CLOUDP-331496: Remove undocumented operator.enablePVCResize Helm value

.githooks/pre-commit

@@ -35,7 +35,6 @@ function generate_standalone_yaml() {
   FILES=(
     "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-base.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml"
-    "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-telemetry.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-webhook.yaml"
     "${charttmpdir}/mongodb-kubernetes/templates/database-roles.yaml"
@@ -63,7 +62,6 @@ function generate_standalone_yaml() {
   cp "${charttmpdir}/mongodb-kubernetes/templates/database-roles.yaml" config/rbac/database-roles.yaml
   cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-base.yaml" config/rbac/operator-roles-base.yaml
   cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-clustermongodbroles.yaml" config/rbac/operator-roles-clustermongodbroles.yaml
-  cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml" config/rbac/operator-roles-pvc-resize.yaml
   cp "${charttmpdir}/mongodb-kubernetes/templates/operator-roles-telemetry.yaml" config/rbac/operator-roles-telemetry.yaml
 
   # generate multi-cluster public example

RELEASE_NOTES.md

@@ -4,7 +4,7 @@
 # MCK 1.3.0 Release Notes
 
 ## Other Changes
-* Optional permissions for `PersistentVolumeClaim` moved to a separate role. When managing the operator with Helm it is possible to disable permissions for `PersistentVolumeClaim` resources by setting `operator.enablePVCResize` value to `false` (`true` by default). When enabled, previously these permissions were part of the primary operator role. With this change, permissions have a separate role.
+* The undocumented `operator.enablePVCResize` Helm value has been removed. If you previously set this value to `false`, please note that the operator roles will now include permissions for `PersistentVolumeClaim` resources by default.
 * `subresourceEnabled` Helm value was removed. This setting used to be `true` by default and made it possible to exclude subresource permissions from the operator role by specifying `false` as the value. We are removing this configuration option, making the operator roles always have subresource permissions. This setting was introduced as a temporary solution for [this](https://bugzilla.redhat.com/show_bug.cgi?id=1803171) OpenShift issue. The issue has since been resolved and the setting is no longer needed.
 
 

changelog/20250716_other_enablePVCResize_setting_removed.md

@@ -0,0 +1,7 @@
+---
+title: Undocumented operator.enablePVCResize Helm value has been removed
+kind: other
+date: 2025-07-15
+---
+
+* The undocumented `operator.enablePVCResize` Helm value has been removed. If you previously set this value to `false`, please note that the operator roles will now include permissions for `PersistentVolumeClaim` resources by default.

config/rbac/kustomization.yaml

@@ -5,7 +5,6 @@ resources:
   - database-roles.yaml
   - operator-roles-base.yaml
   - operator-roles-clustermongodbroles.yaml
-  - operator-roles-pvc-resize.yaml
   - operator-roles-telemetry.yaml
 
 # we have to remove service account namespace from RoleBinding as OLM is not overriding it

config/rbac/operator-roles-base.yaml

@@ -79,6 +79,17 @@ rules:
       - opsmanagers/status
       - mongodbmulticluster/status
       - mongodbsearch/status
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - delete
+      - list
+      - watch
+      - patch
+      - update
 ---
 # Source: mongodb-kubernetes/templates/operator-roles-base.yaml
 kind: RoleBinding

helm_chart/templates/operator-roles-base.yaml

@@ -91,6 +91,17 @@ rules:
       - opsmanagers/status
       - mongodbmulticluster/status
       - mongodbsearch/status
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - delete
+      - list
+      - watch
+      - patch
+      - update
 {{- if eq $roleScope "ClusterRole" }}
   - apiGroups:
       - ''

helm_chart/values.yaml

@@ -71,9 +71,6 @@ operator:
   # Set to false to not create the ClusterRole and ClusterRoleBinding and to disable the operator watching the ClusterMongoDBRole resources.
   enableClusterMongoDBRoles: true
 
-  # Set to false to not create the RBAC for enabling access to the PVC for resizing for the operator
-  enablePVCResize: true
-
   vaultSecretBackend:
     # set to true if you want the operator to store secrets in Vault
     enabled: false

public/mongodb-kubernetes-multi-cluster.yaml

@@ -79,6 +79,17 @@ rules:
       - opsmanagers/status
       - mongodbmulticluster/status
       - mongodbsearch/status
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - delete
+      - list
+      - watch
+      - patch
+      - update
 ---
 # Source: mongodb-kubernetes/templates/operator-roles-base.yaml
 kind: RoleBinding
@@ -122,40 +133,6 @@ subjects:
     name: mongodb-kubernetes-operator-multi-cluster
     namespace: mongodb
 ---
-# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-multi-cluster-pvc-resize
-  namespace: mongodb
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - persistentvolumeclaims
-    verbs:
-      - get
-      - delete
-      - list
-      - watch
-      - patch
-      - update
----
-# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-multi-cluster-pvc-resize-binding
-  namespace: mongodb
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: mongodb-kubernetes-operator-multi-cluster-pvc-resize
-subjects:
-  - kind: ServiceAccount
-    name: mongodb-kubernetes-operator-multi-cluster
-    namespace: mongodb
----
 # Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml
 # Additional ClusterRole for clusterVersionDetection
 kind: ClusterRole

public/mongodb-kubernetes-openshift.yaml

@@ -79,6 +79,17 @@ rules:
       - opsmanagers/status
       - mongodbmulticluster/status
       - mongodbsearch/status
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - delete
+      - list
+      - watch
+      - patch
+      - update
 ---
 # Source: mongodb-kubernetes/templates/operator-roles-base.yaml
 kind: RoleBinding
@@ -122,40 +133,6 @@ subjects:
     name: mongodb-kubernetes-operator
     namespace: mongodb
 ---
-# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-pvc-resize
-  namespace: mongodb
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - persistentvolumeclaims
-    verbs:
-      - get
-      - delete
-      - list
-      - watch
-      - patch
-      - update
----
-# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-pvc-resize-binding
-  namespace: mongodb
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: mongodb-kubernetes-operator-pvc-resize
-subjects:
-  - kind: ServiceAccount
-    name: mongodb-kubernetes-operator
-    namespace: mongodb
----
 # Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml
 # Additional ClusterRole for clusterVersionDetection
 kind: ClusterRole

public/mongodb-kubernetes.yaml

@@ -79,6 +79,17 @@ rules:
       - opsmanagers/status
       - mongodbmulticluster/status
       - mongodbsearch/status
+  - apiGroups:
+      - ''
+    resources:
+      - persistentvolumeclaims
+    verbs:
+      - get
+      - delete
+      - list
+      - watch
+      - patch
+      - update
 ---
 # Source: mongodb-kubernetes/templates/operator-roles-base.yaml
 kind: RoleBinding
@@ -122,40 +133,6 @@ subjects:
     name: mongodb-kubernetes-operator
     namespace: mongodb
 ---
-# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-pvc-resize
-  namespace: mongodb
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - persistentvolumeclaims
-    verbs:
-      - get
-      - delete
-      - list
-      - watch
-      - patch
-      - update
----
-# Source: mongodb-kubernetes/templates/operator-roles-pvc-resize.yaml
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: mongodb-kubernetes-operator-pvc-resize-binding
-  namespace: mongodb
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: mongodb-kubernetes-operator-pvc-resize
-subjects:
-  - kind: ServiceAccount
-    name: mongodb-kubernetes-operator
-    namespace: mongodb
----
 # Source: mongodb-kubernetes/templates/operator-roles-telemetry.yaml
 # Additional ClusterRole for clusterVersionDetection
 kind: ClusterRole

scripts/funcs/operator_deployment

@@ -29,7 +29,6 @@ get_operator_helm_values() {
     "mongodb.name=mongodb-enterprise-server"
     "mongodb.imageType=${MDB_IMAGE_TYPE:-ubi8}"
     "operator.mdbDefaultArchitecture=${MDB_DEFAULT_ARCHITECTURE:-non-static}"
-    "operator.enablePVCResize=${MDB_ENABLE_PVC_RESIZE:-true}"
     # only send the telemetry to the backend on a specific variant, thus default to false
     "operator.telemetry.send.enabled=${MDB_OPERATOR_TELEMETRY_SEND_ENABLED:-false}"
     # lets collect and save in the configmap as frequently as we can