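---
# Source: mongodb-enterprise-operator/templates/operator-roles.yaml
---
# Identity the operator Deployment runs as. Everything bound to this account
# below is what a compromised operator pod could do.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongodb-enterprise-operator
  namespace: mongodb
imagePullSecrets:
  - name: registry1-credentials
---
# Namespaced permissions for the operator, attached to its ServiceAccount by
# the RoleBinding of the same name further down.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-enterprise-operator
  namespace: mongodb
rules:
  # NOTE(review): no resourceNames are set, so this rule covers every
  # ConfigMap, Secret and Service in the `mongodb` namespace, including the
  # `registry1-credentials` pull secret referenced by the ServiceAccounts.
  # Keep unrelated secrets out of this namespace.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
      - services
    verbs:
      - get
      - list
      - create
      - update
      - delete
      - watch
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - create
      - get
      - list
      - watch
      - delete
      - update
  # Wildcard verbs, but scoped to the mongodb.com resources listed here.
  - apiGroups:
      - mongodb.com
    resources:
      - mongodb
      - mongodb/finalizers
      - mongodbusers
      - opsmanagers
      - opsmanagers/finalizers
      - mongodb/status
      - mongodbusers/status
      - opsmanagers/status
    verbs:
      - "*"
# This ClusterRoleBinding is necessary in order to use validating
# webhooks—these will prevent you from applying a variety of invalid resource
# definitions. The validating webhooks are optional so this can be removed if
# necessary.
---
# ClusterRoleBinding is a cluster-scoped kind, so metadata.namespace has no
# effect on it and is not set; the grant applies cluster-wide to the subject.
#
# NOTE(review): no ClusterRole named
# `mongodb-enterprise-operator-mongodb-webhook` is defined in this manifest as
# shown. Confirm where it is created and what it contains: the binding grants
# nothing until a ClusterRole with that name exists, and then grants whatever
# rules that role holds.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-enterprise-operator-mongodb-webhook-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mongodb-enterprise-operator-mongodb-webhook
subjects:
  - kind: ServiceAccount
    name: mongodb-enterprise-operator
    namespace: mongodb
---
# Attaches the namespaced Role above to the operator's ServiceAccount.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-enterprise-operator
  namespace: mongodb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mongodb-enterprise-operator
subjects:
  - kind: ServiceAccount
    name: mongodb-enterprise-operator
    namespace: mongodb
# This ClusterRole is needed if the user wants to use the Kubernetes CA
# infrastructure to generate certificates.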
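---
# Cluster-wide read/create on CertificateSigningRequests. The verbs below do
# not include approval, so the operator can submit and watch CSRs but cannot
# sign off on them itself.
# NOTE(review): if the Kubernetes CA is not used to issue MongoDB
# certificates, this ClusterRole and its binding look removable; confirm
# against the operator configuration.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-enterprise-operator-mongodb-certs
rules:
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - create
      - list
      - watch
---
# ClusterRoleBinding is a cluster-scoped kind, so metadata.namespace has no
# effect on it and is not set; the grant applies cluster-wide to the subject.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-enterprise-operator-mongodb-certs-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mongodb-enterprise-operator-mongodb-certs
subjects:
  - kind: ServiceAccount
    name: mongodb-enterprise-operator
    namespace: mongodb
---
# Source: mongodb-enterprise-operator/templates/database-roles.yaml
---
# ServiceAccount for the AppDB pods; its only grant in this manifest is the
# read-only ConfigMap Role below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongodb-enterprise-appdb
  namespace: mongodb
imagePullSecrets:
  - name: registry1-credentials
---
# NOTE(review): no Role or RoleBinding in this manifest, as shown, names this
# ServiceAccount. If the database pods never call the Kubernetes API,
# `automountServiceAccountToken: false` would keep the token out of them;
# confirm before changing.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongodb-enterprise-database-pods
  namespace: mongodb
imagePullSecrets:
  - name: registry1-credentials
---
# NOTE(review): as with the database-pods account, nothing in this manifest,
# as shown, binds a role to this ServiceAccount.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongodb-enterprise-ops-manager
  namespace: mongodb
imagePullSecrets:
  - name: registry1-credentials
---
# Read-only access to ConfigMaps in the `mongodb` namespace for AppDB pods.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-enterprise-appdb
  namespace: mongodb
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: mongodb-enterprise-appdb
  namespace: mongodb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mongodb-enterprise-appdb
subjects:
  - kind: ServiceAccount
    name: mongodb-enterprise-appdb
    namespace: mongodb
---
# Source: mongodb-enterprise-operator/templates/operator.yaml
---
# Single-replica operator Deployment running under the
# `mongodb-enterprise-operator` ServiceAccount.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongodb-enterprise-operator
  namespace: mongodb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mongodb-enterprise-operator
  template:
    metadata:
      labels:
        app: mongodb-enterprise-operator
    spec:
      serviceAccountName: mongodb-enterprise-operator
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
      containers:
        - name: mongodb-enterprise-operator
          # NOTE(review): a tag can be re-pushed, and with
          # imagePullPolicy: Always a changed image is picked up on the next
          # pod start. Pinning as `<image>@sha256:<digest>` (placeholder; take
          # the digest from the registry) fixes the content being run. The
          # same applies to the image references passed in env below.
          image: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-enterprise-operator:1.5.3
          imagePullPolicy: Always
          args:
            - "-watch-resource=mongodb"
            - "-watch-resource=opsmanagers"
            - "-watch-resource=mongodbusers"
          command:
            - "/usr/local/bin/mongodb-enterprise-operator"
          # Container-level hardening to go with the pod-level non-root
          # settings: the process cannot gain privileges through setuid or
          # file capabilities, and holds no Linux capabilities.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # NOTE(review): no resource requests or limits are set on this
          # container.
          env:
            - name: OPERATOR_ENV
              value: prod
            # Both namespace variables resolve to the pod's own namespace
            # through the downward API; presumably this keeps the operator
            # to the namespace its Role is bound in (confirm against the
            # operator documentation).
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: CURRENT_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: MONGODB_ENTERPRISE_DATABASE_IMAGE
              value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-enterprise-database:1.5.3
            - name: IMAGE_PULL_POLICY
              value: Always
            - name: OPS_MANAGER_IMAGE_REPOSITORY
              value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-enterprise-ops-manager
            - name: INIT_OPS_MANAGER_IMAGE_REPOSITORY
              value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-init
            # Version strings are quoted so they stay strings under any
            # parser; env values must be strings.
            - name: INIT_OPS_MANAGER_VERSION
              value: "1.0.0"
            - name: INIT_APPDB_IMAGE_REPOSITORY
              value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-appdb-init
            - name: INIT_APPDB_VERSION
              value: "1.0.0"
            - name: OPS_MANAGER_IMAGE_PULL_POLICY
              value: Always
            - name: APPDB_IMAGE_REPOSITORY
              value: registry1.dso.mil/ironbank/mongodb/mongodb-enterprise/mongodb-ops-manager-appdb
      imagePullSecrets:
        - name: registry1-credentials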