From 4b500533b28a2f63c5f29fe84bae94ad7709d060 Mon Sep 17 00:00:00 2001
From: Rakibul Hossain
Date: Mon, 26 Sep 2022 19:20:39 +0600
Subject: [PATCH] Add Postgres Logical Replication rbac and validators (#534)
Co-authored-by: Tamal Saha
Signed-off-by: Rakibul-Hossain
---
 .../templates/cluster-role.yaml | 44 +++++++++++--------
 .../templates/apiregistration.yaml | 17 +++++++
 .../templates/cluster-role.yaml | 1 +
 .../ops-manager/validating-webhook.yaml | 15 +++++++
 4 files changed, 58 insertions(+), 19 deletions(-)
diff --git a/charts/kubedb-ops-manager/templates/cluster-role.yaml b/charts/kubedb-ops-manager/templates/cluster-role.yaml
index f412dad8f..cd08ea925 100644
--- a/charts/kubedb-ops-manager/templates/cluster-role.yaml
+++ b/charts/kubedb-ops-manager/templates/cluster-role.yaml
@@ -34,6 +34,7 @@ rules:
 - kubedb.com
 - catalog.kubedb.com
 - ops.kubedb.com
+ - postgres.kubedb.com
 resources:
 - "*"
 verbs: ["*"]
@@ -52,6 +53,12 @@ rules:
 - proxysqlopsrequests/finalizers
 - redisopsrequests/finalizers
 verbs: ["update"]
+- apiGroups:
+ - postgres.kubedb.com
+ resources:
+ - publishers/finalizers
+ - subscribers/finalizers
+ verbs: ["update"]
 - apiGroups:
 - apps
 resources:
@@ -81,14 +88,14 @@ rules:
 - configmaps
 verbs: ["create", "delete", "get", "list", "watch", "update", "patch"]
 - apiGroups:
- ""
+ ""
 resources:
- - persistentvolumeclaims
+ - persistentvolumeclaims
 verbs: ["get", "list", "patch", "delete"]
 - apiGroups:
- policy
+ policy
 resources:
- - poddisruptionbudgets
+ - poddisruptionbudgets
 verbs: ["get", "list", "create", "delete", "patch", "deletecollection"]
 - apiGroups:
 - batch
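Review bot: Adding `postgres.kubedb.com` to the rule with `resources: ["*"]` and `verbs: ["*"]` already grants `update` on `publishers/finalizers` and `subscribers/finalizers`, so the explicit finalizers rule added in the second hunk is redundant; conversely, if that explicit rule reflects what the ops-manager actually needs on this group, the wildcard entry is wider than necessary and lets this ServiceAccount create, patch and delete Publisher and Subscriber objects cluster-wide. This mirrors the existing pattern for `ops.kubedb.com`, so it may be deliberate, but because these objects drive logical replication it is worth confirming which verbs the ops-manager controllers use and, if they are only a subset, listing the group in a dedicated rule with exactly those resources and verbs instead of the wildcard. At minimum a comment above the wildcard rule such as `# ops-manager reconciles Publisher/Subscriber objects and needs full access to postgres.kubedb.com` would record the intent. The `rules:` list these entries belong to starts outside the hunk.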
@@ -96,35 +103,34 @@ rules:
 - jobs
 verbs: ["create", "delete", "get", "list", "watch"]
 - apiGroups:
- stash.appscode.com
+ stash.appscode.com
 resources:
- - backupsessions
- - backupconfigurations
- - restoresessions
+ - backupsessions
+ - backupconfigurations
+ - restoresessions
 verbs: ["get", "list", "watch", "update", "patch"]
 - apiGroups:
- ""
+ ""
 resources:
- - serviceaccounts
+ - serviceaccounts
 verbs: ["create", "delete", "get", "patch", "deletecollection"]
 - apiGroups:
- rbac.authorization.k8s.io
+ rbac.authorization.k8s.io
 resources:
- - rolebindings
- - roles
+ - rolebindings
+ - roles
 verbs: ["create", "delete", "get", "patch", "deletecollection"]
 - apiGroups:
- monitoring.coreos.com
+ monitoring.coreos.com
 resources:
- - servicemonitors
+ - servicemonitors
 verbs: ["*"]
 - apiGroups:
- storage.k8s.io
+ storage.k8s.io
 resources:
- - storageclasses
+ - storageclasses
 verbs: ["get"]
 - apiGroups:
- supervisor.appscode.com
+ supervisor.appscode.com
 resources: ["*"]
 verbs: ["create", "get", "list", "watch", "update", "patch"]
-
diff --git a/charts/kubedb-webhook-server/templates/apiregistration.yaml b/charts/kubedb-webhook-server/templates/apiregistration.yaml
index a4c1a9553..a6dbab7d1 100644
--- a/charts/kubedb-webhook-server/templates/apiregistration.yaml
+++ b/charts/kubedb-webhook-server/templates/apiregistration.yaml
@@ -100,6 +100,23 @@ spec:
 caBundle: {{ $caCrt }}
 groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }}
 versionPriority: {{ .Values.apiserver.versionPriority }}
+---
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.validators.postgres.kubedb.com
+ labels:
+ app.kubernetes.io/component: kubedb-ops-manager
+ {{- include "kubedb-webhook-server.labels" . | nindent 4 }}
+spec:
+ group: validators.postgres.kubedb.com
+ version: v1alpha1
+ service:
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "kubedb-webhook-server.fullname" . }}
+ caBundle: {{ $caCrt }}
+ groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }}
+ versionPriority: {{ .Values.apiserver.versionPriority }}
 {{- end }}
 {{- if list "kubedb-webhook-server" "kubedb-autoscaler" | has .Values.server.repository }}
 ---
diff --git a/charts/kubedb-webhook-server/templates/cluster-role.yaml b/charts/kubedb-webhook-server/templates/cluster-role.yaml
index 15c3b3f1b..fa71721aa 100644
--- a/charts/kubedb-webhook-server/templates/cluster-role.yaml
+++ b/charts/kubedb-webhook-server/templates/cluster-role.yaml
@@ -42,6 +42,7 @@ rules:
 - kubedb.com
 - catalog.kubedb.com
 - ops.kubedb.com
+ - postgres.kubedb.com
 - autoscaling.kubedb.com
 - dashboard.kubedb.com
 - schema.kubedb.com
diff --git a/charts/kubedb-webhook-server/templates/ops-manager/validating-webhook.yaml b/charts/kubedb-webhook-server/templates/ops-manager/validating-webhook.yaml
index 89bd502e6..556c5a815 100644
--- a/charts/kubedb-webhook-server/templates/ops-manager/validating-webhook.yaml
+++ b/charts/kubedb-webhook-server/templates/ops-manager/validating-webhook.yaml
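Review bot: In the webhook-server cluster-role hunk, `postgres.kubedb.com` is appended to an `apiGroups` list whose `resources` and `verbs` lie outside the hunk, so the grant the webhook server actually receives on Publisher and Subscriber objects cannot be confirmed here; if that rule is the same `resources: ["*"]` / `verbs: ["*"]` shape the ops-manager chart uses for these groups, the admission server gets cluster-wide write access to objects it only needs to read while validating. Worth checking the verbs on that rule and, if they are `["*"]`, moving this group into its own read-only rule (`verbs: ["get", "list", "watch"]`) unless the server is known to mutate these objects. The enclosing rule starts before the hunk and its `resources`/`verbs` follow after it.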
@@ -71,5 +71,20 @@ webhooks:
 admissionReviewVersions: ["v1beta1"]
 failurePolicy: Fail
 sideEffects: None
+- name: publisherwebhook.validators.postgres.kubedb.com
+ clientConfig:
+ service:
+ namespace: default
+ name: kubernetes
+ path: /apis/validators.postgres.kubedb.com/v1alpha1/publisherwebhooks
+ caBundle: {{ $caCrt }}
+ rules:
+ - apiGroups: ["postgres.kubedb.com"]
+ apiVersions: ["*"]
+ resources: ["publishers"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ admissionReviewVersions: ["v1beta1"]
+ failurePolicy: Fail
+ sideEffects: None
 {{- end }}
 {{- end }}
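Review bot: Only `resources: ["publishers"]` is wired to a validator here, while the same commit grants finalizer rights on both `publishers/finalizers` and `subscribers/finalizers` and registers the whole `validators.postgres.kubedb.com` group, so Subscriber objects will be admitted with no validation at all. If the webhook server serves a subscriber validator, a parallel entry for `resources: ["subscribers"]` under its own path is needed; if subscribers are intentionally unvalidated, a comment above this entry saying so (e.g. `# subscribers are not validated by admission; see <reason>`) would stop the next reader from treating it as an omission. Separately, `admissionReviewVersions: ["v1beta1"]` matches the existing entries in this file, but `admission.k8s.io/v1beta1` has been deprecated since `v1` became available, so listing `["v1", "v1beta1"]` is safer provided the server handles v1 AdmissionReview; the fail-closed `failurePolicy: Fail` is the right choice and should stay. The `webhooks:` list this entry belongs to starts outside the hunk.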