[CHORE] Switch to namespace-scoped role + rolebinding resources (#5972)

## Description of changes

This will be the first step towards making it easily possible to run
multiple chroma instances in the same k8s cluster.

## Test plan

`tilt up`

## Migration plan

Will have to try this out in a staging environment. Not completely sure
yet.

## Observability plan

n/a

## Documentation Changes

n/a

Author: jasonvigil

Tiltfile

@@ -190,27 +190,27 @@ k8s_resource(
     'garbage-collection-service-memberlist:MemberList',
     'rust-log-service-memberlist:MemberList',
 
-    'sysdb-serviceaccount:serviceaccount',
+    'sysdb-serviceaccount:ServiceAccount',
     'sysdb-serviceaccount-rolebinding:RoleBinding',
-    'sysdb-query-service-memberlist-binding:clusterrolebinding',
-    'sysdb-compaction-service-memberlist-binding:clusterrolebinding',
+    'sysdb-query-service-memberlist-binding:RoleBinding',
+    'sysdb-compaction-service-memberlist-binding:RoleBinding',
 
-    'query-service-serviceaccount:serviceaccount',
+    'query-service-serviceaccount:ServiceAccount',
     'query-service-serviceaccount-rolebinding:RoleBinding',
-    'query-service-memberlist-readerwriter:ClusterRole',
-    'query-service-query-service-memberlist-binding:clusterrolebinding',
-    'query-service-memberlist-readerwriter-binding:clusterrolebinding',
-
-    'compaction-service-memberlist-readerwriter:ClusterRole',
-    'compaction-service-compaction-service-memberlist-binding:clusterrolebinding',
-    'compaction-service-memberlist-readerwriter-binding:clusterrolebinding',
-    'compaction-service-serviceaccount:serviceaccount',
+    'query-service-memberlist-readerwriter:Role',
+    'query-service-query-service-memberlist-binding:RoleBinding',
+    'query-service-memberlist-readerwriter-binding:RoleBinding',
+
+    'compaction-service-memberlist-readerwriter:Role',
+    'compaction-service-compaction-service-memberlist-binding:RoleBinding',
+    'compaction-service-memberlist-readerwriter-binding:RoleBinding',
+    'compaction-service-serviceaccount:ServiceAccount',
     'compaction-service-serviceaccount-rolebinding:RoleBinding',
 
     'test-memberlist:MemberList',
-    'test-memberlist-reader:ClusterRole',
-    'test-memberlist-reader-binding:ClusterRoleBinding',
-    'lease-watcher:role',
+    'test-memberlist-reader:Role',
+    'test-memberlist-reader-binding:RoleBinding',
+    'lease-watcher:Role',
     'rust-frontend-service-config:ConfigMap',
   ],
   new_name='k8s_setup',

k8s/distributed-chroma/Chart.yaml

@@ -16,7 +16,7 @@ apiVersion: v2
 name: distributed-chroma
 description: A helm chart for distributed Chroma
 type: application
-version: 0.1.67
+version: 0.1.68
 appVersion: "0.4.24"
 keywords:
   - chroma

k8s/distributed-chroma/templates/compaction-service-memberlist-cr.yaml

@@ -13,9 +13,10 @@ spec:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: compaction-service-memberlist-readerwriter
+  namespace: {{ .Values.namespace }}
 rules:
 - apiGroups:
   - chroma.cluster
@@ -34,12 +35,13 @@ rules:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: sysdb-compaction-service-memberlist-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: compaction-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount
@@ -49,14 +51,15 @@ subjects:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   # Awkward name, but this lets the compaction-service-serviceaccount read
   # the compaction-service-memberlist.
   name: compaction-service-compaction-service-memberlist-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: compaction-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount
@@ -66,12 +69,13 @@ subjects:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: compaction-service-memberlist-readerwriter-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: compaction-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount

k8s/distributed-chroma/templates/garbage-collection-service-memberlist-cr.yaml

@@ -8,9 +8,10 @@ spec:
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: garbage-collection-service-memberlist-readerwriter
+  namespace: {{ .Values.namespace }}
 rules:
 - apiGroups:
     - chroma.cluster
@@ -29,12 +30,13 @@ rules:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: sysdb-garbage-collection-service-memberlist-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: garbage-collection-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount
@@ -43,12 +45,13 @@ subjects:
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: garbage-collection-service-garbage-collection-service-memberlist-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: garbage-collection-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount
@@ -58,12 +61,13 @@ subjects:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: garbage-collection-service-memberlist-readerwriter-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: garbage-collection-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount

k8s/distributed-chroma/templates/lease-watcher-role.yaml

@@ -3,8 +3,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: {{ .Values.namespace }}
   name: lease-watcher
+  namespace: {{ .Values.namespace }}
 rules:
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]

k8s/distributed-chroma/templates/pod-watcher-role.yaml

@@ -3,8 +3,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  namespace: {{ .Values.namespace }}
   name: pod-watcher
+  namespace: {{ .Values.namespace }}
 rules:
 - apiGroups: [""]
   resources: ["pods"]

k8s/distributed-chroma/templates/query-service-memberlist-cr.yaml

@@ -13,9 +13,10 @@ spec:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: query-service-memberlist-readerwriter
+  namespace: {{ .Values.namespace }}
 rules:
 - apiGroups:
   - chroma.cluster
@@ -34,12 +35,13 @@ rules:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: sysdb-query-service-memberlist-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: query-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount
@@ -49,14 +51,15 @@ subjects:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   # Awkward name, but this lets the query-service-serviceaccount read
   # the query-service-memberlist.
   name: query-service-query-service-memberlist-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: query-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount
@@ -66,12 +69,13 @@ subjects:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: query-service-memberlist-readerwriter-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: query-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount
@@ -82,12 +86,13 @@ subjects:
 
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: rust-frontend-service-query-service-memberlist-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: query-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount

k8s/distributed-chroma/templates/rust-log-service-memberlist-cr.yaml

@@ -8,9 +8,10 @@ spec:
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: rust-log-service-memberlist-readerwriter
+  namespace: {{ .Values.namespace }}
 rules:
 - apiGroups:
     - chroma.cluster
@@ -30,12 +31,13 @@ rules:
 
 # Allows the sysdb service to read and write to the memberlist
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: sysdb-rust-log-service-memberlist-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: rust-log-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount
@@ -46,12 +48,13 @@ subjects:
 
 # Allows the rust-frontend-service to read and write to the memberlist
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: rust-frontend-service-rust-log-service-memberlist-binding
+  namespace: {{ .Values.namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: rust-log-service-memberlist-readerwriter
 subjects:
 - kind: ServiceAccount

k8s/test/test-memberlist-cr.yaml

@@ -14,9 +14,10 @@ spec:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: test-memberlist-reader
+  namespace: chroma
 rules:
 - apiGroups:
   - chroma.cluster
@@ -35,12 +36,13 @@ rules:
 ---
 
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: test-memberlist-reader-binding
+  namespace: chroma
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: test-memberlist-reader
 subjects:
 - kind: ServiceAccount