RBAC roles not assigned by autonomous operator

I am using helm + CAO 2.3.0 to deploy a dev-grade Couchbase cluster into namespace couchbase on Kubernetes (1.22) running in AWS EKS.

In my values.yaml I have a user defined as follows:

users:
  foo:
    password: password
    authDomain: local
    roles:
      - name: admin

When I do a helm install -n couchbase ... couchbase/couchbase-operator everything looks fine.

I access the admin UI using username Administrator and the password printed in the notes attached to the helm release.

I also see a user foo and it is assigned to a group foo-dev (dev is the name of my cluster).

However group foo-dev has no role assigned to it.

I checked custom resource couchbasegroups/foo-dev and it does - as expected - contain

...
spec:
  roles:
  - name: admin

I checked the operator logs and it keeps repeating the following log message on every reconciliation:

{"level":"info","ts":1651136076.7576118,"logger":"cluster","msg":"Adding role to group","role":"admin"}
{"level":"info","ts":1651136083.236962,"logger":"cluster","msg":"Reconcile completed","cluster":"couchbase/dev"}

This looks suspiciously like a bug in the operator.

If I replace role admin with a bucket role like bucket_admin and I also add bucket: default to the role, then this role is assigned to both the user and its associated group.

Hi @gschreiber, this does appear to be a bug within the operator. We are looking into solutions and a possible workaround. As it is currently, you may need to apply more granular roles as it is specifically the cluster roles that cause this problem.


Hello @gschreiber,

This is in fact a bug. We had a test case that covered this use case; however, it appears that it wasn’t fully checking to see if the role was being added to the group. We are tracking this issue in K8S-2727 and have a fix that will come in our next available release.

Unfortunately, the only workaround at this point is to add the role to the group manually through the Couchbase Admin UI. The operator will not remove the role; however, it is unable to create it at this time.
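
The symptom reported in this thread, the same "Adding role to group" line on every reconciliation, can be detected from the operator log. The following is an added example, not part of the thread and not Couchbase's code: it flags roles that are re-added in consecutive reconcile cycles. It assumes a single, ordered operator log stream in which role lines belong to the next "Reconcile completed" line; `stuck_roles`, its `threshold` and the sample lines are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: three reconcile cycles in the shape of the two log lines
# quoted in the thread. The bucket_admin line and later timestamps are made up.
SAMPLE_LOG = """\
{"level":"info","ts":1651136076.75,"logger":"cluster","msg":"Adding role to group","role":"admin"}
{"level":"info","ts":1651136076.80,"logger":"cluster","msg":"Adding role to group","role":"bucket_admin"}
{"level":"info","ts":1651136083.23,"logger":"cluster","msg":"Reconcile completed","cluster":"couchbase/dev"}
{"level":"info","ts":1651136096.75,"logger":"cluster","msg":"Adding role to group","role":"admin"}
{"level":"info","ts":1651136103.23,"logger":"cluster","msg":"Reconcile completed","cluster":"couchbase/dev"}
{"level":"info","ts":1651136116.75,"logger":"cluster","msg":"Adding role to group","role":"admin"}
{"level":"info","ts":1651136123.23,"logger":"cluster","msg":"Reconcile completed","cluster":"couchbase/dev"}
"""


def stuck_roles(lines, threshold=3):
    """Return {cluster: [roles]} for roles re-added in >= threshold consecutive reconciles."""
    pending = set()            # roles "added" since the last completed reconcile
    streak = defaultdict(int)  # (cluster, role) -> consecutive cycles in which it was added
    flagged = defaultdict(set)
    for raw in lines:
        try:
            event = json.loads(raw)
        except ValueError:
            continue           # skip blank or non-JSON lines
        if not isinstance(event, dict):
            continue
        msg = event.get("msg")
        if msg == "Adding role to group" and "role" in event:
            pending.add(event["role"])
        elif msg == "Reconcile completed" and "cluster" in event:
            cluster = event["cluster"]
            # A role not re-added in this cycle has converged: reset its streak.
            for key in [k for k in streak if k[0] == cluster and k[1] not in pending]:
                del streak[key]
            for role in pending:
                streak[(cluster, role)] += 1
                if streak[(cluster, role)] >= threshold:
                    flagged[cluster].add(role)
            pending = set()
    return {cluster: sorted(roles) for cluster, roles in flagged.items()}


if __name__ == "__main__":
    # A role listed here is declared in the CouchbaseGroup resource but never
    # takes effect, so the group's effective permissions differ from the spec.
    print(stuck_roles(SAMPLE_LOG.splitlines()))
```

A flagged role should be compared against the group's roles in the Admin UI, since the declared RBAC and the effective RBAC have diverged.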