add option to not install clusterrole for telemetry (#4133)

# Summary

- some customers might have multiple operators in the same cluster. If
yes, enabling telemetry would install the clusterrole (non-namespaced
resource) multiple times and fail
- this adds support for customers to not install the clusterrole as a
helm chart setting

## Proof of Work

no clusterrole
```
1.24.0 ~/projects/ops-manager-kubernetes better-helm-chart*                                                                                kind-e2e-operator/nnguyen-evg-single 05:45:26 PM
❯ helm install operator helm_chart --set operator.telemetry.installClusterRoles=false
NAME: operator
LAST DEPLOYED: Wed Feb 26 17:45:30 2025
NAMESPACE: nnguyen-evg-single
STATUS: deployed
REVISION: 1
TEST SUITE: None
1.24.0 ~/projects/ops-manager-kubernetes better-helm-chart*                                                                                kind-e2e-operator/nnguyen-evg-single 05:45:33 PM
❯ k get clusterrole  | rg telemetry <--- none
```

clusterrole exists
```
❯ helm install operator helm_chart --set operator.telemetry.installClusterRoles=true
NAME: operator
LAST DEPLOYED: Wed Feb 26 17:47:38 2025
NAMESPACE: nnguyen-evg-single
STATUS: deployed
REVISION: 1
TEST SUITE: None
1.24.0 ~/projects/ops-manager-kubernetes better-helm-chart                                                                                 kind-e2e-operator/nnguyen-evg-single 05:47:42 PM
❯ k get clusterrole  | rg telemetry
mongodb-enterprise-operator-cluster-telemetry                          2025-02-26T16:47:40Z
```

## Checklist
- [ ] Have you linked a jira ticket and/or is the ticket in the title?
- [x] Have you checked whether your jira ticket required DOCSP changes?
- [x] Have you checked for release_note changes?

Author: nammn

config/rbac/operator-roles.yaml

@@ -7,7 +7,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-enterprise-operator-cluster-telemetry
 rules:
-
   # Non-resource URL permissions
   - nonResourceURLs:
       - "/version"

helm_chart/templates/operator-roles.yaml

@@ -181,14 +181,15 @@ subjects:
 
 
 {{ if and .Values.operator.telemetry.collection.clusters.enabled .Values.operator.telemetry.enabled}}
+{{- $clusterRoleName := printf "%s-cluster-telemetry" .Values.operator.name }}
+{{- if .Values.operator.telemetry.installClusterRoles }}
 ---
 # Additional ClusterRole for clusterVersionDetection
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Values.operator.name }}-cluster-telemetry
+  name: {{ $clusterRoleName }}
 rules:
-{{ if .Values.operator.telemetry.collection.clusters.enabled }}
   # Non-resource URL permissions
   - nonResourceURLs:
       - "/version"
@@ -219,7 +220,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Values.operator.name }}-cluster-telemetry
+  name: {{ $clusterRoleName }}
 subjects:
   - kind: ServiceAccount
     name: {{ .Values.operator.name }}

helm_chart/values.yaml

@@ -101,14 +101,15 @@ operator:
   telemetry:
     # Enables telemetry. Setting this to false will stop all telemetry related work on the operator.
     enabled: true
+    # Adds RBAC clusterRole for kube-system uid detection for the kubernetes cluster uid
+    # Adds RBAC clusterRole for RBAC for nodes. We are listing exactly one node to detect the cluster provider (e.g. eks)
+    # Adds RBAC clusterRole for /version query for detecting kubernetes server version
+    # Note: the cluster UUID is unique but random and mongoDB has no way to map this to a customer.
+    installClusterRoles: true
     collection:
       # Valid time units are "m", "h". Anything less than one minute defaults to 1h
       frequency: 1h
       # Enables the operator to collect and send cluster level telemetry
-      # Adds RBAC clusterRole for kube-system uid detection for the kubernetes cluster uid
-      # Adds RBAC clusterRole for RBAC for nodes. We are listing exactly one node to detect the cluster provider (e.g. eks)
-      # Adds RBAC clusterRole for /version query for detecting kubernetes server version
-      # Note: the cluster UUID is unique but random and mongoDB has no way to map this to a customer.
       clusters:
         enabled: true
       # Enables the operator to collect and send deployment level telemetry

public/mongodb-enterprise-multi-cluster.yaml

@@ -33,7 +33,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-enterprise-operator-multi-cluster-cluster-telemetry
 rules:
-
   # Non-resource URL permissions
   - nonResourceURLs:
       - "/version"

public/mongodb-enterprise-openshift.yaml

@@ -33,7 +33,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-enterprise-operator-cluster-telemetry
 rules:
-
   # Non-resource URL permissions
   - nonResourceURLs:
       - "/version"

public/mongodb-enterprise.yaml

@@ -33,7 +33,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: mongodb-enterprise-operator-cluster-telemetry
 rules:
-
   # Non-resource URL permissions
   - nonResourceURLs:
       - "/version"

scripts/funcs/operator_deployment

@@ -32,6 +32,7 @@ get_operator_helm_values() {
     "operator.enablePVCResize=${MDB_ENABLE_PVC_RESIZE:-true}"
     "operator.telemetry.enabled=true"
     "operator.telemetry.collection.clusters.enabled=${MDB_OPERATOR_TELEMETRY_COLLECTION_CLUSTERS_ENABLED:-true}"
+    "operator.telemetry.collection.clusters.installClusterRoles=true"
     "operator.telemetry.collection.deployments.enabled=true"
     "operator.telemetry.collection.operators.enabled=true"
     # only send the telemetry to the backend on a specific variant, thus default to false