2024-02-09 14:36:54 +00:00
|
|
|
{{ if not .Values.yugaware.serviceAccount }}
|
2022-11-03 19:29:11 +00:00
|
|
|
apiVersion: v1
|
|
|
|
|
kind: ServiceAccount
|
|
|
|
|
metadata:
|
|
|
|
|
name: {{ .Release.Name }}
|
|
|
|
|
labels:
|
|
|
|
|
k8s-app: yugaware
|
|
|
|
|
kubernetes.io/cluster-service: "true"
|
|
|
|
|
addonmanager.kubernetes.io/mode: Reconcile
|
|
|
|
|
{{- if .Values.yugaware.serviceAccountAnnotations }}
|
|
|
|
|
annotations:
|
|
|
|
|
{{ toYaml .Values.yugaware.serviceAccountAnnotations | indent 4 }}
|
|
|
|
|
{{- end }}
|
2024-02-09 14:36:54 +00:00
|
|
|
{{ end }}
|
2022-11-03 19:29:11 +00:00
|
|
|
{{- if .Values.rbac.create }}
|
|
|
|
|
{{- if .Values.ocpCompatibility.enabled }}
|
|
|
|
|
---
|
|
|
|
|
kind: ClusterRoleBinding
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
|
metadata:
|
|
|
|
|
name: {{ .Release.Name }}-cluster-monitoring-view
|
|
|
|
|
labels:
|
|
|
|
|
app: yugaware
|
|
|
|
|
subjects:
|
|
|
|
|
- kind: ServiceAccount
|
2024-02-09 14:36:54 +00:00
|
|
|
name: {{ .Values.yugaware.serviceAccount | default .Release.Name }}
|
2022-11-03 19:29:11 +00:00
|
|
|
namespace: {{ .Release.Namespace }}
|
|
|
|
|
roleRef:
|
|
|
|
|
kind: ClusterRole
|
|
|
|
|
name: cluster-monitoring-view
|
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
|
{{- else }}
|
|
|
|
|
---
|
2024-01-23 16:25:05 +00:00
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
2024-02-09 14:36:54 +00:00
|
|
|
kind: ClusterRole
|
2022-11-03 19:29:11 +00:00
|
|
|
metadata:
|
|
|
|
|
name: {{ .Release.Name }}
|
|
|
|
|
rules:
|
2024-02-09 14:36:54 +00:00
|
|
|
# Set of permissions required for operator
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- operator.yugabyte.io
|
|
|
|
|
resources:
|
|
|
|
|
- "*"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
- "create"
|
|
|
|
|
- "delete"
|
|
|
|
|
- "patch"
|
|
|
|
|
- "list"
|
|
|
|
|
- "watch"
|
|
|
|
|
- "update"
|
|
|
|
|
# Set of permissions required to install, upgrade, delete the yugabyte chart
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- "policy"
|
|
|
|
|
resources:
|
|
|
|
|
- "poddisruptionbudgets"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
- "create"
|
|
|
|
|
- "delete"
|
|
|
|
|
- "patch"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "services"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
- "delete"
|
|
|
|
|
- "create"
|
|
|
|
|
- "patch"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- "apps"
|
|
|
|
|
resources:
|
|
|
|
|
- "statefulsets"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
- "list"
|
|
|
|
|
- "delete"
|
|
|
|
|
- "create"
|
|
|
|
|
- "patch"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "secrets"
|
|
|
|
|
verbs:
|
|
|
|
|
- "create"
|
|
|
|
|
- "list"
|
|
|
|
|
- "get"
|
|
|
|
|
- "delete"
|
|
|
|
|
- "update"
|
|
|
|
|
- "patch"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- "cert-manager.io"
|
|
|
|
|
resources:
|
|
|
|
|
- "certificates"
|
|
|
|
|
verbs:
|
|
|
|
|
- "create"
|
|
|
|
|
- "delete"
|
|
|
|
|
- "get"
|
|
|
|
|
- "patch"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "configmaps"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
- "create"
|
|
|
|
|
- "patch"
|
|
|
|
|
- "delete"
|
|
|
|
|
# Set of permissions required by YBA to manage YB DB universes
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "namespaces"
|
|
|
|
|
verbs:
|
|
|
|
|
- "delete"
|
|
|
|
|
- "create"
|
|
|
|
|
- "patch"
|
|
|
|
|
- "get"
|
|
|
|
|
- "list"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "pods"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
- "list"
|
|
|
|
|
- "delete"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "services"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
- "list"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "persistentvolumeclaims"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
- "patch"
|
|
|
|
|
- "list"
|
|
|
|
|
- "delete"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "pods/exec"
|
|
|
|
|
verbs:
|
|
|
|
|
- "create"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- "apps"
|
|
|
|
|
resources:
|
|
|
|
|
- "statefulsets/scale"
|
|
|
|
|
verbs:
|
|
|
|
|
- "patch"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "events"
|
|
|
|
|
verbs:
|
|
|
|
|
- "list"
|
|
|
|
|
# required to scrape resource metrics like CPU, memory, etc.
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "nodes"
|
|
|
|
|
verbs:
|
|
|
|
|
- "list"
|
|
|
|
|
- "get"
|
|
|
|
|
- "watch"
|
|
|
|
|
# required to scrape resource metrics like CPU, memory, etc.
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "nodes/proxy"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
# Ref: https://github.com/yugabyte/charts/commit/4a5319972385666487a7bc2cd0c35052f2cfa4c5
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "events"
|
|
|
|
|
verbs:
|
|
|
|
|
- "get"
|
|
|
|
|
- "list"
|
|
|
|
|
- "watch"
|
|
|
|
|
- "create"
|
|
|
|
|
- "update"
|
|
|
|
|
- "patch"
|
|
|
|
|
- "delete"
|
|
|
|
|
- apiGroups:
|
|
|
|
|
- ""
|
|
|
|
|
resources:
|
|
|
|
|
- "configmaps"
|
|
|
|
|
verbs:
|
|
|
|
|
- "list"
|
|
|
|
|
- "watch"
|
|
|
|
|
- "update"
|
2022-11-03 19:29:11 +00:00
|
|
|
---
|
|
|
|
|
kind: ClusterRoleBinding
|
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
|
|
|
metadata:
|
|
|
|
|
name: {{ .Release.Name }}
|
|
|
|
|
labels:
|
|
|
|
|
k8s-app: yugaware
|
|
|
|
|
kubernetes.io/cluster-service: "true"
|
|
|
|
|
addonmanager.kubernetes.io/mode: Reconcile
|
|
|
|
|
subjects:
|
|
|
|
|
- kind: ServiceAccount
|
2024-02-09 14:36:54 +00:00
|
|
|
name: {{ .Values.yugaware.serviceAccount | default .Release.Name }}
|
2022-11-03 19:29:11 +00:00
|
|
|
namespace: {{ .Release.Namespace }}
|
|
|
|
|
roleRef:
|
|
|
|
|
kind: ClusterRole
|
|
|
|
|
name: {{ .Release.Name }}
|
|
|
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|
|
|
{{- end }}
|
|
|
|
|
{{- end }}
|
