diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f5aee6..7ff023f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#412]). + +[#412]: https://github.com/stackabletech/commons-operator/pull/412 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 diff --git a/Cargo.nix b/Cargo.nix index c6cadaa..46246bf 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -4801,7 +4801,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; }; libName = "k8s_version"; authors = [ @@ -9293,7 +9293,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; }; libName = "stackable_certs"; authors = [ @@ -9479,7 +9479,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; }; libName = "stackable_operator"; authors = [ @@ -9651,7 +9651,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; }; procMacro = true; libName = "stackable_operator_derive"; 
@@ -9686,7 +9686,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; }; libName = "stackable_shared"; authors = [ @@ -9767,7 +9767,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; }; libName = "stackable_telemetry"; authors = [ @@ -9877,7 +9877,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; }; libName = "stackable_versioned"; authors = [ @@ -9921,7 +9921,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; }; procMacro = true; libName = "stackable_versioned_macros"; @@ -9989,7 +9989,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "8425ce312cfadcc49c157bada79cac04c3ad5229"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; }; libName = "stackable_webhook"; authors = [ diff --git a/crate-hashes.json b/crate-hashes.json index 6839c8b..2bebff2 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
@@ -4,14 +4,14 @@ "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-derive@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-runtime@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#k8s-version@0.1.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-certs@0.4.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-operator-derive@0.3.1": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-operator@0.107.1": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-shared@0.1.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-telemetry@0.6.2": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-versioned-macros@0.8.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-versioned@0.8.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-webhook@0.9.0": 
"1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#k8s-version@0.1.3": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-certs@0.4.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-operator-derive@0.3.1": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-operator@0.107.1": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-shared@0.1.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-telemetry@0.6.2": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-versioned-macros@0.8.3": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-versioned@0.8.3": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.107.1#stackable-webhook@0.9.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file diff --git a/deploy/helm/commons-operator/templates/roles.yaml b/deploy/helm/commons-operator/templates/roles.yaml index 31d541f..7f60c0b 100644 --- a/deploy/helm/commons-operator/templates/roles.yaml 
+++ b/deploy/helm/commons-operator/templates/roles.yaml
@@ -6,33 +6,35 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules:
+ # Watch pods to detect expired restart annotations.
+ # Watch configmaps and secrets to trigger rolling restarts of referencing StatefulSets.
 - apiGroups:
 - ""
 resources:
 - pods
 - configmaps
 - secrets
- - nodes
 verbs:
- - get
 - list
 - watch
- # For automatic cluster domain detection
+ # For automatic cluster domain detection.
 - apiGroups:
 - ""
 resources:
 - nodes/proxy
 verbs:
 - get
+ # Watch and patch StatefulSets (labelled restarter.stackable.tech/enabled=true)
+ # to trigger rolling restarts when referenced ConfigMaps or Secrets change.
 - apiGroups:
 - apps
 resources:
 - statefulsets
 verbs:
- - get
 - list
 - watch
- - patch # We need to add a label to the StatefulSet
+ - patch
+ # Emit Kubernetes events from the restart controllers.
 - apiGroups:
 - events.k8s.io
 resources:
@@ -40,28 +42,29 @@ rules:
 verbs:
 - create
 - patch
+ # Evict pods whose restarter.stackable.tech/expires-at.* annotation timestamp
+ # has been reached.
 - apiGroups:
 - ""
 resources:
 - pods/eviction
 verbs:
 - create
- # Required to maintain MutatingWebhookConfigurations. The operator needs to do this, as it needs
- # to enter e.g. it's generated certificate in the webhooks.
+ # Required to maintain MutatingWebhookConfigurations with auto-generated and
+ # rotated webhook certificates.
 - apiGroups: [admissionregistration.k8s.io]
 resources: [mutatingwebhookconfigurations]
 verbs:
 - create
 - patch
-# Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
-# generated certificate in the conversion webhook.
 {{ if .Values.maintenance.customResourceDefinitions.maintain }}
+ # Required to maintain the CRD with auto-generated and
+ # certificates.
 - apiGroups:
 - apiextensions.k8s.io
 resources:
 - customresourcedefinitions
 verbs:
- - get
 - create
 - patch
 {{ end }}
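Review bot: The new comment above the `apps`/`statefulsets` rule says the StatefulSets are `labelled restarter.stackable.tech/enabled=true`, but RBAC cannot filter by label, so `list`/`watch`/`patch` is granted on every StatefulSet in the cluster (assuming this is a ClusterRole — the `kind:` line is above the hunk), and the comment should say so rather than read like a restriction, e.g. `# Note: RBAC cannot filter by label; this grants list/watch/patch on all StatefulSets. The label selector has to be applied on the list/watch request itself.` The same caveat belongs on the first rule: `list`/`watch` on `secrets` returns full secret payloads from every namespace even though the stated purpose is only to notice that a referenced Secret changed, so document that explicitly and, if only `metadata.resourceVersion`/labels are needed, prefer a metadata-only watch so secret data is never held by the operator (RBAC itself cannot narrow this). Dropping `get` is consistent with a purely watch-driven controller, but it is worth confirming nothing reconciles by fetching a single Pod, ConfigMap or Secret, since those calls will now be denied.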
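Review bot: The rewritten comment on the `admissionregistration.k8s.io` rule does not mention that unscoped `create`/`patch` on `mutatingwebhookconfigurations` is one of the most powerful grants in a cluster — a compromised operator pod could register a webhook that mutates any object in any namespace. `create` cannot be narrowed, but `patch` can: if the webhook configuration the operator maintains has a fixed name, split the rule so `patch` carries `resourceNames: [<webhook-config-name>]`, and the same applies to `patch` on `customresourcedefinitions`, which could be limited to the CRDs this operator owns. At minimum add a comment stating the blast radius, e.g. `# NOTE: unscoped create/patch on MutatingWebhookConfigurations is effectively cluster-wide write access; treat this ServiceAccount as highly privileged.` Removing `get` on CRDs while keeping `patch` is fine for a server-side patch, but verify the operator does not read the CRD before patching, as that call will now fail with 403.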