diff --git a/charts/psmdb-db/README.md b/charts/psmdb-db/README.md index fa077971..86cdee30 100644 --- a/charts/psmdb-db/README.md +++ b/charts/psmdb-db/README.md 
@@ -243,6 +243,16 @@ The chart can be customized using the following configurable parameters: | `users.roles.role.name` | Name of the MongoDB role assigned to the user. As [built-in roles](https://www.mongodb.com/docs/manual/reference/built-in-roles/#built-in-roles), so [custom roles](https://github.com/mongodb/mongodb-kubernetes-operator/blob/master/docs/deploy-configure.md#define-a-custom-database-role) are supported | `""` | | `users.roles.role.db` | Database that the MongoDB role applies to | `""` | | | +| `roles.role` | Name of the custom role. | `""` | +| `roles.db` | Database in which you want to store the user-defined role. | `"admin"` | +| `roles.authenticationRestrictions.clientSource` | Array of IP addresses or CIDR blocks from which users assigned this role can connect.MongoDB servers reject connection requests from users with this role if the requests come from a client that is not present in this array. | `""` | +| `roles.authenticationRestrictions.serverAddress` | Array of IP addresses or CIDR blocks to which users assigned this role can connect.MongoDB servers reject connection requests from users with this role if the client requests to connect to a server that is not present in this array. | `""` | +| `roles.privileges.actions` | Name of the role. Valid values are built-in roles. | `[]` | +| `roles.privileges.resource.db` | Database for which the privilege `security.roles.privileges.actions` apply. An empty string ("") indicates that the privilege actions apply to all databases. | `""` | +| `roles.privileges.resource.collection` | Collection for which the privilege `security.roles.privileges.actions` apply. An empty string ("") indicates that the privilege actions apply to all of the database's collections. | `""` | +| `roles.privileges.resource.cluster` | Flag that indicates that the privilege `security.roles.privileges.actions` apply to all databases and collections in the MongoDB deployment. 
If omitted, defaults to false.If set to true, do not provide values for `security.roles.privileges.resource.database` and `security.roles.privileges.resource.collection`. | `""` | +| `roles.roles.role` | Name of the role to inherit from. | `""` | +| `roles.roles.db` | Name of database that contains the role to inherit from. | `""` | | `backup.enabled` | Enable backup PBM agent | `true` | | `backup.annotations` | Backup job annotations | `{}` | | `backup.podSecurityContext` | Set the security context for a Pod | `{}` | diff --git a/charts/psmdb-db/templates/cluster.yaml b/charts/psmdb-db/templates/cluster.yaml index 6e188861..9440ec58 100644 --- a/charts/psmdb-db/templates/cluster.yaml +++ b/charts/psmdb-db/templates/cluster.yaml @@ -578,6 +578,11 @@ spec: {{ .Values.users | toYaml | indent 2 }} {{- end }} + {{- if .Values.roles }} + roles: +{{ .Values.roles | toYaml | indent 2 }} + {{- end }} + backup: enabled: {{ .Values.backup.enabled }} {{- if .Values.backup.annotations }} diff --git a/charts/psmdb-db/values.yaml b/charts/psmdb-db/values.yaml index b91e5240..3dec02a2 100644 --- a/charts/psmdb-db/values.yaml +++ b/charts/psmdb-db/values.yaml @@ -499,6 +499,40 @@ sharding: # - name: dbOwner # db: sometest +# roles: +# - role: myClusterwideAdmin +# db: admin +# privileges: +# - resource: +# cluster: true +# actions: +# - addShard +# - resource: +# db: config +# collection: '' +# actions: +# - find +# - update +# - insert +# - remove +# roles: +# - role: read +# db: admin +# - role: my-role +# db: myDb +# privileges: +# - resource: +# db: '' +# collection: '' +# actions: +# - find +# authenticationRestrictions: +# - clientSource: +# - 127.0.0.1 +# serverAddress: +# - 127.0.0.1 + + backup: enabled: true image: diff --git a/charts/psmdb-operator/crds/crd.yaml b/charts/psmdb-operator/crds/crd.yaml index 6c2ee036..6bc50308 100644 --- a/charts/psmdb-operator/crds/crd.yaml +++ b/charts/psmdb-operator/crds/crd.yaml 
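Review bot: The commented example's `authenticationRestrictions` block binds `my-role` to `clientSource: 127.0.0.1` and `serverAddress: 127.0.0.1`; per the README rows in this same commit the server rejects connections for that role from any client or to any server address not in those arrays, and connections from other pods in a cluster do not arrive from loopback, so anyone who uncomments the example as-is gets a role that only works from inside the mongod pod itself. A comment above it such as `# authenticationRestrictions limit where users with this role may connect from/to; replace 127.0.0.1 with your client and member addresses or CIDR blocks` would prevent that. The first example role grants `addShard` at cluster scope plus `find`/`update`/`insert`/`remove` on `config`, which is cluster-administration level, so a one-line `# illustrative cluster-wide admin role; scope privileges to what the user actually needs` comment would make clear it is an example rather than a recommended default. Note also that the README row for `roles.privileges.actions` added in this commit describes the field as "Name of the role. Valid values are built-in roles.", while this example correctly fills it with privilege actions (`find`, `addShard`); the two should agree.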
@@ -327,6 +327,15 @@ spec: type: object replset: type: string + selective: + properties: + namespaces: + items: + type: string + type: array + withUsersAndRoles: + type: boolean + type: object storageName: type: string type: object @@ -1067,6 +1076,8 @@ spec: type: string crVersion: type: string + enableVolumeExpansion: + type: boolean ignoreAnnotations: items: type: string @@ -4019,10 +4030,24 @@ spec: type: object expose: properties: + annotations: + additionalProperties: + type: string + type: object enabled: type: boolean exposeType: type: string + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerIP: + type: string loadBalancerSourceRanges: items: type: string @@ -4038,6 +4063,8 @@ spec: additionalProperties: type: string type: object + type: + type: string required: - enabled type: object @@ -6879,6 +6906,10 @@ spec: type: string type: object type: object + primaryPreferTagSelector: + additionalProperties: + type: string + type: object priorityClassName: type: string readinessProbe: @@ -8854,6 +8885,64 @@ spec: - size type: object type: array + roles: + items: + properties: + authenticationRestrictions: + items: + properties: + clientSource: + items: + type: string + type: array + serverAddress: + items: + type: string + type: array + type: object + type: array + db: + type: string + privileges: + items: + properties: + actions: + items: + type: string + type: array + resource: + properties: + cluster: + type: boolean + collection: + type: string + db: + type: string + type: object + required: + - actions + type: object + type: array + role: + type: string + roles: + items: + properties: + db: + type: string + role: + type: string + required: + - db + - role + type: object + type: array + required: + - db + - privileges + - role + type: object + type: array schedulerName: type: string secrets: 
@@ -11605,10 +11694,24 @@ spec: type: object expose: properties: + annotations: + additionalProperties: + type: string + type: object enabled: type: boolean exposeType: type: string + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerIP: + type: string loadBalancerSourceRanges: items: type: string @@ -11624,6 +11727,8 @@ spec: additionalProperties: type: string type: object + type: + type: string required: - enabled type: object @@ -14465,6 +14570,10 @@ spec: type: string type: object type: object + primaryPreferTagSelector: + additionalProperties: + type: string + type: object priorityClassName: type: string readinessProbe: @@ -16967,8 +17076,22 @@ spec: type: object expose: properties: + annotations: + additionalProperties: + type: string + type: object exposeType: type: string + externalTrafficPolicy: + type: string + internalTrafficPolicy: + type: string + labels: + additionalProperties: + type: string + type: object + loadBalancerIP: + type: string loadBalancerSourceRanges: items: type: string @@ -16986,6 +17109,8 @@ spec: type: object servicePerPod: type: boolean + type: + type: string type: object hostAliases: items: @@ -19054,14 +19179,10 @@ spec: key: type: string name: - default: "" type: string - optional: - type: boolean required: - - key + - name type: object - x-kubernetes-map-type: atomic roles: items: properties: @@ -19075,7 +19196,6 @@ spec: type: object type: array required: - - db - name - passwordSecretRef - roles