# # Copyright The CloudNativePG Contributors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # {{- if .Values.serviceAccount.create }} --- apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "cloudnative-pg.serviceAccountName" . }} namespace: {{ include "cloudnative-pg.namespace" . }} labels: {{- include "cloudnative-pg.labels" . | nindent 4 }} {{- with .Values.commonAnnotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} {{- if .Values.rbac.create }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "cloudnative-pg.fullname" . }} labels: {{- include "cloudnative-pg.labels" . | nindent 4 }} {{- with .Values.commonAnnotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} rules: {{- include "cloudnative-pg.clusterwideRules" . }} {{/* If we're doing a clusterWide installation (default) we add ALL the necessary rules for the operator to the ClusterRole */}} {{- if .Values.config.clusterWide }} {{- include "cloudnative-pg.commonRules" . }} {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "cloudnative-pg.fullname" . }} labels: {{- include "cloudnative-pg.labels" . | nindent 4 }} {{- with .Values.commonAnnotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: {{ include "cloudnative-pg.fullname" . }} subjects: - kind: ServiceAccount name: {{ include "cloudnative-pg.serviceAccountName" . }} namespace: {{ include "cloudnative-pg.namespace" . }} {{/* If we're doing a single-namespace installation we create a Role with the common rules for the operator, and a RoleBinding. We already created the ClusterRole above with the required cluster-wide rules */}} {{- if eq .Values.config.clusterWide false }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "cloudnative-pg.fullname" . }} namespace: {{ include "cloudnative-pg.namespace" . }} labels: {{- include "cloudnative-pg.labels" . | nindent 4 }} {{- with .Values.commonAnnotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} rules: {{- include "cloudnative-pg.commonRules" . }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "cloudnative-pg.fullname" . }} namespace: {{ include "cloudnative-pg.namespace" . }} labels: {{- include "cloudnative-pg.labels" . | nindent 4 }} {{- with .Values.commonAnnotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: {{ include "cloudnative-pg.fullname" . }} subjects: - kind: ServiceAccount name: {{ include "cloudnative-pg.serviceAccountName" . }} namespace: {{ include "cloudnative-pg.namespace" . }} {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "cloudnative-pg.fullname" . }}-view labels: {{- include "cloudnative-pg.labels" . | nindent 4 }} {{- if .Values.rbac.aggregateClusterRoles }} rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" {{- end }} rules: - apiGroups: - postgresql.cnpg.io resources: - backups - clusters - databases - poolers - publications - scheduledbackups - subscriptions verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "cloudnative-pg.fullname" . }}-edit labels: {{- include "cloudnative-pg.labels" . | nindent 4 }} {{- if .Values.rbac.aggregateClusterRoles }} rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" {{- end }} rules: - apiGroups: - postgresql.cnpg.io resources: - backups - clusters - databases - poolers - publications - scheduledbackups - subscriptions verbs: - create - delete - deletecollection - patch - update --- {{- end }}