Merge pull request #10 from DoodleScheduling/rbac-DK-1854

raffis · web-flow · commit e78c23233905 · 2021-04-23T14:41:28.000+02:00
added user cluster roles DK-1854
diff --git a/chart/k8sdb-controller/templates/clusterrole-edit.yaml b/chart/k8sdb-controller/templates/clusterrole-edit.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.clusterRBAC.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "k8sdb-controller.fullname" . }}-edit
+  labels:
+    app.kubernetes.io/name: {{ include "k8sdb-controller.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "k8sdb-controller.chart" . }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  annotations:
+    {{- toYaml .Values.annotations | nindent 4 }}
+rules:
+- apiGroups:
+  - "dbprovisioning.infra.doodle.com"
+  resources:
+  - mongodbdatabases
+  - mongodbusers
+  - postgresqldatabases
+  - postgresqlusers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - "dbprovisioning.infra.doodle.com"
+  resources:
+  - mongodbdatabases/status
+  - mongodbusers/status
+  - postgresqldatabases/status
+  - postgresqlusers/status
+  verbs:
+  - get
+{{- end }}
diff --git a/chart/k8sdb-controller/templates/clusterrole-view.yaml b/chart/k8sdb-controller/templates/clusterrole-view.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.clusterRBAC.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "k8sdb-controller.fullname" . }}-view
+  labels:
+    app.kubernetes.io/name: {{ include "k8sdb-controller.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "k8sdb-controller.chart" . }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  annotations:
+    {{- toYaml .Values.annotations | nindent 4 }}
+rules:
+- apiGroups:
+  - "dbprovisioning.infra.doodle.com"
+  resources:
+  - mongodbdatabases
+  - mongodbusers
+  - postgresqldatabases
+  - postgresqlusers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "dbprovisioning.infra.doodle.com"
+  resources:
+  - mongodbdatabases/status
+  - mongodbusers/status
+  - postgresqldatabases/status
+  - postgresqlusers/status
+  verbs:
+  - get
+{{- end }}
