Add Postgres Logical Replication rbac and validators (#534)

Co-authored-by: Tamal Saha <tamal@appscode.com> Signed-off-by: Rakibul-Hossain <rakibul.hossain@appscode.com>
kubedb · Sep 26, 2022 · 4b50053 · 4b50053
1 parent 753f60c
commit 4b50053
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 19 deletions.
diff --git a/charts/kubedb-ops-manager/templates/cluster-role.yaml b/charts/kubedb-ops-manager/templates/cluster-role.yaml
@@ -34,6 +34,7 @@ rules:
   - kubedb.com
   - catalog.kubedb.com
   - ops.kubedb.com
+  - postgres.kubedb.com
   resources:
   - "*"
   verbs: ["*"]
@@ -52,6 +53,12 @@ rules:
   - proxysqlopsrequests/finalizers
   - redisopsrequests/finalizers
   verbs: ["update"]
+- apiGroups:
+  - postgres.kubedb.com
+  resources:
+  - publishers/finalizers
+  - subscribers/finalizers
+  verbs: ["update"]
 - apiGroups:
   - apps
   resources:
@@ -81,50 +88,49 @@ rules:
   - configmaps
   verbs: ["create", "delete", "get", "list", "watch", "update", "patch"]
 - apiGroups:
-    - ""
+  - ""
   resources:
-    - persistentvolumeclaims
+  - persistentvolumeclaims
   verbs: ["get", "list", "patch", "delete"]
 - apiGroups:
-    - policy
+  - policy
   resources:
-    - poddisruptionbudgets
+  - poddisruptionbudgets
   verbs: ["get", "list", "create", "delete", "patch", "deletecollection"]
 - apiGroups:
   - batch
   resources:
   - jobs
   verbs: ["create", "delete", "get", "list", "watch"]
 - apiGroups:
-    - stash.appscode.com
+  - stash.appscode.com
   resources:
-    - backupsessions
-    - backupconfigurations
-    - restoresessions
+  - backupsessions
+  - backupconfigurations
+  - restoresessions
   verbs: ["get", "list", "watch", "update", "patch"]
 - apiGroups:
-    - ""
+  - ""
   resources:
-    - serviceaccounts
+  - serviceaccounts
   verbs: ["create", "delete", "get", "patch", "deletecollection"]
 - apiGroups:
-    - rbac.authorization.k8s.io
+  - rbac.authorization.k8s.io
   resources:
-    - rolebindings
-    - roles
+  - rolebindings
+  - roles
   verbs: ["create", "delete", "get", "patch", "deletecollection"]
 - apiGroups:
-    - monitoring.coreos.com
+  - monitoring.coreos.com
   resources:
-    - servicemonitors
+  - servicemonitors
   verbs: ["*"]
 - apiGroups:
-    - storage.k8s.io
+  - storage.k8s.io
   resources:
-    - storageclasses
+  - storageclasses
   verbs: ["get"]
 - apiGroups:
-   - supervisor.appscode.com
+  - supervisor.appscode.com
   resources: ["*"]
   verbs: ["create", "get", "list", "watch", "update", "patch"]
-
diff --git a/charts/kubedb-webhook-server/templates/apiregistration.yaml b/charts/kubedb-webhook-server/templates/apiregistration.yaml
@@ -100,6 +100,23 @@ spec:
   caBundle: {{ $caCrt }}
   groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }}
   versionPriority: {{ .Values.apiserver.versionPriority }}
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.validators.postgres.kubedb.com
+  labels:
+    app.kubernetes.io/component: kubedb-ops-manager
+    {{- include "kubedb-webhook-server.labels" . | nindent 4 }}
+spec:
+  group: validators.postgres.kubedb.com
+  version: v1alpha1
+  service:
+    namespace: {{ .Release.Namespace }}
+    name: {{ include "kubedb-webhook-server.fullname" . }}
+  caBundle: {{ $caCrt }}
+  groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }}
+  versionPriority: {{ .Values.apiserver.versionPriority }}
 {{- end }}
 {{- if list "kubedb-webhook-server" "kubedb-autoscaler" | has .Values.server.repository }}
 ---

diff --git a/charts/kubedb-webhook-server/templates/cluster-role.yaml b/charts/kubedb-webhook-server/templates/cluster-role.yaml
@@ -42,6 +42,7 @@ rules:
   - kubedb.com
   - catalog.kubedb.com
   - ops.kubedb.com
+  - postgres.kubedb.com
   - autoscaling.kubedb.com
   - dashboard.kubedb.com
   - schema.kubedb.com

diff --git a/charts/kubedb-webhook-server/templates/ops-manager/validating-webhook.yaml b/charts/kubedb-webhook-server/templates/ops-manager/validating-webhook.yaml
@@ -71,5 +71,20 @@ webhooks:
   admissionReviewVersions: ["v1beta1"]
   failurePolicy: Fail
   sideEffects: None
+- name: publisherwebhook.validators.postgres.kubedb.com
+  clientConfig:
+    service:
+      namespace: default
+      name: kubernetes
+      path: /apis/validators.postgres.kubedb.com/v1alpha1/publisherwebhooks
+    caBundle: {{ $caCrt }}
+  rules:
+  - apiGroups: ["postgres.kubedb.com"]
+    apiVersions: ["*"]
+    resources: ["publishers"]
+    operations: ["CREATE", "UPDATE", "DELETE"]
+  admissionReviewVersions: ["v1beta1"]
+  failurePolicy: Fail
+  sideEffects: None
 {{- end }}
 {{- end }}