[Enhancement] Use Role and Rolebinding instead when operator watches a specified namespace

doc/deploy_multiple_clusters_howto.md

@@ -0,0 +1,41 @@
+# Deploy Multiple Clusters HOWTO
+
+If you have deployed a StarRocks cluster by YAML manifests, you can write a new StarRocksCluster CR YAML to deploy
+another StarRocks cluster.
+
+We have split the `kube-starrocks` chart into two subcharts: `operator` and `starrocks`. Installing `kube-starrocks` is
+equivalent to installing both `operator` and `starrocks` subcharts, and uninstalling `kube-starrocks` is equivalent to
+uninstalling both `operator` and `starrocks` subcharts.
+
+If you have deployed a StarRocks cluster by `operator` + `starrocks` helm chart, you can deploy another StarRocks
+cluster by the `starrocks` helm chart.
+
+If you have deployed a StarRocks cluster by `kube-starrocks` helm chart, you have two ways to deploy another StarRocks
+cluster.
+
+1. Deploy another StarRocks cluster by `starrocks` helm chart.
+2. Deploy another StarRocks cluster by `kube-starrocks` Helm chart.
+
+This document will guide you through the process of deploying multiple StarRocks clusters by `kube-starrocks` helm
+chart.
+
+## Deploy another StarRocks cluster by `kube-starrocks` Helm chart
+
+By default, the operator will watch all namespaces. If you want to deploy another StarRocks cluster
+by `kube-starrocks`, you should limit `each operator` to watch a specific namespace.
+
+```yaml
+operator:
+  starrocksOperator:
+    watchNamespace: "your-namespace"
+```
+
+> you can also add `--set operator.starrocksOperator.watchNamespace="your-namespace"` to the `helm` command which has
+> higher priority.
+
+So, the steps to deploy multiple StarRocks clusters by `kube-starrocks` are:
+
+1. update `values.yaml` file of the first deployed StarRocks cluster to limit the operator to watch a specific
+   namespace.
+2. upgrade the first StarRocks cluster.
+3. install the second StarRocks cluster by the same `kube-starrocks` chart, and do not forget to specify the namespace.

helm-charts/charts/kube-starrocks/charts/operator/templates/clusterrole.yaml

@@ -1,4 +1,5 @@
 {{- if and .Values.starrocksOperator.enabled .Values.global.rbac.create }}
+{{- if .Values.starrocksOperator.watchNamespace | not }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -43,27 +44,13 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterrolebindings
-  - rolebindings
-  verbs:
-  - '*'
 - apiGroups:
   - starrocks.com
   resources:
   - starrocksclusters
   - starrockswarehouses
   verbs:
   - '*'
-- apiGroups:
-  - starrocks.com
-  resources:
-  - starrocksclusters/finalizers
-  - starrockswarehouses/finalizers
-  verbs:
-  - update
 - apiGroups:
   - starrocks.com
   resources:
@@ -75,3 +62,4 @@ rules:
   - update
 
 {{- end }}
+{{- end }}

helm-charts/charts/kube-starrocks/charts/operator/templates/clusterrolebinding.yaml

@@ -1,4 +1,5 @@
 {{ if and .Values.starrocksOperator.enabled .Values.global.rbac.create }}
+{{- if .Values.starrocksOperator.watchNamespace | not }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -12,3 +13,4 @@ subjects:
   name: {{ template  "operator.serviceAccountName" . }}
   namespace: {{ template  "operator.namespace" . }}
 {{- end }}
+{{- end }}

helm-charts/charts/kube-starrocks/charts/operator/templates/role.yaml

@@ -0,0 +1,66 @@
+{{- if and .Values.starrocksOperator.enabled .Values.global.rbac.create }}
+{{- if .Values.starrocksOperator.watchNamespace }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "operator.name" . }}-operator
+  namespace: {{ template "operator.namespace" . }}
+  labels:
+    app: {{ template "operator.name" . }}-operator
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - '*'
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - serviceaccounts
+  - services
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - pods
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - starrocks.com
+  resources:
+  - starrocksclusters
+  - starrockswarehouses
+  verbs:
+  - '*'
+- apiGroups:
+  - starrocks.com
+  resources:
+  - starrocksclusters/status
+  - starrockswarehouses/status
+  verbs:
+  - get
+  - patch
+  - update
+
+{{- end }}
+{{- end }}

helm-charts/charts/kube-starrocks/charts/operator/templates/rolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if and .Values.starrocksOperator.enabled .Values.global.rbac.create }}
+{{- if .Values.starrocksOperator.watchNamespace }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "operator.name" . }}-operator
+  namespace: {{ template "operator.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "operator.name" . }}-operator
+subjects:
+- kind: ServiceAccount
+  name: {{ template  "operator.serviceAccountName" . }}
+  namespace: {{ template  "operator.namespace" . }}
+{{- end }}
+{{- end }}

helm-charts/charts/kube-starrocks/charts/operator/values.yaml

@@ -4,8 +4,10 @@
 
 global:
   rbac:
-    # if set true, the clusterrole, clusterrolebinding, role, rolebinding, serviceaccount resources will be created for
+    # if set true, the clusterrole, clusterrolebinding, serviceaccount resources will be created for
     # operator. If changed to false later, these resources will be deleted.
+    # Note: By default the operator will watch all namespaces, so it needs clusterrole, clusterrolebinding to access resources.
+    #       If .Values.starrocksOperator.watchNamespace is set, the role and rolebinding will be created for the specified namespace.
     create: true
     serviceAccount:
       name: "starrocks"
@@ -25,6 +27,8 @@ timeZone: Asia/Shanghai
 nameOverride: "kube-starrocks"
 
 starrocksOperator:
+  # If enabled, the operator releated resources will be created, including the operator deployment, service account,
+  # clusterrole, clusterrolebinding, and service account.
   enabled: true
   # annotations for starrocks operator.
   annotations: {}

helm-charts/charts/kube-starrocks/values.yaml

@@ -11,8 +11,10 @@ operator:
 
   global:
     rbac:
-      # if set true, the clusterrole, clusterrolebinding, role, rolebinding, serviceaccount resources will be created for
+      # if set true, the clusterrole, clusterrolebinding, serviceaccount resources will be created for
       # operator. If changed to false later, these resources will be deleted.
+      # Note: By default the operator will watch all namespaces, so it needs clusterrole, clusterrolebinding to access resources.
+      #       If .Values.starrocksOperator.watchNamespace is set, the role and rolebinding will be created for the specified namespace.
       create: true
       serviceAccount:
         name: "starrocks"
@@ -32,6 +34,8 @@ operator:
   nameOverride: "kube-starrocks"
 
   starrocksOperator:
+    # If enabled, the operator releated resources will be created, including the operator deployment, service account,
+    # clusterrole, clusterrolebinding, and service account.
     enabled: true
     # annotations for starrocks operator.
     annotations: {}