From 2b3793c680b322d6e127d41790b8e41414353960 Mon Sep 17 00:00:00 2001
From: Jonathan Gonzalez V
Date: Fri, 29 Mar 2024 14:57:24 +0100
Subject: [PATCH] chore: review
Signed-off-by: Jonathan Gonzalez V
---
 .../templates/_helpers.tpl | 22 ++
 .../templates/rbac.yaml | 344 ++----------------
 2 files changed, 49 insertions(+), 317 deletions(-)
diff --git a/charts/edb-postgres-for-kubernetes/templates/_helpers.tpl b/charts/edb-postgres-for-kubernetes/templates/_helpers.tpl
index dab0824..aa3de51 100644
--- a/charts/edb-postgres-for-kubernetes/templates/_helpers.tpl
+++ b/charts/edb-postgres-for-kubernetes/templates/_helpers.tpl
@@ -71,3 +71,25 @@ Create the imagePullSecret
 {{- end }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define which type of roles we should have
+*/}}
+{{- define "edb-postgres-for-kubernetes.role" }}
+{{- if .Values.config.clusterWide }}
+{{- printf "ClusterRole" }}
+{{- else }}
+{{- printf "Role" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define the type of binding for the role
+*/}}
+{{- define "edb-postgres-for-kubernetes.binding" }}
+{{- if .Values.config.clusterWide }}
+{{- printf "ClusterRoleBinding" }}
+{{- else }}
+{{- printf "RoleBinding" }}
+{{- end }}
+{{- end }}
diff --git a/charts/edb-postgres-for-kubernetes/templates/rbac.yaml b/charts/edb-postgres-for-kubernetes/templates/rbac.yaml
index 995264a..b849d54 100644
--- a/charts/edb-postgres-for-kubernetes/templates/rbac.yaml
+++ b/charts/edb-postgres-for-kubernetes/templates/rbac.yaml
@@ -27,10 +27,9 @@ metadata:
 {{- end }}
 {{- if .Values.rbac.create }}
-{{- if .Values.config.clusterWide }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ include "edb-postgres-for-kubernetes.role" . }}
 metadata:
 name: {{ include "edb-postgres-for-kubernetes.fullname" . }}
 labels:
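Review bot: The new `edb-postgres-for-kubernetes.binding` helper re-tests `.Values.config.clusterWide` instead of reusing the `edb-postgres-for-kubernetes.role` helper, so the two can silently diverge if one condition is later edited, and a `ClusterRoleBinding` whose `roleRef.kind` is `Role` is rejected by the API server. Deriving one from the other keeps them consistent by construction: replace the body of the binding helper with `{{- printf "%sBinding" (include "edb-postgres-for-kubernetes.role" .) }}`. The helper comments would also be more useful if they said the switch is on the truthiness of `config.clusterWide`, so an unset or null key renders the namespaced kind, e.g. `{{/* Role kind for the operator: ClusterRole when .Values.config.clusterWide is truthy, otherwise a namespaced Role */}}`.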
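Review bot: With `kind:` now a single switch, the namespaced install receives the rule list that this document previously carried only as a `ClusterRole`, while the dedicated `Role` it replaces (deleted further down in this patch) had its own list; any resource or verb that appeared only in the old cluster-wide list is therefore newly granted inside the release namespace. The hunk does not show the full shared rule list, so I cannot tell from here whether the two sets actually differ, but diffing `helm template --set config.clusterWide=false` against the previous release's rendered `Role` would settle that before merge. A short comment above `kind:` would also help the next reader see that this is intentional, e.g. `{{/* One rule set for both modes; only the scope changes (Role vs ClusterRole) */}}`.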
@@ -67,22 +66,6 @@ rules: verbs: - create - patch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - apiGroups: - "" resources: @@ -165,32 +148,6 @@ rules: - patch - update - watch -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - verbs: - - get - - list - - patch - - update -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - list - - patch - - update -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - get - - list - - update - apiGroups: - apps resources: 
@@ -371,327 +328,80 @@ rules: - list - patch - watch -{{ else }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "edb-postgres-for-kubernetes.fullname" . }} - labels: - {{- include "edb-postgres-for-kubernetes.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - configmaps/status - verbs: - - get - - patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - pods/status - verbs: - - get -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - secrets/status - verbs: - - get - - patch - - update +{{/* +In case we have a clusterWide installation we should create +in the same role these permissions +*/}} +{{- if .Values.config.clusterWide }} - apiGroups: - "" resources: - - serviceaccounts + - namespaces verbs: - - create - get - list - - patch - - update - watch - apiGroups: - "" resources: - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - coordination.k8s.io - 
resources: - - leases - verbs: - - create - - get - - update -- apiGroups: - - monitoring.coreos.com - resources: - - podmonitors - verbs: - - create - - delete - - get - - list - - patch - - watch -- apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - postgresql.k8s.enterprisedb.io - resources: - - backups - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - postgresql.k8s.enterprisedb.io - resources: - - backups/status - verbs: - - get - - patch - - update -- apiGroups: - - postgresql.k8s.enterprisedb.io - resources: - - clusters - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - postgresql.k8s.enterprisedb.io - resources: - - clusters/finalizers - verbs: - - update -- apiGroups: - - postgresql.k8s.enterprisedb.io - resources: - - clusters/status - verbs: - - get - - patch - - update - - watch -- apiGroups: - - postgresql.k8s.enterprisedb.io - resources: - - poolers + - nodes verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - postgresql.k8s.enterprisedb.io - resources: - - poolers/finalizers - verbs: - - update -- apiGroups: - - postgresql.k8s.enterprisedb.io + - admissionregistration.k8s.io resources: - - poolers/status + - mutatingwebhookconfigurations verbs: - get - - patch - - update - - watch -- apiGroups: - - postgresql.k8s.enterprisedb.io - resources: - - scheduledbackups - verbs: - - create - - delete - - get - list - patch - update - - watch -- apiGroups: - - postgresql.k8s.enterprisedb.io - resources: - - scheduledbackups/status - verbs: - - get - - patch - - update - apiGroups: - - rbac.authorization.k8s.io + - admissionregistration.k8s.io resources: - - rolebindings + - validatingwebhookconfigurations verbs: - - create - get - list - patch - update - - watch - apiGroups: - - rbac.authorization.k8s.io + - 
apiextensions.k8s.io resources: - - roles + - customresourcedefinitions verbs: - - create - get - list - - patch - update - - watch -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - create - - get - - list - - patch - - watch +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: {{ include "edb-postgres-for-kubernetes.binding" . }} metadata: name: {{ include "edb-postgres-for-kubernetes.fullname" . }} labels: {{- include "edb-postgres-for-kubernetes.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations.annotations }} + {{- with .Values.commonAnnotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role + kind: {{ include "edb-postgres-for-kubernetes.role" . }} name: {{ include "edb-postgres-for-kubernetes.fullname" . }} subjects: - kind: ServiceAccount name: {{ include "edb-postgres-for-kubernetes.serviceAccountName" . }} namespace: {{ .Release.Namespace }} + +{{/* +In case that we're not doing a clusterWide installation +we should create a ClusterRole for the operator that will +allow a couple of missing permissions +*/}} +{{- if eq .Values.config.clusterWide false }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -746,7 +456,6 @@ rules: - get - list - update -{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -754,7 +463,7 @@ metadata: name: {{ include "edb-postgres-for-kubernetes.fullname" . }} labels: {{- include "edb-postgres-for-kubernetes.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations.annotations }} + {{- with .Values.commonAnnotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} @@ -767,3 +476,4 @@ subjects: name: {{ include "edb-postgres-for-kubernetes.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} +{{- end }}
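Review bot: `{{- if eq .Values.config.clusterWide false }}` is not the complement of the `{{- if .Values.config.clusterWide }}` test used by the role/binding helpers and by the appended cluster-scoped rules earlier in this hunk: Go's `eq` returns false without error when one side is nil, so a values file that omits or nulls `config.clusterWide` renders a namespaced `Role`/`RoleBinding` but skips the supplementary `ClusterRole`/`ClusterRoleBinding` the comment says the operator needs, and a non-bool value such as the string `"false"` makes `eq` abort the render instead. Using the same truthiness test, `{{- if not .Values.config.clusterWide }}`, keeps the two branches in lockstep for every value the chart might receive. The comment above the appended rules could also state why they are conditional, since namespaces, nodes, webhook configurations and CRDs are cluster-scoped and only take effect when the role above renders as a `ClusterRole`; describe that in one sentence in place of "we should create in the same role these permissions".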