From 480123b55606f26dac1d33f1dca0ab376a41dbbd Mon Sep 17 00:00:00 2001 From: Oliver Ni Date: Wed, 19 Jun 2024 02:52:03 -0400 Subject: [PATCH] fix(mongodb-operator): patch quirk in operator The operator is weird and requires that every namespace that wants to deploy MongoDB resources have a service account. This is a bit of a pain, but we can copy over the service account from the operator's namespace. https://github.com/mongodb/mongodb-kubernetes-operator/issues/850 We do some Nix magic here. Essentially, we look for all namespaces that have MongoDBCommunity resources and copy over the service account from the operator's namespace. We can do this by defining a submodule that Nix will merge with the existing `namespaces` submodule provided by transpire. --- kubernetes/core/mongodb-operator.nix | 62 +++++++++++++++++++++++----- 1 file changed, 51 insertions(+), 11 deletions(-) diff --git a/kubernetes/core/mongodb-operator.nix b/kubernetes/core/mongodb-operator.nix index bbc323b..c257ff5 100644 --- a/kubernetes/core/mongodb-operator.nix +++ b/kubernetes/core/mongodb-operator.nix @@ -1,17 +1,57 @@ -{ transpire, ... }: +{ lib, config, transpire, ... }: +let + # The operator is weird and requires that every namespace that wants to deploy + # MongoDB resources have a service account. This is a bit of a pain, but we + # can copy over the service account from the operator's namespace. + + # https://github.com/mongodb/mongodb-kubernetes-operator/issues/850 + + # We do some Nix magic here. Essentially, we look for all namespaces that have + # MongoDBCommunity resources and copy over the service account from the + # operator's namespace. We can do this by defining a submodule that Nix will + # merge with the existing `namespaces` submodule provided by transpire. + + operatorResources = config.namespaces.mongodb-operator.resources; + + resourcesToCopy = { + v1.ServiceAccount.mongodb-database = null; + "rbac.authorization.k8s.io/v1".Role.mongodb-database = null; + "rbac.authorization.k8s.io/v1".RoleBinding.mongodb-database = null; + }; + + namespaceModule = { config, name, ... }: + let + hasMongos = config.resources."mongodbcommunity.mongodb.com/v1".MongoDBCommunity != { }; + overrideNs = obj: lib.mkMerge [ obj { metadata.namespace = lib.mkForce name; } ]; + copiedResources = lib.mapAttrsRecursive + (path: _: overrideNs (lib.getAttrFromPath path operatorResources)) + resourcesToCopy; + in + { + resources = lib.mkIf (name != "mongodb-operator" && hasMongos) copiedResources; + }; +in { - namespaces.mongodb-operator = { - helmReleases.mongodb-operator = { - chart = transpire.fetchFromHelm { - repo = "https://mongodb.github.io/helm-charts"; - name = "community-operator"; - version = "0.9.0"; - sha256 = "OvHPiqHinxSD7vYtYKlfuvgNjG6+6jLZwIlpvFvMOZ8="; - }; + options = { + namespaces = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule namespaceModule); + }; + }; + + config = { + namespaces.mongodb-operator = { + helmReleases.mongodb-operator = { + chart = transpire.fetchFromHelm { + repo = "https://mongodb.github.io/helm-charts"; + name = "community-operator"; + version = "0.9.0"; + sha256 = "OvHPiqHinxSD7vYtYKlfuvgNjG6+6jLZwIlpvFvMOZ8="; + }; - values = { - operator.watchNamespace = "*"; + values = { + operator.watchNamespace = "*"; + }; }; }; };