fix: helm rbac template (#4727)

deploy/clickhouse-cluster/Chart.yaml

@@ -8,6 +8,12 @@ version: 0.6.0-alpha.33
 
 appVersion: 22.9.4
 
+dependencies:
+  - name: kblib
+    version: 0.1.0
+    repository: file://../kblib
+    alias: extra
+
 
 home: https://clickhouse.com/
 icon: https://bitnami.com/assets/stacks/clickhouse/img/clickhouse-stack-220x234.png

deploy/clickhouse-cluster/templates/rbac.yaml

@@ -0,0 +1 @@
+{{- include "kblib.rbac" . }}

deploy/etcd-cluster/Chart.yaml

@@ -22,6 +22,11 @@ version: 0.1.0
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "v3.5.6"
+dependencies:
+  - name: kblib
+    version: 0.1.0
+    repository: file://../kblib
+    alias: extra
 
 home: https://etcd.io/
 icon: https://bitnami.com/assets/stacks/etcd/img/etcd-stack-220x234.png

deploy/etcd-cluster/templates/rbac.yaml

@@ -0,0 +1 @@
+{{- include "kblib.rbac" . }}

deploy/kblib/templates/_rbac.tpl

@@ -23,6 +23,13 @@ Define the rolebinding name
 {{- printf "kb-%s" (include "kblib.clusterName" .) }}
 {{- end }}
 
+{{/*
+Define the clusterrolebinding name
+*/}}
+{{- define "kblib.clusterRoleBindingName" -}}
+{{- printf "kb-%s" (include "kblib.clusterName" .) }}
+{{- end }}
+
 {{/*
 Define the service account
 */}}
@@ -37,39 +44,39 @@ metadata:
 {{- end }}
 
 {{/*
-Define the role
+Define the rolebinding
 */}}
-{{- define "kblib.role" }}
+{{- define "kblib.roleBinding" }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: RoleBinding
 metadata:
-  name: {{ include "kblib.roleName" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "kblib.roleBindingName" . }}
   labels:
     {{- include "kblib.clusterLabels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubeblocks-cluster-pod-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kblib.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
 {{- end }}
 
 {{/*
 Define the rolebinding
 */}}
-{{- define "kblib.roleBinding" }}
+{{- define "kblib.clusterRoleBinding" }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: {{ include "kblib.roleBindingName" . }}
   labels:
     {{- include "kblib.clusterLabels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ include "kblib.roleName" . }}
+  kind: ClusterRole
+  name: kubeblocks-volume-protection-pod-role
 subjects:
   - kind: ServiceAccount
     name: {{ include "kblib.serviceAccountName" . }}
@@ -84,7 +91,7 @@ Define the whole rbac
 ---
 {{- include "kblib.serviceAccount" . }}
 ---
-{{- include "kblib.role" . }}
+{{- include "kblib.clusterRoleBinding" . }}
 ---
 {{- include "kblib.roleBinding" . }}
 {{- else }}

deploy/postgresql-cluster/templates/rbac.yaml

@@ -1,55 +1 @@
-{{- if .Values.extra.rbacEnabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "kblib.roleName" . }}
-  labels:
-    {{- include "kblib.clusterLabels" . | nindent 4 }}
-rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - create
-      - get
-      - list
-      - patch
-      - update
-      - watch
-      # delete is required only for 'patronictl remove'
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-    verbs:
-      - get
-      - patch
-      - update
-      - create
-      - list
-      - watch
-      # delete is required only for 'patronictl remove'
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
----
-{{- include "kblib.serviceAccount" . }}
----
-{{- include "kblib.roleBinding" . }}
-{{- end }}
+{{- include "kblib.rbac" . }}