Refactor custom roles in crd (#293)

* Refactor Roles from Spec.Security.Authentication to Spec.Security

* Add missing crd field

* Fix yaml whitespace

Author: alyacb

deploy/crds/mongodb.com_mongodb_crd.yaml

@@ -75,96 +75,95 @@ spec:
                         - SCRAM
                         type: string
                       type: array
-                    roles:
-                      description: User-specified custom MongoDB roles that should
-                        be configured in the deployment.
-                      items:
-                        description: CustomRole defines a custom MongoDB role.
-                        properties:
-                          authenticationRestrictions:
-                            description: The authentication restrictions the server
-                              enforces on the role.
-                            items:
-                              description: AuthenticationRestriction specifies a list
-                                of IP addresses and CIDR ranges users are allowed
-                                to connect to or from.
-                              properties:
-                                clientSource:
-                                  items:
-                                    type: string
-                                  type: array
-                                serverAddress:
-                                  items:
-                                    type: string
-                                  type: array
-                              required:
-                              - clientSource
-                              - serverAddress
-                              type: object
-                            type: array
-                          db:
-                            description: The database of the role.
-                            type: string
-                          privileges:
-                            description: The privileges to grant the role.
-                            items:
-                              description: Privilege defines the actions a role is
-                                allowed to perform on a given resource.
-                              properties:
-                                actions:
-                                  items:
-                                    type: string
-                                  type: array
-                                resource:
-                                  description: Resource specifies specifies the resources
-                                    upon which a privilege permits actions. See https://docs.mongodb.com/manual/reference/resource-document
-                                    for more.
-                                  properties:
-                                    anyResource:
-                                      type: boolean
-                                    cluster:
-                                      type: boolean
-                                    collection:
-                                      type: string
-                                    db:
-                                      type: string
-                                  type: object
-                              required:
-                              - actions
-                              - resource
-                              type: object
-                            type: array
-                          role:
-                            description: The name of the role.
-                            type: string
-                          roles:
-                            description: An array of roles from which this role inherits
-                              privileges.
-                            items:
-                              description: Role is the database role this user should
-                                have
+                  required:
+                  - modes
+                  type: object
+                roles:
+                  description: User-specified custom MongoDB roles that should be
+                    configured in the deployment.
+                  items:
+                    description: CustomRole defines a custom MongoDB role.
+                    properties:
+                      authenticationRestrictions:
+                        description: The authentication restrictions the server enforces
+                          on the role.
+                        items:
+                          description: AuthenticationRestriction specifies a list
+                            of IP addresses and CIDR ranges users are allowed to connect
+                            to or from.
+                          properties:
+                            clientSource:
+                              items:
+                                type: string
+                              type: array
+                            serverAddress:
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - clientSource
+                          - serverAddress
+                          type: object
+                        type: array
+                      db:
+                        description: The database of the role.
+                        type: string
+                      privileges:
+                        description: The privileges to grant the role.
+                        items:
+                          description: Privilege defines the actions a role is allowed
+                            to perform on a given resource.
+                          properties:
+                            actions:
+                              items:
+                                type: string
+                              type: array
+                            resource:
+                              description: Resource specifies specifies the resources
+                                upon which a privilege permits actions. See https://docs.mongodb.com/manual/reference/resource-document
+                                for more.
                               properties:
-                                db:
-                                  description: DB is the database the role can act
-                                    on
+                                anyResource:
+                                  type: boolean
+                                cluster:
+                                  type: boolean
+                                collection:
                                   type: string
-                                name:
-                                  description: Name is the name of the role
+                                db:
                                   type: string
-                              required:
-                              - db
-                              - name
                               type: object
-                            type: array
-                        required:
-                        - db
-                        - privileges
-                        - role
-                        type: object
-                      type: array
-                  required:
-                  - modes
-                  type: object
+                          required:
+                          - actions
+                          - resource
+                          type: object
+                        type: array
+                      role:
+                        description: The name of the role.
+                        type: string
+                      roles:
+                        description: An array of roles from which this role inherits
+                          privileges.
+                        items:
+                          description: Role is the database role this user should
+                            have
+                          properties:
+                            db:
+                              description: DB is the database the role can act on
+                              type: string
+                            name:
+                              description: Name is the name of the role
+                              type: string
+                          required:
+                          - db
+                          - name
+                          type: object
+                        type: array
+                    required:
+                    - db
+                    - privileges
+                    - role
+                    type: object
+                  type: array
                 tls:
                   description: TLS configuration for both client-server and server-server
                     communication

deploy/crds/mongodb.com_v1_mongodb_custom_role.yaml

@@ -10,16 +10,16 @@ spec:
   security:
     authentication:
       modes: ["SCRAM"]
-      roles: # custom roles are defined here
-        - role: testRole
-          db: admin
-          privileges:
-            - resource:
-                db: "test"
-                collection: "" # an empty string indicates any collection
-              actions:
-                - find
-          roles: []
+    roles: # custom roles are defined here
+      - role: testRole
+        db: admin
+        privileges:
+          - resource:
+              db: "test"
+              collection: "" # an empty string indicates any collection
+            actions:
+              - find
+        roles: []
   users:
     - name: my-user
       db: admin

pkg/apis/mongodb/v1/mongodb_types.go

@@ -273,6 +273,9 @@ type Security struct {
 	// TLS configuration for both client-server and server-server communication
 	// +optional
 	TLS TLS `json:"tls"`
+	// User-specified custom MongoDB roles that should be configured in the deployment.
+	// +optional
+	Roles []CustomRole `json:"roles,omitempty"`
 }
 
 // TLS is the configuration used to set up TLS encryption
@@ -306,10 +309,6 @@ type LocalObjectReference struct {
 type Authentication struct {
 	// Modes is an array specifying which authentication methods should be enabled
 	Modes []AuthMode `json:"modes"`
-
-	// User-specified custom MongoDB roles that should be configured in the deployment.
-	// +optional
-	Roles []CustomRole `json:"roles,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=SCRAM

pkg/apis/mongodb/v1/zz_generated.deepcopy.go

@@ -552,7 +552,7 @@ func (r ReplicaSetReconciler) validateUpdate(mdb mdbv1.MongoDB) error {
 }
 
 func getCustomRolesModification(mdb mdbv1.MongoDB) (automationconfig.Modification, error) {
-	roles := mdb.Spec.Security.Authentication.Roles
+	roles := mdb.Spec.Security.Roles
 	if roles == nil {
 		return automationconfig.NOOP(), nil
 	}

pkg/controller/mongodb/replica_set_controller.go

@@ -29,7 +29,7 @@ func TestReplicaSetCustomRole(t *testing.T) {
 	anyCollection := ""
 
 	mdb, user := e2eutil.NewTestMongoDB("mdb0", "")
-	mdb.Spec.Security.Authentication.Roles = []mdbv1.CustomRole{
+	mdb.Spec.Security.Roles = []mdbv1.CustomRole{
 		{
 			Role: "testRole",
 			DB:   "admin",
@@ -87,7 +87,7 @@ func TestReplicaSetCustomRole(t *testing.T) {
 	t.Run("AutomationConfig has the correct version", mongodbtests.AutomationConfigVersionHasTheExpectedVersion(&mdb, 1))
 
 	// Verify automation config roles and roles created in admin database.
-	roles := mdbv1.ConvertCustomRolesToAutomationConfigCustomRole(mdb.Spec.Security.Authentication.Roles)
+	roles := mdbv1.ConvertCustomRolesToAutomationConfigCustomRole(mdb.Spec.Security.Roles)
 	t.Run("AutomationConfig has the correct custom role", mongodbtests.AutomationConfigHasTheExpectedCustomRoles(&mdb, roles))
 	t.Run("Custom Role was created ", tester.VerifyRoles(roles, 1))