Merge branch 'owls-120737' into 'main'

Correct Helm chart usage of enableClusterRoleBinding

See merge request weblogic-cloud/weblogic-kubernetes-operator!4868

(cherry picked from commit f88e424)

382bed5 Correct usage of cluster roles
4be70c7 Work in progress
582b921 Merge remote-tracking branch 'origin/main' into owls-120737
e27d172 Merge remote-tracking branch 'origin/main' into owls-120737
6e51178 Merge remote-tracking branch 'origin/main' into owls-120737
422280c Work in progress
03e4fc6 Work in progress
35027b8 Test passing
dbd928f Merge remote-tracking branch 'origin/main' into owls-120737
217b81d Corrections

Author: rjeberhard

kubernetes/charts/weblogic-operator/templates/_operator-clusterrole-domain-admin.tpl

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, 2022, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorClusterRoleDomainAdmin" }}

kubernetes/charts/weblogic-operator/templates/_operator-clusterrole-general.tpl

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, 2023, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorClusterRoleGeneral" }}

kubernetes/charts/weblogic-operator/templates/_operator-clusterrole-namespace.tpl

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, 2023, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorClusterRoleNamespace" }}

kubernetes/charts/weblogic-operator/templates/_operator-clusterrole-operator-admin.tpl

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, 2022, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorClusterRoleOperatorAdmin" }}

kubernetes/charts/weblogic-operator/templates/_operator-clusterrolebinding-general.tpl

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, 2022, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 {{- define "operator.clusterRoleBindingGeneral" }}

kubernetes/charts/weblogic-operator/templates/_operator-rolebinding-namespace.tpl

@@ -1,16 +1,17 @@
-# Copyright (c) 2018, 2022, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 {{- define "operator.operatorRoleBindingNamespace" }}
 ---
-{{- if and (or .enableClusterRoleBinding (not (hasKey . "enableClusterRoleBinding"))) (ne .domainNamespaceSelectionStrategy "Dedicated") }}
+{{- $useClusterRole := and (or .enableClusterRoleBinding (not (hasKey . "enableClusterRoleBinding"))) (not (eq .domainNamespaceSelectionStrategy "Dedicated")) }}
+{{- if $useClusterRole }}
 kind: "ClusterRoleBinding"
 {{- else }}
 kind: "RoleBinding"
 {{- end }}
 apiVersion: "rbac.authorization.k8s.io/v1"
 metadata:
-  {{- if and (or .enableClusterRoleBinding (not (hasKey . "enableClusterRoleBinding"))) (ne .domainNamespaceSelectionStrategy "Dedicated") }}
+  {{- if $useClusterRole }}
   name: {{ list .Release.Namespace "weblogic-operator-clusterrolebinding-namespace" | join "-" | quote }}
   {{- else }}
   name: "weblogic-operator-rolebinding-namespace"

kubernetes/charts/weblogic-operator/templates/_operator.tpl

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, 2023, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 {{- if and (not (empty .Capabilities.APIVersions)) (not (.Capabilities.APIVersions.Has "policy/v1")) }}
@@ -28,9 +28,10 @@
 {{- include "operator.operatorInternalService" . }}
 {{- include "operator.operatorExternalService" . }}
 {{- include "operator.operatorWebhookExternalService" . }}
-{{- if or (not .enableClusterRoleBinding) (eq .domainNamespaceSelectionStrategy "Dedicated") }}
-{{-   include "operator.domainNamespaces" . }}
-{{- else }}
+{{- $useClusterRole := and (or .enableClusterRoleBinding (not (hasKey . "enableClusterRoleBinding"))) (not (eq .domainNamespaceSelectionStrategy "Dedicated")) }}
+{{- if $useClusterRole }}
 {{-   include "operator.operatorRoleBindingNamespace" . }}
+{{- else }}
+{{-   include "operator.domainNamespaces" . }}
 {{- end }}
 {{- end }}

kubernetes/charts/weblogic-operator/values.yaml

@@ -48,8 +48,12 @@ domainNamespaceSelectionStrategy: LabelSelector
 
 # enableClusterRoleBinding specifies whether the roles necessary for the operator to manage domains
 # will be granted using a ClusterRoleBinding rather than using RoleBindings in each managed namespace.
-# If not specified, the default is true unless 'domainNamespaceSelectionStrategy' is 'Dedicated, in which
+# If not specified, the default is true unless 'domainNamespaceSelectionStrategy' is 'Dedicated', in which
 # case this value is ignored as all resources will be created in the namespace where the operator is deployed.
+# If `enableClusterRoleBinding` is false but `domainNamespaceSelectionStrategy` is not `Dedicated` then
+# ClusterRoleBindings will still be created to allow the operator to manage the CRDs and to list namespaces.
+# No ClusterRoles or ClusterRoleBindings will be created when `enableClusterRoleBinding` is false and
+# `domainNamespaceSelectionStrategy` is `Dedicated`.
 #
 enableClusterRoleBinding: true
 

kubernetes/src/test/java/oracle/kubernetes/operator/create/CreateOperatorGeneratedFilesTestBase.java

@@ -651,20 +651,16 @@ private V1ClusterRole getExpectedWeblogicOperatorNamespaceRole() {
 
   @Test
   void generatesCorrect_domainNamespaces_weblogicOperatorRoleBindings() {
-    for (String domainNamespace : getInputs().getDomainNamespaces().split(",")) {
-      String namespace = domainNamespace.trim();
-      assertThat(
-          getGeneratedFiles().getWeblogicOperatorRoleBinding(namespace),
-          equalTo(getExpectedWeblogicOperatorRoleBinding(namespace)));
-    }
+    assertThat(
+        getGeneratedFiles().getWeblogicOperatorClusterRoleBinding(),
+        equalTo(getExpectedWeblogicOperatorClusterRoleBinding()));
   }
 
-  private V1RoleBinding getExpectedWeblogicOperatorRoleBinding(String namespace) {
-    return newRoleBinding()
+  private V1ClusterRoleBinding getExpectedWeblogicOperatorClusterRoleBinding() {
+    return newClusterRoleBinding()
         .metadata(
             newObjectMeta()
-                .name("weblogic-operator-rolebinding-namespace")
-                .namespace(namespace)
+                .name(getInputs().getNamespace() + "-weblogic-operator-clusterrolebinding-namespace")
                 .putLabelsItem(OPERATORNAME_LABEL, getInputs().getNamespace()))
         .addSubjectsItem(
             newSubject()

kubernetes/src/test/java/oracle/kubernetes/operator/helm/HelmOperatorValues.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2023, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2024, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helm;
@@ -103,8 +103,6 @@ private void loadImagePullSecretsFromMap(Map<String, Object> map) {
   Map<String, Object> createMap() {
     HashMap<String, Object> map = new HashMap<>();
 
-    map.put("enableClusterRoleBinding", Boolean.FALSE);
-
     addStringMapEntry(map, this::getServiceAccount, "serviceAccount");
     addStringMapEntry(map, this::getWeblogicOperatorImage, "image");
     addStringMapEntry(map, this::getJavaLoggingLevel, "javaLoggingLevel");