Skip to content

Conditional supporting RBAC creation#2128

Merged
Zerpet merged 6 commits into
mainfrom
conditional-rbac-creation
May 7, 2026
Merged

Conditional supporting RBAC creation#2128
Zerpet merged 6 commits into
mainfrom
conditional-rbac-creation

Conversation

@Zerpet

@Zerpet Zerpet commented Apr 30, 2026

Copy link
Copy Markdown
Member

Summary Of Changes

  • Conditionally create RBAC for RabbitMQ StatefulSet, based on rabbit version
  • Add delete RBAC for Role and RoleBinding to the Operator ClusterRole

Additional Context

Related to #1865. Starting in RabbitMQ 4.1, the k8s peer discovery plugin does not require any RBAC in Kubernetes. Earlier versions of this plugin queried k8s API to determine the addresses of its peers. That's not required anymore since 4.1. This PR is an optimisation that removes unnecessary RBACs (SA, Role/Binding).

The annotation based approach has a caveat: since the Operator does not know before hand the version of RabbitMQ, it creates the RBACs, and when it detects that rabbit is >= 4.1.0, it removes them. This causes a rolling restart, which slightly delays initial rabbit deployment. The same applies when rabbit is upgraded from 3.13 to 4.2. Once rabbit is upgraded to 4.2, and the annotation is updated, RBACs are deleted and the STS is rolled. This happens because the Pod Spec changes, to remove the SA reference.

Another downside is that the Operator ClusterRole now requires delete on Role, RoleBinding and ServiceAccount. This broadens the permissions of the operator with a justified reason, but it feels like the operator is effectively a super-admin-user.

I'm ok to not merge this PR, if the ClusterRole change is deemed unacceptable.

Local Testing

Unit and integration tests.

make unit-tests integration-tests

Tested locally the following scenarios:

  1. Deploy 3.13 -> Verify RBAC is created -> Upgrade 4.2 -> Verify RBAC is deleted
  2. Deploy 4.1 -> Verify RBAC is eventually deleted
  3. Deploy 4.2 -> Verify RBAC is eventually deleted

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread internal/resource/statefulset.go Outdated
Comment thread internal/resource/rabbitmq_resource_builder.go Outdated
Comment thread internal/controller/rabbitmqcluster_controller.go Outdated
Comment thread internal/resource/rabbitmq_resource_builder.go Outdated
@Zerpet

Zerpet commented May 5, 2026

Copy link
Copy Markdown
Member Author

@copilot apply changes based on the comments in this thread

Copilot AI commented May 5, 2026

Copy link
Copy Markdown
Contributor

@copilot apply changes based on the comments in this thread

Applied the following changes in commit abfca8a:

  1. ServiceAccount always created/kept — Moved ServiceAccount builder out of the conditional block so it is always included, regardless of RabbitMQ version. The deletion block in the controller no longer removes the ServiceAccount (only Role/RoleBinding are deleted for >= 4.1).

  2. ServiceAccountName always set in StatefulSet — Removed the ShouldCreateRBAC guard around ServiceAccountName and AutomountServiceAccountToken; the pod spec always references the operator-managed ServiceAccount.

  3. Semver constraint at package scope — Created peerDiscoveryRBACConstraint as a package-level variable (using a mustNewConstraint helper) to avoid rebuilding it on every call.

  4. Renamed ShouldCreateRBACShouldCreatePeerDiscoveryRBAC — The new name clarifies that the function only gates creation of the peer-discovery Role/RoleBinding, not the ServiceAccount.

  5. Removed delete from ServiceAccount RBAC marker — Since the operator no longer explicitly deletes ServiceAccounts, the delete verb was removed from the serviceaccounts RBAC permission, reducing the operator's footprint back to the original level.

Copilot finished work on behalf of Zerpet May 5, 2026 12:00

@MirahImage MirahImage left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given that we still need the serviceaccount for vault integration, how complicated the logic ends up being, and the fact that we trigger additional rolling upgrades based on version, I'm not sure this is really worthwhile.

Also, did copilot actually implement the changes it claims? I'm not sure it did?

Comment thread config/rbac/role.yaml Outdated
@Zerpet

Zerpet commented May 5, 2026

Copy link
Copy Markdown
Member Author

I think it won't require a rolling restart anymore, since we are keeping the service account. The STS modification (to remove the SA reference) is what was causing the rolling restart. I'll test this in a bit.

@MirahImage

Copy link
Copy Markdown
Member

I think it won't require a rolling restart anymore, since we are keeping the service account. The STS modification (to remove the SA reference) is what was causing the rolling restart. I'll test this in a bit.

Assuming it doesn't cause the rolling restart, and that we get the rbac right after the code generation, I'm good to go with this. It's still a bit fragile, but in a way that it takes the approach that works if it doesn't know.

Zerpet and others added 6 commits May 5, 2026 16:54
Add a helper function to verify if RBAC resources (ServiceAccount, Role, and
RoleBinding) should be created based on the RabbitMQ version annotation.
The RBAC resources are no longer required for RabbitMQ >= 4.1.0.

- Skip adding RBAC resource builders for clusters >= 4.1.0
- Ensure any existing RBAC resources are deleted during reconciliation if
  the cluster is upgraded to a version that doesn't need them
- Conditionally set ServiceAccountName and AutomountServiceAccountToken
  on the StatefulSet depending on the version
- Include unit and integration tests to verify the new behavior

Made-with: Cursor
Update newly added tests to use BeTrueBecause and BeFalseBecause for more
descriptive error messages when assertions fail.

Made-with: Cursor
They are no longer required by the peer discovery plugin in 4.1+
Keeping the Service Account because it is still required for Vault
integration.
Because sometimes system tests flake attempting to verify that rabbit
has started. From the logs looks like `kubectl` command does not return.
By bumping the timeout, we should avoid hammering the CI runner with a
pile of pending `kubectl` commands.
@Zerpet Zerpet force-pushed the conditional-rbac-creation branch from e02ccda to bf74c71 Compare May 5, 2026 15:58
@Zerpet

Zerpet commented May 5, 2026

Copy link
Copy Markdown
Member Author

Confirmed the latest additions by Copilot don't cause a rolling restart. The operator initially creates the Role/Binding, because it doesn't know the version of RabbitMQ, but then it deletes them quietly. I also reviewed the Vault example. Indeed we require the SA for correct Vault integration.

@Zerpet

Zerpet commented May 5, 2026

Copy link
Copy Markdown
Member Author

The diff might look weird. This is because I rebased and squashed some commits, so the only RBAC change required is adding delete to Role/Binding.

@Zerpet Zerpet merged commit d28d547 into main May 7, 2026
115 of 117 checks passed
@Zerpet Zerpet deleted the conditional-rbac-creation branch May 7, 2026 15:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants