From 7fbb73c8875296399edfab22284fa950b38e8cce Mon Sep 17 00:00:00 2001 From: Romain Winieski Date: Wed, 17 Jun 2026 18:37:32 +0200 Subject: [PATCH 1/4] fix manager rbac --- .../templates/manager-rbac.yaml | 34 ++++++++++ hack/helmify-post-process.sh | 66 +++++++++++++++++++ 2 files changed, 100 insertions(+) diff --git a/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml b/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml index 4468f86..b650262 100644 --- a/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml +++ b/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml @@ -85,6 +85,23 @@ rules: - patch - update - watch +- apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -216,6 +233,23 @@ rules: - patch - update - watch +- apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/hack/helmify-post-process.sh b/hack/helmify-post-process.sh index 802b884..6039223 100755 --- a/hack/helmify-post-process.sh +++ b/hack/helmify-post-process.sh @@ -247,6 +247,31 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - persistentvolumeclaims/status + verbs: + - get +- apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update - apiGroups: - apps resources: 
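Review bot: The events rule added in each of these hunks grants `update` alongside `create` and `patch`, but the client-go and events.k8s.io event recorders only create and patch Event objects, so `update` looks like an over-grant; unless the operator's recorder is known to call Update, trim the rule to `verbs: [create, patch]` in both the ClusterRole and the Role (and in whatever marker or kustomize source the post-process script derives it from, if any). In cluster mode this rule lives in a ClusterRole, so any excess verb here is cluster-wide write access to events. The `rules:` lists these hunks extend start outside the hunks.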
@@ -303,6 +328,14 @@ rules: - patch - update - watch +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -371,6 +404,31 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - persistentvolumeclaims/status + verbs: + - get +- apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update - apiGroups: - apps resources: @@ -427,6 +485,14 @@ rules: - patch - update - watch +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding From 5425d3b95defbd8baaf347c99a0ec346d3e64dbc Mon Sep 17 00:00:00 2001 From: Romain Winieski Date: Wed, 17 Jun 2026 18:38:59 +0200 Subject: [PATCH 2/4] fix storageclass for PVC --- .../templates/manager-rbac.yaml | 44 +++++++++++++++---- hack/helmify-post-process.sh | 44 +++++++++++++++---- 2 files changed, 72 insertions(+), 16 deletions(-) diff --git a/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml b/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml index b650262..17af2e2 100644 --- a/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml +++ b/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml @@ -242,14 +242,6 @@ rules: - create - patch - update -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -270,4 +262,40 @@ subjects: name: '{{ include "marklogic-operator-kubernetes.serviceAccountName" $ }}' namespace: '{{ $.Release.Namespace }}' {{- end }} +{{- /* +storageclass is a cluster-scoped resource; a namespaced Role cannot grant access +to it. A dedicated ClusterRole + ClusterRoleBinding is required in namespace mode +so the operator can read allowVolumeExpansion and perform PVC resize operations. +*/}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: marklogic-operator-storageclass-reader + labels: + {{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }} +rules: +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: marklogic-operator-storageclass-reader + labels: + {{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: marklogic-operator-storageclass-reader +subjects: +- kind: ServiceAccount + name: '{{ include "marklogic-operator-kubernetes.serviceAccountName" . }}' + namespace: '{{ .Release.Namespace }}' {{- end }} diff --git a/hack/helmify-post-process.sh b/hack/helmify-post-process.sh index 6039223..cf1a396 100755 --- a/hack/helmify-post-process.sh +++ b/hack/helmify-post-process.sh @@ -485,14 +485,6 @@ rules: - patch - update - watch -- apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
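Review bot: The ClusterRoleBinding this hunk adds means a namespace-mode install now requires cluster-scoped RBAC rights from whoever runs the install (including, because of RBAC escalation prevention, get/list/watch on storageclasses themselves), which is often exactly what namespace mode is chosen to avoid, and the template comment does not say what happens when the binding cannot be created. Consider gating the ClusterRole/ClusterRoleBinding pair behind a values toggle so a purely namespaced install still succeeds, and extend the comment with a sentence such as `Without this binding the operator still runs but cannot check allowVolumeExpansion, so PVC resize requests will fail.` — assuming that is the actual degraded behaviour; confirm against the resize code path before writing it. The conditional that the surrounding `{{- end }}` lines close starts outside the hunk.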
@@ -513,6 +505,42 @@ subjects: name: '{{ include "marklogic-operator-kubernetes.serviceAccountName" $ }}' namespace: '{{ $.Release.Namespace }}' {{- end }} +{{- /* +storageclass is a cluster-scoped resource; a namespaced Role cannot grant access +to it. A dedicated ClusterRole + ClusterRoleBinding is required in namespace mode +so the operator can read allowVolumeExpansion and perform PVC resize operations. +*/}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: marklogic-operator-storageclass-reader + labels: + {{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }} +rules: +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: marklogic-operator-storageclass-reader + labels: + {{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: marklogic-operator-storageclass-reader +subjects: +- kind: ServiceAccount + name: '{{ include "marklogic-operator-kubernetes.serviceAccountName" . }}' + namespace: '{{ .Release.Namespace }}' {{- end }} TMPL_EOF echo " [manager-rbac.yaml] Done." From a12c7a1d1ec33eb97fa42bfa811d9c76976084c4 Mon Sep 17 00:00:00 2001 From: Romain Winieski Date: Wed, 17 Jun 2026 18:48:10 +0200 Subject: [PATCH 3/4] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../templates/manager-rbac.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml b/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml index 17af2e2..5a113d4 100644 --- a/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml +++ b/charts/marklogic-operator-kubernetes/templates/manager-rbac.yaml 
@@ -271,7 +271,7 @@ so the operator can read allowVolumeExpansion and perform PVC resize operations. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: marklogic-operator-storageclass-reader + name: {{ printf "%s-storageclass-reader" (include "marklogic-operator-kubernetes.fullname" .) | trunc 63 | trimSuffix "-" }} labels: {{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }} rules: @@ -287,13 +287,13 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: marklogic-operator-storageclass-reader + name: {{ printf "%s-storageclass-reader" (include "marklogic-operator-kubernetes.fullname" .) | trunc 63 | trimSuffix "-" }} labels: {{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: marklogic-operator-storageclass-reader + name: {{ printf "%s-storageclass-reader" (include "marklogic-operator-kubernetes.fullname" .) | trunc 63 | trimSuffix "-" }} subjects: - kind: ServiceAccount name: '{{ include "marklogic-operator-kubernetes.serviceAccountName" . }}' From 10f938c96f3725a2d8af0b3922f4dcff4765abf6 Mon Sep 17 00:00:00 2001 From: Romain Winieski Date: Wed, 17 Jun 2026 18:48:30 +0200 Subject: [PATCH 4/4] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- hack/helmify-post-process.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hack/helmify-post-process.sh b/hack/helmify-post-process.sh index cf1a396..077f82e 100755 --- a/hack/helmify-post-process.sh +++ b/hack/helmify-post-process.sh 
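Review bot: The new `name:` expressions are derived from `marklogic-operator-kubernetes.fullname`, which, if it follows the usual release-plus-chart pattern (the helper is not shown here), does not include the namespace, so two namespace-mode releases with the same release name in different namespaces would still contend for one cluster-scoped ClusterRole and ClusterRoleBinding; Helm refuses to adopt a resource owned by another release, and if that check is bypassed the later install overwrites the binding's `subjects` and the earlier operator silently loses its storageclass reads. Since this object exists to serve exactly one namespaced release, fold the namespace into the name in all three places: `name: {{ printf "%s-%s-storageclass-reader" (include "marklogic-operator-kubernetes.fullname" .) .Release.Namespace | trunc 63 | trimSuffix "-" }}`. The ClusterRole's `rules:` and the binding's `subjects:` continue outside the hunks.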
@@ -514,7 +514,7 @@ so the operator can read allowVolumeExpansion and perform PVC resize operations. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: marklogic-operator-storageclass-reader + name: {{ printf "%s-storageclass-reader" (include "marklogic-operator-kubernetes.fullname" .) | trunc 63 | trimSuffix "-" }} labels: {{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }} rules: @@ -530,13 +530,13 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: marklogic-operator-storageclass-reader + name: {{ printf "%s-storageclass-reader" (include "marklogic-operator-kubernetes.fullname" .) | trunc 63 | trimSuffix "-" }} labels: {{- include "marklogic-operator-kubernetes.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: marklogic-operator-storageclass-reader + name: {{ printf "%s-storageclass-reader" (include "marklogic-operator-kubernetes.fullname" .) | trunc 63 | trimSuffix "-" }} subjects: - kind: ServiceAccount name: '{{ include "marklogic-operator-kubernetes.serviceAccountName" . }}'
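Review bot: The same name expression is now written out three times in this heredoc (ClusterRole metadata, ClusterRoleBinding metadata, and `roleRef`), and because the API server accepts a ClusterRoleBinding whose `roleRef` points at a ClusterRole that does not exist, a future edit that changes one copy but not the `roleRef` would surface only as Forbidden errors in the operator log at runtime rather than as an install-time failure. Define it once as a named template, e.g. `{{- define "marklogic-operator-kubernetes.storageClassReaderName" -}}{{ printf "%s-storageclass-reader" (include "marklogic-operator-kubernetes.fullname" .) | trunc 63 | trimSuffix "-" }}{{- end }}`, and reference it from all three places so the generated template and the checked-in chart cannot drift apart. The helpers file that would hold the define is not part of this change.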