CLOUDP-314917 CLOUDP-314918 CLOUDP-314919 - Add ClusterMongoDBRole CRD (#54)

# Summary Introduced new CRD for MongoDB roles. The new CRD is cluster-scoped and can be reused in multiple MongoDB deployments even across-namespaces. The CRD design can be found in the [TD](https://docs.google.com/document/d/11j_wg0-s3u8oBI6Ca12AZiHLlUv_ViilYwMvl2LgoiQ/edit?tab=t.bhdbox3ppbto#bookmark=id.jbs82dmgpgr6) ## Proof of Work There are unit and E2E tests verifying that the custom roles are: * Roles are added in automation config * Removing a reference to the role removes the role from automation config * Updating the role triggers a reconciliation, and role is updated in AC * Deleting the role is blocked by the finalizer * Deleting the role after it is removed from resources is not blocked anymore ## Checklist - [ ] Have you linked a jira ticket and/or is the ticket in the title? - [ ] Have you checked whether your jira ticket required DOCSP changes? - [ ] Have you checked for release_note changes? ## Reminder (Please remove this when merging) - Please try to Approve or Reject Changes the PR, keep PRs in review as short as possible - Our Short Guide for PRs: [Link](https://docs.google.com/document/d/1T93KUtdvONq43vfTfUt8l92uo4e4SEEvFbIEKOxGr44/edit?tab=t.0) - Remember the following Communication Standards - use comment prefixes for clarity: * **blocking**: Must be addressed before approval. * **follow-up**: Can be addressed in a later PR or ticket. * **q**: Clarifying question. * **nit**: Non-blocking suggestions. * **note**: Side-note, non-actionable. Example: Praise * --> no prefix is considered a question --------- Co-authored-by: Łukasz Sierant <lukasz.sierant@mongodb.com>

Author: lucian-tosa

.evergreen-tasks.yml

@@ -254,6 +254,11 @@ tasks:
  commands:
  - func: "e2e_test"
 
+ - name: e2e_mongodb_custom_roles
+ tags: [ "patch-run" ]
+ commands:
+ - func: "e2e_test"
+
  - name: e2e_replica_set_recovery
  tags: [ "patch-run" ]
  commands:
@@ -644,7 +649,7 @@ tasks:
  commands:
  - func: "e2e_test"
 
- - name: e2e_replica_set_custom_roles
+ - name: e2e_replica_set_ldap_custom_roles
  tags: [ "patch-run" ]
  commands:
  - func: "e2e_test"

.evergreen.yml

@@ -728,7 +728,7 @@ task_groups:
  - e2e_replica_set_ldap_user_to_dn_mapping
  # e2e_replica_set_ldap_agent_auth
  - e2e_replica_set_ldap_agent_client_certs
- - e2e_replica_set_custom_roles
+ - e2e_replica_set_ldap_custom_roles
  - e2e_replica_set_update_roles_no_privileges
  - e2e_replica_set_ldap_group_dn
  - e2e_replica_set_ldap_group_dn_with_x509_agent
@@ -911,6 +911,7 @@ task_groups:
  - e2e_tls_x509_configure_all_options_sc
  - e2e_tls_x509_sc
  - e2e_meko_mck_upgrade
+ - e2e_mongodb_custom_roles
  - e2e_sharded_cluster_oidc_m2m_group
  - e2e_sharded_cluster_oidc_m2m_user
  - e2e_multi_cluster_oidc_m2m_group

PROJECT

@@ -1,5 +1,13 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: mongodb.com
-layout: go.kubebuilder.io/v3
+layout:
+- go.kubebuilder.io/v3
+plugins:
+ manifests.sdk.operatorframework.io/v2: {}
+ scorecard.sdk.operatorframework.io/v2: {}
 projectName: mongodb-kubernetes
 repo: github.com/mongodb/mongodb-kubernetes
 resources:
@@ -30,7 +38,13 @@ resources:
  kind: MongoDBUser
  path: github.com/mongodb/mongodb-kubernetes/api/v1
  version: v1
+- api:
+ crdVersion: v1
+ namespaced: false
+ controller: false
+ domain: mongodb.com
+ group: mongodb
+ kind: ClusterMongoDBRole
+ path: github.com/mongodb/mongodb-kubernetes/api/v1
+ version: v1
 version: "3"
-plugins:
- manifests.sdk.operatorframework.io/v2: {}
- scorecard.sdk.operatorframework.io/v2: {}

RELEASE_NOTES.md

@@ -1,6 +1,24 @@
 [//]: # (Consider renaming or removing the header for next release, otherwise it appears as duplicate in the published release, e.g: https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.22.0 )
 <!-- Next Release -->
 
+# MCK 1.2.0 Release Notes
+
+## New Features
+
+* Added new **ClusterMongoDBRole** CRD to support reusable roles across multiple MongoDB clusters.
+ * This allows users to define roles once and reuse them in multiple **MongoDB** or **MongoDBMultiCluster** resources. The role can be referenced through the `.spec.security.roleRefs` field. Note that only one of `.spec.security.roles` and `.spec.security.roleRefs` can be used at a time.
+ * **ClusterMongoDBRole** resources are treated by the operator as a custom role templates that are only used when referenced by the database resources.
+ * The new resource is watched by default by the operator. This means that the operator will require a new **ClusterRole** and **ClusterRoleBinding** to be created in the cluster. **ClusterRole** and **ClusterRoleBinding** resources are created by default with the helm chart or the kubectl mongodb plugin.
+ * To disable this behavior in the helm chart, set the `operator.enableClusterMongoDBRoles` value to `false`. This will disable the creation of the necessary RBAC resources for the **ClusterMongoDBRole** resource, as well as disable the watch for this resource.
+ * To not install the necessary **ClusterRole** and **ClusterRoleBinding** with the kubectl mongodb plugin set the `--create-mongodb-roles-cluster-role` to false.
+ * The new **ClusterMongoDBRole** resource is designed to be read-only, meaning it can be used by MongoDB deployments managed by different operators.
+ * The **ClusterMongoDBRole** resource can be deleted at any time, but the operator will not delete any roles that were created using this resource. To properly remove access, you must **manually** remove the reference to the **ClusterMongoDBRole** in the **MongoDB** or **MongoDBMultiCluster** resources.
+ * The reference documentation for this resource can be found here: **TODO** (link to documentation)
+ * For more information please see: **TODO** (link to documentation)
+
+
+<!-- Past Releases -->
+
 # MCK 1.1.0 Release Notes
 
 ## New Features
@@ -12,7 +30,6 @@
  * minimum MongoDB Community version: 8.0.
  * TLS must be disabled in MongoDB (communication between mongot and mongod is in plaintext for now).
 
-<!-- Past Releases -->
 # MCK 1.0.1 Release Notes
 
 

api/v1/mdb/mongodb_roles_validation.go

@@ -270,7 +270,7 @@ func isValidCIDR(cidr string) bool {
 return err == nil
 }
 
-func roleIsCorrectlyConfigured(role MongoDbRole, mdbVersion string) v1.ValidationResult {
+func RoleIsCorrectlyConfigured(role MongoDBRole, mdbVersion string) v1.ValidationResult {
 // Extensive validation of the roles attribute
 
 if role.Role == "" {
@@ -305,10 +305,10 @@ func roleIsCorrectlyConfigured(role MongoDbRole, mdbVersion string) v1.Validatio
 return v1.ValidationSuccess()
 }
 
-func rolesAttributeisCorrectlyConfigured(d DbCommonSpec) v1.ValidationResult {
+func rolesAttributeIsCorrectlyConfigured(d DbCommonSpec) v1.ValidationResult {
 // Validate every single entry and return error on the first one that fails validation
 for _, role := range d.Security.Roles {
-if res := roleIsCorrectlyConfigured(role, d.Version); res.Level == v1.ErrorLevel {
+if res := RoleIsCorrectlyConfigured(role, d.Version); res.Level == v1.ErrorLevel {
 return v1.ValidationError("Error validating role - %s", res.Msg)
 }
 }

api/v1/mdb/mongodb_types.go

@@ -742,10 +742,16 @@ type SharedConnectionSpec struct {
 CloudManagerConfig *PrivateCloudConfig `json:"cloudManager,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="!(has(self.roles) && has(self.roleRefs)) || !(self.roles.size() > 0 && self.roleRefs.size() > 0)",message="At most one of roles or roleRefs can be non-empty"
 type Security struct {
 TLSConfig *TLSConfig `json:"tls,omitempty"`
 Authentication *Authentication `json:"authentication,omitempty"`
-Roles []MongoDbRole `json:"roles,omitempty"`
+
+// +optional
+Roles []MongoDBRole `json:"roles,omitempty"`
+
+// +optional
+RoleRefs []MongoDBRoleRef `json:"roleRefs,omitempty"`
 
 // +optional
 CertificatesSecretsPrefix string `json:"certsSecretPrefix"`
@@ -973,7 +979,16 @@ type InheritedRole struct {
 Role string `json:"role"`
 }
 
-type MongoDbRole struct {
+type MongoDBRoleRef struct {
+// +kubebuilder:validation:Required
+Name string `json:"name"`
+
+// +kubebuilder:validation:Enum=ClusterMongoDBRole
+// +kubebuilder:validation:Required
+Kind string `json:"kind"`
+}
+
+type MongoDBRole struct {
 Role string `json:"role"`
 AuthenticationRestrictions []AuthenticationRestriction `json:"authenticationRestrictions,omitempty"`
 Db string `json:"db"`
@@ -1604,7 +1619,10 @@ func EnsureSecurity(sec *Security) *Security {
 sec.TLSConfig = &TLSConfig{}
 }
 if sec.Roles == nil {
-sec.Roles = make([]MongoDbRole, 0)
+sec.Roles = make([]MongoDBRole, 0)
+}
+if sec.RoleRefs == nil {
+sec.RoleRefs = make([]MongoDBRoleRef, 0)
 }
 return sec
 }

api/v1/mdb/mongodb_validation.go

@@ -394,7 +394,7 @@ func CommonValidators(db DbCommonSpec) []func(d DbCommonSpec) v1.ValidationResul
 deploymentsMustHaveAgentModeInAuthModes,
 scramSha1AuthValidation,
 ldapAuthRequiresEnterprise,
-rolesAttributeisCorrectlyConfigured,
+rolesAttributeIsCorrectlyConfigured,
 agentModeIsSetIfMoreThanADeploymentAuthModeIsSet,
 ldapGroupDnIsSetIfLdapAuthzIsEnabledAndAgentsAreExternal,
 specWithExactlyOneSchema,

api/v1/mdb/mongodbbuilder.go

@@ -146,6 +146,22 @@ func (b *MongoDBBuilder) SetSecurityTLSEnabled() *MongoDBBuilder {
 return b
 }
 
+func (b *MongoDBBuilder) SetRoles(roles []MongoDBRole) *MongoDBBuilder {
+if b.mdb.Spec.Security == nil {
+b.mdb.Spec.Security = &Security{}
+}
+b.mdb.Spec.Security.Roles = roles
+return b
+}
+
+func (b *MongoDBBuilder) SetRoleRefs(roleRefs []MongoDBRoleRef) *MongoDBBuilder {
+if b.mdb.Spec.Security == nil {
+b.mdb.Spec.Security = &Security{}
+}
+b.mdb.Spec.Security.RoleRefs = roleRefs
+return b
+}
+
 func (b *MongoDBBuilder) SetLabels(labels map[string]string) *MongoDBBuilder {
 b.mdb.Labels = labels
 return b

api/v1/mdb/zz_generated.deepcopy.go

@@ -46,7 +46,7 @@ func DefaultMultiReplicaSetBuilder() *MultiReplicaSetBuilder {
 Authentication: &mdbv1.Authentication{
 Modes: []mdbv1.AuthMode{},
 },
-Roles: []mdbv1.MongoDbRole{},
+Roles: []mdbv1.MongoDBRole{},
 },
 DuplicateServiceObjects: util.BooleanRef(false),
 },
@@ -73,6 +73,14 @@ func (m *MultiReplicaSetBuilder) SetSecurity(s *mdbv1.Security) *MultiReplicaSet
 return m
 }
 
+func (m *MultiReplicaSetBuilder) SetRoleRefs(roleRefs []mdbv1.MongoDBRoleRef) *MultiReplicaSetBuilder {
+if m.Spec.Security == nil {
+m.Spec.Security = &mdbv1.Security{}
+}
+m.Spec.Security.RoleRefs = roleRefs
+return m
+}
+
 func (m *MultiReplicaSetBuilder) SetClusterSpecList(clusters []string) *MultiReplicaSetBuilder {
 randFive, err := rand.Int(rand.Reader, big.NewInt(5))
 if err != nil {