{{- if .Values.deploy.restapi }} {{- $allowedNamespaces := regexSplit " " (include "allowedNamespaces" .) -1 }} {{- range $index, $namespace := $allowedNamespaces }} {{- if and (eq $index 0) (not $.Values.disableClusterRole) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: api.stackgres.io/auth: user name: stackgres-restapi-admin {{- with $.Values.clusterOwnerRefereces }} ownerReferences: {{- toYaml . | nindent 4 }} {{- end }} rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: - clusterroles - clusterrolebindings verbs: - get - list - watch - create - update - patch - delete - apiGroups: ["apiextensions.k8s.io"] resources: - customresourcedefinitions resourceNames: - sgconfigs.stackgres.io - sgclusters.stackgres.io - sginstanceprofiles.stackgres.io - sgpgconfigs.stackgres.io - sgpoolconfigs.stackgres.io - sgbackups.stackgres.io - sgbackupconfigs.stackgres.io - sgobjectstorages.stackgres.io - sgdbops.stackgres.io - sgdistributedlogs.stackgres.io - sgshardedclusters.stackgres.io - sgscripts.stackgres.io - sgstreams.stackgres.io verbs: - get - apiGroups: ["apiextensions.k8s.io"] resources: - customresourcedefinitions verbs: - list - apiGroups: ["", "storage.k8s.io"] resources: - namespaces - storageclasses verbs: - get - list - watch {{- end }} {{- if not (eq $namespace "_all_namespaces_placeholder") }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: {{ $namespace }} name: stackgres-restapi-admin rules: {{- end }} - apiGroups: ["", "batch"] resources: - pods/exec - configmaps - secrets - jobs verbs: - create - apiGroups: [""] resources: - pods/exec verbs: - get - apiGroups: ["", "batch"] resources: - configmaps - secrets - jobs verbs: - delete - apiGroups: [""] resources: - configmaps - secrets verbs: - patch - update - apiGroups: ["", "batch", "storage.k8s.io"] resources: - pods - services - configmaps - secrets - persistentvolumes - persistentvolumeclaims - events - jobs verbs: - get - list - watch - apiGroups: ["stackgres.io"] resources: - sgclusters - sgpgconfigs - sginstanceprofiles - sgpoolconfigs - sgbackupconfigs - sgbackups - sgdistributedlogs - sgdbops - sgobjectstorages - sgscripts - sgshardedclusters - sgshardedbackups - sgshardeddbops - sgstreams verbs: - create - watch - list - get - update - patch - delete - apiGroups: ["stackgres.io"] resources: - sgconfigs verbs: - watch - list - get - update - patch - apiGroups: ["rbac.authorization.k8s.io"] resources: - roles - rolebindings verbs: - get - list - watch - create - update - patch - delete {{- end }} {{- end }}