feat(rbac)!: prefix all resource names to avoid cluster conflicts

BREAKING CHANGE: All RBAC resource names have been renamed with consistent
prefixes to prevent naming conflicts with other cluster components.

Users must migrate their existing installations by deleting old resources
and applying the new manifest. See the migration guide for detailed
instructions:
https://cloudnative-pg.io/plugin-barman-cloud/resource-name-migration/

Signed-off-by: Armando Ruocco <[email protected]>

Author: armru

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [Unreleased]
+
+### BREAKING CHANGES
+
+* **manifests:** Resource names have been prefixed to avoid cluster conflicts
+  - All cluster-scoped and namespace-scoped resources now use the `barman-plugin-` prefix for consistency
+  - See the [Resource Name Migration Guide](https://cloudnative-pg.io/plugin-barman-cloud/resource-name-migration/) for detailed migration instructions
+
 ## [0.7.0](https://github.com/cloudnative-pg/plugin-barman-cloud/compare/v0.6.0...v0.7.0) (2025-09-25)
 
 

config/rbac/leader_election_role.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     app.kubernetes.io/name: plugin-barman-cloud
     app.kubernetes.io/managed-by: kustomize
-  name: leader-election-role
+  name: barman-plugin-leader-election-role
 rules:
 - apiGroups:
   - ""

config/rbac/leader_election_role_binding.yaml

@@ -4,11 +4,11 @@ metadata:
   labels:
     app.kubernetes.io/name: plugin-barman-cloud
     app.kubernetes.io/managed-by: kustomize
-  name: leader-election-rolebinding
+  name: barman-plugin-leader-election-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: leader-election-role
+  name: barman-plugin-leader-election-role
 subjects:
 - kind: ServiceAccount
   name: plugin-barman-cloud

config/rbac/metrics_auth_role.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: metrics-auth-role
+  name: barman-plugin-metrics-auth-role
 rules:
 - apiGroups:
   - authentication.k8s.io

config/rbac/metrics_auth_role_binding.yaml

@@ -1,11 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: metrics-auth-rolebinding
+  name: barman-plugin-metrics-auth-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: metrics-auth-role
+  name: barman-plugin-metrics-auth-role
 subjects:
 - kind: ServiceAccount
   name: plugin-barman-cloud

config/rbac/metrics_reader_role.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: metrics-reader
+  name: barman-plugin-metrics-reader
 rules:
 - nonResourceURLs:
   - "/metrics"

config/rbac/objectstore_editor_role.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     app.kubernetes.io/name: plugin-barman-cloud
     app.kubernetes.io/managed-by: kustomize
-  name: objectstore-editor-role
+  name: barman-plugin-objectstore-editor-role
 rules:
 - apiGroups:
   - barmancloud.cnpg.io

config/rbac/objectstore_viewer_role.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     app.kubernetes.io/name: plugin-barman-cloud
     app.kubernetes.io/managed-by: kustomize
-  name: objectstore-viewer-role
+  name: barman-plugin-objectstore-viewer-role
 rules:
 - apiGroups:
   - barmancloud.cnpg.io

web/docs/resource-name-migration.md

@@ -0,0 +1,281 @@
+---
+sidebar_position: 41
+---
+
+# Resource Name Migration Guide
+
+<!-- SPDX-License-Identifier: CC-BY-4.0 -->
+
+:::warning
+Before running the migration script or applying the manifest, please:
+1. **Review the complete manifest** on the [Migration Manifest](migration-manifest.md) page to understand what changes will be made
+2. **Test in a non-production environment** first if possible
+3. **Ensure you have proper backups** of your cluster configuration
+4. **Verify the resource names match** your current installation (default namespace is `cnpg-system`)
+
+This migration will delete old RBAC resources and create new ones. While the operation is designed to be safe, you should review and understand the changes before proceeding. The maintainers of this project are not responsible for any issues that may arise during migration.
+:::
+
+## Overview
+
+Starting from version 0.8.0, the plugin-barman-cloud deployment manifests use more specific, prefixed resource names to avoid conflicts with other components deployed in the same Kubernetes cluster.
+
+## What Changed
+
+The following resources have been renamed to use proper prefixes:
+
+### Cluster-scoped Resources
+
+| Old Name | New Name |
+|----------|----------|
+| `metrics-auth-role` | `barman-plugin-metrics-auth-role` |
+| `metrics-auth-rolebinding` | `barman-plugin-metrics-auth-rolebinding` |
+| `metrics-reader` | `barman-plugin-metrics-reader` |
+| `objectstore-viewer-role` | `barman-plugin-objectstore-viewer-role` |
+| `objectstore-editor-role` | `barman-plugin-objectstore-editor-role` |
+
+### Namespace-scoped Resources
+
+| Old Name | New Name | Namespace |
+|----------|----------|-----------|
+| `leader-election-role` | `barman-plugin-leader-election-role` | `cnpg-system` |
+| `leader-election-rolebinding` | `barman-plugin-leader-election-rolebinding` | `cnpg-system` |
+
+## Why This Change?
+
+Using generic names for cluster-wide resources is discouraged as they may conflict with other components deployed in the same cluster. The new names make it clear that these resources belong to the barman-cloud plugin and help avoid naming collisions.
+
+## Migration Instructions
+
+### Automated Migration
+
+A migration script is provided below to automate the process. The script will:
+1. Delete the old generic-named resources
+2. Apply the new prefixed resources from the bundled manifest
+
+Save the following script to a file (e.g., `migrate-resource-names.sh`), make it executable with `chmod +x migrate-resource-names.sh`, and run it:
+
+```bash
+#!/usr/bin/env bash
+
+# Migration script for plugin-barman-cloud resource name changes
+# This script removes old generic-named resources and applies new prefixed ones
+
+set -e
+
+NAMESPACE="${NAMESPACE:-cnpg-system}"
+DRY_RUN="${DRY_RUN:-false}"
+MANIFEST_URL="https://cloudnative-pg.io/plugin-barman-cloud/migration-rbac.yaml"
+
+echo "=== Barman Plugin Resource Name Migration Script ==="
+echo ""
+echo "This script will migrate from generic resource names to prefixed names"
+echo "to avoid conflicts with other cluster components."
+echo ""
+echo "Namespace: ${NAMESPACE}"
+echo "Dry run: ${DRY_RUN}"
+echo ""
+
+if [ "$DRY_RUN" = "true" ]; then
+  DRY_RUN_FLAG="--dry-run=client"
+  echo "Running in DRY RUN mode - no changes will be made"
+else
+  DRY_RUN_FLAG=""
+  echo "WARNING: This will make actual changes to your cluster"
+  read -p "Continue? (y/N): " -n 1 -r
+  echo
+  if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+    echo "Aborted."
+    exit 1
+  fi
+fi
+
+echo ""
+echo "=== Step 1: Deleting old cluster-scoped resources ==="
+echo ""
+
+# Delete old ClusterRoles
+echo "Deleting old ClusterRole: metrics-auth-role"
+kubectl delete clusterrole metrics-auth-role ${DRY_RUN_FLAG} --ignore-not-found=true
+
+echo "Deleting old ClusterRole: metrics-reader"
+kubectl delete clusterrole metrics-reader ${DRY_RUN_FLAG} --ignore-not-found=true
+
+echo "Deleting old ClusterRole: objectstore-viewer-role"
+kubectl delete clusterrole objectstore-viewer-role ${DRY_RUN_FLAG} --ignore-not-found=true
+
+echo "Deleting old ClusterRole: objectstore-editor-role"
+kubectl delete clusterrole objectstore-editor-role ${DRY_RUN_FLAG} --ignore-not-found=true
+
+# Delete old ClusterRoleBindings
+echo "Deleting old ClusterRoleBinding: metrics-auth-rolebinding"
+kubectl delete clusterrolebinding metrics-auth-rolebinding ${DRY_RUN_FLAG} --ignore-not-found=true
+
+echo ""
+echo "=== Step 2: Deleting old namespace-scoped resources ==="
+echo ""
+
+# Delete old Role
+echo "Deleting old Role: leader-election-role in namespace ${NAMESPACE}"
+kubectl delete role leader-election-role -n ${NAMESPACE} ${DRY_RUN_FLAG} --ignore-not-found=true
+
+# Delete old RoleBinding
+echo "Deleting old RoleBinding: leader-election-rolebinding in namespace ${NAMESPACE}"
+kubectl delete rolebinding leader-election-rolebinding -n ${NAMESPACE} ${DRY_RUN_FLAG} --ignore-not-found=true
+
+echo ""
+echo "=== Step 3: Applying new resources ==="
+echo ""
+
+if [ "$DRY_RUN" = "true" ]; then
+  echo "Skipping resource creation in dry-run mode"
+  echo "To apply new resources, run this script without DRY_RUN=true"
+else
+  echo "Applying new resources from bundled manifest..."
+  
+  # Try to apply from the documentation URL
+  if curl -fsSL "${MANIFEST_URL}" | kubectl apply -f - -n ${NAMESPACE}; then
+    echo "Successfully applied new resources from ${MANIFEST_URL}"
+  else
+    echo "Failed to download manifest from ${MANIFEST_URL}"
+    echo "Please download the manifest manually from:"
+    echo "  https://cloudnative-pg.io/plugin-barman-cloud/migration-manifest/"
+    echo ""
+    echo "Or copy it from the documentation and save it to a file, then run:"
+    echo "  kubectl apply -f <manifest-file> -n ${NAMESPACE}"
+    exit 1
+  fi
+fi
+
+echo ""
+echo "=== Migration complete! ==="
+echo ""
+echo "Summary of changes:"
+echo "  Cluster-scoped resources:"
+echo "    - metrics-auth-role → barman-plugin-metrics-auth-role"
+echo "    - metrics-auth-rolebinding → barman-plugin-metrics-auth-rolebinding"
+echo "    - metrics-reader → barman-plugin-metrics-reader"
+echo "    - objectstore-viewer-role → barman-plugin-objectstore-viewer-role"
+echo "    - objectstore-editor-role → barman-plugin-objectstore-editor-role"
+echo ""
+echo "  Namespace-scoped resources (in ${NAMESPACE}):"
+echo "    - leader-election-role → barman-plugin-leader-election-role"
+echo "    - leader-election-rolebinding → barman-plugin-leader-election-rolebinding"
+echo ""
+```
+
+#### Dry Run (Recommended First Step)
+
+Test the migration without making changes:
+
+```bash
+export DRY_RUN=true
+./migrate-resource-names.sh
+```
+
+#### Actual Migration
+
+Once you're satisfied with the dry run output:
+
+```bash
+./migrate-resource-names.sh
+```
+
+By default, the script assumes the plugin is installed in the `cnpg-system` namespace. If you're using a different namespace, set the `NAMESPACE` environment variable:
+
+```bash
+export NAMESPACE=my-namespace
+./migrate-resource-names.sh
+```
+
+### Manual Migration
+
+If you prefer to migrate manually:
+
+1. **Delete old cluster-scoped resources:**
+
+```bash
+kubectl delete clusterrole metrics-auth-role
+kubectl delete clusterrole metrics-reader
+kubectl delete clusterrole objectstore-viewer-role
+kubectl delete clusterrole objectstore-editor-role
+kubectl delete clusterrolebinding metrics-auth-rolebinding
+```
+
+2. **Delete old namespace-scoped resources:**
+
+```bash
+kubectl delete role leader-election-role -n cnpg-system
+kubectl delete rolebinding leader-election-rolebinding -n cnpg-system
+```
+
+3. **Apply the new RBAC manifest:**
+
+See the [Migration Manifest](migration-manifest.md) page for the complete bundled YAML. You can either:
+
+- Download and apply from the documentation:
+  ```bash
+  kubectl apply -f https://cloudnative-pg.io/plugin-barman-cloud/migration-rbac.yaml -n cnpg-system
+  ```
+
+- Or copy the YAML from the [Migration Manifest](migration-manifest.md) page, save it to a file, and apply:
+  ```bash
+  kubectl apply -f barman-rbac-new.yaml -n cnpg-system
+  ```
+
+## Impact
+
+- **Downtime:** The migration requires a brief interruption as the old resources are deleted and new ones are created. The plugin controller may need to restart.
+- **Permissions:** If you have custom RBAC rules or tools that reference the old resource names, they will need to be updated.
+- **External Users:** If end users have been granted the `objectstore-viewer-role` or `objectstore-editor-role`, they will need to be re-granted the new role names (`barman-plugin-objectstore-viewer-role` and `barman-plugin-objectstore-editor-role`).
+
+## Verification
+
+After migration, verify that the new resources are created:
+
+```bash
+# Check cluster-scoped resources
+kubectl get clusterrole | grep barman
+kubectl get clusterrolebinding | grep barman
+
+# Check namespace-scoped resources
+kubectl get role,rolebinding -n cnpg-system | grep barman
+```
+
+You should see the new prefixed resource names.
+
+## Troubleshooting
+
+### Plugin Not Starting After Migration
+
+If the plugin fails to start after migration, check:
+
+1. **ServiceAccount permissions:** Ensure the `plugin-barman-cloud` ServiceAccount is bound to the new roles:
+   ```bash
+   kubectl get clusterrolebinding barman-plugin-metrics-auth-rolebinding -o yaml
+   kubectl get rolebinding barman-plugin-leader-election-rolebinding -n cnpg-system -o yaml
+   ```
+
+2. **Role references:** Verify that the rolebindings reference the correct role names:
+   ```bash
+   kubectl describe rolebinding barman-plugin-leader-election-rolebinding -n cnpg-system
+   kubectl describe clusterrolebinding barman-plugin-metrics-auth-rolebinding
+   ```
+
+### Old Resources Still Present
+
+If old resources weren't deleted properly, you can force delete them:
+
+```bash
+kubectl delete clusterrole metrics-auth-role --ignore-not-found
+kubectl delete clusterrole metrics-reader --ignore-not-found
+kubectl delete clusterrole objectstore-viewer-role --ignore-not-found
+kubectl delete clusterrole objectstore-editor-role --ignore-not-found
+kubectl delete clusterrolebinding metrics-auth-rolebinding --ignore-not-found
+kubectl delete role leader-election-role -n cnpg-system --ignore-not-found
+kubectl delete rolebinding leader-election-rolebinding -n cnpg-system --ignore-not-found
+```
+
+## Support
+
+If you encounter issues during migration, please open an issue on the [GitHub repository](https://github.com/cloudnative-pg/plugin-barman-cloud/issues).