feat: clusterrole aggregated to user facing roles

Signed-off-by: Cyril Jouve <[email protected]>
cloudnative-pg · Jun 5, 2023 · de6af7d · de6af7d
1 parent 9642a35
commit de6af7d
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 0 deletions.
diff --git a/charts/cloudnative-pg/README.md b/charts/cloudnative-pg/README.md
@@ -44,6 +44,7 @@ CloudNativePG Helm Chart
 | podLabels | object | `{}` | Labels to be added to the pod. |
 | podSecurityContext | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context for the whole pod. |
 | priorityClassName | string | `""` | Priority indicates the importance of a Pod relative to other Pods. |
+| rbac.aggregate | bool | `false` | Create a ClusterRole and aggregate it to [user facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) |
 | rbac.create | bool | `true` | Specifies whether ClusterRole and ClusterRoleBinding should be created. |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
@@ -55,3 +56,5 @@ CloudNativePG Helm Chart
 | tolerations | list | `[]` | Tolerations for the operator to be installed. |
 | webhook | object | `{"livenessProbe":{"initialDelaySeconds":3},"mutating":{"create":true,"failurePolicy":"Fail"},"port":9443,"readinessProbe":{"initialDelaySeconds":3},"validating":{"create":true,"failurePolicy":"Fail"}}` | The webhook configuration. |
 
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/cloudnative-pg/templates/rbac.yaml b/charts/cloudnative-pg/templates/rbac.yaml
@@ -380,4 +380,59 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "cloudnative-pg.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+{{- if .Values.rbac.aggregate }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}-edit
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  {{- with .Values.commonAnnotations.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  - clusters
+  - poolers
+  - scheduledbackups
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}-view
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  {{- with .Values.commonAnnotations.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  - clusters
+  - poolers
+  - scheduledbackups
+  verbs:
+  - get
+  - list
+  - watch
+{{- end }}
 {{- end }}
diff --git a/charts/cloudnative-pg/values.schema.json b/charts/cloudnative-pg/values.schema.json
@@ -137,6 +137,9 @@
         "rbac": {
             "type": "object",
             "properties": {
+                "aggregate": {
+                    "type": "boolean"
+                },
                 "create": {
                     "type": "boolean"
                 }

diff --git a/charts/cloudnative-pg/values.yaml b/charts/cloudnative-pg/values.yaml
@@ -76,6 +76,8 @@ serviceAccount:
 rbac:
   # -- Specifies whether ClusterRole and ClusterRoleBinding should be created.
   create: true
+  # -- Create a ClusterRole and aggregate it to [user facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+  aggregate: false
 
 # -- Annotations to be added to all other resources.
 commonAnnotations: {}