From 4816e666c1dccd9b8f1a042d5d92e269d9866c27 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Thu, 19 Jun 2025 14:03:10 +0200
Subject: [PATCH 1/4] fix: remove role binding to legacy service account name

---
 crates/stackable-operator/src/commons/rbac.rs | 40 ++++++-------------
 1 file changed, 12 insertions(+), 28 deletions(-)

diff --git a/crates/stackable-operator/src/commons/rbac.rs b/crates/stackable-operator/src/commons/rbac.rs
index ddeb19e7a..a5e1943b3 100644
--- a/crates/stackable-operator/src/commons/rbac.rs
+++ b/crates/stackable-operator/src/commons/rbac.rs
@@ -28,24 +28,18 @@ pub enum Error {
 }
 
 /// Build RBAC objects for the product workloads.
-/// The `product_name` is meant to be the product name, for example: zookeeper, airflow, etc.
-/// and it is a assumed that a ClusterRole named `{product_name}-clusterrole` exists.
+/// The names of the service account and role binding match the following templates:
+/// - `{resource_name}-serviceaccount`
+/// - `{resource_name}-rolebinding`
+///
+/// The service account is bound to a cluster role named `{product_name}-clusterrole` which
+/// must already exist.
 pub fn build_rbac_resources>(
     resource: &T,
-    // 'product_name' is not used to build the names of the serviceAccount and roleBinding objects,
-    // as this caused problems with multiple clusters of the same product within the same namespace
-    // see for more details.
-    // Instead the names for these objects are created by reading the name from the cluster object
-    // and appending [-rolebinding|-serviceaccount] to create unique names instead of using the
-    // same objects for multiple clusters.
     product_name: &str,
     labels: Labels,
 ) -> Result<(ServiceAccount, RoleBinding)> {
     let sa_name = service_account_name(&resource.name_any());
-    // We add the legacy serviceAccount name to the binding here for at least one
-    // release cycle, so that the switchover during the upgrade can be smoother.
-    // To be removed in v24.3+1.
-    let legacy_sa_name = service_account_name(product_name);
     let service_account = ServiceAccount {
         metadata: ObjectMetaBuilder::new()
             .name_and_namespace(resource)
@@ -74,22 +68,12 @@ pub fn build_rbac_resources>(
             name: format!("{product_name}-clusterrole"),
             api_group: "rbac.authorization.k8s.io".to_string(),
         },
-        subjects: Some(vec![
-            Subject {
-                kind: "ServiceAccount".to_string(),
-                name: sa_name,
-                namespace: resource.namespace(),
-                ..Subject::default()
-            },
-            // We add the legacy serviceAccount name to the binding here for at least one
-            // release cycle, so that the switchover during the upgrade can be smoother.
-            Subject {
-                kind: "ServiceAccount".to_string(),
-                name: legacy_sa_name,
-                namespace: resource.namespace(),
-                ..Subject::default()
-            },
-        ]),
+        subjects: Some(vec![Subject {
+            kind: "ServiceAccount".to_string(),
+            name: sa_name,
+            namespace: resource.namespace(),
+            ..Subject::default()
+        }]),
     };
 
     Ok((service_account, role_binding))

From 81dbccf73884dbd16f49fcb1bb1a12b2e6ed7705 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Thu, 19 Jun 2025 14:12:23 +0200
Subject: [PATCH 2/4] update changelog

---
 crates/stackable-operator/CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md
index 22d3b2af6..2eeccc9ec 100644
--- a/crates/stackable-operator/CHANGELOG.md
+++ b/crates/stackable-operator/CHANGELOG.md
@@ -11,9 +11,11 @@ All notable changes to this project will be documented in this file.
 ### Removed
 
 - BREAKING: Removed `last_update_time` from CRD ClusterCondition status ([#1054]).
+- BREAKING: Removed role binding to legacy service accounts ([#1060]).
 
 [#1049]: https://github.com/stackabletech/operator-rs/pull/1049
 [#1054]: https://github.com/stackabletech/operator-rs/pull/1054
+[#1060]: lttps://github.com/stackabletech/operator-rs/pull/1060
 
 ## [0.93.2] - 2025-05-26
 

From 68dfb65cb626801df3f9f0e408c7bbad2a51b5e9 Mon Sep 17 00:00:00 2001
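Review bot: Dropping the `legacy_sa_name` subject means that, from the moment the operator applies the new RoleBinding, any pod still running under the `{product_name}-serviceaccount` account stops being authorized by the `{product_name}-clusterrole` binding; as far as I can tell from this hunk nothing re-renders or restarts such workloads, so an instance that was not reconciled onto the per-resource account before the upgrade would start receiving 403s on its API calls rather than a clear error. The removed comment tied the legacy subject to a removal deadline ("To be removed in v24.3+1"), but neither the changelog entry in PATCH 2/4 nor the doc comment in PATCH 4/4 states the minimum version a user must already be running for the switchover to be safe; I would add one sentence to the `build_rbac_resources` doc comment saying that the legacy `{product_name}-serviceaccount` is no longer a subject of the binding and that workloads must already use the `{resource_name}-serviceaccount` account before upgrading. From a least-privilege standpoint the removal itself is welcome, since the namespace-wide legacy account no longer inherits the ClusterRole on behalf of every cluster of that product. The enclosing `build_rbac_resources` function starts outside this hunk.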
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Thu, 19 Jun 2025 14:14:37 +0200
Subject: [PATCH 3/4] fix typo

---
 crates/stackable-operator/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md
index 2eeccc9ec..29248c3c8 100644
--- a/crates/stackable-operator/CHANGELOG.md
+++ b/crates/stackable-operator/CHANGELOG.md
@@ -15,7 +15,7 @@ All notable changes to this project will be documented in this file.
 
 [#1049]: https://github.com/stackabletech/operator-rs/pull/1049
 [#1054]: https://github.com/stackabletech/operator-rs/pull/1054
-[#1060]: lttps://github.com/stackabletech/operator-rs/pull/1060
+[#1060]: https://github.com/stackabletech/operator-rs/pull/1060
 
 ## [0.93.2] - 2025-05-26
 

From f27dec51dcbf11fa365009d00ad4082b3fa031d2 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Tue, 24 Jun 2025 15:09:22 +0200
Subject: [PATCH 4/4] review feedback

---
 crates/stackable-operator/src/commons/rbac.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/crates/stackable-operator/src/commons/rbac.rs b/crates/stackable-operator/src/commons/rbac.rs
index a5e1943b3..7812d2d25 100644
--- a/crates/stackable-operator/src/commons/rbac.rs
+++ b/crates/stackable-operator/src/commons/rbac.rs
@@ -28,10 +28,14 @@ pub enum Error {
 }
 
 /// Build RBAC objects for the product workloads.
-/// The names of the service account and role binding match the following templates:
+/// The names of the service account and role binding match the following patterns:
 /// - `{resource_name}-serviceaccount`
 /// - `{resource_name}-rolebinding`
 ///
+/// A previous version of this function used the `product_name` instead of the `resource_name`,
+/// but this caused conflicts when deploying multiple instances of a product in the same namespace.
+/// See for more details.
+///
 /// The service account is bound to a cluster role named `{product_name}-clusterrole` which
 /// must already exist.
 pub fn build_rbac_resources>(