From 107ffe8061bdc21868939917394e580ff7767c48 Mon Sep 17 00:00:00 2001
From: Antoine Millet
Date: Wed, 23 Aug 2023 13:18:08 +0200
Subject: [PATCH] feat(cloudnative-pg): add user facing roles view and edit (#39)
---
 charts/cloudnative-pg/README.md | 1 +
 charts/cloudnative-pg/templates/rbac.yaml | 50 +++++++++++++++++++++++
 charts/cloudnative-pg/values.schema.json | 3 ++
 charts/cloudnative-pg/values.yaml | 3 ++
 4 files changed, 57 insertions(+)
diff --git a/charts/cloudnative-pg/README.md b/charts/cloudnative-pg/README.md
index ce4596ff4..d47531715 100644
--- a/charts/cloudnative-pg/README.md
+++ b/charts/cloudnative-pg/README.md
@@ -44,6 +44,7 @@ CloudNativePG Helm Chart
 | podLabels | object | `{}` | Labels to be added to the pod. |
 | podSecurityContext | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context for the whole pod. |
 | priorityClassName | string | `""` | Priority indicates the importance of a Pod relative to other Pods. |
+| rbac.aggregateClusterRoles | bool | `false` | Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
 | rbac.create | bool | `true` | Specifies whether ClusterRole and ClusterRoleBinding should be created. |
 | replicaCount | int | `1` | |
 | resources | object | `{}` | |
diff --git a/charts/cloudnative-pg/templates/rbac.yaml b/charts/cloudnative-pg/templates/rbac.yaml
index c389df10d..e5126e54b 100644
--- a/charts/cloudnative-pg/templates/rbac.yaml
+++ b/charts/cloudnative-pg/templates/rbac.yaml
@@ -380,4 +380,54 @@ subjects: - kind: ServiceAccount name: {{ include "cloudnative-pg.serviceAccountName" . }} namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "cloudnative-pg.fullname" . }}-view + labels: + {{- include "cloudnative-pg.labels" . | nindent 4 }} + {{- if .Values.rbac.aggregateClusterRoles }} + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + {{- end }} +rules: +- apiGroups: + - postgresql.cnpg.io + resources: + - backups + - clusters + - poolers + - scheduledbackups + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "cloudnative-pg.fullname" . }}-edit + labels: + {{- include "cloudnative-pg.labels" . | nindent 4 }} + {{- if .Values.rbac.aggregateClusterRoles }} + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + {{- end }} +rules: +- apiGroups: + - postgresql.cnpg.io + resources: + - backups + - clusters + - poolers + - scheduledbackups + verbs: + - create + - delete + - deletecollection + - patch + - update +--- {{- end }} diff --git a/charts/cloudnative-pg/values.schema.json b/charts/cloudnative-pg/values.schema.json index 9a7bfff0e..3bdf8322f 100644 --- a/charts/cloudnative-pg/values.schema.json +++ b/charts/cloudnative-pg/values.schema.json @@ -139,6 +139,9 @@ "properties": { "create": { "type": "boolean" + }, + "aggregateClusterRoles": { + "type": "boolean" } } }, diff --git a/charts/cloudnative-pg/values.yaml b/charts/cloudnative-pg/values.yaml index 9e49cb9dd..9faf8ec0c 100644 --- a/charts/cloudnative-pg/values.yaml +++ b/charts/cloudnative-pg/values.yaml 
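Review bot: The `-edit` ClusterRole repeats the `-view` role's apiGroups/resources list verbatim, so a CRD added to one list later can be silently missed in the other; holding the list once in a template variable such as `{{- $resources := list "backups" "clusters" "poolers" "scheduledbackups" }}` and rendering it into both `rules` blocks with `toYaml` keeps the two roles in lockstep. Both roles are rendered whenever the template's enclosing conditional is true (its opening is outside the hunk; the closing `{{- end }}` is the last context line and presumably guards on `.Values.rbac.create`), including when `aggregateClusterRoles` is false, in which case they exist but are bound to nothing — a comment above the first `---` such as `# User-facing roles; without rbac.aggregateClusterRoles they must be bound explicitly` would make that explicit. The `-view` role also carries `aggregate-to-edit` and `aggregate-to-admin` in addition to `aggregate-to-view`, which follows the upstream convention, but a template comment should state the consequence of enabling aggregation: every subject bound to the built-in `edit`/`admin` roles gains create/delete/patch/update over CNPG clusters, backups and poolers in whatever scope those roles are bound.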
@@ -76,6 +76,9 @@ serviceAccount: rbac: # -- Specifies whether ClusterRole and ClusterRoleBinding should be created. create: true + # -- Aggregate ClusterRoles to Kubernetes default user-facing roles. + # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + aggregateClusterRoles: false # -- Annotations to be added to all other resources. commonAnnotations: {}
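Review bot: The new helm-docs comment on `aggregateClusterRoles` names the mechanism but not its effect, which is what an operator needs to judge this opt-in: enabling it grants holders of the built-in view/edit/admin roles read or write access to the chart's CNPG custom resources. A wording that carries that would be `# -- Aggregate the chart's view/edit ClusterRoles into the Kubernetes default user-facing roles (view, edit, admin), granting their holders access to CNPG resources.` followed by the existing `# Ref:` line. The README row added in the first hunk appears to be generated from this comment and would then inherit the clarification.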