feat(plugin-barman-cloud): add user facing roles view and edit

kristiangronas · kristiangronas · commit f1a670b38f08 · 2025-10-08T09:57:34.000+02:00
diff --git a/charts/plugin-barman-cloud/templates/rbac.yaml b/charts/plugin-barman-cloud/templates/rbac.yaml
@@ -114,4 +114,52 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "plugin-barman-cloud.serviceAccountName" . }}
   namespace: {{ include "plugin-barman-cloud.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "plugin-barman-cloud.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+  name: {{ include "plugin-barman-cloud.fullname" . }}-viewer
+rules:
+- apiGroups:
+  - barmancloud.cnpg.io
+  resources:
+  - objectstores
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - barmancloud.cnpg.io
+  resources:
+  - objectstores/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "plugin-barman-cloud.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+  name: {{ include "plugin-barman-cloud.fullname" . }}-editor
+rules:
+- apiGroups:
+  - barmancloud.cnpg.io
+  resources:
+  - objectstores
+  verbs:
+  - create
+  - delete
+  - patch
+  - update
 {{- end }}
diff --git a/charts/plugin-barman-cloud/values.schema.json b/charts/plugin-barman-cloud/values.schema.json
@@ -318,6 +318,12 @@
           "required": [],
           "title": "create",
           "type": "boolean"
+        },
+        "aggregateClusterRoles": {
+          "default": false,
+          "description": "Specifies whether ClusterRoles should be aggregated to standard user roles",
+          "required": [],
+          "type": "boolean"
         }
       },
       "required": [
diff --git a/charts/plugin-barman-cloud/values.yaml b/charts/plugin-barman-cloud/values.yaml
@@ -92,6 +92,9 @@ serviceAccount:
 rbac:
   # -- Specifies whether Role and RoleBinding should be created.
   create: true
+  # -- Aggregate ClusterRoles to Kubernetes default user-facing roles.
+  # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+  aggregateClusterRoles: false
 
 # @schema
 # additionalProperties: true
