operator: correct rack awareness permissions

Prior to this commit the operator's chart incorrect referenced a non-existent
`Role` for the permissions of rack awareness. As helm loves to swallow errors,
this went unnoticed until reported by an end user.

This commit corrects the mistake and adds a regression acceptance test.

Author: chrisseto

.changes/unreleased/operator-Fixed-20250609-152934.yaml

@@ -0,0 +1,7 @@
+project: operator
+kind: Fixed
+body: |-
+    `get` permissions on `Node` resources is now correctly configured by default.
+
+       `--set rbac.createAdditionalControllerCRs=true` is no longer required for rackawareness to work.
+time: 2025-06-09T15:29:34.084852-04:00

acceptance/features/cluster.feature

@@ -44,3 +44,32 @@ Feature: Basic cluster tests
     Then cluster "upgrade" is stable with 1 nodes
     And service "upgrade-external" should have named port "admin-default" with value 9640
     And rpk is configured correctly in "upgrade" cluster
+
+
+  @skip:gke @skip:aks @skip:eks
+  Scenario: Rack Awareness
+    Given I apply Kubernetes manifest:
+    # NB: You wouldn't actually use kubernetes.io/os for the value of rack,
+    # it's just a value that we know is both present and deterministic for the
+    # purpose of testing.
+    """
+    ---
+    apiVersion: cluster.redpanda.com/v1alpha2
+    kind: Redpanda
+    metadata:
+      name: rack-awareness
+    spec:
+      clusterSpec:
+        console:
+          enabled: false
+        statefulset:
+          replicas: 1
+        rackAwareness:
+          enabled: true
+          nodeAnnotation: 'kubernetes.io/os'
+    """
+    And cluster "rack-awareness" is stable with 1 nodes
+    Then running `cat /etc/redpanda/redpanda.yaml | grep -o 'rack: .*$'` will output:
+    """
+    rack: linux
+    """

acceptance/steps/register.go

@@ -67,6 +67,7 @@ func init() {
 	framework.RegisterStep(`^service "([^"]*)" has named port "([^"]*)" with value (\d+)$`, checkServiceWithPort)
 	framework.RegisterStep(`^service "([^"]*)" should have named port "([^"]*)" with value (\d+)$`, checkServiceWithPort)
 	framework.RegisterStep(`^rpk is configured correctly in "([^"]*)" cluster$`, checkRPKCommands)
+	framework.RegisterStep("running `(.*)` will output:$", runScriptInClusterCheckOutput)
 
 	// Decommissioning scenario steps
 	framework.RegisterStep(`^cluster "([^"]*)" is unhealthy$`, checkClusterUnhealthy)

acceptance/steps/rpk.go

@@ -3,25 +3,74 @@ package steps
 import (
 	"bytes"
 	"context"
+	"strings"
 
+	"github.com/cucumber/godog"
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	framework "github.com/redpanda-data/redpanda-operator/harpoon"
+	redpandav1alpha2 "github.com/redpanda-data/redpanda-operator/operator/api/redpanda/v1alpha2"
 	"github.com/redpanda-data/redpanda-operator/pkg/kube"
 )
 
-func checkRPKCommands(ctx context.Context, t framework.TestingT, clusterName string) {
+func runScriptInClusterCheckOutput(ctx context.Context, t framework.TestingT, command string, output *godog.DocString) {
+	var redpandas redpandav1alpha2.RedpandaList
+	require.NoError(t, t.List(ctx, &redpandas))
+
+	if len(redpandas.Items) != 1 {
+		require.FailNow(t, "expected to find 1 %T but found %d", (*redpandav1alpha2.Redpanda)(nil), len(redpandas.Items))
+	}
+
+	redpanda := redpandas.Items[0]
+
+	var sts appsv1.StatefulSet
+	require.NoError(t, t.Get(ctx, t.ResourceKey(redpanda.Name), &sts))
+
+	selector, err := metav1.LabelSelectorAsSelector(sts.Spec.Selector)
+	require.NoError(t, err)
+
+	var pods corev1.PodList
+	require.NoError(t, t.List(ctx, &pods, client.MatchingLabelsSelector{
+		Selector: selector,
+	}))
+
+	if len(pods.Items) < 1 {
+		require.FailNow(t, "expected to find at least 1 Pod but found none")
+	}
+
+	pod := pods.Items[0]
+
 	ctl, err := kube.FromRESTConfig(t.RestConfig())
 	require.NoError(t, err)
 
-	var clusterSet appsv1.StatefulSet
+	t.Logf("executing %q in Pod %q", command, pod.Name)
+
+	var stdout bytes.Buffer
+	require.NoError(t, ctl.Exec(ctx, &pod, kube.ExecOptions{
+		Container: "redpanda",
+		Command:   []string{"/bin/bash", "-c", command},
+		Stdout:    &stdout,
+	}))
+
+	// Correct for extra whitespace from either the command itself or from
+	// godog's parsing.
+	expected := strings.Trim(output.Content, "\n ")
+	actual := strings.Trim(stdout.String(), "\n ")
+
+	require.Equal(t, expected, actual)
+}
+
+func checkRPKCommands(ctx context.Context, t framework.TestingT, clusterName string) {
+	ctl, err := kube.FromRESTConfig(t.RestConfig())
+	require.NoError(t, err)
 
 	key := t.ResourceKey(clusterName)
 
+	var clusterSet appsv1.StatefulSet
 	require.NoError(t, t.Get(ctx, key, &clusterSet))
 
 	selector, err := metav1.LabelSelectorAsSelector(clusterSet.Spec.Selector)

operator/CHANGELOG.md

@@ -95,6 +95,9 @@ This is required to ensure that a pre-existing sts can roll over to new configur
 * Setting `serviceAccount.create` to `false` no longer prevents the Kubernetes ServiceAccountToken volume from being mounted to the operator Pod.
 * updated operator v1 to ignore "cluster.redpanda.com/node-pool-spec" annotation for pod rolls. previously, under certain conditions, the operator started rolling pods if this annotation changed - but there is no need to do so.
 * Added the missing `https` port to the operator Pod that was referenced by the [`ServiceMonitor`](https://github.com/redpanda-data/redpanda-operator/blob/4e34c5ea79b00fa0caeda64955e3291666194274/operator/chart/servicemonitor.go#L42)
+* `get` permissions on `Node` resources is now correctly configured by default.
+
+   `--set rbac.createAdditionalControllerCRs=true` is no longer required for rackawareness to work.
 
 ## [v25.1.1-beta3](https://github.com/redpanda-data/redpanda-operator/releases/tag/operator%2Fv25.1.1-beta3) - 2025-05-07
 ### Added

operator/chart/rbac.go

@@ -45,6 +45,7 @@ func ClusterRoles(dot *helmette.Dot) []rbacv1.ClusterRole {
 			RuleFiles: []string{
 				"files/rbac/leader-election.ClusterRole.yaml",
 				"files/rbac/pvcunbinder.ClusterRole.yaml",
+				"files/rbac/rack-awareness.ClusterRole.yaml", // Rack awareness is a toggle on the CR, so we always need RBAC for it.
 				"files/rbac/v1-manager.ClusterRole.yaml",
 			},
 		},
@@ -140,8 +141,7 @@ func Roles(dot *helmette.Dot) []rbacv1.Role {
 			Name:    Fullname(dot),
 			Enabled: values.Scope == Namespace,
 			RuleFiles: []string{
-				"files/rbac/rack-awareness.Role.yaml", // Rack awareness is a toggle on the CR, so we always need RBAC for it.
-				"files/rbac/sidecar.Role.yaml",        // Sidecar is a toggle on the CR, so we always need RBAC for it.
+				"files/rbac/sidecar.Role.yaml", // Sidecar is a toggle on the CR, so we always need RBAC for it.
 				"files/rbac/v2-manager.Role.yaml",
 			},
 		},

operator/chart/templates/_rbac.go.tpl

@@ -14,7 +14,7 @@
 {{- if (or $values.crds.enabled $values.crds.experimental) -}}
 {{- $managerFiles = (concat (default (list) $managerFiles) (list "files/rbac/crd-installation.ClusterRole.yaml")) -}}
 {{- end -}}
-{{- $bundles := (list (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "Enabled" (eq $values.scope "Cluster") "RuleFiles" (list "files/rbac/leader-election.ClusterRole.yaml" "files/rbac/pvcunbinder.ClusterRole.yaml" "files/rbac/v1-manager.ClusterRole.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "Enabled" (eq $values.scope "Namespace") "RuleFiles" $managerFiles)) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "additional-controllers")))) "r") "Enabled" (and (eq $values.scope "Namespace") $values.rbac.createAdditionalControllerCRs) "RuleFiles" (list "files/rbac/decommission.ClusterRole.yaml" "files/rbac/node-watcher.ClusterRole.yaml" "files/rbac/old-decommission.ClusterRole.yaml" "files/rbac/pvcunbinder.ClusterRole.yaml")))) -}}
+{{- $bundles := (list (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "Enabled" (eq $values.scope "Cluster") "RuleFiles" (list "files/rbac/leader-election.ClusterRole.yaml" "files/rbac/pvcunbinder.ClusterRole.yaml" "files/rbac/rack-awareness.ClusterRole.yaml" "files/rbac/v1-manager.ClusterRole.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "Enabled" (eq $values.scope "Namespace") "RuleFiles" $managerFiles)) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "additional-controllers")))) "r") "Enabled" (and (eq $values.scope "Namespace") $values.rbac.createAdditionalControllerCRs) "RuleFiles" (list "files/rbac/decommission.ClusterRole.yaml" "files/rbac/node-watcher.ClusterRole.yaml" "files/rbac/old-decommission.ClusterRole.yaml" "files/rbac/pvcunbinder.ClusterRole.yaml")))) -}}
 {{- $clusterRoles := (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil)) "rules" (coalesce nil)) (mustMergeOverwrite (dict) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole")) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil)) (dict "name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "metrics-reader")))) "r") "labels" (get (fromJson (include "operator.Labels" (dict "a" (list $dot)))) "r") "annotations" $values.annotations)) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil)) (dict "verbs" (list "get") "nonResourceURLs" (list "/metrics"))))))) -}}
 {{- range $_, $bundle := $bundles -}}
 {{- if (not $bundle.Enabled) -}}
@@ -49,7 +49,7 @@
 {{- (dict "r" (coalesce nil)) | toJson -}}
 {{- break -}}
 {{- end -}}
-{{- $bundles := (list (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "election-role")))) "r") "Enabled" true "RuleFiles" (list "files/rbac/leader-election.Role.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "Enabled" (eq $values.scope "Cluster") "RuleFiles" (list "files/rbac/pvcunbinder.Role.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "Enabled" (eq $values.scope "Namespace") "RuleFiles" (list "files/rbac/rack-awareness.Role.yaml" "files/rbac/sidecar.Role.yaml" "files/rbac/v2-manager.Role.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (printf "%s%s" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "-additional-controllers") "Enabled" (and (eq $values.scope "Namespace") $values.rbac.createAdditionalControllerCRs) "RuleFiles" (list "files/rbac/decommission.Role.yaml" "files/rbac/node-watcher.Role.yaml" "files/rbac/old-decommission.Role.yaml" "files/rbac/pvcunbinder.Role.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "rpk-bundle")))) "r") "Enabled" $values.rbac.createRPKBundleCRs "RuleFiles" (list "files/rbac/rpk-debug-bundle.Role.yaml")))) -}}
+{{- $bundles := (list (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "election-role")))) "r") "Enabled" true "RuleFiles" (list "files/rbac/leader-election.Role.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "Enabled" (eq $values.scope "Cluster") "RuleFiles" (list "files/rbac/pvcunbinder.Role.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "Enabled" (eq $values.scope "Namespace") "RuleFiles" (list "files/rbac/sidecar.Role.yaml" "files/rbac/v2-manager.Role.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (printf "%s%s" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "-additional-controllers") "Enabled" (and (eq $values.scope "Namespace") $values.rbac.createAdditionalControllerCRs) "RuleFiles" (list "files/rbac/decommission.Role.yaml" "files/rbac/node-watcher.Role.yaml" "files/rbac/old-decommission.Role.yaml" "files/rbac/pvcunbinder.Role.yaml"))) (mustMergeOverwrite (dict "Enabled" false "RuleFiles" (coalesce nil) "Name" "") (dict "Name" (get (fromJson (include "operator.cleanForK8sWithSuffix" (dict "a" (list (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r") "rpk-bundle")))) "r") "Enabled" $values.rbac.createRPKBundleCRs "RuleFiles" (list "files/rbac/rpk-debug-bundle.Role.yaml")))) -}}
 {{- $roles := (coalesce nil) -}}
 {{- range $_, $bundle := $bundles -}}
 {{- if (not $bundle.Enabled) -}}