Replace ClusterRole with Role only for posthog namespace

If the clickhouse-operator is only deployed into a single namespace, it only needs access to this namespace and not the whole cluster.
PostHog · Nov 18, 2022 · d36a778 · d36a778
1 parent 5a61f35
commit d36a778
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 20 deletions.
diff --git a/...ates/clickhouse-operator/clusterrole.yaml → ...g/templates/clickhouse-operator/role.yaml b/...ates/clickhouse-operator/clusterrole.yaml → ...g/templates/clickhouse-operator/role.yaml
@@ -3,13 +3,13 @@
 #
 # NAMESPACE={{ .Values.clickhouse.namespace | default .Release.Namespace }}
 # COMMENT=#
-# ROLE_KIND=ClusterRole
+# ROLE_KIND=Role
 # ROLE_NAME=clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
-# ROLE_BINDING_KIND=ClusterRoleBinding
+# ROLE_BINDING_KIND=RoleBinding
 # ROLE_BINDING_NAME=clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
 #
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
   namespace: {{ .Values.clickhouse.namespace | default .Release.Namespace }}

diff --git a/...ickhouse-operator/clusterrolebinding.yaml → ...ates/clickhouse-operator/rolebinding.yaml b/...ickhouse-operator/clusterrolebinding.yaml → ...ates/clickhouse-operator/rolebinding.yaml
@@ -1,16 +1,15 @@
 {{- if .Values.clickhouse.enabled }}
-# Setup ClusterRoleBinding between ClusterRole and ServiceAccount.
-# ClusterRoleBinding is namespace-less and must have unique name
+# Setup RoleBinding between Role and ServiceAccount.
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
   namespace: {{ .Values.clickhouse.namespace | default .Release.Namespace }}
   labels:
     clickhouse.altinity.com/chop: 0.18.4
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: clickhouse-operator-{{ .Values.clickhouse.namespace | default .Release.Namespace }}
 subjects:
 - kind: ServiceAccount

diff --git a/...erator/__snapshot__/clusterrole.yaml.snap → ...ouse-operator/__snapshot__/role.yaml.snap b/...erator/__snapshot__/clusterrole.yaml.snap → ...ouse-operator/__snapshot__/role.yaml.snap
@@ -1,7 +1,7 @@
 the manifest should match the snapshot when using default values:
   1: |
     apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole
+    kind: Role
     metadata:
       labels:
         clickhouse.altinity.com/chop: 0.18.4

diff --git a/...__snapshot__/clusterrolebinding.yaml.snap → ...erator/__snapshot__/rolebinding.yaml.snap b/...__snapshot__/clusterrolebinding.yaml.snap → ...erator/__snapshot__/rolebinding.yaml.snap
@@ -1,15 +1,15 @@
 the manifest should match the snapshot when using default values:
   1: |
     apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRoleBinding
+    kind: RoleBinding
     metadata:
       labels:
         clickhouse.altinity.com/chop: 0.18.4
       name: clickhouse-operator-NAMESPACE
       namespace: NAMESPACE
     roleRef:
       apiGroup: rbac.authorization.k8s.io
-      kind: ClusterRole
+      kind: Role
       name: clickhouse-operator-NAMESPACE
     subjects:
     - kind: ServiceAccount

diff --git a/...ests/clickhouse-operator/clusterrole.yaml → ...sthog/tests/clickhouse-operator/role.yaml b/...ests/clickhouse-operator/clusterrole.yaml → ...sthog/tests/clickhouse-operator/role.yaml
@@ -1,6 +1,6 @@
-suite: ClickHouse cluster role definition
+suite: ClickHouse role definition
 templates:
-  - templates/clickhouse-operator/clusterrole.yaml
+  - templates/clickhouse-operator/role.yaml
 
 tests:
   - it: should be empty if clickhouse.enabled is set to false
@@ -16,7 +16,7 @@ tests:
           count: 1
       - matchSnapshot: {}
 
-  - it: ClusterRole/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work
+  - it: Role/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work
     set:
       clickhouse.namespace: "custom-namespace"
     documentIndex: 0
@@ -27,7 +27,7 @@ tests:
           path: metadata.namespace
           value: custom-namespace
 
-  - it: ClusterRole/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work
+  - it: Role/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work
     release:
       namespace: custom-namespace-from-release
     documentIndex: 0

diff --git a/...ickhouse-operator/clusterrolebinding.yaml → ...ests/clickhouse-operator/rolebinding.yaml b/...ickhouse-operator/clusterrolebinding.yaml → ...ests/clickhouse-operator/rolebinding.yaml
@@ -1,6 +1,6 @@
-suite: ClickHouse cluster role binding definition
+suite: ClickHouse role binding definition
 templates:
-  - templates/clickhouse-operator/clusterrolebinding.yaml
+  - templates/clickhouse-operator/rolebinding.yaml
 
 tests:
   - it: should be empty if clickhouse.enabled is set to false
@@ -16,7 +16,7 @@ tests:
           count: 1
       - matchSnapshot: {}
 
-  - it: ClusterRoleBinding/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work
+  - it: RoleBinding/clickhouse-operator-posthog metadata.namespace override via clickhouse.namespace should work
     set:
       clickhouse.namespace: "custom-namespace"
     documentIndex: 0
@@ -27,7 +27,7 @@ tests:
           path: metadata.namespace
           value: custom-namespace
 
-  - it: ClusterRoleBinding/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work
+  - it: RoleBinding/clickhouse-operator-posthog metadata.namespace override via Release.Namespace should work
     release:
       namespace: custom-namespace-from-release
     documentIndex: 0
@@ -38,7 +38,7 @@ tests:
           path: metadata.namespace
           value: custom-namespace-from-release
 
-  - it: ClusterRoleBinding/clickhouse-operator-posthog subjects[0].namespace override via clickhouse.namespace should work
+  - it: RoleBinding/clickhouse-operator-posthog subjects[0].namespace override via clickhouse.namespace should work
     set:
       clickhouse.namespace: "custom-namespace"
     documentIndex: 0
@@ -49,7 +49,7 @@ tests:
           path: subjects[0].namespace
           value: custom-namespace
 
-  - it: ClusterRoleBinding/clickhouse-operator-posthog subjects[0].namespace override via Release.Namespace should work
+  - it: RoleBinding/clickhouse-operator-posthog subjects[0].namespace override via Release.Namespace should work
     release:
       namespace: custom-namespace-from-release
     documentIndex: 0