From 250b8f1d7883dda003534ab0687bbb54fafb89a4 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 25 Mar 2026 13:51:56 +0100 Subject: [PATCH 01/10] chore: Describe RBAC rules, remove unnecessary rules --- .../helm/druid-operator/templates/roles.yaml | 79 ++++++++++++------- 1 file changed, 50 insertions(+), 29 deletions(-) diff --git a/deploy/helm/druid-operator/templates/roles.yaml b/deploy/helm/druid-operator/templates/roles.yaml index 46be29ba..376df711 100644 --- a/deploy/helm/druid-operator/templates/roles.yaml +++ b/deploy/helm/druid-operator/templates/roles.yaml @@ -6,73 +6,84 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch - # For automatic cluster domain detection + # For automatic cluster domain detection: the operator fetches the kubelet config from + # /api/v1/nodes/{name}/proxy/configz to read clusterDomain. The node name is provided + # via the downward API (KUBERNETES_NODE_NAME env var) so no list/watch on nodes is needed. - apiGroups: - "" resources: - nodes/proxy verbs: - get + # Manage core workload resources created per DruidCluster. + # Applied via Server-Side Apply (create + patch) and tracked for orphan cleanup (list + delete). + # get is also required: when reconciliation is paused the framework calls client.get() instead + # of apply_patch(). Both types are owned by the controller (.owns()) and therefore also need watch. + # - configmaps: role-group config maps and discovery config maps + # - services: headless and metrics services per role group - apiGroups: - "" resources: - - pods - configmaps - - secrets - services - - endpoints - - serviceaccounts verbs: - create - delete - get - list - patch - - update - watch + # Shared internal authentication secret (cookie passphrase and internal client password). + # Managed directly via client.apply_patch() / client.delete() in internal_secret.rs — + # not via ClusterResources — so list and watch are not needed. - apiGroups: - - rbac.authorization.k8s.io + - "" resources: - - rolebindings + - secrets verbs: - create - delete - get - - list - patch - - update - - watch + # ServiceAccount created per DruidCluster for workload pod identity. + # Applied via SSA and tracked for orphan cleanup. Not watched by the controller. - apiGroups: - - apps + - "" resources: - - statefulsets + - serviceaccounts verbs: + - create + - delete - get + - list + - patch + # RoleBinding created per DruidCluster to bind the product ClusterRole to the workload + # ServiceAccount. Applied via SSA and tracked for orphan cleanup. Not watched by the controller. + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: - create - delete + - get - list - patch - - update - - watch + # StatefulSet created per role group. Applied via SSA, tracked for orphan cleanup, and + # owned by the controller (.owns()), so watch is also required. - apiGroups: - - batch + - apps resources: - - jobs + - statefulsets verbs: - create - delete - get - list - patch - - update - watch + # PodDisruptionBudget created per role. Applied via SSA and tracked for orphan cleanup. + # Not watched by the controller. - apiGroups: - policy resources: @@ -83,8 +94,6 @@ rules: - get - list - patch - - update - - watch - apiGroups: - apiextensions.k8s.io resources: @@ -100,6 +109,8 @@ rules: - list - watch {{- end }} + # Listener created per role group for external access. Applied via SSA and tracked for orphan + # cleanup. Not watched by the controller (no .owns() or .watches() on Listener in main.rs). - apiGroups: - listeners.stackable.tech resources: @@ -110,7 +121,7 @@ rules: - get - list - patch - - watch + # Required to report reconciliation results and warnings back to the DruidCluster object. - apiGroups: - events.k8s.io resources: @@ -118,6 +129,9 @@ rules: verbs: - create - patch + # Primary CRD: watched by Controller::new() and read during reconciliation. + # The operator only modifies the status subresource (see druiddclusters/status below), + # so patch on the main object is not needed. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: @@ -125,14 +139,15 @@ rules: verbs: - get - list - - patch - watch + # Status subresource: updated at the end of every reconciliation via apply_patch_status(). - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: - {{ include "operator.name" . }}clusters/status verbs: - patch + # Read S3 connection and bucket configuration referenced in the DruidCluster spec. - apiGroups: - s3.stackable.tech resources: @@ -142,6 +157,7 @@ rules: - get - list - watch + # Read authentication class configuration referenced in the DruidCluster spec. - apiGroups: - authentication.stackable.tech resources: @@ -150,6 +166,7 @@ rules: - get - list - watch + # Required to bind the product ClusterRole to the per-cluster ServiceAccount. - apiGroups: - rbac.authorization.k8s.io resources: @@ -167,6 +184,8 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: + # Druid reads its own configuration (ConfigMaps), credentials (Secrets), and service account + # token (ServiceAccount) at runtime from within the pod. - apiGroups: - "" resources: @@ -175,6 +194,7 @@ rules: - serviceaccounts verbs: - get + # Allows Druid pods to emit Kubernetes events (e.g. for lifecycle notifications). - apiGroups: - events.k8s.io resources: @@ -183,6 +203,7 @@ rules: - create - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # Required on OpenShift to allow the Druid pods to run as a non-root user. - apiGroups: - security.openshift.io resources: From 9a4f4266fecfb9b9bfa5a2a6de852a90bde7f938 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 25 Mar 2026 14:03:31 +0100 Subject: [PATCH 02/10] chore: Update changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40d88b32..68244800 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#810]). + +- [#810]: https://github.com/stackabletech/druid-operator/pull/810 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 From 9b46b57b49572938db78a86695b022c8c239c75b Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Fri, 27 Mar 2026 15:18:47 +0100 Subject: [PATCH 03/10] fix: CRD permissions - Add missing description - Remove `get`, it is never used - Make list/watch unconditional --- deploy/helm/druid-operator/templates/roles.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/deploy/helm/druid-operator/templates/roles.yaml b/deploy/helm/druid-operator/templates/roles.yaml index 376df711..39d164ba 100644 --- a/deploy/helm/druid-operator/templates/roles.yaml +++ b/deploy/helm/druid-operator/templates/roles.yaml @@ -94,21 +94,22 @@ rules: - get - list - patch + # Required for maintaining the CRDs within the operator (including the conversion webhook info). + # Also for the startup condition check before the controller can run. - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - - get # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's # generated certificate in the conversion webhook. {{- if .Values.maintenance.customResourceDefinitions.maintain }} - create - patch + {{- end }} # Required for startup condition - list - watch - {{- end }} # Listener created per role group for external access. Applied via SSA and tracked for orphan # cleanup. Not watched by the controller (no .owns() or .watches() on Listener in main.rs). - apiGroups: From 4bc4002f51e8b1fdda389cf7d31dd3575e5582aa Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Fri, 27 Mar 2026 15:25:52 +0100 Subject: [PATCH 04/10] chore: Keep rbac.authorization.k8s.io rules together --- .../helm/druid-operator/templates/roles.yaml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/deploy/helm/druid-operator/templates/roles.yaml b/deploy/helm/druid-operator/templates/roles.yaml index 39d164ba..da601792 100644 --- a/deploy/helm/druid-operator/templates/roles.yaml +++ b/deploy/helm/druid-operator/templates/roles.yaml @@ -69,6 +69,15 @@ rules: - get - list - patch + # Required to bind the product ClusterRole to the per-cluster ServiceAccount. + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - bind + resourceNames: + - {{ include "operator.name" . }}-clusterrole # StatefulSet created per role group. Applied via SSA, tracked for orphan cleanup, and # owned by the controller (.owns()), so watch is also required. - apiGroups: @@ -167,16 +176,6 @@ rules: - get - list - watch - # Required to bind the product ClusterRole to the per-cluster ServiceAccount. - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - bind - resourceNames: - - {{ include "operator.name" . }}-clusterrole - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole From 73ac2229d37d09a798916e2a45e9b7162de3f05e Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Fri, 27 Mar 2026 16:39:43 +0100 Subject: [PATCH 05/10] chore: Update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68244800..67aea6a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file. ### Changed -- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#810]). +- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#810]). - [#810]: https://github.com/stackabletech/druid-operator/pull/810 From 19e3b0b987a2354f5ded9a25f5b890db0607d412 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Fri, 27 Mar 2026 16:55:52 +0100 Subject: [PATCH 06/10] chore: Update descriptions on RBAC permissions --- .../helm/druid-operator/templates/roles.yaml | 26 +++++++------------ 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/deploy/helm/druid-operator/templates/roles.yaml b/deploy/helm/druid-operator/templates/roles.yaml index da601792..49dd57b5 100644 --- a/deploy/helm/druid-operator/templates/roles.yaml +++ b/deploy/helm/druid-operator/templates/roles.yaml @@ -6,21 +6,16 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - # For automatic cluster domain detection: the operator fetches the kubelet config from - # /api/v1/nodes/{name}/proxy/configz to read clusterDomain. The node name is provided - # via the downward API (KUBERNETES_NODE_NAME env var) so no list/watch on nodes is needed. + # For automatic cluster domain detection - apiGroups: - "" resources: - nodes/proxy verbs: - get - # Manage core workload resources created per DruidCluster. - # Applied via Server-Side Apply (create + patch) and tracked for orphan cleanup (list + delete). - # get is also required: when reconciliation is paused the framework calls client.get() instead - # of apply_patch(). Both types are owned by the controller (.owns()) and therefore also need watch. - # - configmaps: role-group config maps and discovery config maps - # - services: headless and metrics services per role group + # Manage core workload resources created per AirflowCluster. + # All resources are applied via Server-Side Apply (create + patch) and tracked for + # orphan cleanup (list + delete). - apiGroups: - "" resources: @@ -34,8 +29,7 @@ rules: - patch - watch # Shared internal authentication secret (cookie passphrase and internal client password). - # Managed directly via client.apply_patch() / client.delete() in internal_secret.rs — - # not via ClusterResources — so list and watch are not needed. + # Orphan cleanup not needed (instead, Kubernetes GC via owner reference). - apiGroups: - "" resources: @@ -79,7 +73,7 @@ rules: resourceNames: - {{ include "operator.name" . }}-clusterrole # StatefulSet created per role group. Applied via SSA, tracked for orphan cleanup, and - # owned by the controller (.owns()), so watch is also required. + # owned by the controller. - apiGroups: - apps resources: @@ -120,7 +114,7 @@ rules: - list - watch # Listener created per role group for external access. Applied via SSA and tracked for orphan - # cleanup. Not watched by the controller (no .owns() or .watches() on Listener in main.rs). + # cleanup. - apiGroups: - listeners.stackable.tech resources: @@ -140,8 +134,6 @@ rules: - create - patch # Primary CRD: watched by Controller::new() and read during reconciliation. - # The operator only modifies the status subresource (see druiddclusters/status below), - # so patch on the main object is not needed. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: @@ -150,7 +142,7 @@ rules: - get - list - watch - # Status subresource: updated at the end of every reconciliation via apply_patch_status(). + # Status subresource: updated at the end of every reconciliation. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: @@ -177,6 +169,8 @@ rules: - list - watch --- +# Product ClusterRole: bound (via per DruidCluster RoleBinding) to the ServiceAccount that Druid +# workload pods (webserver, scheduler, worker, triggerer, dag-processor) run as. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: From 46eb3344e43186080a07b0181afaade62a3dd28b Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Fri, 27 Mar 2026 19:39:04 +0100 Subject: [PATCH 07/10] chore: Remove unused permissions for the product ClusterRole --- deploy/helm/druid-operator/templates/roles.yaml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/deploy/helm/druid-operator/templates/roles.yaml b/deploy/helm/druid-operator/templates/roles.yaml index 49dd57b5..3fdebbfe 100644 --- a/deploy/helm/druid-operator/templates/roles.yaml +++ b/deploy/helm/druid-operator/templates/roles.yaml @@ -178,16 +178,6 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - # Druid reads its own configuration (ConfigMaps), credentials (Secrets), and service account - # token (ServiceAccount) at runtime from within the pod. - - apiGroups: - - "" - resources: - - configmaps - - secrets - - serviceaccounts - verbs: - - get # Allows Druid pods to emit Kubernetes events (e.g. for lifecycle notifications). - apiGroups: - events.k8s.io From f3d9d1e12b1f635bcc4b09b40f18dcb22a2ad508 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Fri, 27 Mar 2026 19:39:28 +0100 Subject: [PATCH 08/10] chore(nix): Update crate hashes --- Cargo.nix | 18 +++++++++--------- crate-hashes.json | 18 +++++++++--------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Cargo.nix b/Cargo.nix index d217a22a..c664797b 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -4841,7 +4841,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "k8s_version"; authors = [ @@ -9564,7 +9564,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_certs"; authors = [ @@ -9776,7 +9776,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_operator"; authors = [ @@ -9948,7 +9948,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -9983,7 +9983,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_shared"; authors = [ @@ -10064,7 +10064,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_telemetry"; authors = [ @@ -10174,7 +10174,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_versioned"; authors = [ @@ -10218,7 +10218,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_versioned_macros"; @@ -10286,7 +10286,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_webhook"; authors = [ diff --git a/crate-hashes.json b/crate-hashes.json index 0c14db8c..2148b36f 100644 --- a/crate-hashes.json +++ b/crate-hashes.json @@ -4,14 +4,14 @@ "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-derive@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-runtime@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "08ahxagis53c7bxnj53xgzv5l619av1lwfc67cswrsp2wcakzns3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file From 4c6e0f449c9af6c9fc2ecfa29b153b2ce3db968a Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Fri, 27 Mar 2026 19:41:06 +0100 Subject: [PATCH 09/10] chore: Split clusterroles into separate files for operator and product --- .../{roles.yaml => clusterrole-operator.yaml} | 29 ------------------- .../templates/clusterrole-product.yaml | 29 +++++++++++++++++++ 2 files changed, 29 insertions(+), 29 deletions(-) rename deploy/helm/druid-operator/templates/{roles.yaml => clusterrole-operator.yaml} (83%) create mode 100644 deploy/helm/druid-operator/templates/clusterrole-product.yaml diff --git a/deploy/helm/druid-operator/templates/roles.yaml b/deploy/helm/druid-operator/templates/clusterrole-operator.yaml similarity index 83% rename from deploy/helm/druid-operator/templates/roles.yaml rename to deploy/helm/druid-operator/templates/clusterrole-operator.yaml index 3fdebbfe..a95ecd3b 100644 --- a/deploy/helm/druid-operator/templates/roles.yaml +++ b/deploy/helm/druid-operator/templates/clusterrole-operator.yaml @@ -168,32 +168,3 @@ rules: - get - list - watch ---- -# Product ClusterRole: bound (via per DruidCluster RoleBinding) to the ServiceAccount that Druid -# workload pods (webserver, scheduler, worker, triggerer, dag-processor) run as. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "operator.name" . }}-clusterrole - labels: - {{- include "operator.labels" . | nindent 4 }} -rules: - # Allows Druid pods to emit Kubernetes events (e.g. for lifecycle notifications). - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create - - patch -{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} - # Required on OpenShift to allow the Druid pods to run as a non-root user. - - apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - nonroot-v2 - verbs: - - use -{{ end }} diff --git a/deploy/helm/druid-operator/templates/clusterrole-product.yaml b/deploy/helm/druid-operator/templates/clusterrole-product.yaml new file mode 100644 index 00000000..d85ef179 --- /dev/null +++ b/deploy/helm/druid-operator/templates/clusterrole-product.yaml @@ -0,0 +1,29 @@ +--- +# Product ClusterRole: bound (via per DruidCluster RoleBinding) to the ServiceAccount that Druid +# workload pods (webserver, scheduler, worker, triggerer, dag-processor) run as. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "operator.name" . }}-clusterrole + labels: + {{- include "operator.labels" . | nindent 4 }} +rules: + # Allows Druid pods to emit Kubernetes events (e.g. for lifecycle notifications). + - apiGroups: + - events.k8s.io + resources: + - events + verbs: + - create + - patch +{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # Required on OpenShift to allow the Druid pods to run as a non-root user. + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nonroot-v2 + verbs: + - use +{{ end }} From c7b4ae5f8ab873c5a2a5060c810e738b538f5fb9 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Fri, 27 Mar 2026 19:42:25 +0100 Subject: [PATCH 10/10] chore: Correct roles mentioned --- deploy/helm/druid-operator/templates/clusterrole-product.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/helm/druid-operator/templates/clusterrole-product.yaml b/deploy/helm/druid-operator/templates/clusterrole-product.yaml index d85ef179..7944f774 100644 --- a/deploy/helm/druid-operator/templates/clusterrole-product.yaml +++ b/deploy/helm/druid-operator/templates/clusterrole-product.yaml @@ -1,6 +1,6 @@ --- # Product ClusterRole: bound (via per DruidCluster RoleBinding) to the ServiceAccount that Druid -# workload pods (webserver, scheduler, worker, triggerer, dag-processor) run as. +# workload pods (brokers, coordinators, historicals, middleManagers, routers) run as. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: