support multiple watch namespaces

mongodb · Dec 28, 2024 · 21f7614 · 21f7614
1 parent 8a53f24
commit 21f7614
Show file tree

Hide file tree

Showing 5 changed files with 111 additions and 66 deletions.
diff --git a/charts/community-operator/operator_rbac.yaml b/charts/community-operator/operator_rbac.yaml
@@ -0,0 +1,40 @@
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - configmaps
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - mongodbcommunity.mongodb.com
+  resources:
+  - mongodbcommunity
+  - mongodbcommunity/status
+  - mongodbcommunity/spec
+  - mongodbcommunity/finalizers
+  verbs:
+  - get
+  - patch
+  - list
+  - update
+  - watch
diff --git a/charts/community-operator/templates/_helpers.tpl b/charts/community-operator/templates/_helpers.tpl
@@ -0,0 +1,12 @@
+{{/*
+Operator's watch namespaces
+*/}}
+{{- define "community-operator.watchNamespaces" -}}
+  {{- $defaultNamespaces := list $.Release.Namespace }}
+  {{- $namespaces := default $defaultNamespaces .Values.operator.watchNamespaces }}
+  {{- if has "*" $namespaces }}
+    {{- list "*" | toYaml }}
+  {{- else }}
+    {{- $namespaces | toYaml  }}
+  {{- end }}
+{{- end }}
diff --git a/charts/community-operator/templates/operator.yaml b/charts/community-operator/templates/operator.yaml
@@ -1,3 +1,4 @@
+{{- $operatorWatchNamespaces := include "community-operator.watchNamespaces" . | fromYamlArray }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -43,13 +44,9 @@ spec:
 {{- if .Values.operator.extraEnvs }}
             {{ toYaml .Values.operator.extraEnvs | nindent 12 }}
 {{- end }}
+{{- if $operatorWatchNamespaces }}
             - name: WATCH_NAMESPACE
-{{- if .Values.operator.watchNamespace}}
-              value: "{{ .Values.operator.watchNamespace }}"
-{{- else }}
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
+              value: "{{ join "," $operatorWatchNamespaces }}"
 {{- end }}
             - name: POD_NAME
               valueFrom:

diff --git a/charts/community-operator/templates/operator_roles.yaml b/charts/community-operator/templates/operator_roles.yaml
@@ -1,77 +1,71 @@
+{{- $operatorWatchNamespaces := include "community-operator.watchNamespaces" . | fromYamlArray }}
+{{- $operatorWatchAllNamespace := has "*" $operatorWatchNamespaces }}
+{{- $operatorName := .Values.operator.name -}}
+{{- $operatorRBAC := (.Files.Lines "operator_rbac.yaml")}}
+
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.operator.name }}
+  name: {{ $operatorName }}
   namespace: {{ .Release.Namespace }}
 
+{{- if $operatorWatchAllNamespace }}
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
+kind: ClusterRole
 metadata:
-  name: {{ .Values.operator.name }}
-  {{- if not (eq (.Values.operator.watchNamespace | default "*") "*") }}
-  namespace: {{ .Values.operator.watchNamespace }}
-  {{- else }}
-  namespace: {{ .Release.Namespace }}
-  {{- end }}
+  name: {{ $operatorName }}
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - services
-  - configmaps
-  - secrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - apps
-  resources:
-  - statefulsets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - mongodbcommunity.mongodb.com
-  resources:
-  - mongodbcommunity
-  - mongodbcommunity/status
-  - mongodbcommunity/spec
-  - mongodbcommunity/finalizers
-  verbs:
-  - get
-  - patch
-  - list
-  - update
-  - watch
+  {{- range $operatorRBAC }}
+  {{ . -}}
+  {{- end }}
 
 ---
-kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRoleBinding {{ else }} RoleBinding {{ end }}
+kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Values.operator.name }}
-  {{- if ne (.Values.operator.watchNamespace | default "*") "*" }}
-  namespace: {{ .Values.operator.watchNamespace }}
-  {{- else }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ $operatorName }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $operatorName }}
+  namespace: {{ $.Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ $operatorName }}
+  apiGroup: rbac.authorization.k8s.io
+
+{{- else }}
+
+{{- range $namespace := $operatorWatchNamespaces }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $operatorName }}
+  namespace: {{ $namespace }}
+rules:
+  {{- range $operatorRBAC }}
+  {{ . -}}
   {{- end }}
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $operatorName }}
+  namespace: {{ $namespace }}
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.operator.name }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ $operatorName }}
+  namespace: {{ $.Release.Namespace }}
 roleRef:
-  kind: {{ if eq (.Values.operator.watchNamespace | default "") "*" }} ClusterRole {{ else }} Role {{ end }}
-  name: {{ .Values.operator.name }}
+  kind: Role
+  name: {{ $operatorName }}
   apiGroup: rbac.authorization.k8s.io
+
+{{- end }}
+
+{{- end }}
diff --git a/charts/community-operator/values.yaml b/charts/community-operator/values.yaml
@@ -17,8 +17,10 @@ operator:
   # Version of mongodb-kubernetes-operator
   version: 0.11.0
 
-  # Uncomment this line to watch all namespaces
-  # watchNamespace: "*"
+  # watchNamespaces is the set of namespaces that are watched by the Operator.
+  # - empty (watch namespace where the Operator is installed to)
+  # - ["*"] (watch all namespaces)
+  # watchNamespaces: []
 
   # Resources allocated to Operator Pod
   resources: