cecf
/
deploy


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158
							{{- if .Values.deploy.restapi }}
{{- $allowedNamespaces := regexSplit " " (include "allowedNamespaces" .) -1 }}
{{- range $index, $namespace := $allowedNamespaces }}
{{- if and (eq $index 0) (not $.Values.disableClusterRole) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    api.stackgres.io/auth: user
  name: stackgres-restapi-admin
{{- with $.Values.clusterOwnerRefereces }}
  ownerReferences:
    {{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources:
  - clusterroles
  - clusterrolebindings
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups: ["apiextensions.k8s.io"]
  resources:
  - customresourcedefinitions
  resourceNames:
  - sgconfigs.stackgres.io
  - sgclusters.stackgres.io
  - sginstanceprofiles.stackgres.io
  - sgpgconfigs.stackgres.io
  - sgpoolconfigs.stackgres.io
  - sgbackups.stackgres.io
  - sgbackupconfigs.stackgres.io
  - sgobjectstorages.stackgres.io
  - sgdbops.stackgres.io
  - sgdistributedlogs.stackgres.io
  - sgshardedclusters.stackgres.io
  - sgscripts.stackgres.io
  - sgstreams.stackgres.io
  verbs:
  - get
- apiGroups: ["apiextensions.k8s.io"]
  resources:
  - customresourcedefinitions
  verbs:
  - list
- apiGroups: ["", "storage.k8s.io"]
  resources:
  - namespaces
  - storageclasses
  verbs:
  - get
  - list
  - watch
{{- end }}
{{- if not (eq $namespace "_all_namespaces_placeholder") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: {{ $namespace }}
  name: stackgres-restapi-admin
rules:
{{- end }}
- apiGroups: ["", "batch"]
  resources:
  - pods/exec
  - configmaps
  - secrets
  - jobs
  verbs:
  - create
- apiGroups: [""]
  resources:
  - pods/exec
  verbs:
  - get
- apiGroups: ["", "batch"]
  resources:
  - configmaps
  - secrets
  - jobs
  verbs:
  - delete
- apiGroups: [""]
  resources:
  - configmaps
  - secrets
  verbs:
  - patch
  - update
- apiGroups: ["", "batch", "storage.k8s.io"]
  resources:
  - pods
  - services
  - configmaps
  - secrets
  - persistentvolumes
  - persistentvolumeclaims
  - events
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups: ["stackgres.io"]
  resources:
  - sgclusters
  - sgpgconfigs
  - sginstanceprofiles
  - sgpoolconfigs
  - sgbackupconfigs
  - sgbackups
  - sgdistributedlogs
  - sgdbops
  - sgobjectstorages
  - sgscripts
  - sgshardedclusters
  - sgshardedbackups
  - sgshardeddbops
  - sgstreams
  verbs:
  - create
  - watch
  - list
  - get
  - update
  - patch
  - delete
- apiGroups: ["stackgres.io"]
  resources:
  - sgconfigs
  verbs:
  - watch
  - list
  - get
  - update
  - patch
- apiGroups: ["rbac.authorization.k8s.io"]
  resources:
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
{{- end }}
{{- end }}