diff --git a/charts/community-operator/operator_rbac.yaml b/charts/community-operator/operator_rbac.yaml
new file mode 100644
index 00000000..69da9597
--- /dev/null
+++ b/charts/community-operator/operator_rbac.yaml
@@ -0,0 +1,40 @@
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - configmaps
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - mongodbcommunity.mongodb.com
+ resources:
+ - mongodbcommunity
+ - mongodbcommunity/status
+ - mongodbcommunity/spec
+ - mongodbcommunity/finalizers
+ verbs:
+ - get
+ - patch
+ - list
+ - update
+ - watch
\ No newline at end of file
diff --git a/charts/community-operator/templates/_helpers.tpl b/charts/community-operator/templates/_helpers.tpl
new file mode 100644
index 00000000..417ef003
--- /dev/null
+++ b/charts/community-operator/templates/_helpers.tpl
@@ -0,0 +1,25 @@
+{{/*
+Operator's watch namespaces
+*/}}
+{{- define "community-operator.watchNamespaces" -}}
+ {{- $defaultNamespaces := list $.Release.Namespace }}
+ {{- $namespaces := default $defaultNamespaces .Values.operator.watchNamespaces }}
+ {{- if has "*" $namespaces }}
+ {{- list "*" | toYaml }}
+ {{- else }}
+ {{- $namespaces | toYaml }}
+ {{- end }}
+{{- end }}
+
+{{/*
+Database namespaces
+*/}}
+{{- define "community-operator.database.namespaces" -}}
+ {{- $defaultNamespaces := include "community-operator.watchNamespaces" . | fromYamlArray }}
+ {{- $namespaces := default $defaultNamespaces .Values.database.namespaces }}
+ {{- if has "*" $namespaces }}
+ {{- list | toYaml }}
+ {{- else }}
+ {{- $namespaces | toYaml }}
+ {{- end }}
+{{- end }}
diff --git a/charts/community-operator/templates/database_roles.yaml b/charts/community-operator/templates/database_roles.yaml
index b5662ff6..7debec48 100644
--- a/charts/community-operator/templates/database_roles.yaml
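Review bot: This new file is a bare rule-list fragment with no document marker and no top-level key, and nothing in it says that templates/operator_roles.yaml splices it under `rules:` via `.Files.Lines`, so a later edit that adds `---` or wraps the list in a key would break rendering without any hint here. A one-line header such as `# Rule fragment inlined under "rules:" by templates/operator_roles.yaml via .Files.Lines; keep it a plain list, no document marker` would make that contract explicit and renders harmlessly as a YAML comment. Because `.Files.Lines` emits each line verbatim, the relative indentation of the nested `- ""`/`- pods` items is part of what the consuming template depends on; the indentation is collapsed in this view, so I cannot confirm it is consistent.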
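Review bot: `community-operator.watchNamespaces` reads only the new list key `operator.watchNamespaces` and never looks at the scalar `operator.watchNamespace` that this same commit drops from values.yaml, so an existing release upgraded with its old `watchNamespace: "*"` values silently falls back to `list $.Release.Namespace`, its ClusterRole is swapped for a namespaced Role, and the operator stops reconciling other namespaces with no error at render time. A guard at the top of the define, `{{- if hasKey .Values.operator "watchNamespace" }}{{ fail "operator.watchNamespace was replaced by the list operator.watchNamespaces" }}{{ end }}`, turns that into an explicit failure; the second define has the same gap for the renamed `database.namespace` key. A plain string value (`watchNamespaces: "*"`) also reaches `has "*" $namespaces`, which as far as I recall rejects a non-list haystack with a type error rather than a readable message, so the values.yaml comment should state that the key must be a list.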
+++ b/charts/community-operator/templates/database_roles.yaml @@ -1,16 +1,20 @@ +{{- $databaseNamespaces := include "community-operator.database.namespaces" . | fromYamlArray }} +{{- $databaseName := $.Values.database.name }} +{{- range $namespace := $databaseNamespaces }} + --- apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.database.name }} - namespace: {{ if .Values.database.namespace }} {{ .Values.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }} + name: {{ $databaseName }} + namespace: {{ $namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ .Values.database.name }} - namespace: {{ if .Values.database.namespace }} {{ .Values.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }} + name: {{ $databaseName }} + namespace: {{ $namespace }} rules: - apiGroups: - "" @@ -31,12 +35,14 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ .Values.database.name }} - namespace: {{ if .Values.database.namespace }} {{ .Values.database.namespace }} {{ else }} {{ .Release.Namespace }} {{ end }} + name: {{ $databaseName }} + namespace: {{ $namespace }} subjects: - kind: ServiceAccount - name: {{ .Values.database.name }} + name: {{ $databaseName }} roleRef: kind: Role - name: {{ .Values.database.name }} + name: {{ $databaseName }} apiGroup: rbac.authorization.k8s.io + +{{- end }} \ No newline at end of file diff --git a/charts/community-operator/templates/operator.yaml b/charts/community-operator/templates/operator.yaml index 2de178c2..fdb66523 100644 --- a/charts/community-operator/templates/operator.yaml +++ b/charts/community-operator/templates/operator.yaml @@ -1,3 +1,4 @@ +{{- $operatorWatchNamespaces := include "community-operator.watchNamespaces" . | fromYamlArray }} --- apiVersion: apps/v1 kind: Deployment 
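Review bot: The new `range $namespace := $databaseNamespaces` renders nothing at all when the helper returns an empty list, which happens whenever `operator.watchNamespaces` is `["*"]` and `database.namespaces` is unset, or when `database.namespaces` itself contains `"*"` (the helper maps that case to an empty `list`), so the database ServiceAccount, Role and RoleBinding silently drop out of the release instead of surfacing a misconfiguration. A guard before the loop, `{{- if not $databaseNamespaces }}{{ fail "database.namespaces must list at least one concrete namespace" }}{{ end }}`, would fail the render instead. If rendering nothing is the intended behaviour, say so in a template comment at the top of the file so the next reader does not take it for a bug.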
@@ -43,13 +44,9 @@ spec:
 {{- if .Values.operator.extraEnvs }}
 {{ toYaml .Values.operator.extraEnvs | nindent 12 }}
 {{- end }}
+{{- if $operatorWatchNamespaces }}
 - name: WATCH_NAMESPACE
-{{- if .Values.operator.watchNamespace}}
- value: "{{ .Values.operator.watchNamespace }}"
-{{- else }}
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
+ value: "{{ join "," $operatorWatchNamespaces }}"
 {{- end }}
 - name: POD_NAME
 valueFrom:
diff --git a/charts/community-operator/templates/operator_roles.yaml b/charts/community-operator/templates/operator_roles.yaml
index 0f0988b9..b4673c21 100644
--- a/charts/community-operator/templates/operator_roles.yaml
+++ b/charts/community-operator/templates/operator_roles.yaml
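Review bot: The `{{- if $operatorWatchNamespaces }}` guard around WATCH_NAMESPACE cannot be false with the helper as written, since `community-operator.watchNamespaces` always yields either `["*"]` or at least the release namespace, so the `valueFrom.fieldRef` fallback removed here is replaced by a literal that equals `.Release.Namespace` in the default case; a short comment such as `# helper defaults to .Release.Namespace, so the downward-API fallback is no longer needed` would spare the next reader that derivation. With several concrete namespaces the value becomes a comma-joined string via `join ","`, and nothing on this page shows that the pinned operator image (`version: 0.11.0` in values.yaml) parses a comma-separated WATCH_NAMESPACE, so please confirm that and document the accepted format next to `watchNamespaces` in values.yaml. The env block edited here continues outside the hunk.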
@@ -1,77 +1,71 @@ +{{- $operatorWatchNamespaces := include "community-operator.watchNamespaces" . | fromYamlArray }} +{{- $operatorWatchAllNamespace := has "*" $operatorWatchNamespaces }} +{{- $operatorName := .Values.operator.name -}} +{{- $operatorRBAC := (.Files.Lines "operator_rbac.yaml")}} + --- apiVersion: v1 kind: ServiceAccount metadata: - name: {{ .Values.operator.name }} + name: {{ $operatorName }} namespace: {{ .Release.Namespace }} +{{- if $operatorWatchAllNamespace }} + --- apiVersion: rbac.authorization.k8s.io/v1 -kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }} +kind: ClusterRole metadata: - name: {{ .Values.operator.name }} - {{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }} - namespace: {{ .Values.operator.watchNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} - {{- end }} + name: {{ $operatorName }} rules: -- apiGroups: - - "" - resources: - - pods - - services - - configmaps - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mongodbcommunity.mongodb.com - resources: - - mongodbcommunity - - mongodbcommunity/status - - mongodbcommunity/spec - - mongodbcommunity/finalizers - verbs: - - get - - patch - - list - - update - - watch + {{- range $operatorRBAC }} + {{ . 
-}} + {{- end }} --- -kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRoleBinding {{ else }} RoleBinding {{ end }} +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ .Values.operator.name }} - {{- if ne (.Values.operator.watchNamespace | default "*") "*" }} - namespace: {{ .Values.operator.watchNamespace }} - {{- else }} - namespace: {{ .Release.Namespace }} + name: {{ $operatorName }} +subjects: +- kind: ServiceAccount + name: {{ $operatorName }} + namespace: {{ $.Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ $operatorName }} + apiGroup: rbac.authorization.k8s.io + +{{- else }} + +{{- range $namespace := $operatorWatchNamespaces }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $operatorName }} + namespace: {{ $namespace }} +rules: + {{- range $operatorRBAC }} + {{ . -}} {{- end }} + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $operatorName }} + namespace: {{ $namespace }} subjects: - kind: ServiceAccount - name: {{ .Values.operator.name }} - namespace: {{ .Release.Namespace }} + name: {{ $operatorName }} + namespace: {{ $.Release.Namespace }} roleRef: - kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }} - name: {{ .Values.operator.name }} + kind: Role + name: {{ $operatorName }} apiGroup: rbac.authorization.k8s.io + +{{- end }} + +{{- end }} diff --git a/charts/community-operator/values.yaml b/charts/community-operator/values.yaml index 036f39cc..087f1a53 100644 --- a/charts/community-operator/values.yaml +++ b/charts/community-operator/values.yaml 
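Review bot: Both the ClusterRole and the per-namespace Role splice `operator_rbac.yaml` in with `{{- range $operatorRBAC }} {{ . -}} {{- end }}`, which relies on the template's own leading whitespace before `{{ . ` to indent every fragment line under `rules:`; that coupling between the fragment's internal indentation and the template's indentation is easy to break and is invisible in this collapsed view. The idiomatic Helm form is a single line after `rules:`, `{{ .Files.Get "operator_rbac.yaml" | nindent 2 }}`, which makes the indentation explicit and removes the `$operatorRBAC` variable. On the security side, the `*` branch creates a ClusterRole/ClusterRoleBinding carrying create/delete/patch on `secrets` and `configmaps` in every namespace; that matches the previous behaviour, but a template comment above `{{- if $operatorWatchAllNamespace }}` naming that cluster-wide scope would help anyone reviewing rendered manifests. Keeping `namespace: {{ $.Release.Namespace }}` on the RoleBinding subject inside the range is correct, since the ServiceAccount exists only there.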
@@ -17,8 +17,10 @@ operator: # Version of mongodb-kubernetes-operator version: 0.11.0 - # Uncomment this line to watch all namespaces - # watchNamespace: "*" + # watchNamespaces is the set of namespaces that are watched by the Operator. + # - empty (watch namespace where the Operator is installed to) + # - ["*"] (watch all namespaces) + # watchNamespaces: [] # Resources allocated to Operator Pod resources: @@ -51,14 +53,11 @@ operator: ## Operator's database database: name: mongodb-database - # set this to the namespace where you would like - # to deploy the MongoDB database, - # Note if the database namespace is not same - # as the operator namespace, - # make sure to set "watchNamespace" to "*" + # If "watchNamespaces" is set to ["*"], + # then set the database namespaces # to ensure that the operator has the # permission to reconcile resources in other namespaces - # namespace: mongodb-database + # namespaces: ["mongodb-database"] agent: name: mongodb-agent-ubi
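Review bot: The new comment for `watchNamespaces` describes `["*"]` only as "watch all namespaces" and does not say that it also switches the operator's RBAC from namespaced Roles to a ClusterRole with create/delete/patch on secrets and configmaps cluster-wide, nor that a list of several concrete namespaces is supported (templates/operator_roles.yaml creates a Role and RoleBinding in each). I would extend it with `# - ["ns-a", "ns-b"] (watch the listed namespaces; a Role/RoleBinding is created in each)` and `# Note: ["*"] grants the operator a ClusterRole, including secrets read/write in every namespace`. Since the scalar `watchNamespace` key is removed in this hunk, a line such as `# (replaces the former scalar key "watchNamespace"; the value must be a list)` would also help users upgrading existing releases.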