feat(plugin-barman-cloud): add user facing roles view and edit

kristiangronas · kristiangronas · commit 3cf0b0d6069a · 2025-10-08T10:21:09.000+02:00
Signed-off-by: Kristian Grønås &lt;Kristian.Gronas@uib.no&gt;
diff --git a/charts/plugin-barman-cloud/README.md b/charts/plugin-barman-cloud/README.md
@@ -49,6 +49,7 @@ Helm Chart for CloudNativePG's CNPG-I backup plugin using Barman Cloud
 | podSecurityContext | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context for the whole pod. |
 | priorityClassName | string | `""` | Priority indicates the importance of a Pod relative to other Pods. |
 | rbac.create | bool | `true` | Specifies whether Role and RoleBinding should be created. |
+| rbac.aggregateClusterRoles | bool | `false` | Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |
 | service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
diff --git a/charts/plugin-barman-cloud/templates/rbac.yaml b/charts/plugin-barman-cloud/templates/rbac.yaml
@@ -114,4 +114,52 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "plugin-barman-cloud.serviceAccountName" . }}
   namespace: {{ include "plugin-barman-cloud.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "plugin-barman-cloud.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+  name: {{ include "plugin-barman-cloud.fullname" . }}-viewer
+rules:
+- apiGroups:
+  - barmancloud.cnpg.io
+  resources:
+  - objectstores
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - barmancloud.cnpg.io
+  resources:
+  - objectstores/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "plugin-barman-cloud.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+  name: {{ include "plugin-barman-cloud.fullname" . }}-editor
+rules:
+- apiGroups:
+  - barmancloud.cnpg.io
+  resources:
+  - objectstores
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 {{- end }}
diff --git a/charts/plugin-barman-cloud/values.schema.json b/charts/plugin-barman-cloud/values.schema.json
@@ -318,6 +318,12 @@
           "required": [],
           "title": "create",
           "type": "boolean"
+        },
+        "aggregateClusterRoles": {
+          "default": false,
+          "description": "Specifies whether ClusterRoles should be aggregated to standard user roles",
+          "required": [],
+          "type": "boolean"
         }
       },
       "required": [
diff --git a/charts/plugin-barman-cloud/values.yaml b/charts/plugin-barman-cloud/values.yaml
@@ -92,6 +92,9 @@ serviceAccount:
 rbac:
   # -- Specifies whether Role and RoleBinding should be created.
   create: true
+  # -- Aggregate ClusterRoles to Kubernetes default user-facing roles.
+  # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+  aggregateClusterRoles: false
 
 # @schema
 # additionalProperties: true
