Validations

Author: lucian-tosa

config/rbac/operator-roles.yaml

@@ -1,5 +1,20 @@
 ---
 # Source: mongodb-kubernetes/templates/operator-roles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+rules:
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - clustermongodbroles
+      - clustermongodbroles/finalizers
+      - clustermongodbroles/status
+---
+# Source: mongodb-kubernetes/templates/operator-roles.yaml
 ---
 # Additional ClusterRole for clusterVersionDetection
 kind: ClusterRole
@@ -29,6 +44,20 @@ rules:
       - list
 ---
 # Source: mongodb-kubernetes/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator
+    namespace: mongodb
+---
+# Source: mongodb-kubernetes/templates/operator-roles.yaml
 # ClusterRoleBinding for clusterVersionDetection
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

config/rbac/role.yaml

@@ -41,6 +41,14 @@ rules:
   verbs:
   - get
   - list
+- apiGroups:
+  - mongodb.com
+  resources:
+  - clustermongodbroles
+  - clustermongodbroles/finalizers
+  - clustermongodbroles/status
+  verbs:
+  - '*'
 - apiGroups:
   - mongodbcommunity.mongodb.com
   resources:

helm_chart/templates/operator-roles.yaml

@@ -142,6 +142,36 @@ subjects:
     namespace: {{ include "mongodb-kubernetes-operator.namespace" $ }}
 {{- end }}
 
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.operator.name }}-{{ include "mongodb-kubernetes-operator.namespace" . }}-cluster-mongodb-role
+rules:
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - clustermongodbroles
+      - clustermongodbroles/finalizers
+    {{- if .Values.subresourceEnabled }}
+      - clustermongodbroles/status
+    {{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.operator.name }}-{{ include "mongodb-kubernetes-operator.namespace" . }}-cluster-mongodb-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.operator.name }}-{{ include "mongodb-kubernetes-operator.namespace" . }}-cluster-mongodb-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.operator.name }}
+    namespace: {{ include "mongodb-kubernetes-operator.namespace" . }}
+
 {{- end }}
 ---
 

public/mongodb-kubernetes-multi-cluster.yaml

@@ -2,6 +2,21 @@
 # Source: mongodb-kubernetes/templates/operator-roles.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-multi-cluster-mongodb-cluster-mongodb-role
+rules:
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - clustermongodbroles
+      - clustermongodbroles/finalizers
+      - clustermongodbroles/status
+---
+# Source: mongodb-kubernetes/templates/operator-roles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-kubernetes-operator-mongodb-webhook
 rules:
@@ -57,6 +72,20 @@ rules:
 # Source: mongodb-kubernetes/templates/operator-roles.yaml
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-multi-cluster-mongodb-cluster-mongodb-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-kubernetes-operator-multi-cluster-mongodb-cluster-mongodb-role
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator-multi-cluster
+    namespace: mongodb
+---
+# Source: mongodb-kubernetes/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-binding
 roleRef:
@@ -290,6 +319,7 @@ spec:
             - -watch-resource=mongodbusers
             - -watch-resource=mongodbcommunity
             - -watch-resource=mongodbsearch
+            - -watch-resource=clustermongodbroles
             - -watch-resource=mongodbmulticluster
           command:
             - /usr/local/bin/mongodb-kubernetes-operator

public/mongodb-kubernetes-openshift.yaml

@@ -2,6 +2,21 @@
 # Source: mongodb-kubernetes/templates/operator-roles.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+rules:
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - clustermongodbroles
+      - clustermongodbroles/finalizers
+      - clustermongodbroles/status
+---
+# Source: mongodb-kubernetes/templates/operator-roles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-kubernetes-operator-mongodb-webhook
 rules:
@@ -57,6 +72,20 @@ rules:
 # Source: mongodb-kubernetes/templates/operator-roles.yaml
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator
+    namespace: mongodb
+---
+# Source: mongodb-kubernetes/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-kubernetes-operator-mongodb-webhook-binding
 roleRef:
@@ -287,6 +316,7 @@ spec:
             - -watch-resource=mongodbusers
             - -watch-resource=mongodbcommunity
             - -watch-resource=mongodbsearch
+            - -watch-resource=clustermongodbroles
           command:
             - /usr/local/bin/mongodb-kubernetes-operator
           resources:

public/mongodb-kubernetes.yaml

@@ -2,6 +2,21 @@
 # Source: mongodb-kubernetes/templates/operator-roles.yaml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+rules:
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - clustermongodbroles
+      - clustermongodbroles/finalizers
+      - clustermongodbroles/status
+---
+# Source: mongodb-kubernetes/templates/operator-roles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-kubernetes-operator-mongodb-webhook
 rules:
@@ -57,6 +72,20 @@ rules:
 # Source: mongodb-kubernetes/templates/operator-roles.yaml
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator
+    namespace: mongodb
+---
+# Source: mongodb-kubernetes/templates/operator-roles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-kubernetes-operator-mongodb-webhook-binding
 roleRef:
@@ -290,6 +319,7 @@ spec:
             - -watch-resource=mongodbusers
             - -watch-resource=mongodbcommunity
             - -watch-resource=mongodbsearch
+            - -watch-resource=clustermongodbroles
           command:
             - /usr/local/bin/mongodb-kubernetes-operator
           resources:

public/tools/multicluster/pkg/common/common.go

@@ -319,9 +319,6 @@ func EnsureMultiClusterResources(ctx context.Context, flags Flags, clientMap map
 	}
 
 	centralClusterClient := clientMap[flags.CentralCluster]
-	if err != nil {
-		return xerrors.Errorf("failed to get central cluster clientset: %w", err)
-	}
 
 	if err := createKubeConfigSecret(ctx, centralClusterClient, kubeConfigBytes, flags); err != nil {
 		return xerrors.Errorf("failed creating KubeConfig secret: %w", err)
@@ -524,6 +521,22 @@ func buildClusterRoleTelemetry() rbacv1.ClusterRole {
 	}
 }
 
+func buildClusterRoleMongoDBRole() rbacv1.ClusterRole {
+	return rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:   DefaultOperatorName + "-multi-cluster-role-mongodb-roles",
+			Labels: multiClusterLabels(),
+		},
+		Rules: []rbacv1.PolicyRule{
+			{
+				Verbs:     []string{"*"},
+				Resources: []string{"clustermongodbroles", "clustermongodbroles/finalizers", "clustermongodbroles/status"},
+				APIGroups: []string{"mongodb.com"},
+			},
+		},
+	}
+}
+
 // buildRoleBinding creates the RoleBinding which binds the Role to the given ServiceAccount.
 func buildRoleBinding(role rbacv1.Role, serviceAccount string, serviceAccountNamespace string) rbacv1.RoleBinding {
 	return rbacv1.RoleBinding{
@@ -592,6 +605,23 @@ func createRoles(ctx context.Context, c KubeClient, serviceAccountName, serviceA
 
 	}
 
+	// Create ClusterRole to access the cluster-scoped resource ClusterMongoDBRole
+	clusterRoleForMongoDBRole := buildClusterRoleMongoDBRole()
+	_, err = c.RbacV1().ClusterRoles().Create(ctx, &clusterRoleForMongoDBRole, metav1.CreateOptions{})
+	if err != nil {
+		if errors.IsAlreadyExists(err) {
+			if _, err := c.RbacV1().ClusterRoles().Update(ctx, &clusterRoleForMongoDBRole, metav1.UpdateOptions{}); err != nil {
+				return xerrors.Errorf("error updating role: %w", err)
+			}
+		} else {
+			return xerrors.Errorf("error creating cluster role: %w", err)
+		}
+	}
+
+	if err := createClusterRoleBinding(ctx, c, serviceAccountName, serviceAccountNamespace, DefaultOperatorName+"-cluster-mongodb-role-binding", clusterRoleForMongoDBRole); err != nil {
+		return err
+	}
+
 	if !clusterScoped {
 		var role rbacv1.Role
 		if clusterType == clusterTypeCentral {