Merge remote-tracking branch 'origin/master' into search/public-preview

Author: lsierant

.evergreen-periodic-builds.yaml

@@ -103,6 +103,22 @@ tasks:
         vars:
           image_name: mongodb-agent-1-daily
 
+  - name: periodic_build_agent_2
+    exec_timeout_secs: 43200
+    commands:
+      - func: enable_QEMU
+      - func: pipeline
+        vars:
+          image_name: mongodb-agent-2-daily
+
+  - name: periodic_build_agent_3
+    exec_timeout_secs: 43200
+    commands:
+      - func: enable_QEMU
+      - func: pipeline
+        vars:
+          image_name: mongodb-agent-3-daily
+
   #TODO should we still build the community operator?
   - name: periodic_build_community_operator
     commands:
@@ -142,6 +158,8 @@ task_groups:
       - periodic_build_sbom_cli
       - periodic_build_agent
       - periodic_build_agent_1
+      - periodic_build_agent_2
+      - periodic_build_agent_3
 
   - name: periodic_teardown_task_group
     <<: *setup_group

.githooks/pre-commit

@@ -33,7 +33,11 @@ function generate_standalone_yaml() {
   mkdir -p "${charttmpdir}"
 
   FILES=(
-    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles.yaml"
+    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-base.yaml"
+    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml"
+    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml"
+    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-telemetry.yaml"
+    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-webhook.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/database-roles.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/operator-sa.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/operator.yaml"
@@ -45,22 +49,25 @@ function generate_standalone_yaml() {
   cat "helm_chart/crds/"* >public/crds.yaml
 
   # generate openshift public example
-  rm -rf "${charttmpdir:?}/*"
+  rm -rf "${charttmpdir:?}"/*
   helm template --namespace mongodb -f helm_chart/values.yaml helm_chart --output-dir "${charttmpdir}" --values helm_chart/values-openshift.yaml ${HELM_OPTS[@]}
   cat "${FILES[@]}" >public/mongodb-kubernetes-openshift.yaml
 
   # generate openshift files for kustomize used for generating OLM bundle
-  rm -rf "${charttmpdir:?}/*"
+  rm -rf "${charttmpdir:?}"/*
   helm template --namespace mongodb -f helm_chart/values.yaml helm_chart --output-dir "${charttmpdir}" --values helm_chart/values-openshift.yaml \
     --set operator.webhook.registerConfiguration=false --set operator.webhook.installClusterRole=false ${HELM_OPTS[@]}
 
   # update kustomize files for OLM bundle with files generated for openshift
   cp "${charttmpdir}/mongodb-kubernetes/templates/operator.yaml" config/manager/manager.yaml
   cp "${charttmpdir}/mongodb-kubernetes/templates/database-roles.yaml" config/rbac/database-roles.yaml
-  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles.yaml" config/rbac/operator-roles.yaml
+  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-base.yaml" config/rbac/operator-roles-base.yaml
+  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml" config/rbac/operator-roles-clustermongodbroles.yaml
+  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml" config/rbac/operator-roles-pvc-resize.yaml
+  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-telemetry.yaml" config/rbac/operator-roles-telemetry.yaml
 
   # generate multi-cluster public example
-  rm -rf "${charttmpdir:?}/*"
+  rm -rf "${charttmpdir:?}"/*
   helm template --namespace mongodb -f helm_chart/values.yaml helm_chart --output-dir "${charttmpdir}" --values helm_chart/values-multi-cluster.yaml ${HELM_OPTS[@]}
   cat "${FILES[@]}" >public/mongodb-kubernetes-multi-cluster.yaml
 

RELEASE_NOTES.md

@@ -1,6 +1,15 @@
 [//]: # (Consider renaming or removing the header for next release, otherwise it appears as duplicate in the published release, e.g: https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.22.0 )
 <!-- Next Release -->
 
+# MCK 1.3.0 Release Notes
+
+## Other Changes
+* Optional permissions for `PersistentVolumeClaim` moved to a separate role. When managing the operator with Helm it is possible to disable permissions for `PersistentVolumeClaim` resources by setting `operator.enablePVCResize` value to `false` (`true` by default). When enabled, previously these permissions were part of the primary operator role. With this change, permissions have a separate role.
+* `subresourceEnabled` Helm value was removed. This setting used to be `true` by default and made it possible to exclude subresource permissions from the operator role by specifying `false` as the value. We are removing this configuration option, making the operator roles always have subresource permissions. This setting was introduced as a temporary solution for [this](https://bugzilla.redhat.com/show_bug.cgi?id=1803171) OpenShift issue. The issue has since been resolved and the setting is no longer needed.
+
+
+<!-- Past Releases -->
+
 # MCK 1.2.0 Release Notes
 
 ## New Features
@@ -28,7 +37,6 @@
 ## Bug Fixes
 * Fixed an issue where moving a **MongoDBMultiCluster** resource to a new project (or a new OM instance) would leave the deployment in a failed state.
 
-<!-- Past Releases -->
 
 # MCK 1.1.0 Release Notes
 

changelog/20250715_other_split_persistentvolumeclaims_rbac_into_a_separate.md

@@ -0,0 +1,7 @@
+---
+title: Permissions for PersistentVolumeClaim moved to a separate role
+kind: other
+date: 2025-07-15
+---
+
+* Optional permissions for `PersistentVolumeClaim` moved to a separate role. When managing the operator with Helm it is possible to disable permissions for `PersistentVolumeClaim` resources by setting `operator.enablePVCResize` value to `false` (`true` by default). When enabled, previously these permissions were part of the primary operator role. With this change, permissions have a separate role.

changelog/20250715_other_subresourceenabled_helm_value_removed.md

@@ -0,0 +1,7 @@
+---
+title: subresourceEnabled Helm value was removed
+kind: other
+date: 2025-07-15
+---
+
+* `subresourceEnabled` Helm value was removed. This setting used to be `true` by default and made it possible to exclude subresource permissions from the operator role by specifying `false` as the value. We are removing this configuration option, making the operator roles always have subresource permissions. This setting was introduced as a temporary solution for [this](https://bugzilla.redhat.com/show_bug.cgi?id=1803171) OpenShift issue. The issue has since been resolved and the setting is no longer needed.

config/rbac/kustomization.yaml

@@ -3,7 +3,10 @@ kind: Kustomization
 
 resources:
   - database-roles.yaml
-  - operator-roles.yaml
+  - operator-roles-base.yaml
+  - operator-roles-clustermongodbroles.yaml
+  - operator-roles-pvc-resize.yaml
+  - operator-roles-telemetry.yaml
 
 # we have to remove service account namespace from RoleBinding as OLM is not overriding it
 patchesJson6902:
@@ -13,4 +16,3 @@ patchesJson6902:
       kind: RoleBinding
       name: mongodb-kubernetes-appdb
     path: database-roles-patch-namespace.yaml
-

config/rbac/operator-roles-base.yaml

@@ -0,0 +1,96 @@
+---
+# Source: mongodb-kubernetes/templates/operator-roles-base.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator
+  namespace: mongodb
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+      - configmaps
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - delete
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+      - delete
+      - deletecollection
+  - apiGroups:
+      - mongodbcommunity.mongodb.com
+    resources:
+      - mongodbcommunity
+      - mongodbcommunity/status
+      - mongodbcommunity/spec
+      - mongodbcommunity/finalizers
+    verbs:
+      - '*'
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - mongodb
+      - mongodb/finalizers
+      - mongodbusers
+      - mongodbusers/finalizers
+      - opsmanagers
+      - opsmanagers/finalizers
+      - mongodbmulticluster
+      - mongodbmulticluster/finalizers
+      - mongodbsearch
+      - mongodbsearch/finalizers
+      - mongodb/status
+      - mongodbusers/status
+      - opsmanagers/status
+      - mongodbmulticluster/status
+      - mongodbsearch/status
+---
+# Source: mongodb-kubernetes/templates/operator-roles-base.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mongodb-kubernetes-operator
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator
+    namespace: mongodb

config/rbac/operator-roles-clustermongodbroles.yaml

@@ -0,0 +1,27 @@
+---
+# Source: mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+rules:
+  - apiGroups:
+      - mongodb.com
+    verbs:
+      - '*'
+    resources:
+      - clustermongodbroles
+---
+# Source: mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-kubernetes-operator-mongodb-cluster-mongodb-role
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator
+    namespace: mongodb

config/rbac/operator-roles-pvc-resize.yaml

@@ -0,0 +1,34 @@
+---
+# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-pvc-resize
+  namespace: mongodb
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - delete
+      - list
+      - watch
+      - patch
+      - update
+---
+# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-pvc-resize-binding
+  namespace: mongodb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mongodb-kubernetes-operator-pvc-resize
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator
+    namespace: mongodb

config/rbac/operator-roles-telemetry.yaml

@@ -0,0 +1,43 @@
+---
+# Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml
+# Additional ClusterRole for clusterVersionDetection
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-cluster-telemetry
+rules:
+  # Non-resource URL permissions
+  - nonResourceURLs:
+      - "/version"
+    verbs:
+      - get
+  # Cluster-scoped resource permissions
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+    resourceNames:
+      - kube-system
+    verbs:
+      - get
+  - apiGroups:
+      - ''
+    resources:
+      - nodes
+    verbs:
+      - list
+---
+# Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml
+# ClusterRoleBinding for clusterVersionDetection
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: mongodb-kubernetes-operator-mongodb-cluster-telemetry-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: mongodb-kubernetes-operator-cluster-telemetry
+subjects:
+  - kind: ServiceAccount
+    name: mongodb-kubernetes-operator
+    namespace: mongodb