diff --git a/deploy/crds/mongodb.com_mongodb_crd.yaml b/deploy/crds/mongodb.com_mongodb_crd.yaml index cd4b5965e..d64854751 100644 --- a/deploy/crds/mongodb.com_mongodb_crd.yaml +++ b/deploy/crds/mongodb.com_mongodb_crd.yaml 
@@ -75,96 +75,95 @@ spec: - SCRAM type: string type: array - roles: - description: User-specified custom MongoDB roles that should - be configured in the deployment. - items: - description: CustomRole defines a custom MongoDB role. - properties: - authenticationRestrictions: - description: The authentication restrictions the server - enforces on the role. - items: - description: AuthenticationRestriction specifies a list - of IP addresses and CIDR ranges users are allowed - to connect to or from. - properties: - clientSource: - items: - type: string - type: array - serverAddress: - items: - type: string - type: array - required: - - clientSource - - serverAddress - type: object - type: array - db: - description: The database of the role. - type: string - privileges: - description: The privileges to grant the role. - items: - description: Privilege defines the actions a role is - allowed to perform on a given resource. - properties: - actions: - items: - type: string - type: array - resource: - description: Resource specifies specifies the resources - upon which a privilege permits actions. See https://docs.mongodb.com/manual/reference/resource-document - for more. - properties: - anyResource: - type: boolean - cluster: - type: boolean - collection: - type: string - db: - type: string - type: object - required: - - actions - - resource - type: object - type: array - role: - description: The name of the role. - type: string - roles: - description: An array of roles from which this role inherits - privileges. - items: - description: Role is the database role this user should - have + required: + - modes + type: object + roles: + description: User-specified custom MongoDB roles that should be + configured in the deployment. + items: + description: CustomRole defines a custom MongoDB role. + properties: + authenticationRestrictions: + description: The authentication restrictions the server enforces + on the role. 
+ items: + description: AuthenticationRestriction specifies a list + of IP addresses and CIDR ranges users are allowed to connect + to or from. + properties: + clientSource: + items: + type: string + type: array + serverAddress: + items: + type: string + type: array + required: + - clientSource + - serverAddress + type: object + type: array + db: + description: The database of the role. + type: string + privileges: + description: The privileges to grant the role. + items: + description: Privilege defines the actions a role is allowed + to perform on a given resource. + properties: + actions: + items: + type: string + type: array + resource: + description: Resource specifies specifies the resources + upon which a privilege permits actions. See https://docs.mongodb.com/manual/reference/resource-document + for more. properties: - db: - description: DB is the database the role can act - on + anyResource: + type: boolean + cluster: + type: boolean + collection: type: string - name: - description: Name is the name of the role + db: type: string - required: - - db - - name type: object - type: array - required: - - db - - privileges - - role - type: object - type: array - required: - - modes - type: object + required: + - actions + - resource + type: object + type: array + role: + description: The name of the role. + type: string + roles: + description: An array of roles from which this role inherits + privileges. + items: + description: Role is the database role this user should + have + properties: + db: + description: DB is the database the role can act on + type: string + name: + description: Name is the name of the role + type: string + required: + - db + - name + type: object + type: array + required: + - db + - privileges + - role + type: object + type: array tls: description: TLS configuration for both client-server and server-server communication 
diff --git a/deploy/crds/mongodb.com_v1_mongodb_custom_role.yaml b/deploy/crds/mongodb.com_v1_mongodb_custom_role.yaml
index 981088370..c863a9c39 100644
--- a/deploy/crds/mongodb.com_v1_mongodb_custom_role.yaml
+++ b/deploy/crds/mongodb.com_v1_mongodb_custom_role.yaml
@@ -10,16 +10,16 @@ spec:
 security:
 authentication:
 modes: ["SCRAM"]
- roles: # custom roles are defined here
- - role: testRole
- db: admin
- privileges:
- - resource:
- db: "test"
- collection: "" # an empty string indicates any collection
- actions:
- - find
- roles: []
+ roles: # custom roles are defined here
+ - role: testRole
+ db: admin
+ privileges:
+ - resource:
+ db: "test"
+ collection: "" # an empty string indicates any collection
+ actions:
+ - find
+ roles: []
 users:
 - name: my-user
 db: admin
diff --git a/pkg/apis/mongodb/v1/mongodb_types.go b/pkg/apis/mongodb/v1/mongodb_types.go
index 1e68c1666..44637402f 100644
--- a/pkg/apis/mongodb/v1/mongodb_types.go
+++ b/pkg/apis/mongodb/v1/mongodb_types.go
@@ -273,6 +273,9 @@ type Security struct {
 // TLS configuration for both client-server and server-server communication
 // +optional
 TLS TLS `json:"tls"`
+ // User-specified custom MongoDB roles that should be configured in the deployment.
+ // +optional
+ Roles []CustomRole `json:"roles,omitempty"`
 }
 
 // TLS is the configuration used to set up TLS encryption
@@ -306,10 +309,6 @@ type LocalObjectReference struct {
 type Authentication struct {
 // Modes is an array specifying which authentication methods should be enabled
 Modes []AuthMode `json:"modes"`
-
- // User-specified custom MongoDB roles that should be configured in the deployment.
- // +optional
- Roles []CustomRole `json:"roles,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=SCRAM
diff --git a/pkg/apis/mongodb/v1/zz_generated.deepcopy.go b/pkg/apis/mongodb/v1/zz_generated.deepcopy.go
index caf22f5f6..c7dc414a3 100644
--- a/pkg/apis/mongodb/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/mongodb/v1/zz_generated.deepcopy.go
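Review bot: Moving `Roles` from `Authentication` to `Security` changes the CRD wire path from `spec.security.authentication.roles` to `spec.security.roles`, and the `@@ -306` hunk deletes the old field outright with no deprecation or conversion step, so an existing MongoDB resource that still declares roles under `authentication` will likely have them pruned or rejected by the API server and the controller will then see a nil `Roles`. Since `getCustomRolesModification` (replica_set_controller.go hunk) returns NOOP on nil, roles that were previously applied presumably stop being reconciled silently instead of failing loudly, which is the kind of drift that is hard to detect later in an access-control config. If the migration is meant to be manual, the doc comment on the new field should say so, e.g. `// Roles are user-specified custom MongoDB roles that should be configured in the deployment.` followed by `// This field replaces spec.security.authentication.roles; manifests using the old path must be updated.` A validation in `validateUpdate` rejecting an update that drops every role when the stored spec had some would be the stronger option, but that function's body is outside this diff.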
@@ -17,13 +17,6 @@ func (in *Authentication) DeepCopyInto(out *Authentication) {
 *out = make([]AuthMode, len(*in))
 copy(*out, *in)
 }
- if in.Roles != nil {
- in, out := &in.Roles, &out.Roles
- *out = make([]CustomRole, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
 return
 }
 
@@ -372,6 +365,13 @@ func (in *Security) DeepCopyInto(out *Security) {
 *out = *in
 in.Authentication.DeepCopyInto(&out.Authentication)
 out.TLS = in.TLS
+ if in.Roles != nil {
+ in, out := &in.Roles, &out.Roles
+ *out = make([]CustomRole, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 return
 }
 
diff --git a/pkg/controller/mongodb/replica_set_controller.go b/pkg/controller/mongodb/replica_set_controller.go
index 701faed67..42077b0b1 100644
--- a/pkg/controller/mongodb/replica_set_controller.go
+++ b/pkg/controller/mongodb/replica_set_controller.go
@@ -552,7 +552,7 @@ func (r ReplicaSetReconciler) validateUpdate(mdb mdbv1.MongoDB) error {
 }
 
 func getCustomRolesModification(mdb mdbv1.MongoDB) (automationconfig.Modification, error) {
- roles := mdb.Spec.Security.Authentication.Roles
+ roles := mdb.Spec.Security.Roles
 if roles == nil {
 return automationconfig.NOOP(), nil
 }
diff --git a/test/e2e/replica_set_custom_role/replica_set_custom_role_test.go b/test/e2e/replica_set_custom_role/replica_set_custom_role_test.go
index 51336bd7f..4f137749c 100644
--- a/test/e2e/replica_set_custom_role/replica_set_custom_role_test.go
+++ b/test/e2e/replica_set_custom_role/replica_set_custom_role_test.go
@@ -29,7 +29,7 @@ func TestReplicaSetCustomRole(t *testing.T) {
 anyCollection := ""
 
 mdb, user := e2eutil.NewTestMongoDB("mdb0", "")
- mdb.Spec.Security.Authentication.Roles = []mdbv1.CustomRole{
+ mdb.Spec.Security.Roles = []mdbv1.CustomRole{
 {
 Role: "testRole",
 DB: "admin",
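Review bot: The `roles == nil` guard in `getCustomRolesModification` now keys off `spec.security.roles`, which the types hunk tags `omitempty`, so an explicitly empty list likely round-trips through the API server as nil and is indistinguishable from an omitted field; the intent of treating nil as "leave existing roles alone" deserves a comment such as `// nil means the field was not set: do not touch the automation config roles rather than clearing them.` The function body continues past the hunk, so whether a non-nil empty slice actually clears previously configured roles is not visible here.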
@@ -87,7 +87,7 @@ func TestReplicaSetCustomRole(t *testing.T) {
 t.Run("AutomationConfig has the correct version", mongodbtests.AutomationConfigVersionHasTheExpectedVersion(&mdb, 1))
 // Verify automation config roles and roles created in admin database.
- roles := mdbv1.ConvertCustomRolesToAutomationConfigCustomRole(mdb.Spec.Security.Authentication.Roles)
+ roles := mdbv1.ConvertCustomRolesToAutomationConfigCustomRole(mdb.Spec.Security.Roles)
 t.Run("AutomationConfig has the correct custom role", mongodbtests.AutomationConfigHasTheExpectedCustomRoles(&mdb, roles))
 t.Run("Custom Role was created ", tester.VerifyRoles(roles, 1))