Fix YAML document separator in operator RBAC #255

Merged
merged 1 commit into from
Jul 14, 2025

m1kola
Contributor

@m1kola m1kola commented Jul 14, 2025

Summary

Helm doesn't render webhook ClusterRole if clustermongodbroles RBAC is not rendered due to operator.enableClusterMongoDBRoles being set to false.

Proof of Work

Testing with the following commands:

  1. clustermongodbroles RBAC is disabled.

    helm template --show-only \
          templates/operator-roles.yaml \
          ./helm_chart \
          --namespace mongodb \
          --set operator.enableClusterMongoDBRoles=false \
          | yq 'select((.kind == "ClusterRoleBinding" or .kind == "ClusterRole") and (.metadata.name | contains("webhook")))'

  2. clustermongodbroles RBAC is enabled.

    helm template --show-only \
          templates/operator-roles.yaml \
          ./helm_chart \
          --namespace mongodb \
          --set operator.enableClusterMongoDBRoles=true \
          | yq 'select((.kind == "ClusterRoleBinding" or .kind == "ClusterRole") and (.metadata.name | contains("webhook")))'

Before

  1. clustermongodbroles RBAC is disabled.

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-webhook-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-mongodb-webhook
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb

  2. clustermongodbroles RBAC is enabled.

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-webhook
    rules:
      - apiGroups:
          - "admissionregistration.k8s.io"
        resources:
          - validatingwebhookconfigurations
        verbs:
          - get
          - create
          - update
          - delete
      - apiGroups:
          - ""
        resources:
          - services
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
    ---
    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-webhook-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-mongodb-webhook
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb

After

  1. clustermongodbroles RBAC is disabled.

    ---
    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-webhook
    rules:
      - apiGroups:
          - "admissionregistration.k8s.io"
        resources:
          - validatingwebhookconfigurations
        verbs:
          - get
          - create
          - update
          - delete
      - apiGroups:
          - ""
        resources:
          - services
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
    ---
    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-webhook-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-mongodb-webhook
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb

  2. clustermongodbroles RBAC is enabled.

    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-webhook
    rules:
      - apiGroups:
          - "admissionregistration.k8s.io"
        resources:
          - validatingwebhookconfigurations
        verbs:
          - get
          - create
          - update
          - delete
      - apiGroups:
          - ""
        resources:
          - services
        verbs:
          - get
          - list
          - watch
          - create
          - update
          - delete
    ---
    # Source: mongodb-kubernetes/templates/operator-roles.yaml
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-kubernetes-operator-mongodb-webhook-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: mongodb-kubernetes-operator-mongodb-webhook
    subjects:
      - kind: ServiceAccount
        name: mongodb-kubernetes-operator
        namespace: mongodb

Checklist

  • Have you linked a jira ticket and/or is the ticket in the title?
  • Have you checked whether your jira ticket required DOCSP changes?
  • Have you checked for release_note changes?

Reminder (Please remove this when merging)

  • Please try to Approve or Reject Changes the PR, keep PRs in review as short as possible
  • Our Short Guide for PRs: Link
  • Remember the following Communication Standards - use comment prefixes for clarity:
    • blocking: Must be addressed before approval.
    • follow-up: Can be addressed in a later PR or ticket.
    • q: Clarifying question.
    • nit: Non-blocking suggestions.
    • note: Side-note, non-actionable. Example: Praise
    • --> no prefix is considered a question

Helm doesn't render webhook `ClusterRole` if
`clustermongodbroles` RBAC is not rendered due to
`operator.enableClusterMongoDBRoles` being set to `false`.
@m1kola m1kola marked this pull request as ready for review July 14, 2025 08:46
@m1kola m1kola requested a review from a team as a code owner July 14, 2025 08:46
@m1kola m1kola requested review from MaciejKaras and anandsyncs July 14, 2025 08:46
@m1kola m1kola merged commit 7f580ac into mongodb:master Jul 14, 2025
35 checks passed
@m1kola m1kola deleted the fix_yaml_delimiters branch July 14, 2025 10:17
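
A render-time check for the failure shown under "Before", added here as an example and not part of the PR or the project: it reports any ClusterRoleBinding whose roleRef names a ClusterRole that the same rendered stream never defines. The function names, the awk parsing and the sample documents (trimmed from the outputs in the PR description) are assumptions made for illustration; a binding that deliberately references a role installed outside the chart would also be reported.

```shell
# Added example (not from the PR). Lists ClusterRoleBindings in a rendered
# manifest stream whose roleRef names a ClusterRole the stream never defines.
# Assumes block-style YAML with two-space indents, as `helm template` emits.
dangling_bindings() {
  awk '
    function enddoc() {
      if (kind == "ClusterRole") defined[name] = 1
      if (kind == "ClusterRoleBinding" && refkind == "ClusterRole") ref[name] = refname
      kind = name = refkind = refname = section = ""
    }
    /^---[ \t]*$/ { enddoc(); next }     # document separator
    /^#/          { next }               # "# Source:" comments
    /^[A-Za-z]/   { section = $1; sub(/:.*/, "", section) }
    /^kind:/      { kind = $2 }
    section == "metadata" && /^  name:/ { name = $2 }
    section == "roleRef"  && /^  kind:/ { refkind = $2 }
    section == "roleRef"  && /^  name:/ { refname = $2 }
    END {
      enddoc()
      for (b in ref) if (!(ref[b] in defined)) { print b " -> " ref[b]; bad = 1 }
      exit bad + 0                       # non-zero when a binding is dangling
    }'
}

# Constructed samples, trimmed from the outputs shown in the PR description.
sample_role() {
  cat <<'EOF'
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-kubernetes-operator-mongodb-webhook
rules: []
---
EOF
}
sample_binding() {
  cat <<'EOF'
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-kubernetes-operator-mongodb-webhook-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mongodb-kubernetes-operator-mongodb-webhook
EOF
}
```

In CI, the output of each `helm template` command from the PR description can be piped into `dangling_bindings`, once per value of `operator.enableClusterMongoDBRoles`; a non-zero exit marks a binding rendered without its role.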