diff --git a/.githooks/pre-commit b/.githooks/pre-commit
index 40fe6d772..6319735e2 100755
--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@@ -113,7 +113,7 @@ function regenerate_public_rbac_multi_cluster() {
 if echo "$git_last_changed" | grep -q 'public/tools/multicluster'; then
 echo 'regenerating multicluster RBAC public example'
 pushd public/tools/multicluster
- EXPORT_RBAC_SAMPLES="true" go test -run TestPrintingOutRolesServiceAccountsAndRoleBindings
+ EXPORT_RBAC_SAMPLES="true" go test ./... -run TestPrintingOutRolesServiceAccountsAndRoleBindings
 popd
 git add public/samples/multi-cluster-cli-gitops
 fi
diff --git a/docker/mongodb-kubernetes-tests/tests/conftest.py b/docker/mongodb-kubernetes-tests/tests/conftest.py
index 433588c0a..06721556a 100644
--- a/docker/mongodb-kubernetes-tests/tests/conftest.py
+++ b/docker/mongodb-kubernetes-tests/tests/conftest.py
@@ -261,10 +261,7 @@ def intermediate_issuer(cert_manager: str, issuer: str, namespace: str) -> str:
 This fixture creates an intermediate "Issuer" in the testing namespace
 """
 # Create the Certificate for the intermediate CA based on the issuer fixture
- from kubetester.certs import (
- Certificate,
- Issuer,
- )
+ from kubetester.certs import Certificate, Issuer
 intermediate_ca_cert = Certificate(namespace=namespace, name="intermediate-ca-issuer")
 intermediate_ca_cert["spec"] = {
@@ -1418,10 +1415,7 @@ def create_issuer(
 else:
 raise e
- from kubetester.certs import (
- ClusterIssuer,
- Issuer,
- )
+ from kubetester.certs import ClusterIssuer, Issuer
 # And then creates the Issuer
 if clusterwide:
diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_tls_with_x509.py b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_tls_with_x509.py
index ba106bb92..c0c421b3f 100644
--- a/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_tls_with_x509.py
+++ b/docker/mongodb-kubernetes-tests/tests/multicluster/multi_cluster_tls_with_x509.py
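Review bot: `git add public/samples/multi-cluster-cli-gitops` two lines below the changed `go test` call still runs when the test fails, so a stale or half-written sample gets staged silently; the `assert.NoError` added to the Go test elsewhere in this diff now makes such failures visible, but the hook does not act on them. Unless the script runs under `set -e` (not visible in this hunk), chain the call: `EXPORT_RBAC_SAMPLES="true" go test ./... -run TestPrintingOutRolesServiceAccountsAndRoleBindings || { popd; exit 1; }`. `go test ./...` also applies the `-run` filter to every package under the tool, which is fine while the test name is unique but deserves a one-line comment. The enclosing function regenerate_public_rbac_multi_cluster starts outside the hunk.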
@@ -3,10 +3,7 @@ import kubernetes
 from kubetester.automation_config_tester import AutomationConfigTester
-from kubetester.certs import (
- Certificate,
- create_multi_cluster_x509_user_cert,
-)
+from kubetester.certs import Certificate, create_multi_cluster_x509_user_cert
 from kubetester.certs_mongodb_multi import (
 create_multi_cluster_mongodb_x509_tls_certs,
 create_multi_cluster_x509_agent_certs,
diff --git a/docker/mongodb-kubernetes-tests/tests/multicluster_om/multicluster_om_appdb_no_mesh.py b/docker/mongodb-kubernetes-tests/tests/multicluster_om/multicluster_om_appdb_no_mesh.py
index b8520cb9a..7d6929f37 100644
--- a/docker/mongodb-kubernetes-tests/tests/multicluster_om/multicluster_om_appdb_no_mesh.py
+++ b/docker/mongodb-kubernetes-tests/tests/multicluster_om/multicluster_om_appdb_no_mesh.py
@@ -10,9 +10,7 @@ from kubernetes import client
 from kubetester import create_or_update_configmap, create_or_update_service, try_load
 from kubetester.awss3client import AwsS3Client
-from kubetester.certs import (
- create_ops_manager_tls_certs,
-)
+from kubetester.certs import create_ops_manager_tls_certs
 from kubetester.certs_mongodb_multi import create_multi_cluster_mongodb_tls_certs
 from kubetester.kubetester import KubernetesTester, ensure_ent_version
 from kubetester.kubetester import fixture as _fixture
diff --git a/docker/mongodb-kubernetes-tests/tests/olm/olm_meko_operator_upgrade_with_resources.py b/docker/mongodb-kubernetes-tests/tests/olm/olm_meko_operator_upgrade_with_resources.py
index 29e023b80..6adc8ade5 100644
--- a/docker/mongodb-kubernetes-tests/tests/olm/olm_meko_operator_upgrade_with_resources.py
+++ b/docker/mongodb-kubernetes-tests/tests/olm/olm_meko_operator_upgrade_with_resources.py
@@ -1,11 +1,7 @@
 import kubernetes
 import pytest
 from kubeobject import CustomObject
-from kubetester import (
- create_or_update_secret,
- get_default_storage_class,
- try_load,
-)
+from kubetester import create_or_update_secret, get_default_storage_class, try_load
 from kubetester.awss3client import AwsS3Client
 from kubetester.certs import create_sharded_cluster_certs
 from kubetester.kubetester import ensure_ent_version
diff --git a/docker/mongodb-kubernetes-tests/tests/olm/olm_operator_upgrade_with_resources.py b/docker/mongodb-kubernetes-tests/tests/olm/olm_operator_upgrade_with_resources.py
index 0cacb3804..f0aafacf5 100644
--- a/docker/mongodb-kubernetes-tests/tests/olm/olm_operator_upgrade_with_resources.py
+++ b/docker/mongodb-kubernetes-tests/tests/olm/olm_operator_upgrade_with_resources.py
@@ -1,11 +1,7 @@
 import kubernetes
 import pytest
 from kubeobject import CustomObject
-from kubetester import (
- create_or_update_secret,
- get_default_storage_class,
- try_load,
-)
+from kubetester import create_or_update_secret, get_default_storage_class, try_load
 from kubetester.awss3client import AwsS3Client
 from kubetester.certs import create_sharded_cluster_certs
 from kubetester.kubetester import ensure_ent_version
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_restore_minio.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_restore_minio.py
index 6a8f4d891..66c25eadb 100644
--- a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_restore_minio.py
+++ b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_restore_minio.py
@@ -20,10 +20,7 @@ from pymongo import ReadPreference
 from pytest import fixture, mark
 from tests.common.cert.cert_issuer import create_appdb_certs
-from tests.conftest import (
- assert_data_got_restored,
- is_multi_cluster,
-)
+from tests.conftest import assert_data_got_restored, is_multi_cluster
 from tests.opsmanager.conftest import mino_operator_install, mino_tenant_install
 from tests.opsmanager.om_ops_manager_backup import S3_SECRET_NAME
 from tests.opsmanager.om_ops_manager_backup_tls_custom_ca import (
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_tls.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_tls.py
index 0b2f96c0c..285234f19 100644
--- a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_tls.py
+++ b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_tls.py
@@ -9,10 +9,7 @@ from kubetester.phase import Phase
 from pytest import fixture, mark
 from tests.common.cert.cert_issuer import create_appdb_certs
-from tests.conftest import (
- get_member_cluster_api_client,
- is_multi_cluster,
-)
+from tests.conftest import get_member_cluster_api_client, is_multi_cluster
 from tests.opsmanager.om_ops_manager_backup import (
 BLOCKSTORE_RS_NAME,
 OPLOG_RS_NAME,
diff --git a/public/samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_central_cluster.yaml b/public/samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_central_cluster.yaml
index 2109ded19..0c8d0e4e4 100644
--- a/public/samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_central_cluster.yaml
+++ b/public/samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_central_cluster.yaml
@@ -21,6 +21,18 @@ rules: - mongodb - mongodb/finalizers - mongodb/status + - mongodbsearch + - mongodbsearch/finalizers + - mongodbsearch/status + verbs: + - '*' +- apiGroups: + - mongodbcommunity.mongodb.com + resources: + - mongodbcommunity + - mongodbcommunity/status + - mongodbcommunity/spec + - mongodbcommunity/finalizers verbs: - '*' - apiGroups: @@ -49,6 +61,17 @@ rules: - delete - watch - deletecollection +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - create + - update + - watch + - patch - apiGroups: - "" resources: @@ -57,6 +80,8 @@ rules: - get - list - watch + - delete + - deletecollection - apiGroups: - "" resources: @@ -65,6 +90,34 @@ rules: - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + multi-cluster: "true" + name: mongodb-kubernetes-operator-multi-cluster-role-telemetry +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "" + resourceNames: + - kube-system + resources: + - namespaces + verbs: + - get +- nonResourceURLs: + - /version + verbs: + - get + --- # Central Cluster, cluster-scoped resources apiVersion: rbac.authorization.k8s.io/v1 
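Review bot: `mongodbcommunity/spec` in the new `mongodbcommunity.mongodb.com` rule is not a subresource the API server serves — `spec` is part of the main resource, only `status` (and `scale`, where a CRD declares it) exist as subresources, and `*/finalizers` is the one needed for OwnerReferencesPermissionEnforcement — so the entry is a no-op, presumably carried over from the community operator's role template. Trim the rule to `mongodbcommunity`, `mongodbcommunity/status`, `mongodbcommunity/finalizers` so readers of the sample don't copy a meaningless grant. Because this file is written by the Go test under public/tools/multicluster (also in this diff), the fix belongs in that generator's rule list rather than in the YAML. The wildcard `verbs: '*'` mirrors the existing `mongodb.com` rule, which is consistent but worth a one-line note in the sample header explaining that the central operator owns these CRs outright.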
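Review bot: The `delete` and `deletecollection` verbs added at `@@ -57,6 +80,8` attach to a core-group resource whose name lies above the hunk's context, so the sample does not show what the operator may now delete; `deletecollection` lets one call remove every object of that kind in scope and is rarely something an operator needs for per-object cleanup. The PVC rule added in the hunk just above deliberately stops at `get/list/create/update/watch/patch`, so the pattern here is notably broader. Please confirm the target resource and, if the intent is single-object cleanup, keep `delete` and drop `deletecollection` (in the generator, since the test regenerates this file).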
@@ -80,20 +133,35 @@ roleRef: name: mongodb-kubernetes-operator-multi-cluster-role subjects: - kind: ServiceAccount - name: test-service-account + name: mongodb-kubernetes-operator-multicluster + namespace: central-namespace + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + multi-cluster: "true" + name: mongodb-kubernetes-operator-multi-telemetry-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mongodb-kubernetes-operator-multi-cluster-role-telemetry +subjects: +- kind: ServiceAccount + name: mongodb-kubernetes-operator-multicluster namespace: central-namespace --- # Central Cluster, cluster-scoped resources apiVersion: v1 kind: ServiceAccount -imagePullSecrets: -- name: image-registries-secret metadata: creationTimestamp: null labels: multi-cluster: "true" - name: test-service-account + name: mongodb-kubernetes-operator-multicluster namespace: central-namespace --- diff --git a/public/samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_member_cluster.yaml b/public/samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_member_cluster.yaml index 8ad4aa728..72b5fb801 100644 --- a/public/samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_member_cluster.yaml +++ b/public/samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_member_cluster.yaml @@ -33,6 +33,17 @@ rules: - delete - watch - deletecollection +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - create + - update + - watch + - patch - apiGroups: - "" resources: @@ -41,6 +52,8 @@ rules: - get - list - watch + - delete + - deletecollection - apiGroups: - "" resources: 
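Review bot: The ServiceAccount in the last hunk loses its `imagePullSecrets: - name: image-registries-secret` entry and nothing else in the sample supplies pull credentials; if that was only a test fixture the removal is right, but a user applying this sample against a private registry now ends up in ImagePullBackOff with no pointer. A comment on the ServiceAccount, `# add imagePullSecrets here if the operator image is served from a private registry`, emitted by the generator, would cover it. The rename from `test-service-account` to `mongodb-kubernetes-operator-multicluster` in both bindings and the account is consistent within this file.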
@@ -48,6 +61,52 @@ rules: verbs: - list - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resourceNames: + - kube-system + resources: + - namespaces + verbs: + - get +- nonResourceURLs: + - /version + verbs: + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + multi-cluster: "true" + name: mongodb-kubernetes-operator-multi-cluster-role-telemetry +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "" + resourceNames: + - kube-system + resources: + - namespaces + verbs: + - get +- nonResourceURLs: + - /version + verbs: + - get --- # Member Cluster, cluster-scoped resources @@ -64,28 +123,35 @@ roleRef: name: mongodb-kubernetes-operator-multi-cluster-role subjects: - kind: ServiceAccount - name: test-service-account - namespace: member-namespace + name: mongodb-kubernetes-operator-multicluster + namespace: central-namespace --- -# Member Cluster, cluster-scoped resources -apiVersion: v1 -kind: ServiceAccount +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: creationTimestamp: null labels: multi-cluster: "true" - name: mongodb-enterprise-appdb - namespace: member-namespace + name: mongodb-kubernetes-operator-multi-telemetry-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mongodb-kubernetes-operator-multi-cluster-role-telemetry +subjects: +- kind: ServiceAccount + name: mongodb-kubernetes-operator-multicluster + namespace: central-namespace --- +# Member Cluster, cluster-scoped resources apiVersion: v1 kind: ServiceAccount metadata: creationTimestamp: null labels: multi-cluster: "true" - name: mongodb-enterprise-database-pods + name: mongodb-kubernetes-appdb namespace: member-namespace --- 
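Review bot: On the member cluster the telemetry grants are issued twice — `namespaces get` on `kube-system` and `/version get` (plus `nodes get`) are appended to `mongodb-kubernetes-operator-multi-cluster-role` itself, and then repeated with `nodes list` in the new `...-role-telemetry` ClusterRole bound to the same ServiceAccount, whereas the central-cluster sample in this diff embeds none of them in its main role. The duplication means unbinding the telemetry role does not actually revoke telemetry access, and the two cluster flavours now disagree for no visible reason. Drop the three rules from the main member role so the telemetry ClusterRole is the single place these grants live (in the generator, since the Go test writes this file).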
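Review bot: Both ClusterRoleBindings now name subject `mongodb-kubernetes-operator-multicluster` in `namespace: central-namespace`, yet every ServiceAccount this member-cluster sample defines (`mongodb-kubernetes-appdb`, `-database-pods`, `-ops-manager`) lives in `member-namespace`, and the `test-service-account` in `member-namespace` that the binding used to reference is gone. As far as the hunk shows, applying the sample on a member cluster binds cluster-wide rights to an account the sample never creates; either emit the operator ServiceAccount in `central-namespace` for member clusters as well, or add a comment stating that the central namespace and operator ServiceAccount must exist on each member cluster before this file is applied. The rest of the file sits outside the hunk, so confirm no such account is defined further down.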
@@ -95,19 +161,17 @@ metadata: creationTimestamp: null labels: multi-cluster: "true" - name: mongodb-enterprise-ops-manager + name: mongodb-kubernetes-database-pods namespace: member-namespace --- apiVersion: v1 kind: ServiceAccount -imagePullSecrets: -- name: image-registries-secret metadata: creationTimestamp: null labels: multi-cluster: "true" - name: test-service-account + name: mongodb-kubernetes-ops-manager namespace: member-namespace --- diff --git a/public/samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_central_cluster.yaml b/public/samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_central_cluster.yaml index e6aadfa69..32fb04744 100644 --- a/public/samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_central_cluster.yaml +++ b/public/samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_central_cluster.yaml @@ -22,6 +22,18 @@ rules: - mongodb - mongodb/finalizers - mongodb/status + - mongodbsearch + - mongodbsearch/finalizers + - mongodbsearch/status + verbs: + - '*' +- apiGroups: + - mongodbcommunity.mongodb.com + resources: + - mongodbcommunity + - mongodbcommunity/status + - mongodbcommunity/spec + - mongodbcommunity/finalizers verbs: - '*' - apiGroups: @@ -50,6 +62,17 @@ rules: - delete - watch - deletecollection +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - create + - update + - watch + - patch - apiGroups: - "" resources: @@ -58,6 +81,8 @@ rules: - get - list - watch + - delete + - deletecollection --- # Central Cluster, namespace-scoped resources 
@@ -75,20 +100,18 @@ roleRef: name: mongodb-kubernetes-operator-multi-role subjects: - kind: ServiceAccount - name: test-service-account + name: mongodb-kubernetes-operator-multicluster namespace: central-namespace --- # Central Cluster, namespace-scoped resources apiVersion: v1 kind: ServiceAccount -imagePullSecrets: -- name: image-registries-secret metadata: creationTimestamp: null labels: multi-cluster: "true" - name: test-service-account + name: mongodb-kubernetes-operator-multicluster namespace: central-namespace --- diff --git a/public/samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_member_cluster.yaml b/public/samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_member_cluster.yaml index 80b9f9620..0c0d6f3a6 100644 --- a/public/samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_member_cluster.yaml +++ b/public/samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_member_cluster.yaml @@ -5,7 +5,7 @@ metadata: creationTimestamp: null labels: multi-cluster: "true" - name: mongodb-enterprise-appdb + name: mongodb-kubernetes-appdb namespace: member-namespace rules: - apiGroups: @@ -59,6 +59,17 @@ rules: - delete - watch - deletecollection +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - create + - update + - watch + - patch - apiGroups: - "" resources: @@ -67,6 +78,8 @@ rules: - get - list - watch + - delete + - deletecollection --- # Member Cluster, namespace-scoped resources @@ -76,15 +89,15 @@ metadata: creationTimestamp: null labels: multi-cluster: "true" - name: mongodb-enterprise-appdb + name: mongodb-kubernetes-appdb namespace: member-namespace roleRef: apiGroup: "" kind: Role - name: mongodb-enterprise-appdb + name: mongodb-kubernetes-appdb subjects: - kind: ServiceAccount - name: mongodb-enterprise-appdb + name: mongodb-kubernetes-appdb --- apiVersion: rbac.authorization.k8s.io/v1 
@@ -101,8 +114,8 @@ roleRef: name: mongodb-kubernetes-operator-multi-role subjects: - kind: ServiceAccount - name: test-service-account - namespace: member-namespace + name: mongodb-kubernetes-operator-multicluster + namespace: central-namespace --- # Member Cluster, namespace-scoped resources @@ -112,17 +125,7 @@ metadata: creationTimestamp: null labels: multi-cluster: "true" - name: mongodb-enterprise-appdb - namespace: member-namespace - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - creationTimestamp: null - labels: - multi-cluster: "true" - name: mongodb-enterprise-database-pods + name: mongodb-kubernetes-appdb namespace: member-namespace --- @@ -132,19 +135,17 @@ metadata: creationTimestamp: null labels: multi-cluster: "true" - name: mongodb-enterprise-ops-manager + name: mongodb-kubernetes-database-pods namespace: member-namespace --- apiVersion: v1 kind: ServiceAccount -imagePullSecrets: -- name: image-registries-secret metadata: creationTimestamp: null labels: multi-cluster: "true" - name: test-service-account + name: mongodb-kubernetes-ops-manager namespace: member-namespace --- diff --git a/public/tools/multicluster/pkg/common/common_test.go b/public/tools/multicluster/pkg/common/common_test.go index 7ca5639d0..1dd769437 100644 --- a/public/tools/multicluster/pkg/common/common_test.go +++ b/public/tools/multicluster/pkg/common/common_test.go 
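Review bot: The RoleBinding in `member-namespace` now points at a ServiceAccount in `central-namespace` (`name: mongodb-kubernetes-operator-multicluster`, `namespace: central-namespace`), which is legal for RBAC but means a namespace-scoped member install still depends on a second namespace existing on that cluster; the hunks below remove the `member-namespace` account the binding used to reference and add no replacement in `central-namespace`. A comment above the subject, `# must exist in central-namespace on this member cluster; not created by this sample`, would make the prerequisite explicit, and should come from the generator since the test rewrites this file.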
@@ -485,7 +485,8 @@ func TestPrintingOutRolesServiceAccountsAndRoleBindings(t *testing.T) {
 sb = marshalToYaml(t, sb, "Central Cluster, cluster-scoped resources", "rbac.authorization.k8s.io/v1", "ClusterRoleBinding", crb.Items)
 sb = marshalToYaml(t, sb, "Central Cluster, cluster-scoped resources", "v1", "ServiceAccount", sa.Items)
- _ = os.WriteFile("../../samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_central_cluster.yaml", []byte(sb.String()), os.ModePerm)
+ err = os.WriteFile("../../../../samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_central_cluster.yaml", []byte(sb.String()), os.ModePerm)
+ assert.NoError(t, err)
 }
 {
@@ -503,7 +504,8 @@ func TestPrintingOutRolesServiceAccountsAndRoleBindings(t *testing.T) {
 sb = marshalToYaml(t, sb, "Member Cluster, cluster-scoped resources", "rbac.authorization.k8s.io/v1", "ClusterRoleBinding", crb.Items)
 sb = marshalToYaml(t, sb, "Member Cluster, cluster-scoped resources", "v1", "ServiceAccount", sa.Items)
- _ = os.WriteFile("../../samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_member_cluster.yaml", []byte(sb.String()), os.ModePerm)
+ err = os.WriteFile("../../../../samples/multi-cluster-cli-gitops/resources/rbac/cluster_scoped_member_cluster.yaml", []byte(sb.String()), os.ModePerm)
+ assert.NoError(t, err)
 }
 {
@@ -523,7 +525,8 @@ func TestPrintingOutRolesServiceAccountsAndRoleBindings(t *testing.T) {
 sb = marshalToYaml(t, sb, "Central Cluster, namespace-scoped resources", "rbac.authorization.k8s.io/v1", "RoleBinding", rb.Items)
 sb = marshalToYaml(t, sb, "Central Cluster, namespace-scoped resources", "v1", "ServiceAccount", sa.Items)
- _ = os.WriteFile("../../samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_central_cluster.yaml", []byte(sb.String()), os.ModePerm)
+ err = os.WriteFile("../../../../samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_central_cluster.yaml", []byte(sb.String()), os.ModePerm)
+ assert.NoError(t, err)
 }
 {
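Review bot: `os.WriteFile(..., os.ModePerm)` in the first hunk — and in the three sibling calls that follow — creates the sample with mode 0777 (on first creation, subject to umask), so a checkout that lacks the file gets a world-writable, executable YAML; these are plain data files and should be written with `0o644`. The added `assert.NoError(t, err)` is the right fix for the previously discarded error; `err` is assigned with `=`, so it must already be declared earlier in the test, outside the hunk. The move to `../../../../samples` only resolves because `go test ./...` (the pre-commit change in this diff) runs each package with its own directory as cwd — a comment saying so on the first call would stop the next reader from "correcting" the path.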
@@ -543,7 +546,8 @@ func TestPrintingOutRolesServiceAccountsAndRoleBindings(t *testing.T) {
 sb = marshalToYaml(t, sb, "Member Cluster, namespace-scoped resources", "rbac.authorization.k8s.io/v1", "RoleBinding", rb.Items)
 sb = marshalToYaml(t, sb, "Member Cluster, namespace-scoped resources", "v1", "ServiceAccount", sa.Items)
- _ = os.WriteFile("../../samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_member_cluster.yaml", []byte(sb.String()), os.ModePerm)
+ err = os.WriteFile("../../../../samples/multi-cluster-cli-gitops/resources/rbac/namespace_scoped_member_cluster.yaml", []byte(sb.String()), os.ModePerm)
+ assert.NoError(t, err)
 }
 }
diff --git a/scripts/dev/print_operator_env.sh b/scripts/dev/print_operator_env.sh
index dfe6da689..c66bdf824 100755
--- a/scripts/dev/print_operator_env.sh
+++ b/scripts/dev/print_operator_env.sh
@@ -13,14 +13,14 @@ function print_operator_env() {
 WATCH_NAMESPACE=\"${WATCH_NAMESPACE}\"
 NAMESPACE=\"${NAMESPACE}\"
 IMAGE_PULL_POLICY=\"Always\"
-MONGODB_ENTERPRISE_DATABASE_IMAGE=\"${MONGODB_ENTERPRISE_DATABASE_IMAGE:-${DATABASE_REGISTRY}/mongodb-kubernetes-database${UBI_IMAGE_SUFFIX}}\"
-INIT_DATABASE_IMAGE_REPOSITORY=\"${INIT_DATABASE_REGISTRY}/mongodb-kubernetes-init-database${UBI_IMAGE_SUFFIX}\"
+MONGODB_ENTERPRISE_DATABASE_IMAGE=\"${MONGODB_ENTERPRISE_DATABASE_IMAGE:-${DATABASE_REGISTRY}/mongodb-kubernetes-database}\"
+INIT_DATABASE_IMAGE_REPOSITORY=\"${INIT_DATABASE_REGISTRY}/mongodb-kubernetes-init-database\"
 INIT_DATABASE_VERSION=\"${INIT_DATABASE_VERSION}\"
 DATABASE_VERSION=\"${DATABASE_VERSION}\"
 OPS_MANAGER_IMAGE_REPOSITORY=\"${OPS_MANAGER_REGISTRY}/mongodb-enterprise-ops-manager${UBI_IMAGE_SUFFIX}\"
-INIT_OPS_MANAGER_IMAGE_REPOSITORY=\"${INIT_OPS_MANAGER_REGISTRY}/mongodb-kubernetes-init-ops-manager${UBI_IMAGE_SUFFIX}\"
+INIT_OPS_MANAGER_IMAGE_REPOSITORY=\"${INIT_OPS_MANAGER_REGISTRY}/mongodb-kubernetes-init-ops-manager\"
 INIT_OPS_MANAGER_VERSION=\"${INIT_OPS_MANAGER_VERSION}\"
-INIT_APPDB_IMAGE_REPOSITORY=\"${INIT_APPDB_REGISTRY}/mongodb-kubernetes-init-appdb${UBI_IMAGE_SUFFIX}\"
+INIT_APPDB_IMAGE_REPOSITORY=\"${INIT_APPDB_REGISTRY}/mongodb-kubernetes-init-appdb\"
 INIT_APPDB_VERSION=\"${INIT_APPDB_VERSION}\"
 OPS_MANAGER_IMAGE_PULL_POLICY=\"Always\"
 MONGODB_IMAGE=\"mongodb-enterprise-server\"
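Review bot: `${UBI_IMAGE_SUFFIX}` is dropped from the database, init-database, init-ops-manager and init-appdb repositories but kept on the untouched `OPS_MANAGER_IMAGE_REPOSITORY=\"${OPS_MANAGER_REGISTRY}/mongodb-enterprise-ops-manager${UBI_IMAGE_SUFFIX}\"` line between the changes, so the printed env now mixes suffixed and unsuffixed image names and a wrong `UBI_IMAGE_SUFFIX` would only bite the Ops Manager image. If that image genuinely still ships with the suffix, a comment on the line, `# OM image still carries the UBI suffix; the mongodb-kubernetes-* images do not`, would stop it from reading as an oversight; otherwise drop it for consistency. The heredoc and print_operator_env continue outside the hunk.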