From e161cbe64700acd6a30a4ecc16375a72738c3819 Mon Sep 17 00:00:00 2001 From: "austin.barrington" Date: Wed, 1 Jul 2026 13:18:26 +0100 Subject: [PATCH 1/2] fix: add missing deployments RBAC to Helm chart manager-role template The Helm chart RBAC template only listed statefulsets under the apps apiGroup, omitting deployments. This caused the controller-runtime informer cache to fail on startup with a forbidden error when watching Deployment resources. --- dist/chart/templates/rbac/manager-role.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/dist/chart/templates/rbac/manager-role.yaml b/dist/chart/templates/rbac/manager-role.yaml index 93d0001..fd2908a 100644 --- a/dist/chart/templates/rbac/manager-role.yaml +++ b/dist/chart/templates/rbac/manager-role.yaml @@ -37,6 +37,7 @@ rules: - apiGroups: - apps resources: + - deployments - statefulsets verbs: - create From 653944ce17da97f9b0faf27d86db500d13207951 Mon Sep 17 00:00:00 2001 From: "austin.barrington" Date: Wed, 1 Jul 2026 13:41:20 +0100 Subject: [PATCH 2/2] fix: multiple operator bug fixes and Helm chart enhancements - Add missing deployments RBAC permission to Helm chart manager-role - Add missing monitoring.coreos.com/servicemonitors RBAC marker - Regenerate CRDs, RBAC, and install.yaml - Add optional Ingress and Gateway API templates (disabled by default) --- config/rbac/role.yaml | 12 ++++ dist/chart/templates/NOTES.txt | 10 ++++ dist/chart/templates/gateway/gateway.yaml | 21 +++++++ dist/chart/templates/gateway/httproute.yaml | 41 ++++++++++++++ dist/chart/templates/ingress/ingress.yaml | 38 +++++++++++++ dist/chart/values.yaml | 55 +++++++++++++++++++ dist/install.yaml | 12 ++++ .../hyperbytedbcluster_controller.go | 1 + 8 files changed, 190 insertions(+) create mode 100644 dist/chart/templates/gateway/gateway.yaml create mode 100644 dist/chart/templates/gateway/httproute.yaml create mode 100644 dist/chart/templates/ingress/ingress.yaml 
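Review bot: In dist/chart/templates/rbac/manager-role.yaml (patch 1/2), `deployments` is added to the existing `apps` rule, so it inherits that rule's whole verb list (`create` onwards; the list continues outside the hunk), although the commit message only describes a failed watch. Please confirm the verbs against the controller's `+kubebuilder:rbac` marker for deployments and the generated config/rbac/role.yaml. If the controller only reads Deployments, a separate rule limited to `get`, `list`, `watch` keeps the role least-privileged. Because this template has already drifted from the generated role once, a comment such as `# keep in sync with config/rbac/role.yaml` above the rule would help the next maintainer.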
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 93256be..4ad7d10 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -105,6 +105,18 @@ rules: - get - patch - update +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - policy resources: diff --git a/dist/chart/templates/NOTES.txt b/dist/chart/templates/NOTES.txt index 1cec53d..c4733d5 100644 --- a/dist/chart/templates/NOTES.txt +++ b/dist/chart/templates/NOTES.txt @@ -13,3 +13,13 @@ To learn more about the release, try: $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +{{- if .Values.ingress.enabled }} +The metrics endpoint is exposed via Ingress: + {{- range .Values.ingress.hosts }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .host }}{{ range .paths }}{{ .path }}{{ end }} + {{- end }} +{{- end }} +{{- if .Values.gateway.enabled }} +Gateway API resources have been configured (gateway.enabled=true). +{{- end }} diff --git a/dist/chart/templates/gateway/gateway.yaml b/dist/chart/templates/gateway/gateway.yaml new file mode 100644 index 0000000..9192ca9 --- /dev/null +++ b/dist/chart/templates/gateway/gateway.yaml 
@@ -0,0 +1,21 @@
+{{- if .Values.gateway.enabled -}}
+{{- if .Values.gateway.gateway -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: {{ include "hyperbytedb-operator.resourceName" (dict "suffix" "gateway" "context" $) }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "hyperbytedb-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ control-plane: controller-manager
+ {{- with .Values.gateway.gateway.annotations }}
+ annotations: {{ toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ gatewayClassName: {{ .Values.gateway.gateway.gatewayClassName }}
+ listeners: {{ toYaml .Values.gateway.gateway.listeners | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/dist/chart/templates/gateway/httproute.yaml b/dist/chart/templates/gateway/httproute.yaml
new file mode 100644
index 0000000..30675af
--- /dev/null
+++ b/dist/chart/templates/gateway/httproute.yaml
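Review bot: In gateway.yaml, `gatewayClassName` and `listeners` are rendered straight from values with no presence check, so a `gateway.gateway` block that sets only one of them templates cleanly and is only rejected by the API server. Failing at render time is clearer: `gatewayClassName: {{ required "gateway.gateway.gatewayClassName is required" .Values.gateway.gateway.gatewayClassName | quote }}`. The listener protocol is also left entirely to the values, so an HTTP-only listener would carry the metrics route unencrypted; the values comments should say so.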
@@ -0,0 +1,41 @@
+{{- if .Values.gateway.enabled -}}
+{{- if .Values.gateway.httpRoutes -}}
+{{- range .Values.gateway.httpRoutes }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ include "hyperbytedb-operator.resourceName" (dict "suffix" (printf "httproute-%s" .name) "context" $) }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ $.Release.Service }}
+ app.kubernetes.io/name: {{ include "hyperbytedb-operator.name" $ }}
+ helm.sh/chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ $.Release.Name }}
+ control-plane: controller-manager
+ {{- with .annotations }}
+ annotations: {{ toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ parentRefs: {{ toYaml .parentRefs | nindent 4 }}
+ {{- with .hostnames }}
+ hostnames: {{ toYaml . | nindent 4 }}
+ {{- end }}
+ rules:
+ {{- range .rules }}
+ - matches:
+ {{- range .matches }}
+ - path:
+ type: {{ .pathType }}
+ value: {{ .path }}
+ {{- if .method }}
+ method: {{ .method }}
+ {{- end }}
+ {{- end }}
+ backendRefs:
+ - name: {{ include "hyperbytedb-operator.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}
+ port: {{ $.Values.metrics.port }}
+ {{- end }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/dist/chart/templates/ingress/ingress.yaml b/dist/chart/templates/ingress/ingress.yaml
new file mode 100644
index 0000000..d9d2690
--- /dev/null
+++ b/dist/chart/templates/ingress/ingress.yaml
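Review bot: The `backendRefs` entry in httproute.yaml sends external traffic straight to the controller-manager metrics Service, and nothing in the template says what protects that endpoint; the same applies to the `backend` in ingress.yaml. Access then depends entirely on the metrics server's own authentication and on the parent Gateway's policy, neither of which is visible in this diff. I would add a header comment such as `{{- /* Publishes controller metrics outside the cluster: keep metrics authn/authz enabled and restrict the parent Gateway. */ -}}` and render the route only when the metrics Service itself is rendered. If that Service serves HTTPS (not shown here), a plain `backendRefs` entry will also need backend TLS configuration. Separately, `value: {{ .path }}` and `method: {{ .method }}` should be piped through `quote`.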
@@ -0,0 +1,38 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ include "hyperbytedb-operator.resourceName" (dict "suffix" "ingress" "context" $) }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/name: {{ include "hyperbytedb-operator.name" . }}
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ control-plane: controller-manager
+ {{- with .Values.ingress.annotations }}
+ annotations: {{ toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- with .Values.ingress.ingressClassName }}
+ ingressClassName: {{ . }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls: {{ toYaml .Values.ingress.tls | nindent 4 }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ pathType: {{ .pathType }}
+ backend:
+ service:
+ name: {{ include "hyperbytedb-operator.resourceName" (dict "suffix" "controller-manager-metrics-service" "context" $) }}
+ port:
+ number: {{ $.Values.metrics.port }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/dist/chart/values.yaml b/dist/chart/values.yaml
index 15fcdcd..731d9b1 100644
--- a/dist/chart/values.yaml
+++ b/dist/chart/values.yaml
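Review bot: `path` and `pathType` in ingress.yaml are emitted unquoted and without a fallback, unlike `host`, which is piped through `quote`. `pathType` is mandatory in networking.k8s.io/v1, so a hosts entry that omits it renders an empty field and fails at apply time; `- path: {{ .path | quote }}` and `pathType: {{ .pathType | default "Prefix" }}` avoid that. With the shipped default `tls: []` the `tls` block is skipped, so enabling the Ingress as-is publishes the metrics path without a TLS section and NOTES.txt then prints an `http://` URL.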
@@ -110,3 +110,58 @@ certManager: prometheus: enable: false +## Ingress for the operator metrics endpoint. +## Disabled by default. Enable to expose /metrics externally. +## +ingress: + enabled: false + ingressClassName: nginx + annotations: {} + hosts: + - host: operator.local + paths: + - path: /metrics + pathType: Prefix + tls: [] + # tls: + # - hosts: + # - operator.local + # secretName: operator-tls + +## Gateway API resources for the operator metrics endpoint. +## Disabled by default. Requires Gateway API CRDs in the cluster. +## +gateway: + enabled: false + ## Provision a Gateway resource. + ## Set to null or omit to use an existing Gateway (reference it via HTTPRoute parentRefs instead). + gateway: null + # gateway: + # gatewayClassName: istio + # annotations: {} + # listeners: + # - name: https + # port: 443 + # protocol: HTTPS + # hostname: operator.local + # tls: + # mode: Terminate + # certificateRefs: + # - name: operator-tls + + ## HTTPRoute resources attaching to a Gateway. + ## Each entry creates a separate HTTPRoute. + httpRoutes: [] + # httpRoutes: + # - name: metrics + # annotations: {} + # parentRefs: + # - name: my-gateway + # namespace: istio-system + # hostnames: + # - operator.local + # rules: + # - matches: + # - pathType: PathPrefix + # path: /metrics + diff --git a/dist/install.yaml b/dist/install.yaml index e5fe979..8abbd19 100644 --- a/dist/install.yaml +++ b/dist/install.yaml @@ -4740,6 +4740,18 @@ rules: - get - patch - update +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - policy resources: diff --git a/internal/controller/hyperbytedbcluster_controller.go b/internal/controller/hyperbytedbcluster_controller.go index 51df9fb..d4ca64e 100644 --- a/internal/controller/hyperbytedbcluster_controller.go +++ b/internal/controller/hyperbytedbcluster_controller.go 
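Review bot: The new toggles in values.yaml are named `ingress.enabled` and `gateway.enabled`, while the existing keys in the same file use `enable` (`prometheus:` / `enable: false` in the context lines), so `--set ingress.enable=true` silently does nothing. Either follow the existing spelling or call out the difference in the comment block above each section. `ingressClassName: nginx` is also a hard default; leaving it empty would let the template's `with` guard omit the field and fall back to the cluster's default IngressClass.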
@@ -70,6 +70,7 @@ type HyperbytedbClusterReconciler struct { // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;list;watch;create;update;patch;delete // nolint:gocyclo // Reconcile orchestrates many sequential steps (finalizers, services, // configmap, scale-down hooks, statefulset, status, replication checks, auto-failover);
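Review bot: The new `servicemonitors` marker is reflected in config/rbac/role.yaml and dist/install.yaml, but dist/chart/templates/rbac/manager-role.yaml is not in this commit's diffstat, so Helm installs may still lack the permission. That is the same drift patch 1/2 fixed for `deployments`. Please check that the chart role carries a matching `monitoring.coreos.com` rule. The marker grants create, update and delete wherever this role is bound, so if ServiceMonitor management is optional, consider gating the chart rule on the existing `prometheus.enable` value. The marker block and the struct it annotates continue outside this hunk.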