CLOUDP-322487 - Webhook clusterrole

.evergreen-functions.yml

@@ -727,6 +727,16 @@ functions:
       params:
         files: [ "src/github.com/mongodb/mongodb-kubernetes/*.suite", "src/github.com/mongodb/mongodb-kubernetes/docker/mongodb-kubernetes-init-ops-manager/mmsconfiguration/*.suite" ]
 
+  test_helm_unit:
+    - command: shell.exec
+      type: test
+      params:
+        shell: bash
+        working_dir: src/github.com/mongodb/mongodb-kubernetes
+        script: |
+          source .generated/context.export.env
+          make helm-tests
+
   test_python_unit:
     - command: shell.exec
       type: test

.evergreen.yml

@@ -275,6 +275,11 @@ tasks:
     commands:
       - func: "test_python_unit"
 
+  - name: unit_tests_helm
+    tags: [ "unit_tests" ]
+    commands:
+      - func: "test_helm_unit"
+
   - name: sbom_tests
     tags: [ "unit_tests" ]
     # The SBOM tests run only on commit builds. Running this on patches might cause false-positive failures
@@ -665,6 +670,7 @@ task_groups:
       - lint_repo
       - unit_tests_golang
       - unit_tests_python
+      - unit_tests_helm
       - sbom_tests
 
   - name: gke_code_snippets_task_group

Makefile

@@ -300,8 +300,17 @@ test-race: generate fmt vet manifests golang-tests-race
 
 test: generate fmt vet manifests golang-tests
 
-# all-tests will run golang and python tests without race (used locally)
-all-tests: test python-tests
+# helm-tests will run helm chart unit tests
+helm-tests: ## Run helm chart unit tests
+	@echo "Running helm chart unit tests..."
+	@if ! helm plugin list | grep -q unittest; then \
+		echo "Installing helm-unittest plugin..."; \
+		helm plugin install https://github.com/helm-unittest/helm-unittest; \
+	fi
+	helm unittest helm_chart --color
+
+# all-tests will run golang, python, and helm tests without race (used locally)
+all-tests: test python-tests helm-tests
 
 # Build manager binary
 manager: generate fmt vet

helm_chart/templates/operator-roles-webhook.yaml

@@ -1,12 +1,13 @@
 
 {{/* This cluster role and binding is necessary to allow the operator to automatically register ValidatingWebhookConfiguration. */}}
 {{- if and .Values.operator.webhook.registerConfiguration .Values.operator.webhook.installClusterRole }}
-{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "mongodb-kubernetes-operator-mongodb-webhook") }}
+{{- $webhookClusterRoleName := printf "%s-%s-webhook" .Values.operator.name (include "mongodb-kubernetes-operator.namespace" .) }}
+{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" $webhookClusterRoleName) }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{.Values.operator.baseName}}-operator-mongodb-webhook
+  name: {{ $webhookClusterRoleName }}
 rules:
   - apiGroups:
       - "admissionregistration.k8s.io"
@@ -38,7 +39,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{.Values.operator.baseName}}-operator-mongodb-webhook
+  name: {{ $webhookClusterRoleName }}
 subjects:
   - kind: ServiceAccount
     name: {{ .Values.operator.name }}

helm_chart/tests/webhook_clusterrole_test.yaml

@@ -0,0 +1,46 @@
+suite: test webhook consistent clusterrole and binding namecomm
+templates:
+  - operator-roles-webhook.yaml
+tests:
+  - it: should have consistent ClusterRole and ClusterRoleBinding names
+    set:
+      operator.webhook.registerConfiguration: true
+      operator.webhook.installClusterRole: true
+    asserts:
+      - hasDocuments:
+          count: 2
+      - isKind:
+          of: ClusterRole
+        documentIndex: 0
+      - isKind:
+          of: ClusterRoleBinding
+        documentIndex: 1
+      # The key fix: both should use the same dynamic name
+      - equal:
+          path: metadata.name
+          value: mongodb-kubernetes-operator-NAMESPACE-webhook
+        documentIndex: 0
+      - equal:
+          path: roleRef.name
+          value: mongodb-kubernetes-operator-NAMESPACE-webhook
+        documentIndex: 1
+
+  # Test that different installations get unique names (prevents conflicts)
+  - it: should create unique names per installation
+    set:
+      operator.name: my-operator
+      operator.namespace: custom-ns
+      operator.webhook.registerConfiguration: true
+      operator.webhook.installClusterRole: true
+    release:
+      namespace: custom-ns
+    asserts:
+      # Verify the naming pattern: {operator.name}-{namespace}-webhook
+      - equal:
+          path: metadata.name
+          value: my-operator-custom-ns-webhook
+        documentIndex: 0
+      - equal:
+          path: roleRef.name
+          value: my-operator-custom-ns-webhook
+        documentIndex: 1