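# This manifest contains the RBAC resources for the plugin-barman-cloud
# migration.
#
# IMPORTANT: This manifest should be applied with the namespace flag:
#   kubectl apply -f migration-rbac.yaml -n cnpg-system
#
# If you are using a different namespace, replace 'cnpg-system' with your
# namespace, both in the command above and in every `subjects[].namespace`
# field of the bindings at the end of this file. The `-n` flag only sets the
# namespace of the namespace-scoped resources (ServiceAccount, Role,
# RoleBinding), which carry no `metadata.namespace` here; it does not rewrite
# the binding subjects. If the subjects are left unchanged, the bindings grant
# their permissions to the ServiceAccount named plugin-barman-cloud in
# cnpg-system rather than to the one created in your namespace.
#
# The cluster-scoped resources (ClusterRole, ClusterRoleBinding) are created
# globally and reference the ServiceAccount through those subject entries.
#
---
# Identity that every binding in this manifest refers to.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: plugin-barman-cloud
  name: plugin-barman-cloud
---
# Namespace-scoped Role: full access to ConfigMaps and Leases plus event
# creation, limited to the namespace this manifest is applied to.
# NOTE(review): the name suggests these are the leader-election locks; the
# configmaps rule covers every ConfigMap in the namespace, not only a lock
# object. Confirm whether ConfigMap-based locking is still needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: plugin-barman-cloud
  name: barman-plugin-leader-election-role
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
# Allows creating TokenReview and SubjectAccessReview objects.
# NOTE(review): presumably used to authenticate and authorize callers of the
# metrics endpoint through the API server; confirm against the plugin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: barman-plugin-metrics-auth-role
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
---
# Read access to the /metrics non-resource URL. No binding for this role
# appears in this manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: barman-plugin-metrics-reader
rules:
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
# Read/write access to ObjectStore resources and read access to their status.
# No binding for this role appears in this manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: plugin-barman-cloud
  name: barman-plugin-objectstore-editor-role
rules:
- apiGroups:
  - barmancloud.cnpg.io
  resources:
  - objectstores
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - barmancloud.cnpg.io
  resources:
  - objectstores/status
  verbs:
  - get
---
# Read-only access to ObjectStore resources and their status.
# No binding for this role appears in this manifest.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: plugin-barman-cloud
  name: barman-plugin-objectstore-viewer-role
rules:
- apiGroups:
  - barmancloud.cnpg.io
  resources:
  - objectstores
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
  - get
  - list
  - watch
- apiGroups:
  - barmancloud.cnpg.io
  resources:
  - objectstores/status
  verbs:
  - get
---
# Main ClusterRole of the plugin. It is bound with a ClusterRoleBinding
# (plugin-barman-cloud-binding, below), so every rule here applies in all
# namespaces of the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: plugin-barman-cloud
rules:
# Cluster-wide read, create and delete on Secrets: the ServiceAccount token
# can read every Secret in the cluster. Treat the plugin's pod and token as
# highly privileged and audit their use accordingly.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - watch
- apiGroups:
  - barmancloud.cnpg.io
  resources:
  - objectstores
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - barmancloud.cnpg.io
  resources:
  - objectstores/finalizers
  verbs:
  - update
- apiGroups:
  - barmancloud.cnpg.io
  resources:
  - objectstores/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - backups
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - clusters/finalizers
  verbs:
  - update
# Create and modify Roles and RoleBindings in any namespace. Neither the
# `escalate` nor the `bind` verb is granted, so the API server's escalation
# check limits what can be granted to permissions this ServiceAccount already
# holds, which include the Secret access above.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
---
# Grants the leader-election Role to the ServiceAccount. The subject namespace
# is hard-coded; change it when applying to a namespace other than cnpg-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: plugin-barman-cloud
  name: barman-plugin-leader-election-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: barman-plugin-leader-election-role
subjects:
- kind: ServiceAccount
  name: plugin-barman-cloud
  namespace: cnpg-system
---
# Grants the metrics-auth ClusterRole to the ServiceAccount. The subject
# namespace is hard-coded; change it when applying to a namespace other than
# cnpg-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: barman-plugin-metrics-auth-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: barman-plugin-metrics-auth-role
subjects:
- kind: ServiceAccount
  name: plugin-barman-cloud
  namespace: cnpg-system
---
# Grants the main plugin ClusterRole cluster-wide to the ServiceAccount. The
# subject namespace is hard-coded; change it when applying to a namespace other
# than cnpg-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: plugin-barman-cloud
  name: plugin-barman-cloud-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: plugin-barman-cloud
subjects:
- kind: ServiceAccount
  name: plugin-barman-cloud
  namespace: cnpg-system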