[bitnami/rabbitmq-cluster-operator] Add aggregate cluster roles #24563 (#24563)

Signed-off-by: Yuriy Ostapenko <yuriy@ostapenko.dev>
2026-03-01 06:58:20 +08:00 · 2024-03-21 12:33:41 +01:00
parent 10584d1140
commit 96cdf9923a
3 changed files with 76 additions and 1 deletions
--- a/bitnami/rabbitmq-cluster-operator/Chart.yaml
+++ b/bitnami/rabbitmq-cluster-operator/Chart.yaml
@@ -37,4 +37,4 @@ maintainers:
 name: rabbitmq-cluster-operator
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq-cluster-operator
-version: 4.0.0
+version: 4.1.0
--- a/bitnami/rabbitmq-cluster-operator/templates/cluster-operator/aggregate-cluster-roles.yaml
+++ b/bitnami/rabbitmq-cluster-operator/templates/cluster-operator/aggregate-cluster-roles.yaml
@@ -0,0 +1,31 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.clusterOperator.rbac.create -}}
+{{- $readonlyVerbs := list "get" "list" "watch" }}
+{{- $allVerbs := list "create" "delete" "deletecollection" "get" "list" "patch" "update" "watch" }}
+{{- $roles := dict "view" $readonlyVerbs "edit" $allVerbs "admin" $allVerbs }}
+{{- range $role, $verbs := $roles -}}
+---
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" $ }}
+kind: ClusterRole
+metadata:
+  name: {{ template "common.names.fullname.namespace" $ }}-{{ $role }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: rabbitmq-operator
+    app.kubernetes.io/part-of: rabbitmq
+    rbac.authorization.k8s.io/aggregate-to-{{ $role }}: "true"
+  {{- if $.Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - rabbitmq.com
+    resources:
+      - rabbitmqclusters
+      - rabbitmqclusters/finalizers
+    verbs: {{ $verbs | toYaml | nindent 6 }}
+{{ end }}
+{{- end }}
--- a/bitnami/rabbitmq-cluster-operator/templates/messaging-topology-operator/aggregate-cluster-roles.yaml
+++ b/bitnami/rabbitmq-cluster-operator/templates/messaging-topology-operator/aggregate-cluster-roles.yaml
@@ -0,0 +1,44 @@
+{{- /*
+Copyright VMware, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.msgTopologyOperator.enabled .Values.msgTopologyOperator.rbac.create -}}
+{{- $readonlyVerbs := list "get" "list" "watch" }}
+{{- $allVerbs := list "create" "delete" "deletecollection" "get" "list" "patch" "update" "watch" }}
+{{- $roles := dict "view" $readonlyVerbs "edit" $allVerbs "admin" $allVerbs }}
+{{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.msgTopologyOperator.image "chart" .Chart ) ) }}
+{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+{{- range $role, $verbs := $roles -}}
+---
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" $ }}
+kind: ClusterRole
+metadata:
+  name: {{ template "rmqco.msgTopologyOperator.fullname.namespace" $ }}-{{ $role }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: messaging-topology-operator
+    app.kubernetes.io/part-of: rabbitmq
+    rbac.authorization.k8s.io/aggregate-to-{{ $role }}: "true"
+  {{- if $.Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - rabbitmq.com
+    resources:
+      - bindings
+      - exchanges
+      - federations
+      - operatorpolicies
+      - permissions
+      - policies
+      - queues
+      - schemareplications
+      - shovels
+      - superstreams
+      - topicpermissions
+      - users
+      - vhosts
+    verbs: {{ $verbs | toYaml | nindent 6 }}
+{{ end }}
+{{- end -}}