From 233814f1f0e6af574bea0f709230da21c9b69ee8 Mon Sep 17 00:00:00 2001 From: Mikalai Radchuk <509198+m1kola@users.noreply.github.com> Date: Wed, 16 Jul 2025 18:23:16 +0200 Subject: [PATCH] Remove undocumented operator.enablePVCResize --- .githooks/pre-commit | 2 - RELEASE_NOTES.md | 2 +- ...istentvolumeclaims_rbac_into_a_separate.md | 7 --- ...6_other_enablePVCResize_setting_removed.md | 7 +++ config/rbac/kustomization.yaml | 1 - config/rbac/operator-roles-base.yaml | 11 ++++ config/rbac/operator-roles-pvc-resize.yaml | 34 ---------- helm_chart/templates/operator-roles-base.yaml | 11 ++++ .../templates/operator-roles-pvc-resize.yaml | 63 ------------------- helm_chart/values.yaml | 3 - public/mongodb-kubernetes-multi-cluster.yaml | 45 ++++--------- public/mongodb-kubernetes-openshift.yaml | 45 ++++--------- public/mongodb-kubernetes.yaml | 45 ++++--------- scripts/funcs/operator_deployment | 1 - 14 files changed, 63 insertions(+), 214 deletions(-) delete mode 100644 changelog/20250715_other_split_persistentvolumeclaims_rbac_into_a_separate.md create mode 100644 changelog/20250716_other_enablePVCResize_setting_removed.md delete mode 100644 config/rbac/operator-roles-pvc-resize.yaml delete mode 100644 helm_chart/templates/operator-roles-pvc-resize.yaml diff --git a/.githooks/pre-commit b/.githooks/pre-commit index 4f6af7b50..66b66f28d 100755 --- a/.githooks/pre-commit +++ b/.githooks/pre-commit @@ -35,7 +35,6 @@ function generate_standalone_yaml() { FILES=( "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-base.yaml" "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml" - "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml" "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-telemetry.yaml" "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-webhook.yaml" "${charttmpdir}/mongodb-kubernetes/templates/database-roles.yaml" 
@@ -63,7 +62,6 @@ function generate_standalone_yaml() { cp "${charttmpdir}/mongodb-kubernetes/templates/database-roles.yaml" config/rbac/database-roles.yaml cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-base.yaml" config/rbac/operator-roles-base.yaml cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml" config/rbac/operator-roles-clustermongodbroles.yaml - cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml" config/rbac/operator-roles-pvc-resize.yaml cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-telemetry.yaml" config/rbac/operator-roles-telemetry.yaml # generate multi-cluster public example diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index adb4462b8..1a9f55c5a 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -4,7 +4,7 @@ # MCK 1.3.0 Release Notes ## Other Changes -* Optional permissions for `PersistentVolumeClaim` moved to a separate role. When managing the operator with Helm it is possible to disable permissions for `PersistentVolumeClaim` resources by setting `operator.enablePVCResize` value to `false` (`true` by default). When enabled, previously these permissions were part of the primary operator role. With this change, permissions have a separate role. +* The undocumented `operator.enablePVCResize` Helm value has been removed. If you previously set this value to `false`, please note that the operator roles will now include permissions for `PersistentVolumeClaim` resources by default. * `subresourceEnabled` Helm value was removed. This setting used to be `true` by default and made it possible to exclude subresource permissions from the operator role by specifying `false` as the value. We are removing this configuration option, making the operator roles always have subresource permissions. This setting was introduced as a temporary solution for [this](https://bugzilla.redhat.com/show_bug.cgi?id=1803171) OpenShift issue. The issue has since been resolved and the setting is no longer needed. diff --git a/changelog/20250715_other_split_persistentvolumeclaims_rbac_into_a_separate.md b/changelog/20250715_other_split_persistentvolumeclaims_rbac_into_a_separate.md deleted file mode 100644 index cd043e3d5..000000000 --- a/changelog/20250715_other_split_persistentvolumeclaims_rbac_into_a_separate.md +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -title: Permissions for PersistentVolumeClaim moved to a separate role -kind: other -date: 2025-07-15 ---- - -* Optional permissions for `PersistentVolumeClaim` moved to a separate role. When managing the operator with Helm it is possible to disable permissions for `PersistentVolumeClaim` resources by setting `operator.enablePVCResize` value to `false` (`true` by default). When enabled, previously these permissions were part of the primary operator role. With this change, permissions have a separate role. diff --git a/changelog/20250716_other_enablePVCResize_setting_removed.md b/changelog/20250716_other_enablePVCResize_setting_removed.md new file mode 100644 index 000000000..a0524f379 --- /dev/null +++ b/changelog/20250716_other_enablePVCResize_setting_removed.md @@ -0,0 +1,7 @@ +--- +title: Undocumented operator.enablePVCResize Helm value has been removed +kind: other +date: 2025-07-15 +--- + +* The undocumented `operator.enablePVCResize` Helm value has been removed. If you previously set this value to `false`, please note that the operator roles will now include permissions for `PersistentVolumeClaim` resources by default. diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 8bcbf4d43..9f83e9ca2 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -5,7 +5,6 @@ resources: - database-roles.yaml - operator-roles-base.yaml - operator-roles-clustermongodbroles.yaml - - operator-roles-pvc-resize.yaml - operator-roles-telemetry.yaml # we have to remove service account namespace from RoleBinding as OLM is not overriding it diff --git a/config/rbac/operator-roles-base.yaml b/config/rbac/operator-roles-base.yaml index 5e914e202..42e02462b 100644 --- a/config/rbac/operator-roles-base.yaml +++ b/config/rbac/operator-roles-base.yaml 
@@ -79,6 +79,17 @@ rules: - opsmanagers/status - mongodbmulticluster/status - mongodbsearch/status + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - delete + - list + - watch + - patch + - update --- # Source: mongodb-kubernetes/templates/operator-roles-base.yaml kind: RoleBinding diff --git a/config/rbac/operator-roles-pvc-resize.yaml b/config/rbac/operator-roles-pvc-resize.yaml deleted file mode 100644 index d01d7e4c5..000000000 --- a/config/rbac/operator-roles-pvc-resize.yaml +++ /dev/null @@ -1,34 +0,0 @@ ---- -# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-kubernetes-operator-pvc-resize - namespace: mongodb -rules: - - apiGroups: - - '' - resources: - - persistentvolumeclaims - verbs: - - get - - delete - - list - - watch - - patch - - update ---- -# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-kubernetes-operator-pvc-resize-binding - namespace: mongodb -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: mongodb-kubernetes-operator-pvc-resize -subjects: - - kind: ServiceAccount - name: mongodb-kubernetes-operator - namespace: mongodb diff --git a/helm_chart/templates/operator-roles-base.yaml b/helm_chart/templates/operator-roles-base.yaml index 39c9b033a..175a4ef8c 100644 --- a/helm_chart/templates/operator-roles-base.yaml +++ b/helm_chart/templates/operator-roles-base.yaml @@ -91,6 +91,17 @@ rules: - opsmanagers/status - mongodbmulticluster/status - mongodbsearch/status + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - delete + - list + - watch + - patch + - update {{- if eq $roleScope "ClusterRole" }} - apiGroups: - '' 
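Review bot: With the `persistentvolumeclaims` rule now unconditional in `helm_chart/templates/operator-roles-base.yaml`, an install that still passes `operator.enablePVCResize=false` will upgrade without error while the operator role gains `delete`, `patch` and `update` on PVCs. Helm ignores value keys a chart no longer reads unless a values schema rejects them, and no schema is visible in this patch. Because this template renders the role as a `ClusterRole` when `$roleScope` says so, the grant can be cluster-wide. Consider failing the render on the stale key, e.g. `{{- if hasKey .Values.operator "enablePVCResize" }}{{ fail "operator.enablePVCResize was removed; PersistentVolumeClaim permissions are now always granted" }}{{- end }}`, so anyone who had opted out notices at upgrade time rather than only from the release notes. A short comment above the rule saying why `delete` is needed would also help role audits, since the removed values.yaml comment mentioned only resizing; the rules list starts and continues outside this hunk.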
diff --git a/helm_chart/templates/operator-roles-pvc-resize.yaml b/helm_chart/templates/operator-roles-pvc-resize.yaml
deleted file mode 100644
index 4d766d1a0..000000000
--- a/helm_chart/templates/operator-roles-pvc-resize.yaml
+++ /dev/null
@@ -1,63 +0,0 @@ -{{ if .Values.operator.createOperatorServiceAccount }} -{{ if .Values.operator.enablePVCResize }} - -{{- $watchNamespace := include "mongodb-kubernetes-operator.namespace" . | list }} -{{- if .Values.operator.watchNamespace }} -{{- $watchNamespace = regexSplit "," .Values.operator.watchNamespace -1 }} -{{- $watchNamespace = concat $watchNamespace (include "mongodb-kubernetes-operator.namespace" . | list) | uniq }} -{{- end }} - - -{{- $roleScope := "Role" -}} -{{- if or (gt (len $watchNamespace) 1) (eq (first $watchNamespace) "*") }} -{{- $roleScope = "ClusterRole" }} -{{- end }} ---- -kind: {{ $roleScope }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ .Values.operator.name }}-pvc-resize -{{- if eq $roleScope "Role" }} - namespace: {{ include "mongodb-kubernetes-operator.namespace" . }} -{{- end }} -rules: - - apiGroups: - - '' - resources: - - persistentvolumeclaims - verbs: - - get - - delete - - list - - watch - - patch - - update -{{- range $idx, $namespace := $watchNamespace }} - -{{- $namespaceBlock := "" }} -{{- if not (eq $namespace "*") }} -{{- $namespaceBlock = printf "namespace: %s" $namespace }} -{{- end }} - ---- -{{- if eq $namespace "*" }} -kind: ClusterRoleBinding -{{- else }} -kind: RoleBinding -{{- end }} -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $.Values.operator.name }}-pvc-resize-binding - {{ $namespaceBlock }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: {{ $roleScope }} - name: {{ $.Values.operator.name }}-pvc-resize -subjects: - - kind: ServiceAccount - name: {{ $.Values.operator.name }} - namespace: {{ include "mongodb-kubernetes-operator.namespace" $ }} -{{- end }} - -{{- end}}{{/* if .Values.operator.enablePVCResize */}} -{{- end}}{{/* if .Values.operator.createOperatorServiceAccount */}} diff --git a/helm_chart/values.yaml b/helm_chart/values.yaml index 0a44d5ca0..a9b764ee4 100644 --- a/helm_chart/values.yaml +++ b/helm_chart/values.yaml 
@@ -71,9 +71,6 @@ operator: # Set to false to not create the ClusterRole and ClusterRoleBinding and to disable the operator watching the ClusterMongoDBRole resources. enableClusterMongoDBRoles: true - # Set to false to not create the RBAC for enabling access to the PVC for resizing for the operator - enablePVCResize: true - vaultSecretBackend: # set to true if you want the operator to store secrets in Vault enabled: false diff --git a/public/mongodb-kubernetes-multi-cluster.yaml b/public/mongodb-kubernetes-multi-cluster.yaml index f53630a0e..56c9bbaf3 100644 --- a/public/mongodb-kubernetes-multi-cluster.yaml +++ b/public/mongodb-kubernetes-multi-cluster.yaml @@ -79,6 +79,17 @@ rules: - opsmanagers/status - mongodbmulticluster/status - mongodbsearch/status + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - delete + - list + - watch + - patch + - update --- # Source: mongodb-kubernetes/templates/operator-roles-base.yaml kind: RoleBinding 
@@ -122,40 +133,6 @@ subjects: name: mongodb-kubernetes-operator-multi-cluster namespace: mongodb --- -# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-kubernetes-operator-multi-cluster-pvc-resize - namespace: mongodb -rules: - - apiGroups: - - '' - resources: - - persistentvolumeclaims - verbs: - - get - - delete - - list - - watch - - patch - - update ---- -# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-kubernetes-operator-multi-cluster-pvc-resize-binding - namespace: mongodb -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: mongodb-kubernetes-operator-multi-cluster-pvc-resize -subjects: - - kind: ServiceAccount - name: mongodb-kubernetes-operator-multi-cluster - namespace: mongodb ---- # Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml # Additional ClusterRole for clusterVersionDetection kind: ClusterRole diff --git a/public/mongodb-kubernetes-openshift.yaml b/public/mongodb-kubernetes-openshift.yaml index ce0cd73b9..c78e6e0c4 100644 --- a/public/mongodb-kubernetes-openshift.yaml +++ b/public/mongodb-kubernetes-openshift.yaml @@ -79,6 +79,17 @@ rules: - opsmanagers/status - mongodbmulticluster/status - mongodbsearch/status + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - delete + - list + - watch + - patch + - update --- # Source: mongodb-kubernetes/templates/operator-roles-base.yaml kind: RoleBinding 
@@ -122,40 +133,6 @@ subjects: name: mongodb-kubernetes-operator namespace: mongodb --- -# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-kubernetes-operator-pvc-resize - namespace: mongodb -rules: - - apiGroups: - - '' - resources: - - persistentvolumeclaims - verbs: - - get - - delete - - list - - watch - - patch - - update ---- -# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-kubernetes-operator-pvc-resize-binding - namespace: mongodb -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: mongodb-kubernetes-operator-pvc-resize -subjects: - - kind: ServiceAccount - name: mongodb-kubernetes-operator - namespace: mongodb ---- # Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml # Additional ClusterRole for clusterVersionDetection kind: ClusterRole diff --git a/public/mongodb-kubernetes.yaml b/public/mongodb-kubernetes.yaml index 69ff3f0e8..5be8743f0 100644 --- a/public/mongodb-kubernetes.yaml +++ b/public/mongodb-kubernetes.yaml @@ -79,6 +79,17 @@ rules: - opsmanagers/status - mongodbmulticluster/status - mongodbsearch/status + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - delete + - list + - watch + - patch + - update --- # Source: mongodb-kubernetes/templates/operator-roles-base.yaml kind: RoleBinding 
@@ -122,40 +133,6 @@ subjects: name: mongodb-kubernetes-operator namespace: mongodb --- -# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-kubernetes-operator-pvc-resize - namespace: mongodb -rules: - - apiGroups: - - '' - resources: - - persistentvolumeclaims - verbs: - - get - - delete - - list - - watch - - patch - - update ---- -# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-kubernetes-operator-pvc-resize-binding - namespace: mongodb -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: mongodb-kubernetes-operator-pvc-resize -subjects: - - kind: ServiceAccount - name: mongodb-kubernetes-operator - namespace: mongodb ---- # Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml # Additional ClusterRole for clusterVersionDetection kind: ClusterRole diff --git a/scripts/funcs/operator_deployment b/scripts/funcs/operator_deployment index 8c9984b7d..b200f7c1d 100644 --- a/scripts/funcs/operator_deployment +++ b/scripts/funcs/operator_deployment @@ -29,7 +29,6 @@ get_operator_helm_values() { "mongodb.name=mongodb-enterprise-server" "mongodb.imageType=${MDB_IMAGE_TYPE:-ubi8}" "operator.mdbDefaultArchitecture=${MDB_DEFAULT_ARCHITECTURE:-non-static}" - "operator.enablePVCResize=${MDB_ENABLE_PVC_RESIZE:-true}" # only send the telemetry to the backend on a specific variant, thus default to false "operator.telemetry.send.enabled=${MDB_OPERATOR_TELEMETRY_SEND_ENABLED:-false}" # lets collect and save in the configmap as frequently as we can