CLOUDP-322487 - Change webhook's CR and CRB resource names to include operator name and namespace (#393)

# Summary

This pull request introduces Helm chart unit tests to the CI pipeline
and ensures consistent naming for ClusterRole and ClusterRoleBinding
resources in the Helm chart. The most important changes are grouped
below:

**Helm Chart Testing Integration:**

* Added a `helm-tests` target to the `Makefile` to run Helm chart unit
tests using the `helm-unittest` plugin. The target installs the plugin
if necessary and runs tests in the `helm_chart` directory.
* Created a `test_helm_unit` function in `.evergreen-functions.yml` to
execute the new Helm unit tests as part of CI.
* Added a `unit_tests_helm` task to `.evergreen.yml` and included it in
the `unit_tests_task_group` to ensure Helm unit tests run with other
unit tests in the CI pipeline.
**Helm Chart Improvements and Testing:**

* Updated `operator-roles-webhook.yaml` to dynamically generate
consistent names for ClusterRole and ClusterRoleBinding resources based
on the operator name and namespace, preventing naming conflicts across
multiple installations.
* Added a new Helm unit test suite (`webhook_clusterrole_test.yaml`) to
verify that ClusterRole and ClusterRoleBinding names are consistent and
unique per installation.


# Example

the new names:
**binding**
`<name>-<ns>-webhook-crb`
**role**
` <name>-<ns>-webhook-cr`

old names:
**binding**
`<name>-<ns>-webhook`
**role**
`mongodb-kubernetes-operator-mongodb-webhook`




## Proof of Work

- green ci 
- helm chart unit test as part of unit test:
[Link](https://spruce.mongodb.com/task/mongodb_kubernetes_unit_tests_unit_tests_helm_patch_b7211ae9f98ec21a895a77f164f74e66519f4bd4_68b6bd8e10a56d0007c1cfc5_25_09_02_09_49_06/logs?execution=0)
(IMO that unit test is more for documentation than actually testing, its
nice to have a view how those names are generated in the end)


## Checklist

- [x] Have you linked a jira ticket and/or is the ticket in the title?
- [x] Have you checked whether your jira ticket required DOCSP changes?
- [x] Have you added changelog file?
    - use `skip-changelog` label if not needed
- refer to [Changelog files and Release
Notes](https://github.com/mongodb/mongodb-kubernetes/blob/master/CONTRIBUTING.md#changelog-files-and-release-notes)
section in CONTRIBUTING.md for more details

---------

Co-authored-by: Vivek Singh <[email protected]>

Author: nammn

.evergreen-functions.yml

@@ -727,6 +727,16 @@ functions:
       params:
         files: [ "src/github.com/mongodb/mongodb-kubernetes/*.suite", "src/github.com/mongodb/mongodb-kubernetes/docker/mongodb-kubernetes-init-ops-manager/mmsconfiguration/*.suite" ]
 
+  test_helm_unit:
+    - command: shell.exec
+      type: test
+      params:
+        shell: bash
+        working_dir: src/github.com/mongodb/mongodb-kubernetes
+        script: |
+          source .generated/context.export.env
+          make helm-tests
+
   test_python_unit:
     - command: shell.exec
       type: test

.evergreen.yml

@@ -275,6 +275,11 @@ tasks:
     commands:
       - func: "test_python_unit"
 
+  - name: unit_tests_helm
+    tags: [ "unit_tests" ]
+    commands:
+      - func: "test_helm_unit"
+
   - name: sbom_tests
     tags: [ "unit_tests" ]
     # The SBOM tests run only on commit builds. Running this on patches might cause false-positive failures
@@ -665,6 +670,7 @@ task_groups:
       - lint_repo
       - unit_tests_golang
       - unit_tests_python
+      - unit_tests_helm
       - sbom_tests
 
   - name: gke_code_snippets_task_group

Makefile

@@ -300,8 +300,17 @@ test-race: generate fmt vet manifests golang-tests-race
 
 test: generate fmt vet manifests golang-tests
 
-# all-tests will run golang and python tests without race (used locally)
-all-tests: test python-tests
+# helm-tests will run helm chart unit tests
+helm-tests:
+	@echo "Running helm chart unit tests..."
+	@if ! helm plugin list | grep -q unittest; then \
+		echo "Installing helm-unittest plugin..."; \
+		helm plugin install https://github.com/helm-unittest/helm-unittest; \
+	fi
+	helm unittest helm_chart --color
+
+# all-tests will run golang, python, and helm tests without race (used locally)
+all-tests: test python-tests helm-tests
 
 # Build manager binary
 manager: generate fmt vet

changelog/20250902_fix_helm_chart_webhook_per_namespace.md

@@ -0,0 +1,7 @@
+---
+title: helm chart - webhook per namespace
+kind: fix
+date: 2025-09-02
+---
+
+* Changed webhook ClusterRole and ClusterRoleBinding default names to include the namespace. This ensures that multiple operator installations in different namespaces don't conflict with each other.

helm_chart/templates/operator-roles-webhook.yaml

@@ -1,12 +1,13 @@
 
 {{/* This cluster role and binding is necessary to allow the operator to automatically register ValidatingWebhookConfiguration. */}}
 {{- if and .Values.operator.webhook.registerConfiguration .Values.operator.webhook.installClusterRole }}
-{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "mongodb-kubernetes-operator-mongodb-webhook") }}
+{{- $webhookClusterRoleName := printf "%s-%s-webhook-cr" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }}
+{{- $webhookClusterRoleBindingName := printf "%s-%s-webhook-crb" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{.Values.operator.baseName}}-operator-mongodb-webhook
+  name: {{ $webhookClusterRoleName }}
 rules:
   - apiGroups:
       - "admissionregistration.k8s.io"
@@ -28,17 +29,16 @@ rules:
       - create
       - update
       - delete
-{{- end }}
 ---
 
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Values.operator.name }}-{{ include "mongodb-kubernetes-operator.namespace" . }}-webhook-binding
+  name: {{ $webhookClusterRoleBindingName }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{.Values.operator.baseName}}-operator-mongodb-webhook
+  name: {{ $webhookClusterRoleName }}
 subjects:
   - kind: ServiceAccount
     name: {{ .Values.operator.name }}

helm_chart/tests/webhook_clusterrole_test.yaml

@@ -0,0 +1,52 @@
+suite: test webhook consistent clusterrole and binding
+templates:
+  - operator-roles-webhook.yaml
+tests:
+  - it: should have consistent ClusterRole and ClusterRoleBinding names
+    set:
+      operator.webhook.registerConfiguration: true
+      operator.webhook.installClusterRole: true
+    asserts:
+      - hasDocuments:
+          count: 2
+      - isKind:
+          of: ClusterRole
+        documentIndex: 0
+      - isKind:
+          of: ClusterRoleBinding
+        documentIndex: 1
+      - equal:
+          path: metadata.name
+          value: mongodb-kubernetes-operator-NAMESPACE-webhook-cr
+        documentIndex: 0
+      - equal:
+          path: metadata.name
+          value: mongodb-kubernetes-operator-NAMESPACE-webhook-crb
+        documentIndex: 1
+      - equal:
+          path: roleRef.name
+          value: mongodb-kubernetes-operator-NAMESPACE-webhook-cr
+        documentIndex: 1
+
+  # Test that different installations get unique names (prevents conflicts)
+  - it: should create unique names per installation
+    set:
+      operator.name: my-operator
+      operator.namespace: custom-ns
+      operator.webhook.registerConfiguration: true
+      operator.webhook.installClusterRole: true
+    release:
+      namespace: custom-ns
+    asserts:
+      - equal:
+          path: metadata.name
+          value: my-operator-custom-ns-webhook-cr
+        documentIndex: 0
+      - equal:
+          path: metadata.name
+          value: my-operator-custom-ns-webhook-crb
+        documentIndex: 1
+      - equal:
+          path: roleRef.name
+          value: my-operator-custom-ns-webhook-cr
+        documentIndex: 1

public/mongodb-kubernetes-multi-cluster.yaml

@@ -203,7 +203,7 @@ subjects:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: mongodb-kubernetes-operator-mongodb-webhook
+  name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-cr
 rules:
   - apiGroups:
       - "admissionregistration.k8s.io"
@@ -230,11 +230,11 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-binding
+  name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-crb
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: mongodb-kubernetes-operator-mongodb-webhook
+  name: mongodb-kubernetes-operator-multi-cluster-mongodb-webhook-cr
 subjects:
   - kind: ServiceAccount
     name: mongodb-kubernetes-operator-multi-cluster

public/mongodb-kubernetes-openshift.yaml

@@ -203,7 +203,7 @@ subjects:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: mongodb-kubernetes-operator-mongodb-webhook
+  name: mongodb-kubernetes-operator-mongodb-webhook-cr
 rules:
   - apiGroups:
       - "admissionregistration.k8s.io"
@@ -230,11 +230,11 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: mongodb-kubernetes-operator-mongodb-webhook-binding
+  name: mongodb-kubernetes-operator-mongodb-webhook-crb
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: mongodb-kubernetes-operator-mongodb-webhook
+  name: mongodb-kubernetes-operator-mongodb-webhook-cr
 subjects:
   - kind: ServiceAccount
     name: mongodb-kubernetes-operator

public/mongodb-kubernetes.yaml

@@ -203,7 +203,7 @@ subjects:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: mongodb-kubernetes-operator-mongodb-webhook
+  name: mongodb-kubernetes-operator-mongodb-webhook-cr
 rules:
   - apiGroups:
       - "admissionregistration.k8s.io"
@@ -230,11 +230,11 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: mongodb-kubernetes-operator-mongodb-webhook-binding
+  name: mongodb-kubernetes-operator-mongodb-webhook-crb
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: mongodb-kubernetes-operator-mongodb-webhook
+  name: mongodb-kubernetes-operator-mongodb-webhook-cr
 subjects:
   - kind: ServiceAccount
     name: mongodb-kubernetes-operator