From c06b2056db422086c94b18932d1bd6e02f6bf82f Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 26 Mar 2026 10:27:20 +0100 Subject: [PATCH 01/13] chore: Describe RBAC rules, remove unnecessary rules --- .../helm/kafka-operator/templates/roles.yaml | 63 +++++++++++-------- 1 file changed, 36 insertions(+), 27 deletions(-) diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/roles.yaml index 53357801..d129e799 100644 --- a/deploy/helm/kafka-operator/templates/roles.yaml +++ b/deploy/helm/kafka-operator/templates/roles.yaml @@ -6,6 +6,7 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: + # For automatic cluster domain detection (list nodes to infer the cluster DNS domain) - apiGroups: - "" resources: @@ -13,21 +14,26 @@ rules: verbs: - list - watch - # For automatic cluster domain detection + # For automatic cluster domain detection (probe node proxy to read DNS config) - apiGroups: - "" resources: - nodes/proxy verbs: - get + # Manage core namespaced resources created per KafkaCluster. + # All resources are applied via Server-Side Apply (create + patch) and tracked for + # orphan cleanup (list + delete). The ReconciliationPaused strategy calls get instead + # of apply_patch, so get is also needed. All three are watched by the controller via + # .owns(), so watch is required. + # - configmaps: per-rolegroup configuration, and the discovery ConfigMap + # - services: per-rolegroup headless and metrics services + # - serviceaccounts: one per KafkaCluster, created by build_rbac_resources() - apiGroups: - "" resources: - - pods - configmaps - - secrets - services - - endpoints - serviceaccounts verbs: - create @@ -35,8 +41,9 @@ rules: - get - list - patch - - update - watch + # RoleBindings bind the product ClusterRole to the per-cluster ServiceAccount. + # Applied via SSA, tracked for orphan cleanup, and watched via .owns(). - apiGroups: - rbac.authorization.k8s.io resources: 
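Review bot: The `nodes/proxy` rule kept in the second hunk (`@@ -13,21 +14,26 @@`) is the broadest grant left in the operator ClusterRole, and the new one-line comment does not say so. RBAC cannot narrow `get` on `nodes/proxy` to a single proxied path, so the verb covers the kubelet API of every node, not only the DNS setting the comment mentions. I would state that next to the rule, for example `# Cluster domain detection reads DNS config through the node proxy. RBAC cannot scope nodes/proxy to a path, so this grants get on the kubelet API of every node.`. The comment simplification later in this series (`@@ -6,7 +6,7 @@` of PATCH 08/13) shortens this comment further and drops even the "probe node proxy" detail, so the caveat is worth keeping there too.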
@@ -47,32 +54,23 @@ rules: - get - list - patch - - update - watch + # StatefulSets run the broker and (KRaft) controller role groups. + # Applied via SSA, tracked for orphan cleanup, and watched via .owns(). - apiGroups: - apps resources: - statefulsets - verbs: - - get - - create - - delete - - list - - patch - - update - - watch - - apiGroups: - - batch - resources: - - jobs verbs: - create - delete - get - list - patch - - update - watch + # PodDisruptionBudgets protect broker and controller role groups during voluntary disruptions. + # Applied via SSA and tracked for orphan cleanup. PDBs are not watched by the controller + # (no .owns() / .watches()), so watch is not needed. - apiGroups: - policy resources: @@ -83,8 +81,6 @@ rules: - get - list - patch - - update - - watch - apiGroups: - apiextensions.k8s.io resources: @@ -100,6 +96,7 @@ rules: - list - watch {{- end }} + # Record Kubernetes events for reconciliation outcomes - apiGroups: - events.k8s.io resources: @@ -107,6 +104,7 @@ rules: verbs: - create - patch + # Watch and reconcile KafkaCluster resources (the primary resource for this controller) - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: 
@@ -114,33 +112,39 @@ rules: verbs: - get - list - - patch - watch + # Write status conditions back to the KafkaCluster object - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: - {{ include "operator.name" . }}clusters/status verbs: - patch + # Read AuthenticationClasses to resolve TLS and Kerberos authentication configuration. + # Only get is needed: the operator resolves classes via a direct client.get() call + # during reconciliation; there is no controller watch on AuthenticationClass. - apiGroups: - authentication.stackable.tech resources: - authenticationclasses verbs: - get - - list - - watch + # Manage Listener resources for broker bootstrap and per-rolegroup exposure. + # Applied via SSA, tracked for orphan cleanup, and watched via .owns(). - apiGroups: - listeners.stackable.tech resources: - listeners verbs: + - create + - delete - get - list - - watch - patch - - create - - delete + - watch + # Bind the product ClusterRole to per-cluster ServiceAccounts (via RoleBindings above). + # The operator creates RoleBindings that reference this ClusterRole, so it must have + # permission to bind it. - apiGroups: - rbac.authorization.k8s.io resources: @@ -157,6 +161,9 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: + # The Kafka broker and KRaft controller pods need to read their own ConfigMaps, + # Secrets, ServiceAccounts, and Services at runtime (e.g. via the Stackable secret + # operator or init containers that inspect cluster configuration). - apiGroups: - "" resources: @@ -166,6 +173,7 @@ rules: - services verbs: - get + # Kafka pods may emit Kubernetes events (e.g. via the Stackable commons init container) - apiGroups: - events.k8s.io resources: @@ -174,6 +182,7 @@ rules: - create - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # On OpenShift, the workload pods must be allowed to use the nonroot-v2 SCC - apiGroups: - security.openshift.io resources: 
From d09a2e5f0bc33793c625bcce7c1825658c0ac7f4 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Thu, 26 Mar 2026 10:29:10 +0100 Subject: [PATCH 02/13] chore: Update changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd9d072a..0d662aba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#953]). + +[#953]: https://github.com/stackabletech/kafka-operator/pull/953 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 From 34ae82bb0b2e7430cdb674c40e2b8e6d1e74a1cb Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 13:08:47 +0200 Subject: [PATCH 03/13] chore: Remove the get for customresourcedefinitions for the operator clusterrole. --- deploy/helm/kafka-operator/templates/roles.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/roles.yaml index d129e799..ba8f9d75 100644 --- a/deploy/helm/kafka-operator/templates/roles.yaml +++ b/deploy/helm/kafka-operator/templates/roles.yaml @@ -86,7 +86,6 @@ rules: resources: - customresourcedefinitions verbs: - - get # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's # generated certificate in the conversion webhook. {{- if .Values.maintenance.customResourceDefinitions.maintain }} From af951680f96ab69ba5dc55981ed029b432014e11 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 14:05:43 +0200 Subject: [PATCH 04/13] chore: Remove the nodes list/watch rule for the operator clusterrole. --- deploy/helm/kafka-operator/templates/roles.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/roles.yaml index ba8f9d75..a09cd939 100644 
--- a/deploy/helm/kafka-operator/templates/roles.yaml +++ b/deploy/helm/kafka-operator/templates/roles.yaml @@ -6,14 +6,6 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - # For automatic cluster domain detection (list nodes to infer the cluster DNS domain) - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch # For automatic cluster domain detection (probe node proxy to read DNS config) - apiGroups: - "" From 7d00e3c0323feb3a9b02e5e15813e32392ae9605 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 14:06:37 +0200 Subject: [PATCH 05/13] chore: Add comment to the rule that was missing one --- deploy/helm/kafka-operator/templates/roles.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/roles.yaml index a09cd939..a697d9a3 100644 --- a/deploy/helm/kafka-operator/templates/roles.yaml +++ b/deploy/helm/kafka-operator/templates/roles.yaml @@ -73,6 +73,7 @@ rules: - get - list - patch + # Maintain the CRD to support conversion webhook certificate updates and track startup conditions. - apiGroups: - apiextensions.k8s.io resources: From 7888e8abf116bc5241662bfd4c6221c04396679c Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 14:10:15 +0200 Subject: [PATCH 06/13] chore: Remove the configmaps/secrets/serviceaccounts/services get rule for the product clusterrole --- deploy/helm/kafka-operator/templates/roles.yaml | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/roles.yaml index a697d9a3..1e600717 100644 --- a/deploy/helm/kafka-operator/templates/roles.yaml +++ b/deploy/helm/kafka-operator/templates/roles.yaml 
@@ -153,18 +153,6 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - # The Kafka broker and KRaft controller pods need to read their own ConfigMaps, - # Secrets, ServiceAccounts, and Services at runtime (e.g. via the Stackable secret - # operator or init containers that inspect cluster configuration). - - apiGroups: - - "" - resources: - - configmaps - - secrets - - serviceaccounts - - services - verbs: - - get # Kafka pods may emit Kubernetes events (e.g. via the Stackable commons init container) - apiGroups: - events.k8s.io From bbeb8c084b27b6dc3ab8536837af1d25d0f13307 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 14:12:29 +0200 Subject: [PATCH 07/13] fix: Always allow list/watch on customresourcedefinitions for the operator Note: required by the startup condition regardless of crd maintenance --- deploy/helm/kafka-operator/templates/roles.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/roles.yaml index 1e600717..a8f6cba9 100644 --- a/deploy/helm/kafka-operator/templates/roles.yaml +++ b/deploy/helm/kafka-operator/templates/roles.yaml @@ -84,10 +84,10 @@ rules: {{- if .Values.maintenance.customResourceDefinitions.maintain }} - create - patch + {{- end }} # Required for startup condition - list - watch - {{- end }} # Record Kubernetes events for reconciliation outcomes - apiGroups: - events.k8s.io From b0456776b04d2be318625d1af230e41899614ac1 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 14:19:54 +0200 Subject: [PATCH 08/13] chore: Simplify RBAC rule descriptions --- .../helm/kafka-operator/templates/roles.yaml | 46 ++++++++----------- 1 file changed, 18 insertions(+), 28 deletions(-) diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/roles.yaml index a8f6cba9..ffe04ded 100644 --- a/deploy/helm/kafka-operator/templates/roles.yaml 
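Review bot: In `@@ -84,10 +84,10 @@`, `create` and `patch` still apply to every CustomResourceDefinition in the cluster whenever `maintenance.customResourceDefinitions.maintain` is set, because the rule carries no `resourceNames`. Per the comment above the `if`, `patch` is the verb used to write the conversion webhook certificate, so the same grant would let the operator's identity modify CRDs that belong to other products. `create` cannot be limited by name, but `patch` can: moving it into its own rule with a `resourceNames:` list of only the CRDs this operator maintains would contain that. The rule's `apiGroups` and `resources` lines start above the hunk, and the exact CRD names need confirming against what the operator registers.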
+++ b/deploy/helm/kafka-operator/templates/roles.yaml @@ -6,7 +6,7 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - # For automatic cluster domain detection (probe node proxy to read DNS config) + # For automatic cluster domain detection - apiGroups: - "" resources: @@ -14,13 +14,7 @@ rules: verbs: - get # Manage core namespaced resources created per KafkaCluster. - # All resources are applied via Server-Side Apply (create + patch) and tracked for - # orphan cleanup (list + delete). The ReconciliationPaused strategy calls get instead - # of apply_patch, so get is also needed. All three are watched by the controller via - # .owns(), so watch is required. - # - configmaps: per-rolegroup configuration, and the discovery ConfigMap - # - services: per-rolegroup headless and metrics services - # - serviceaccounts: one per KafkaCluster, created by build_rbac_resources() + # Applied via SSA and tracked for orphan cleanup. - apiGroups: - "" resources: @@ -34,8 +28,8 @@ rules: - list - patch - watch - # RoleBindings bind the product ClusterRole to the per-cluster ServiceAccount. - # Applied via SSA, tracked for orphan cleanup, and watched via .owns(). + # RoleBinding created per KafkaCluster to bind the product ClusterRole to the workload + # ServiceAccount. Applied via SSA and tracked for orphan cleanup. - apiGroups: - rbac.authorization.k8s.io resources: @@ -47,8 +41,8 @@ rules: - list - patch - watch - # StatefulSets run the broker and (KRaft) controller role groups. - # Applied via SSA, tracked for orphan cleanup, and watched via .owns(). + # StatefulSet created per role group (broker, KRaft controller). Applied via + # SSA, tracked for orphan cleanup, and owned by the controller. - apiGroups: - apps resources: 
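Review bot: The shortened comments no longer account for every verb they sit above: in `@@ -14,13 +14,7 @@` and `@@ -34,8 +28,8 @@` the text says only "Applied via SSA and tracked for orphan cleanup", while the context lines show both rules still granting `watch`. The same wording is then used for PodDisruptionBudgets (`@@ -60,9 +54,7 @@`), which have no `watch`, and for Listeners (`@@ -105,24 +98,21 @@`), which do, so a reader cannot tell from the comments why the verb sets differ. The StatefulSet comment already ends with "and owned by the controller"; I would use that clause wherever `watch` is granted, e.g. `# Applied via SSA, tracked for orphan cleanup, and owned by the controller (hence watch).`. Keeping one stated reason per verb lets a later least-privilege audit of this file be done from the comments alone.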
@@ -60,9 +54,7 @@ rules: - list - patch - watch - # PodDisruptionBudgets protect broker and controller role groups during voluntary disruptions. - # Applied via SSA and tracked for orphan cleanup. PDBs are not watched by the controller - # (no .owns() / .watches()), so watch is not needed. + # PodDisruptionBudget created per role group. Applied via SSA and tracked for orphan cleanup. - apiGroups: - policy resources: @@ -73,7 +65,8 @@ rules: - get - list - patch - # Maintain the CRD to support conversion webhook certificate updates and track startup conditions. + # Required for maintaining the CRDs within the operator (including the conversion webhook info). + # Also for the startup condition check before the controller can run. - apiGroups: - apiextensions.k8s.io resources: @@ -88,7 +81,7 @@ rules: # Required for startup condition - list - watch - # Record Kubernetes events for reconciliation outcomes + # Required to report reconciliation results and warnings back to the KafkaCluster object. - apiGroups: - events.k8s.io resources: @@ -96,7 +89,7 @@ rules: verbs: - create - patch - # Watch and reconcile KafkaCluster resources (the primary resource for this controller) + # Primary CRD: watched by the controller and read during reconciliation. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: 
@@ -105,24 +98,21 @@ rules: - get - list - watch - # Write status conditions back to the KafkaCluster object + # Status subresource: updated at the end of every reconciliation. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: - {{ include "operator.name" . }}clusters/status verbs: - patch - # Read AuthenticationClasses to resolve TLS and Kerberos authentication configuration. - # Only get is needed: the operator resolves classes via a direct client.get() call - # during reconciliation; there is no controller watch on AuthenticationClass. + # Read authentication class configuration referenced in the KafkaCluster spec. - apiGroups: - authentication.stackable.tech resources: - authenticationclasses verbs: - get - # Manage Listener resources for broker bootstrap and per-rolegroup exposure. - # Applied via SSA, tracked for orphan cleanup, and watched via .owns(). + # Listener created per role group. Applied via SSA and tracked for orphan cleanup. - apiGroups: - listeners.stackable.tech resources: @@ -134,9 +124,7 @@ rules: - list - patch - watch - # Bind the product ClusterRole to per-cluster ServiceAccounts (via RoleBindings above). - # The operator creates RoleBindings that reference this ClusterRole, so it must have - # permission to bind it. + # Required to bind the product ClusterRole to the per-cluster ServiceAccount. - apiGroups: - rbac.authorization.k8s.io resources: @@ -146,6 +134,8 @@ rules: resourceNames: - {{ include "operator.name" . }}-clusterrole --- +# Product ClusterRole: bound (via per KafkaCluster RoleBinding) to the ServiceAccount that Kafka +# workload pods (brokers, KRaft controllers) run as. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -153,7 +143,7 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - # Kafka pods may emit Kubernetes events (e.g. via the Stackable commons init container) + # Allows Kafka pods to emit Kubernetes events. - apiGroups: - events.k8s.io resources: From ab656a9f6a8151b9f2f7cd6f48dd2bc06308794c Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 14:22:23 +0200 Subject: [PATCH 09/13] chore: Remove the events.k8s.io rule from the product ClusterRole. The operator manages the Kubernetes events. --- deploy/helm/kafka-operator/templates/roles.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/roles.yaml index ffe04ded..4ac12c7a 100644 --- a/deploy/helm/kafka-operator/templates/roles.yaml +++ b/deploy/helm/kafka-operator/templates/roles.yaml @@ -143,14 +143,6 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - # Allows Kafka pods to emit Kubernetes events. - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create - - patch {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} # On OpenShift, the workload pods must be allowed to use the nonroot-v2 SCC - apiGroups: From 27927f5a652796c518e42dfec1228fe2cdaab8a3 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 14:24:06 +0200 Subject: [PATCH 10/13] chore: Keep the rbac.authorization.k8s.io rules within a ClusterRole close to each other --- .../helm/kafka-operator/templates/roles.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/roles.yaml index 4ac12c7a..906e7f00 100644 --- a/deploy/helm/kafka-operator/templates/roles.yaml +++ b/deploy/helm/kafka-operator/templates/roles.yaml 
@@ -41,6 +41,15 @@ rules: - list - patch - watch + # Required to bind the product ClusterRole to the per-cluster ServiceAccount. + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - bind + resourceNames: + - {{ include "operator.name" . }}-clusterrole # StatefulSet created per role group (broker, KRaft controller). Applied via # SSA, tracked for orphan cleanup, and owned by the controller. - apiGroups: @@ -124,15 +133,6 @@ rules: - list - patch - watch - # Required to bind the product ClusterRole to the per-cluster ServiceAccount. - - apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - bind - resourceNames: - - {{ include "operator.name" . }}-clusterrole --- # Product ClusterRole: bound (via per KafkaCluster RoleBinding) to the ServiceAccount that Kafka # workload pods (brokers, KRaft controllers) run as. From 17d2974fc141693a8e06f4d99cc0e2295af673d7 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 14:29:10 +0200 Subject: [PATCH 11/13] chore: Split the roles.yaml into separate files for clusterrole-operator.yaml and clusterrole-product.yaml --- .../{roles.yaml => clusterrole-operator.yaml} | 21 ------------------- .../templates/clusterrole-product.yaml | 21 +++++++++++++++++++ 2 files changed, 21 insertions(+), 21 deletions(-) rename deploy/helm/kafka-operator/templates/{roles.yaml => clusterrole-operator.yaml} (84%) create mode 100644 deploy/helm/kafka-operator/templates/clusterrole-product.yaml diff --git a/deploy/helm/kafka-operator/templates/roles.yaml b/deploy/helm/kafka-operator/templates/clusterrole-operator.yaml similarity index 84% rename from deploy/helm/kafka-operator/templates/roles.yaml rename to deploy/helm/kafka-operator/templates/clusterrole-operator.yaml index 906e7f00..5e5b475c 100644 --- a/deploy/helm/kafka-operator/templates/roles.yaml +++ b/deploy/helm/kafka-operator/templates/clusterrole-operator.yaml 
@@ -133,24 +133,3 @@ rules: - list - patch - watch ---- -# Product ClusterRole: bound (via per KafkaCluster RoleBinding) to the ServiceAccount that Kafka -# workload pods (brokers, KRaft controllers) run as. -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "operator.name" . }}-clusterrole - labels: - {{- include "operator.labels" . | nindent 4 }} -rules: -{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} - # On OpenShift, the workload pods must be allowed to use the nonroot-v2 SCC - - apiGroups: - - security.openshift.io - resources: - - securitycontextconstraints - resourceNames: - - nonroot-v2 - verbs: - - use -{{ end }} diff --git a/deploy/helm/kafka-operator/templates/clusterrole-product.yaml b/deploy/helm/kafka-operator/templates/clusterrole-product.yaml new file mode 100644 index 00000000..bc837687 --- /dev/null +++ b/deploy/helm/kafka-operator/templates/clusterrole-product.yaml @@ -0,0 +1,21 @@ +--- +# Product ClusterRole: bound (via per KafkaCluster RoleBinding) to the ServiceAccount that Kafka +# workload pods (brokers, KRaft controllers) run as. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "operator.name" . }}-clusterrole + labels: + {{- include "operator.labels" . | nindent 4 }} +rules: +{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # On OpenShift, the workload pods must be allowed to use the nonroot-v2 SCC + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nonroot-v2 + verbs: + - use +{{ end }} From 1341888b5a854ff536a9481b5c5ebf54f413f908 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Wed, 1 Apr 2026 14:32:14 +0200 Subject: [PATCH 12/13] chore(nix): Update crate hashes --- Cargo.nix | 18 +++++++++--------- crate-hashes.json | 18 +++++++++--------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Cargo.nix b/Cargo.nix index 1cd173e5..9cd7a228 100644 
--- a/Cargo.nix +++ b/Cargo.nix @@ -4789,7 +4789,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "k8s_version"; authors = [ @@ -9398,7 +9398,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_certs"; authors = [ @@ -9593,7 +9593,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_operator"; authors = [ @@ -9765,7 +9765,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -9800,7 +9800,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_shared"; authors = [ 
@@ -9881,7 +9881,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_telemetry"; authors = [ @@ -9991,7 +9991,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_versioned"; authors = [ @@ -10035,7 +10035,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_versioned_macros"; @@ -10103,7 +10103,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_webhook"; authors = [ diff --git a/crate-hashes.json b/crate-hashes.json index 3714ebda..2148b36f 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
@@ -4,14 +4,14 @@ "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-derive@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube-runtime@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": 
"0yxp9d7x3xzlc7i67mjkizf587hvx8kwjly9p10x320hvp91qf17", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file From 7c72e2abe22af09735a84f4539c49f1a87ebe997 Mon Sep 17 00:00:00 2001 
From: Nick <10092581+NickLarsenNZ@users.noreply.github.com> Date: Tue, 7 Apr 2026 12:14:25 +0200 Subject: [PATCH 13/13] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d662aba..4c8289ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file. ### Changed -- Helm deployed RBAC permissions documented, with unnecessary permissions removed ([#953]). +- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#953]). [#953]: https://github.com/stackabletech/kafka-operator/pull/953