Controller changes

Author: lucian-tosa

api/v1/mdb/mongodb_types.go

@@ -739,7 +739,12 @@ type SharedConnectionSpec struct {
 type Security struct {
 	TLSConfig      *TLSConfig      `json:"tls,omitempty"`
 	Authentication *Authentication `json:"authentication,omitempty"`
-	Roles          []MongoDbRole   `json:"roles,omitempty"`
+
+	// +optional
+	Roles []MongoDBRole `json:"roles,omitempty"`
+
+	// +optional
+	RoleRefs []MongoDBRoleRef `json:"roleRefs,omitempty"`
 
 	// +optional
 	CertificatesSecretsPrefix string `json:"certsSecretPrefix"`
@@ -963,7 +968,16 @@ type InheritedRole struct {
 	Role string `json:"role"`
 }
 
-type MongoDbRole struct {
+type MongoDBRoleRef struct {
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+
+	// +kubebuilder:validation:Enum=ClusterMongoDBRole
+	// +kubebuilder:validation:Required
+	Kind string `json:"kind"`
+}
+
+type MongoDBRole struct {
 	Role                       string                      `json:"role"`
 	AuthenticationRestrictions []AuthenticationRestriction `json:"authenticationRestrictions,omitempty"`
 	Db                         string                      `json:"db"`
@@ -1505,7 +1519,10 @@ func EnsureSecurity(sec *Security) *Security {
 		sec.TLSConfig = &TLSConfig{}
 	}
 	if sec.Roles == nil {
-		sec.Roles = make([]MongoDbRole, 0)
+		sec.Roles = make([]MongoDBRole, 0)
+	}
+	if sec.RoleRefs == nil {
+		sec.RoleRefs = make([]MongoDBRoleRef, 0)
 	}
 	return sec
 }

controllers/om/deployment.go

@@ -638,12 +638,24 @@ func (d Deployment) SetRoles(roles []mdbv1.MongoDBRole) {
 	d["roles"] = roles
 }
 
-func (d Deployment) GetRoles() []mdbv1.MongoDbRole {
-	val, ok := d["roles"].([]mdbv1.MongoDbRole)
-	if !ok {
-		return []mdbv1.MongoDbRole{}
+func (d Deployment) GetRoles() []mdbv1.MongoDBRole {
+	roles := d["roles"]
+	result := make([]mdbv1.MongoDBRole, 0)
+
+	if roles == nil {
+		return result
+	}
+
+	rolesBytes, err := json.Marshal(roles)
+	if err != nil {
+		return nil
 	}
-	return val
+
+	if err := json.Unmarshal(rolesBytes, &result); err != nil {
+		return nil
+	}
+
+	return result
 }
 
 // GetAgentVersion returns the current version of all Agents in the deployment. It's empty until the

controllers/operator/clustermongodbrole_controller.go

@@ -0,0 +1,222 @@
+package operator
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"go.uber.org/zap"
+	"golang.org/x/xerrors"
+	"k8s.io/apimachinery/pkg/fields"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+
+	mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb"
+	mdbmultiv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdbmulti"
+	rolev1 "github.com/mongodb/mongodb-kubernetes/api/v1/role"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/watch"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/workflow"
+	"github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/pkg/kube/annotations"
+	"github.com/mongodb/mongodb-kubernetes/pkg/util"
+	"github.com/mongodb/mongodb-kubernetes/pkg/util/env"
+)
+
+const (
+	ClusterMongoDBRoleIndexForMdb      = "mongodb.spec.security.roleRefs"
+	ClusterMongoDBRoleIndexForMdbMulti = "mdbmulticluster.spec.security.roleRefs"
+)
+
+// ClusterMongoDBRoleReconciler reconciles a ClusterMongoDBRole object
+type ClusterMongoDBRoleReconciler struct {
+	*ReconcileCommonController
+}
+
+// ClusterMongoDBRole Resource
+// +kubebuilder:rbac:groups=mongodb.com,resources={clustermongodbroles,clustermongodbroles/status,clustermongodbroles/finalizers},verbs=*
+
+func (r *ClusterMongoDBRoleReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
+	log := zap.S().With("ClusterMongoDBRole", request.NamespacedName)
+	log.Info("-> ClusterMongoDBRole.Reconcile")
+
+	role, err := r.getRole(ctx, request, log)
+	if err != nil {
+		log.Warnf("error getting custom role %s", err)
+		return reconcile.Result{RequeueAfter: time.Second * util.RetryTimeSec}, nil
+	}
+
+	log.Infow("ClusterMongoDBRole.Spec", "spec", role.Spec)
+
+	if err := role.ProcessValidationsOnReconcile(nil); err != nil {
+		return r.updateStatus(ctx, role, workflow.Invalid("%s", err.Error()), log)
+	}
+
+	if !role.DeletionTimestamp.IsZero() {
+		log.Info("ClusterMongoDBRole is being deleted")
+
+		if controllerutil.ContainsFinalizer(role, util.RoleFinalizer) {
+			return r.Delete(ctx, role, log)
+		}
+	}
+
+	if err := r.ensureFinalizer(ctx, role, log); err != nil {
+		return r.updateStatus(ctx, role, workflow.Failed(xerrors.Errorf("Failed to add finalizer: %w", err)), log)
+	}
+
+	annotationsToAdd, err := getAnnotationsForCustomRoleResource(role)
+	if err != nil {
+		return r.updateStatus(ctx, role, workflow.Failed(err), log)
+	}
+
+	if err := annotations.SetAnnotations(ctx, role, annotationsToAdd, r.client); err != nil {
+		return r.updateStatus(ctx, role, workflow.Failed(err), log)
+	}
+
+	log.Infof("Finished reconciliation for ClusterMongoDBRole!")
+	return r.updateStatus(ctx, role, workflow.OK(), log)
+}
+
+func AddClusterMongoDBRoleController(ctx context.Context, mgr manager.Manager) error {
+	reconciler := newClusterMongoDBRoleReconciler(ctx, mgr.GetClient())
+	c, err := controller.New(util.ClusterMongoDbRoleController, mgr, controller.Options{Reconciler: reconciler, MaxConcurrentReconciles: env.ReadIntOrDefault(util.MaxConcurrentReconcilesEnv, 1)}) // nolint:forbidigo
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to ClusterMongoDBRole resources
+	// We don't need a Delete handler as there is nothing to do after removing the finalizer
+	// To not get into an infinite reconcile loop, we ignore the delete event since the cleanup was already performed
+	err = c.Watch(source.Kind[client.Object](mgr.GetCache(), &rolev1.ClusterMongoDBRole{}, &handler.EnqueueRequestForObject{}, watch.PredicatesForClusterRole()))
+	if err != nil {
+		return err
+	}
+
+	if err = mgr.GetFieldIndexer().IndexField(ctx, &mdbv1.MongoDB{}, ClusterMongoDBRoleIndexForMdb, findRolesForMongoDB); err != nil {
+		return err
+	}
+
+	if err = mgr.GetFieldIndexer().IndexField(ctx, &mdbmultiv1.MongoDBMultiCluster{}, ClusterMongoDBRoleIndexForMdbMulti, findRolesForMongoDBMultiCluster); err != nil {
+		return err
+	}
+
+	zap.S().Infof("Registered controller %s", util.ClusterMongoDbRoleController)
+	return nil
+}
+
+func newClusterMongoDBRoleReconciler(ctx context.Context, kubeClient client.Client) *ClusterMongoDBRoleReconciler {
+	return &ClusterMongoDBRoleReconciler{
+		ReconcileCommonController: NewReconcileCommonController(ctx, kubeClient),
+	}
+}
+
+func (r *ClusterMongoDBRoleReconciler) getRole(ctx context.Context, request reconcile.Request, log *zap.SugaredLogger) (*rolev1.ClusterMongoDBRole, error) {
+	role := &rolev1.ClusterMongoDBRole{}
+	if _, err := r.GetResource(ctx, request, role, log); err != nil {
+		return nil, err
+	}
+
+	return role, nil
+}
+
+func (r *ClusterMongoDBRoleReconciler) Delete(ctx context.Context, role *rolev1.ClusterMongoDBRole, log *zap.SugaredLogger) (reconcile.Result, error) {
+	log.Info("Attempting to remove ClusterMongoDBRole")
+
+	err := r.ensureNoReferences(ctx, role)
+	if err != nil {
+		return r.updateStatus(ctx, role, workflow.Failed(xerrors.Errorf("Failed to remove role: %w", err)), log)
+	}
+
+	if finalizerRemoved := controllerutil.RemoveFinalizer(role, util.RoleFinalizer); !finalizerRemoved {
+		return r.updateStatus(ctx, role, workflow.Failed(xerrors.Errorf("Failed to remove finalizer")), log)
+	}
+
+	if err := r.client.Update(ctx, role); err != nil {
+		return r.updateStatus(ctx, role, workflow.Failed(xerrors.Errorf("Failed to update the role with the removed finalizer: %w", err)), log)
+	}
+
+	log.Info("ClusterMongoDBRole has been removed!")
+	return r.updateStatus(ctx, role, workflow.OK(), log)
+}
+
+func (r *ClusterMongoDBRoleReconciler) ensureFinalizer(ctx context.Context, role *rolev1.ClusterMongoDBRole, log *zap.SugaredLogger) error {
+	log.Info("Adding finalizer to the ClusterMongoDBRole resource")
+
+	if finalizerAdded := controllerutil.AddFinalizer(role, util.RoleFinalizer); finalizerAdded {
+		if err := r.client.Update(ctx, role); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (r *ClusterMongoDBRoleReconciler) ensureNoReferences(ctx context.Context, role *rolev1.ClusterMongoDBRole) error {
+	mdbList := &mdbv1.MongoDBList{}
+	err := r.client.List(ctx, mdbList, &client.ListOptions{
+		FieldSelector: fields.OneTermEqualSelector(ClusterMongoDBRoleIndexForMdb, role.Name),
+	})
+	if err != nil {
+		return err
+	}
+
+	multiList := &mdbmultiv1.MongoDBMultiClusterList{}
+	err = r.client.List(ctx, multiList, &client.ListOptions{
+		FieldSelector: fields.OneTermEqualSelector(ClusterMongoDBRoleIndexForMdbMulti, role.Name),
+	})
+	if err != nil {
+		return err
+	}
+
+	if len(mdbList.Items) > 0 || len(multiList.Items) > 0 {
+		resources := make([]string, 0)
+		for _, mdb := range mdbList.Items {
+			resources = append(resources, fmt.Sprintf("%s/%s", mdb.Namespace, mdb.Name))
+		}
+		for _, mdbmc := range multiList.Items {
+			resources = append(resources, fmt.Sprintf("%s/%s", mdbmc.Namespace, mdbmc.Name))
+		}
+		return xerrors.Errorf("These resources are still referencing this role: %s", strings.Join(resources, ", "))
+	}
+
+	return nil
+}
+
+func getAnnotationsForCustomRoleResource(role *rolev1.ClusterMongoDBRole) (map[string]string, error) {
+	finalAnnotations := make(map[string]string)
+	specBytes, err := json.Marshal(role.Spec)
+	if err != nil {
+		return nil, err
+	}
+	finalAnnotations[util.LastAchievedSpec] = string(specBytes)
+	return finalAnnotations, nil
+}
+
+func findRolesForMongoDB(rawObj client.Object) []string {
+	mdb := rawObj.(*mdbv1.MongoDB)
+	roles := make([]string, 0)
+	for _, roleRef := range mdb.Spec.Security.RoleRefs {
+		if roleRef.Kind == util.ClusterMongoDBRoleKind {
+			roles = append(roles, roleRef.Name)
+		}
+	}
+	return roles
+}
+
+func findRolesForMongoDBMultiCluster(rawObj client.Object) []string {
+	mdb := rawObj.(*mdbmultiv1.MongoDBMultiCluster)
+	roles := make([]string, 0)
+	for _, roleRef := range mdb.Spec.Security.RoleRefs {
+		if roleRef.Kind == util.ClusterMongoDBRoleKind {
+			roles = append(roles, roleRef.Name)
+		}
+	}
+	return roles
+}

controllers/operator/common_controller.go

@@ -23,6 +23,7 @@ import (
 
 	v1 "github.com/mongodb/mongodb-kubernetes/api/v1"
 	mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb"
+	rolev1 "github.com/mongodb/mongodb-kubernetes/api/v1/role"
 	"github.com/mongodb/mongodb-kubernetes/api/v1/status"
 	"github.com/mongodb/mongodb-kubernetes/controllers/om"
 	"github.com/mongodb/mongodb-kubernetes/controllers/om/backup"
@@ -97,7 +98,22 @@ func NewReconcileCommonController(ctx context.Context, client client.Client) *Re
 	}
 }
 
-func ensureRoles(roles []mdbv1.MongoDbRole, conn om.Connection, log *zap.SugaredLogger) workflow.Status {
+func (r *ReconcileCommonController) ensureRoles(ctx context.Context, localRoles []mdbv1.MongoDBRole, roleRefs []mdbv1.MongoDBRoleRef, conn om.Connection, mongodbResourceNsName types.NamespacedName, log *zap.SugaredLogger) workflow.Status {
+	if len(localRoles) > 0 && len(roleRefs) > 0 {
+		return workflow.Failed(xerrors.Errorf("At most one one of roles or roleRefs can be non-empty."))
+	}
+
+	var roles []mdbv1.MongoDBRole
+	if len(roleRefs) > 0 {
+		var err error
+		roles, err = r.getRoleRefs(ctx, roleRefs, mongodbResourceNsName)
+		if err != nil {
+			return workflow.Failed(err)
+		}
+	} else {
+		roles = localRoles
+	}
+
 	d, err := conn.ReadDeployment()
 	if err != nil {
 		return workflow.Failed(err)
@@ -127,6 +143,34 @@ func ensureRoles(roles []mdbv1.MongoDbRole, conn om.Connection, log *zap.Sugared
 	return workflow.OK()
 }
 
+func (r *ReconcileCommonController) getRoleRefs(ctx context.Context, roleRefs []mdbv1.MongoDBRoleRef, mongodbResourceNsName types.NamespacedName) ([]mdbv1.MongoDBRole, error) {
+	roles := make([]mdbv1.MongoDBRole, len(roleRefs))
+
+	for idx, ref := range roleRefs {
+		var role mdbv1.MongoDBRole
+		switch ref.Kind {
+
+		case util.ClusterMongoDBRoleKind:
+			r.resourceWatcher.AddWatchedResourceIfNotAdded(ref.Name, "", watch.ClusterMongoDBRole, mongodbResourceNsName)
+
+			customRole := &rolev1.ClusterMongoDBRole{}
+			err := r.client.Get(ctx, types.NamespacedName{Name: ref.Name}, customRole)
+			if err != nil {
+				return nil, xerrors.Errorf("Failed to retrieve ClusterMongoDBRole '%s': %w", ref.Name, err)
+			}
+
+			role = customRole.Spec.MongoDBRole
+
+		default:
+			return nil, xerrors.Errorf("Invalid value %s for roleRef.kind. It must be %s.", ref.Kind, util.ClusterMongoDBRoleKind)
+		}
+
+		roles[idx] = role
+	}
+
+	return roles, nil
+}
+
 // updateStatus updates the status for the CR using patch operation. Note, that the resource status is mutated and
 // it's important to pass resource by pointer to all methods which invoke current 'updateStatus'.
 func (r *ReconcileCommonController) updateStatus(ctx context.Context, reconciledResource v1.CustomResourceReadWriter, st workflow.Status, log *zap.SugaredLogger, statusOptions ...status.Option) (reconcile.Result, error) {

controllers/operator/mongodbmultireplicaset_controller.go

@@ -33,6 +33,7 @@ import (
 	"github.com/mongodb/mongodb-kubernetes/api/v1/mdb"
 	mdbmultiv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdbmulti"
 	omv1 "github.com/mongodb/mongodb-kubernetes/api/v1/om"
+	rolev1 "github.com/mongodb/mongodb-kubernetes/api/v1/role"
 	mdbstatus "github.com/mongodb/mongodb-kubernetes/api/v1/status"
 	"github.com/mongodb/mongodb-kubernetes/controllers/om"
 	"github.com/mongodb/mongodb-kubernetes/controllers/om/host"
@@ -360,7 +361,7 @@ func (r *ReconcileMongoDbMultiReplicaSet) reconcileMemberResources(ctx context.C
 		}
 	}
 	// Ensure custom roles are created in OM
-	if status := ensureRoles(mrs.GetSecurity().Roles, conn, log); !status.IsOK() {
+	if status := r.ensureRoles(ctx, mrs.GetSecurity().Roles, mrs.GetSecurity().RoleRefs, conn, kube.ObjectKeyFromApiObject(mrs), log); !status.IsOK() {
 		return status
 	}
 
@@ -1113,6 +1114,12 @@ func AddMultiReplicaSetController(ctx context.Context, mgr manager.Manager, imag
 		return err
 	}
 
+	err = c.Watch(source.Kind[client.Object](mgr.GetCache(), &rolev1.ClusterMongoDBRole{},
+		&watch.ResourcesHandler{ResourceType: watch.ClusterMongoDBRole, ResourceWatcher: reconciler.resourceWatcher}))
+	if err != nil {
+		return err
+	}
+
 	// register watcher across member clusters
 	for k, v := range memberClustersMap {
 		err := c.Watch(source.Kind[client.Object](v.GetCache(), &appsv1.StatefulSet{}, &khandler.EnqueueRequestForOwnerMultiCluster{}, watch.PredicatesForMultiStatefulSet()))