CLOUDP-314917 CLOUDP-314918 CLOUDP-314919 - Add ClusterMongoDBRole CRD (#54)

# Summary

Introduced new CRD for MongoDB roles. The new CRD is cluster-scoped and
can be reused in multiple MongoDB deployments even across-namespaces.

The CRD design can be found in the
[TD](https://docs.google.com/document/d/11j_wg0-s3u8oBI6Ca12AZiHLlUv_ViilYwMvl2LgoiQ/edit?tab=t.bhdbox3ppbto#bookmark=id.jbs82dmgpgr6)

## Proof of Work

There are unit and E2E tests verifying that the custom roles are:
* Roles are added in automation config
* Removing a reference to the role removes the role from automation
config
* Updating the role triggers a reconciliation, and role is updated in AC
* Deleting the role is blocked by the finalizer
* Deleting the role after it is removed from resources is not blocked
anymore

## Checklist
- [ ] Have you linked a jira ticket and/or is the ticket in the title?
- [ ] Have you checked whether your jira ticket required DOCSP changes?
- [ ] Have you checked for release_note changes?

## Reminder (Please remove this when merging)
- Please try to Approve or Reject Changes the PR, keep PRs in review as
short as possible
- Our Short Guide for PRs:
[Link](https://docs.google.com/document/d/1T93KUtdvONq43vfTfUt8l92uo4e4SEEvFbIEKOxGr44/edit?tab=t.0)
- Remember the following Communication Standards - use comment prefixes
for clarity:
  * **blocking**: Must be addressed before approval.
  * **follow-up**: Can be addressed in a later PR or ticket.
  * **q**: Clarifying question.
  * **nit**: Non-blocking suggestions.
  * **note**: Side-note, non-actionable. Example: Praise 
  * --> no prefix is considered a question

---------

Co-authored-by: Łukasz Sierant <lukasz.sierant@mongodb.com>

Author: lucian-tosa

.evergreen-tasks.yml

@@ -254,6 +254,11 @@ tasks:
     commands:
       - func: "e2e_test"
 
+  - name: e2e_mongodb_custom_roles
+    tags: [ "patch-run" ]
+    commands:
+      - func: "e2e_test"
+
   - name: e2e_replica_set_recovery
     tags: [ "patch-run" ]
     commands:
@@ -644,7 +649,7 @@ tasks:
     commands:
       - func: "e2e_test"
 
-  - name: e2e_replica_set_custom_roles
+  - name: e2e_replica_set_ldap_custom_roles
     tags: [ "patch-run" ]
     commands:
       - func: "e2e_test"

.evergreen.yml

@@ -728,7 +728,7 @@ task_groups:
       - e2e_replica_set_ldap_user_to_dn_mapping
       # e2e_replica_set_ldap_agent_auth
       - e2e_replica_set_ldap_agent_client_certs
-      - e2e_replica_set_custom_roles
+      - e2e_replica_set_ldap_custom_roles
       - e2e_replica_set_update_roles_no_privileges
       - e2e_replica_set_ldap_group_dn
       - e2e_replica_set_ldap_group_dn_with_x509_agent
@@ -911,6 +911,7 @@ task_groups:
       - e2e_tls_x509_configure_all_options_sc
       - e2e_tls_x509_sc
       - e2e_meko_mck_upgrade
+      - e2e_mongodb_custom_roles
       - e2e_sharded_cluster_oidc_m2m_group
       - e2e_sharded_cluster_oidc_m2m_user
       - e2e_multi_cluster_oidc_m2m_group

PROJECT

@@ -1,5 +1,13 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: mongodb.com
-layout: go.kubebuilder.io/v3
+layout:
+- go.kubebuilder.io/v3
+plugins:
+  manifests.sdk.operatorframework.io/v2: {}
+  scorecard.sdk.operatorframework.io/v2: {}
 projectName: mongodb-kubernetes
 repo: github.com/mongodb/mongodb-kubernetes
 resources:
@@ -30,7 +38,13 @@ resources:
   kind: MongoDBUser
   path: github.com/mongodb/mongodb-kubernetes/api/v1
   version: v1
+- api:
+    crdVersion: v1
+    namespaced: false
+  controller: false
+  domain: mongodb.com
+  group: mongodb
+  kind: ClusterMongoDBRole
+  path: github.com/mongodb/mongodb-kubernetes/api/v1
+  version: v1
 version: "3"
-plugins:
-  manifests.sdk.operatorframework.io/v2: {}
-  scorecard.sdk.operatorframework.io/v2: {}

RELEASE_NOTES.md

@@ -1,6 +1,24 @@
 [//]: # (Consider renaming or removing the header for next release, otherwise it appears as duplicate in the published release, e.g: https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/tag/1.22.0 )
 <!-- Next Release -->
 
+# MCK 1.2.0 Release Notes
+
+## New Features
+
+* Added new **ClusterMongoDBRole** CRD to support reusable roles across multiple MongoDB clusters.
+  * This allows users to define roles once and reuse them in multiple **MongoDB** or **MongoDBMultiCluster** resources. The role can be referenced through the `.spec.security.roleRefs` field. Note that only one of `.spec.security.roles` and `.spec.security.roleRefs` can be used at a time.
+  * **ClusterMongoDBRole** resources are treated by the operator as a custom role templates that are only used when referenced by the database resources.
+  * The new resource is watched by default by the operator. This means that the operator will require a new **ClusterRole** and **ClusterRoleBinding** to be created in the cluster. **ClusterRole** and **ClusterRoleBinding** resources are created by default with the helm chart or the kubectl mongodb plugin.
+    * To disable this behavior in the helm chart, set the `operator.enableClusterMongoDBRoles` value to `false`. This will disable the creation of the necessary RBAC resources for the **ClusterMongoDBRole** resource, as well as disable the watch for this resource.
+    * To not install the necessary **ClusterRole** and **ClusterRoleBinding** with the kubectl mongodb plugin set the `--create-mongodb-roles-cluster-role` to false.
+  * The new **ClusterMongoDBRole** resource is designed to be read-only, meaning it can be used by MongoDB deployments managed by different operators.
+  * The **ClusterMongoDBRole** resource can be deleted at any time, but the operator will not delete any roles that were created using this resource. To properly remove access, you must **manually** remove the reference to the **ClusterMongoDBRole** in the **MongoDB** or **MongoDBMultiCluster** resources.
+  * The reference documentation for this resource can be found here: **TODO** (link to documentation)
+  * For more information please see: **TODO** (link to documentation)
+
+
+<!-- Past Releases -->
+
 # MCK 1.1.0 Release Notes
 
 ## New Features
@@ -12,7 +30,6 @@
     * minimum MongoDB Community version: 8.0.
     * TLS must be disabled in MongoDB (communication between mongot and mongod is in plaintext for now).
 
-<!-- Past Releases -->
 # MCK 1.0.1 Release Notes
 
 

api/v1/mdb/mongodb_roles_validation.go

@@ -270,7 +270,7 @@ func isValidCIDR(cidr string) bool {
 	return err == nil
 }
 
-func roleIsCorrectlyConfigured(role MongoDbRole, mdbVersion string) v1.ValidationResult {
+func RoleIsCorrectlyConfigured(role MongoDBRole, mdbVersion string) v1.ValidationResult {
 	// Extensive validation of the roles attribute
 
 	if role.Role == "" {
@@ -305,10 +305,10 @@ func roleIsCorrectlyConfigured(role MongoDbRole, mdbVersion string) v1.Validatio
 	return v1.ValidationSuccess()
 }
 
-func rolesAttributeisCorrectlyConfigured(d DbCommonSpec) v1.ValidationResult {
+func rolesAttributeIsCorrectlyConfigured(d DbCommonSpec) v1.ValidationResult {
 	// Validate every single entry and return error on the first one that fails validation
 	for _, role := range d.Security.Roles {
-		if res := roleIsCorrectlyConfigured(role, d.Version); res.Level == v1.ErrorLevel {
+		if res := RoleIsCorrectlyConfigured(role, d.Version); res.Level == v1.ErrorLevel {
 			return v1.ValidationError("Error validating role - %s", res.Msg)
 		}
 	}

api/v1/mdb/mongodb_types.go

@@ -742,10 +742,16 @@ type SharedConnectionSpec struct {
 	CloudManagerConfig *PrivateCloudConfig `json:"cloudManager,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="!(has(self.roles) && has(self.roleRefs)) || !(self.roles.size() > 0 && self.roleRefs.size() > 0)",message="At most one of roles or roleRefs can be non-empty"
 type Security struct {
 	TLSConfig      *TLSConfig      `json:"tls,omitempty"`
 	Authentication *Authentication `json:"authentication,omitempty"`
-	Roles          []MongoDbRole   `json:"roles,omitempty"`
+
+	// +optional
+	Roles []MongoDBRole `json:"roles,omitempty"`
+
+	// +optional
+	RoleRefs []MongoDBRoleRef `json:"roleRefs,omitempty"`
 
 	// +optional
 	CertificatesSecretsPrefix string `json:"certsSecretPrefix"`
@@ -973,7 +979,16 @@ type InheritedRole struct {
 	Role string `json:"role"`
 }
 
-type MongoDbRole struct {
+type MongoDBRoleRef struct {
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+
+	// +kubebuilder:validation:Enum=ClusterMongoDBRole
+	// +kubebuilder:validation:Required
+	Kind string `json:"kind"`
+}
+
+type MongoDBRole struct {
 	Role                       string                      `json:"role"`
 	AuthenticationRestrictions []AuthenticationRestriction `json:"authenticationRestrictions,omitempty"`
 	Db                         string                      `json:"db"`
@@ -1604,7 +1619,10 @@ func EnsureSecurity(sec *Security) *Security {
 		sec.TLSConfig = &TLSConfig{}
 	}
 	if sec.Roles == nil {
-		sec.Roles = make([]MongoDbRole, 0)
+		sec.Roles = make([]MongoDBRole, 0)
+	}
+	if sec.RoleRefs == nil {
+		sec.RoleRefs = make([]MongoDBRoleRef, 0)
 	}
 	return sec
 }

api/v1/mdb/mongodb_validation.go

@@ -394,7 +394,7 @@ func CommonValidators(db DbCommonSpec) []func(d DbCommonSpec) v1.ValidationResul
 		deploymentsMustHaveAgentModeInAuthModes,
 		scramSha1AuthValidation,
 		ldapAuthRequiresEnterprise,
-		rolesAttributeisCorrectlyConfigured,
+		rolesAttributeIsCorrectlyConfigured,
 		agentModeIsSetIfMoreThanADeploymentAuthModeIsSet,
 		ldapGroupDnIsSetIfLdapAuthzIsEnabledAndAgentsAreExternal,
 		specWithExactlyOneSchema,

api/v1/mdb/mongodbbuilder.go

@@ -146,6 +146,22 @@ func (b *MongoDBBuilder) SetSecurityTLSEnabled() *MongoDBBuilder {
 	return b
 }
 
+func (b *MongoDBBuilder) SetRoles(roles []MongoDBRole) *MongoDBBuilder {
+	if b.mdb.Spec.Security == nil {
+		b.mdb.Spec.Security = &Security{}
+	}
+	b.mdb.Spec.Security.Roles = roles
+	return b
+}
+
+func (b *MongoDBBuilder) SetRoleRefs(roleRefs []MongoDBRoleRef) *MongoDBBuilder {
+	if b.mdb.Spec.Security == nil {
+		b.mdb.Spec.Security = &Security{}
+	}
+	b.mdb.Spec.Security.RoleRefs = roleRefs
+	return b
+}
+
 func (b *MongoDBBuilder) SetLabels(labels map[string]string) *MongoDBBuilder {
 	b.mdb.Labels = labels
 	return b

api/v1/mdb/zz_generated.deepcopy.go

@@ -46,7 +46,7 @@ func DefaultMultiReplicaSetBuilder() *MultiReplicaSetBuilder {
 				Authentication: &mdbv1.Authentication{
 					Modes: []mdbv1.AuthMode{},
 				},
-				Roles: []mdbv1.MongoDbRole{},
+				Roles: []mdbv1.MongoDBRole{},
 			},
 			DuplicateServiceObjects: util.BooleanRef(false),
 		},
@@ -73,6 +73,14 @@ func (m *MultiReplicaSetBuilder) SetSecurity(s *mdbv1.Security) *MultiReplicaSet
 	return m
 }
 
+func (m *MultiReplicaSetBuilder) SetRoleRefs(roleRefs []mdbv1.MongoDBRoleRef) *MultiReplicaSetBuilder {
+	if m.Spec.Security == nil {
+		m.Spec.Security = &mdbv1.Security{}
+	}
+	m.Spec.Security.RoleRefs = roleRefs
+	return m
+}
+
 func (m *MultiReplicaSetBuilder) SetClusterSpecList(clusters []string) *MultiReplicaSetBuilder {
 	randFive, err := rand.Int(rand.Reader, big.NewInt(5))
 	if err != nil {

api/v1/mdbmulti/mongodbmultibuilder.go

@@ -0,0 +1,40 @@
+package role
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/mongodb/mongodb-kubernetes/api/v1"
+	mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb"
+)
+
+// ClusterMongoDBRoleSpec defines the desired state of ClusterMongoDBRole.
+type ClusterMongoDBRoleSpec struct {
+	// +kubebuilder:pruning:PreserveUnknownFields
+	mdbv1.MongoDBRole `json:",inline"`
+}
+
+// +kubebuilder:object:root=true
+// +k8s:openapi-gen=true
+// +kubebuilder:resource:scope=Cluster,shortName=cmdbr
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The time since the MongoDB Custom Role resource was created."
+
+// ClusterMongoDBRole is the Schema for the clustermongodbroles API.
+type ClusterMongoDBRole struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec ClusterMongoDBRoleSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterMongoDBRoleList contains a list of ClusterMongoDBRole.
+type ClusterMongoDBRoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterMongoDBRole `json:"items"`
+}
+
+func init() {
+	v1.SchemeBuilder.Register(&ClusterMongoDBRole{}, &ClusterMongoDBRoleList{})
+}

api/v1/role/clustermongodbrole_types.go

@@ -0,0 +1,4 @@
+package role
+
+// +k8s:deepcopy-gen=package
+// +versionName=v1

api/v1/role/doc.go

@@ -0,0 +1,20 @@
+// Package v1 contains API Schema definitions for the mongodb v1 API group
+// +kubebuilder:object:generate=true
+// +groupName=mongodb.com
+package role
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "mongodb.com", Version: "v1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)