From 18dce18a411c3464fa7fc6d51ced6e018ff10462 Mon Sep 17 00:00:00 2001
From: j4ckstraw
Date: Thu, 24 Apr 2025 14:41:16 +0800
Subject: [PATCH] doris-operator: add aggregated-clusterrole
Signed-off-by: j4ckstraw
---
 .../templates/aggregated-clusterrole.yaml | 72 +++++++++++++++++++
 helm-charts/doris-operator/values.yaml | 3 +
 2 files changed, 75 insertions(+)
 create mode 100644 helm-charts/doris-operator/templates/aggregated-clusterrole.yaml
diff --git a/helm-charts/doris-operator/templates/aggregated-clusterrole.yaml b/helm-charts/doris-operator/templates/aggregated-clusterrole.yaml
new file mode 100644
index 00000000..1bf53c9f
--- /dev/null
+++ b/helm-charts/doris-operator/templates/aggregated-clusterrole.yaml
@@ -0,0 +1,72 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+{{- if .Values.dorisOperator.enableAggregatedClusterRole }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "kube-doris.name" . }}-viewer-role
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+ - disaggregated.cluster.doris.com
+ resources:
+ - dorisdisaggregatedclusters
+ - dorisdisaggregatedclusters/status
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - doris.selectdb.com
+ resources:
+ - dorisclusters
+ - dorisclusters/status
+ verbs:
+ - get
+ - list
+ - watch
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "kube-doris.name" . }}-editor-role
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+ - disaggregated.cluster.doris.com
+ resources:
+ - dorisdisaggregatedclusters
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+ - deletecollection
+- apiGroups:
+ - doris.selectdb.com
+ resources:
+ - dorisclusters
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+ - deletecollection
+{{- end }}
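Review bot: The `aggregate-to-view` label on the viewer role gives every subject already bound to the built-in `view` role read access to the full objects of `dorisclusters` and `dorisdisaggregatedclusters`. Built-in `view` deliberately excludes Secrets, so if either CRD allows credentials to be set inline in the spec (the CRD schemas are not visible in this patch, worth confirming), those values become readable by all `view` holders once the flag is on. A comment above the viewer role would make that trade-off visible, e.g. `# Aggregated into built-in "view": CR specs are readable by every view-bound subject, keep credentials in Secrets`. Separately, the editor role carries write verbs only and depends on `edit` inheriting `view` for reads, so bound directly it cannot `get` the objects it patches. Adding `get`, `list` and `watch` to both editor rules would make it self-contained.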
diff --git a/helm-charts/doris-operator/values.yaml b/helm-charts/doris-operator/values.yaml
index 17f1ff46..de03bad1 100644
--- a/helm-charts/doris-operator/values.yaml
+++ b/helm-charts/doris-operator/values.yaml
@@ -44,3 +44,6 @@ dorisOperator:
 # values:
 # - target-host-name
 enableWebhook: false
+
+ # create aggregate-cluster role, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+ enableAggregatedClusterRole: false
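Review bot: The comment on `enableAggregatedClusterRole` does not say that turning the flag on changes what every existing holder of the built-in `view` and `edit` roles can do across the cluster, which is what someone deciding on this value needs to know. Suggested wording: `# Create ClusterRoles that aggregate Doris CR read/write permissions into the built-in view/edit roles; this affects every subject already bound to those roles.` The `false` default fits that cluster-wide effect and should stay. The `dorisOperator:` mapping this key belongs to starts outside the hunk.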