=false \
      --set operator.telemetry.enabled=true \
      --set operator.telemetry.installClusterRole=true \
      | yq 'select((.kind == "ClusterRoleBinding" or .kind == "ClusterRole") and (.metadata.name | contains("telemetry")))'
  2. Webhook RBAC enabled

    helm template --show-only \
      templates/operator-roles.yaml \
      ./helm_chart \
      --namespace mongodb \
      --set operator.webhook.registerConfiguration=true \
      --set operator.telemetry.enabled=true \
      --set operator.telemetry.installClusterRole=true \
      | yq 'select((.kind == "ClusterRoleBinding" or .kind == "ClusterRole") and (.metadata.name | contains("telemetry")))'

Before

  1. Webhook RBAC disabled

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # ClusterRoleBinding for clusterVersionDetection
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-cluster-telemetry
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb
  2. Webhook RBAC enabled

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # Additional ClusterRole for clusterVersionDetection
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-cluster-telemetry
    rules:
      # Non-resource URL permissions
      - nonResourceURLs:
          - "/version"
        verbs:
          - get
      # Cluster-scoped resource permissions
      - apiGroups:
          - ''
        resources:
          - namespaces
        resourceNames:
          - kube-system
        verbs:
          - get
      - apiGroups:
          - ''
        resources:
          - nodes
        verbs:
          - list
    ---
    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # ClusterRoleBinding for clusterVersionDetection
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-cluster-telemetry
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb

After

  1. Webhook RBAC disabled

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # Additional ClusterRole for clusterVersionDetection
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-cluster-telemetry
    rules:
      # Non-resource URL permissions
      - nonResourceURLs:
          - "/version"
        verbs:
          - get
      # Cluster-scoped resource permissions
      - apiGroups:
          - ''
        resources:
          - namespaces
        resourceNames:
          - kube-system
        verbs:
          - get
      - apiGroups:
          - ''
        resources:
          - nodes
        verbs:
          - list
    ---
    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # ClusterRoleBinding for clusterVersionDetection
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-cluster-telemetry
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb
  2. Webhook RBAC enabled

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # Additional ClusterRole for clusterVersionDetection
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-cluster-telemetry
    rules:
      # Non-resource URL permissions
      - nonResourceURLs:
          - "/version"
        verbs:
          - get
      # Cluster-scoped resource permissions
      - apiGroups:
          - ''
        resources:
          - namespaces
        resourceNames:
          - kube-system
        verbs:
          - get
      - apiGroups:
          - ''
        resources:
          - nodes
        verbs:
          - list
    ---
    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    # ClusterRoleBinding for clusterVersionDetection
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-cluster-telemetry
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb

Checklist

  • Have you linked a jira ticket and/or is the ticket in the title?
  • Have you checked whether your jira ticket required DOCSP changes?
  • Have you checked for release_note changes?

Reminder (Please remove this when merging)

  • Please try to Approve or Reject Changes the PR, keep PRs in review as short as possible
  • Our Short Guide for PRs: Link
  • Remember the following Communication Standards - use comment prefixes for clarity:
    • blocking: Must be addressed before approval.
    • follow-up: Can be addressed in a later PR or ticket.
    • q: Clarifying question.
    • nit: Non-blocking suggestions.
    • note: Side-note, non-actionable. Example: Praise
    • --> no prefix is considered a question
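The "before" output above shows the failure mode a reviewer of RBAC templates should care about: a ClusterRoleBinding is rendered while the ClusterRole it grants is not, so the manifest applies cleanly and the telemetry permissions are simply absent. A dropped `---` has a second, related symptom: YAML parses two objects with no separator between them as one document. The following is an added example, not code from the PR or from the mongodb-kubernetes chart, of a check that catches both symptoms in rendered `helm template` output. It uses a deliberately minimal, line-based extractor for the few RBAC keys it needs rather than a full YAML parser (so it needs no third-party library), and its sample streams are constructed, modelled on the output quoted above with the object names taken from it; `check_rbac_stream`, `known_cluster_roles` and the sample names are this example's own.

```python
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample, modelled on the PR's "before" output with webhook RBAC disabled:
# the ClusterRoleBinding is rendered but the ClusterRole it refers to is not.
BEFORE_WEBHOOK_DISABLED = """\
# Source: mongodb-kubernetes/templates/operator-roles.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mongodb-kubernetes-operator-cluster-telemetry
subjects:
  - kind: ServiceAccount
    name: mongodb-kubernetes-operator
    namespace: mongodb
"""

# Constructed "after" sample: the ClusterRole is emitted, separated from the binding by '---'.
AFTER_WEBHOOK_DISABLED = """\
---
# Source: mongodb-kubernetes/templates/operator-roles.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-kubernetes-operator-cluster-telemetry
rules:
  - nonResourceURLs:
      - "/version"
    verbs:
      - get
---
""" + BEFORE_WEBHOOK_DISABLED

# Constructed symptom of a dropped separator: the two objects fuse into one YAML document.
MERGED_NO_SEPARATOR = AFTER_WEBHOOK_DISABLED.replace("\n---\n# Source", "\n# Source", 1)

# Matches 'key: value' lines; '- item' list entries and '# comments' do not match.
KEY_RE = re.compile(r"^(\s*)([A-Za-z][A-Za-z0-9]*):\s*(.*?)\s*$")


@dataclass
class RbacObject:
    kind: str = ""
    name: str = ""
    role_ref_kind: str = ""
    role_ref_name: str = ""
    kind_keys: int = 0  # top-level 'kind:' keys seen; more than one means fused documents


def split_documents(stream: str) -> List[str]:
    """Split a rendered manifest stream on '---' lines, dropping comment-only documents."""
    docs: List[List[str]] = [[]]
    for line in stream.splitlines():
        if line.strip() == "---":
            docs.append([])
        else:
            docs[-1].append(line)
    return ["\n".join(d) for d in docs
            if any(l.strip() and not l.lstrip().startswith("#") for l in d)]


def parse_rbac_object(doc: str) -> Optional[RbacObject]:
    """Pull kind, metadata.name and roleRef out of one document by following
    top-level keys by indentation. Minimal on purpose; not a general YAML parser."""
    obj, section = RbacObject(), ""
    for line in doc.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if indent == 0:
            section = key
            if key == "kind":
                obj.kind = obj.kind or value  # keep the first kind, count every one
                obj.kind_keys += 1
        elif section == "metadata" and key == "name":
            obj.name = obj.name or value
        elif section == "roleRef" and key == "kind":
            obj.role_ref_kind = value
        elif section == "roleRef" and key == "name":
            obj.role_ref_name = value
    return obj if obj.kind_keys and obj.name else None


def check_rbac_stream(stream: str, known_cluster_roles: Iterable[str] = ()) -> List[str]:
    """Report fused documents and ClusterRoleBindings whose ClusterRole is absent.
    known_cluster_roles covers roles that exist outside the chart (built-in ones)."""
    findings: List[str] = []
    objects: List[RbacObject] = []
    for index, doc in enumerate(split_documents(stream)):
        parsed = parse_rbac_object(doc)
        if parsed is None:
            continue
        if parsed.kind_keys > 1:
            findings.append(f"document {index}: {parsed.kind_keys} top-level 'kind' keys "
                            "in one document (missing '---' separator?)")
        objects.append(parsed)
    available = set(known_cluster_roles)
    available.update(o.name for o in objects if o.kind == "ClusterRole")
    for o in objects:
        if (o.kind == "ClusterRoleBinding" and o.role_ref_kind == "ClusterRole"
                and o.role_ref_name not in available):
            findings.append(f"ClusterRoleBinding {o.name} references missing "
                            f"ClusterRole {o.role_ref_name}")
    return findings


if __name__ == "__main__":
    # Pipe real output in ('helm template ... | python3 check_rbac.py') or run the samples.
    if not sys.stdin.isatty():
        print("\n".join(check_rbac_stream(sys.stdin.read()) or ["ok: no RBAC findings"]))
    else:
        for label, sample in [("before", BEFORE_WEBHOOK_DISABLED),
                              ("after", AFTER_WEBHOOK_DISABLED),
                              ("merged", MERGED_NO_SEPARATOR)]:
            print(label, check_rbac_stream(sample) or ["ok"])
```

Run against the constructed "before" stream the check reports the binding whose ClusterRole is missing; against the "after" stream it reports nothing; against the fused stream it reports a document with two `kind` keys. In a CI job the same check can run over the full `helm template` output for each values combination the chart supports, which is exactly the matrix the proof-of-work commands above walk by hand. Bindings to roles the chart does not ship (built-in ClusterRoles, or ones installed by another chart) are passed in through `known_cluster_roles` so that only genuinely dangling references are flagged.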

@m1kola m1kola requested a review from a team as a code owner July 11, 2025 16:06
Helm doesn't render telemetry `ClusterRole` if
webhook RBAC is not rendered due to one of the
conditions.
@m1kola force-pushed the fix_yaml_delimiters branch from f491fd2 to c195aea on July 12, 2025 17:40
@m1kola m1kola merged commit e63fe32 into mongodb:master Jul 14, 2025
35 checks passed
@m1kola mentioned this pull request Jul 14, 2025
@m1kola m1kola deleted the fix_yaml_delimiters branch July 14, 2025 08:41