added rbac-user with rbac aggregation enabled by default

2025-08-15 21:02:38 +00:00 · 2024-07-26 13:08:59 +02:00
parent 2e776fcd62
commit 46ef148a2a
2 changed files with 35 additions and 0 deletions
--- a/deploy/charts/mariadb-operator/templates/rbac-user.yaml
+++ b/deploy/charts/mariadb-operator/templates/rbac-user.yaml
@ -0,0 +1,30 @@
+{{- if .Values.rbac.enabled -}}
+{{ $fullName := include "mariadb-operator.fullname" . }}
+# the mariadb-view ClusterRole allows viewing all k8s.mariadb.com resources
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $fullName }}-view
+  {{- if .Values.rbac.aggregation.enabled }}
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  {{- end }}
+rules:
+- apiGroups: ["k8s.mariadb.com"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+---
+# the mariadb-edit ClusterRole allows editing k8s.mariadb.com resources
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ $fullName }}-edit
+  {{- if .Values.rbac.aggregation.enabled }}
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  {{- end }}
+rules:
+- apiGroups: ["k8s.mariadb.com"]
+  resources: ["*"]
+  verbs: ["create", "update", "patch", "delete"]
+{{- end }}
--- a/deploy/charts/mariadb-operator/values.yaml
+++ b/deploy/charts/mariadb-operator/values.yaml
@ -51,6 +51,11 @@ rbac:
  # -- Specifies whether RBAC resources should be created
  enabled: true

+  aggregation:
+
+    # -- Specifies whether the cluster roles aggrate to view and edit predefinied roles
+    enabled: true
+
 # -- Extra arguments to be passed to the controller entrypoint
 extrArgs: []