Closed jamesla closed 11 months ago
@mircea-cosbuc There have been earlier discussions about it. I can confirm that this issue still exists with operator 0.8.2. Are you still on it?
I've tested creating the service account and the corresponding RBAC manually, which works, but it still doesn't make sense, as @jamesla said.
```yaml
---
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: example-mongodb
  namespace: dev
spec:
  members: 3
  type: ReplicaSet
  version: "6.0.5"
  security:
    authentication:
      modes: ["SCRAM"]
  users:
    - name: my-user
      db: admin
      passwordSecretRef: # a reference to the secret that will be used to generate the user's password
        name: my-user-password
      roles:
        - name: clusterAdmin
          db: admin
        - name: userAdminAnyDatabase
          db: admin
      scramCredentialsSecretName: my-scram
  additionalMongodConfig:
    storage.wiredTiger.engineConfig.journalCompressor: zlib
  statefulSet:
    spec:
      volumeClaimTemplates:
        - metadata:
            name: data-volume
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 20Gi
      template:
        spec:
          containers:
            - name: mongod
              resources:
                limits:
                  memory: 500Mi
                requests:
                  cpu: 200m
                  memory: 200Mi
            - name: mongodb-agent
              resources:
                limits:
                  cpu: 200m
                  memory: 250Mi
                requests:
                  cpu: 200m
                  memory: 200Mi
          initContainers:
            - name: mongod-posthook
              resources:
                limits:
                  cpu: 50m
                  memory: 100Mi
            - name: mongodb-agent-readinessprobe
              resources:
                limits:
                  cpu: 50m
                  memory: 100Mi

# the user credentials will be generated from this secret
# once the credentials are generated, this secret is no longer required
---
apiVersion: v1
kind: Secret
metadata:
  name: my-user-password
  namespace: dev
type: Opaque
stringData:
  password: blubb
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongodb-database
  namespace: dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mongodb-database
  namespace: dev
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - patch
      - delete
      - get
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-database
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: mongodb-database
roleRef:
  kind: Role
  name: mongodb-database
  apiGroup: rbac.authorization.k8s.io
```
@jamesla @schmichri This is indeed a limitation with how the operator currently works when watching all the namespaces in the cluster, as you noticed in previous discussions in the issues. This will be addressed in the future to allow the operator to create service accounts dynamically, so that a user is not required to create ServiceAccounts, Roles and RoleBindings in every namespace where database resources reside.
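Until the operator creates that RBAC itself, the gap described above is easy to audit from outside: a namespace that holds a MongoDBCommunity resource but has no `mongodb-database` ServiceAccount, or no RoleBinding granting that ServiceAccount a Role, is one where the database pods will fail. The script below is an added example, not code from the operator project; it reads the JSON shape that `kubectl get <kind> -A -o json` prints, and the sample objects embedded in it are constructed for illustration.

```python
"""Audit which namespaces hold MongoDBCommunity resources but lack the
per-namespace ServiceAccount / RoleBinding the operator's pods run with.
Feed it the output of:
  kubectl get mongodbcommunity -A -o json
  kubectl get serviceaccounts -A -o json
  kubectl get rolebindings -A -o json
"""
from __future__ import annotations
import json

SA_NAME = "mongodb-database"  # ServiceAccount name the database StatefulSet pods use


def items_by_namespace(kubectl_json: str, predicate=lambda item: True) -> set[str]:
    """Namespaces of all items in a `kubectl get -o json` list that match predicate."""
    return {i["metadata"]["namespace"] for i in json.loads(kubectl_json)["items"] if predicate(i)}


def binds_database_sa(rb: dict) -> bool:
    """True if this RoleBinding grants a Role to the mongodb-database ServiceAccount
    in the binding's own namespace (RBAC defaults a SA subject's namespace to it)."""
    ns = rb["metadata"]["namespace"]
    if rb.get("roleRef", {}).get("kind") != "Role":
        return False
    return any(s.get("kind") == "ServiceAccount" and s.get("name") == SA_NAME
               and s.get("namespace", ns) == ns for s in rb.get("subjects") or [])


def missing_rbac(mdb_json: str, sa_json: str, rb_json: str) -> dict[str, list[str]]:
    """Map each namespace with MongoDBCommunity resources to the RBAC pieces it lacks."""
    db_ns = items_by_namespace(mdb_json)
    sa_ns = items_by_namespace(sa_json, lambda i: i["metadata"]["name"] == SA_NAME)
    rb_ns = items_by_namespace(rb_json, binds_database_sa)
    checks = (("ServiceAccount", sa_ns), ("RoleBinding", rb_ns))
    result = {ns: [what for what, present in checks if ns not in present] for ns in sorted(db_ns)}
    return {ns: gaps for ns, gaps in result.items() if gaps}


def _kubectl_list(*objs: dict) -> str:
    """Constructed stand-in for `kubectl get -A -o json` output."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": list(objs)})


def _obj(name: str, ns: str, **fields) -> dict:
    return {"metadata": {"name": name, "namespace": ns}, **fields}


# Constructed sample: replica sets in "dev" and "staging", but RBAC only in "dev".
SAMPLE_MDB = _kubectl_list(_obj("example-mongodb", "dev"), _obj("example-mongodb", "staging"))
SAMPLE_SA = _kubectl_list(_obj(SA_NAME, "dev"), _obj("default", "staging"))
SAMPLE_RB = _kubectl_list(_obj(SA_NAME, "dev",
                               roleRef={"kind": "Role", "name": SA_NAME, "apiGroup": "rbac.authorization.k8s.io"},
                               subjects=[{"kind": "ServiceAccount", "name": SA_NAME}]))

if __name__ == "__main__":
    for ns, gaps in missing_rbac(SAMPLE_MDB, SAMPLE_SA, SAMPLE_RB).items():
        print(f"{ns}: missing {', '.join(gaps)}")  # → staging: missing ServiceAccount, RoleBinding
```

Run against real cluster output, an empty result means every namespace with database resources already carries the manual RBAC shown earlier in the thread.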
This issue is being marked stale because it has been open for 60 days with no activity. Please comment if this issue is still affecting you. If there is no change, this issue will be closed in 30 days.
This issue was closed because it became stale and did not receive further updates. If the issue is still affecting you, please re-open it, or file a fresh Issue with updated information.
When using the community operator and setting
the operator watches all namespaces but it doesn't have permission to actually deploy resources into other namespaces and throws the following error:
I can see this is briefly discussed in the values.yaml file in the following comment:
However this doesn't make sense, as it only lets you add a single namespace which defeats the purpose of watching all namespaces.
How can I make this operator work with all namespaces?