feat: prepare GhostCMS
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Peter 2023-10-31 19:14:58 +01:00
parent a31774336f
commit c592010f90
No known key found for this signature in database
28 changed files with 17256 additions and 2 deletions

View file

@ -3,6 +3,9 @@ kind: pipeline
type: docker type: docker
name: default name: default
platform:
arch: arm64
steps: steps:
- name: keydb - name: keydb
image: quay.io/buildah/stable image: quay.io/buildah/stable
@ -24,4 +27,96 @@ steps:
from_secret: gitea_token from_secret: gitea_token
IMAGE_REGISTRY: code.icb4dc0.de IMAGE_REGISTRY: code.icb4dc0.de
IMAGE_REPO: prskr/infrastructure/keydb IMAGE_REPO: prskr/infrastructure/keydb
IMAGE_TAG: v6.3.3 IMAGE_TAG: v6.3.3
---
kind: pipeline
type: docker
name: arm64
platform:
arch: arm64
steps:
- name: manifest
image: quay.io/buildah/stable
network_mode: host
privileged: true
commands:
- |
buildah login "$${IMAGE_REGISTRY}" --username "$${GITEA_USER}" --password "$${GITEA_TOKEN}"
buildah bud \
--tag "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}" \
--arch $${IMAGE_ARCH} \
apps/ghostcms
buildah push "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}"
environment:
GITEA_USER: prskr
GITEA_TOKEN:
from_secret: gitea_token
IMAGE_REGISTRY: code.icb4dc0.de
IMAGE_REPO: prskr/ghostcms
IMAGE_TAG: 5.71.0-alpine_arm64
IMAGE_ARCH: arm64
---
kind: pipeline
type: docker
name: amd64
platform:
arch: amd64
steps:
- name: manifest
image: quay.io/buildah/stable
network_mode: host
privileged: true
commands:
- |
buildah login "$${IMAGE_REGISTRY}" --username "$${GITEA_USER}" --password "$${GITEA_TOKEN}"
buildah bud \
--tag "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}" \
--arch $${IMAGE_ARCH} \
apps/ghostcms
buildah push "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}"
environment:
GITEA_USER: prskr
GITEA_TOKEN:
from_secret: gitea_token
IMAGE_REGISTRY: code.icb4dc0.de
IMAGE_REPO: prskr/ghostcms
IMAGE_TAG: 5.71.0-alpine_amd64
IMAGE_ARCH: amd64
---
kind: pipeline
type: docker
name: manifest
platform:
arch: arm64
depends_on:
- amd64
- arm64
steps:
- name: manifest
image: quay.io/buildah/stable
network_mode: host
privileged: true
commands:
- |
buildah login "$${IMAGE_REGISTRY}" --username "$${GITEA_USER}" --password "$${GITEA_TOKEN}"
buildah manifest create "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}"
buildah pull --arch amd64 "docker://$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}_amd64"
buildah pull --arch arm64 "docker://$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}_arm64"
buildah manifest add "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}" "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}_amd64"
buildah manifest add "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}" "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}_arm64"
buildah manifest push --all "$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${DRONE_COMMIT_SHA}" "docker://$${IMAGE_REGISTRY}/$${IMAGE_REPO}:$${IMAGE_TAG}"
environment:
GITEA_USER: prskr
GITEA_TOKEN:
from_secret: gitea_token
IMAGE_REGISTRY: code.icb4dc0.de
IMAGE_REPO: prskr/ghostcms
IMAGE_TAG: 5.71.0-alpine

View file

@ -8,7 +8,6 @@ service:
ingress: ingress:
enabled: true enabled: true
apiVersion: networking.k8s.io/v1
annotations: annotations:
gethomepage.dev/description: where to code goes to gethomepage.dev/description: where to code goes to
gethomepage.dev/enabled: "true" gethomepage.dev/enabled: "true"

View file

@ -14,6 +14,9 @@ helmCharts:
namespace: forgejo namespace: forgejo
version: "0.13.0" version: "0.13.0"
valuesFile: config/values.forgejo.yaml valuesFile: config/values.forgejo.yaml
skipTests: true
apiVersions:
- "networking.k8s.io/v1/Ingress"
generators: generators:
- ./secret-generator.yaml - ./secret-generator.yaml

1
apps/ghostcms/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
charts/

11
apps/ghostcms/Dockerfile Normal file
View file

@ -0,0 +1,11 @@
ARG GHOST_IMAGE_TAG=5.71.0-alpine
FROM docker.io/node:18-alpine AS s3-storage-adapter
WORKDIR /s3
RUN npm install ghos3
FROM docker.io/ghost:${GHOST_IMAGE_TAG}
COPY --from=s3-storage-adapter /s3/node_modules/ghos3/* ./content/adapters/storage/s3

View file

@ -0,0 +1,15 @@
database__client=mysql
database__connection__host=ghostcms-db
database__connection__database=ghostcms
server__host=0.0.0.0
server__port=2368
storage__active=s3
storage__media__adapter=s3
storage__files__adapter=s3
storage__s3__region=us-east-1
storage__s3__bucket=ghostcms
storage__s3__endpoint=minio.minio.svc.cluster.local:9000
storage__s3__forcePathStyle=true
cache__imageSizes__adapter=Redis
cache__Redis__host=ghostcms-keydb.ghostcms.svc
cache__Redis__port=6379

View file

@ -0,0 +1,33 @@
imageRepository: code.icb4dc0.de/prskr/infrastructure/keydb
imageTag: v6.3.3
nodes: 3
podDisruptionBudget:
enabled: true
persistentVolume:
enabled: false
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 250m
memory: 256Mi
exporter:
enabled: true
imageTag: v1.51.0
resources:
requests:
cpu: 50m
memory: 50Mi
limits:
cpu: 150m
memory: 100Mi
serviceMonitor:
enabled: true
labels:
prometheus: default

View file

@ -0,0 +1,36 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: ghostcms
images:
- name: ghostcms
newName: code.icb4dc0.de/prskr/ghostcms
newTag: 5.71.0-alpine
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
resources:
- resources/namespace.yaml
- resources/db.yaml
- resources/deployment.yaml
- resources/service.yaml
- resources/ingress.yaml
generators:
- ./secret-generator.yaml
secretGenerator:
- name: ghostcms-base-config
envs:
- "config/base.env"
helmCharts:
- name: keydb
repo: https://enapter.github.io/charts/
releaseName: ghostcms-keydb
namespace: ghostcms
version: "0.48.0"
valuesFile: config/values.keydb.yaml

View file

@ -0,0 +1,39 @@
apiVersion: v1
kind: Secret
metadata:
name: ghostcms-secret-config
type: Opaque
stringData:
database__connection__user: ENC[AES256_GCM,data:RB9Ne7UwdiE=,iv:i+qC2xTv2I6iQfJnzui1V+M3YOCu7OD9qmtY6G1pp3A=,tag:PPe9wMGHeM7fItM+GJhchA==,type:str]
database__connection__password: ENC[AES256_GCM,data:EH5AnurBZlQPpybbS+mbFgMQk2H6GXrXlw2nDDChoaU=,iv:wShvZE2GEUG4OVBoSydE9MbFPO9T70QG4H65lf4itWw=,tag:J7fKtAVGWEYvXDWfC7ZNIQ==,type:str]
adapters__storage__s3__accessKeyId: ENC[AES256_GCM,data:zRnYiP0OGRJhYYuYGwjwgw==,iv:3S53/I21EW+ONOdU5lriqcnwEfCa74GK2NVwbOfnUlg=,tag:+Aljr4KLvC0/38LmYbSfpw==,type:str]
adapters__storage__s3__secretAccessKey: ENC[AES256_GCM,data:lK3nL/2VwcA1znIol0mtZOdbTEXoplnh7kb30xj8A/hLUVeWhDXf5EqGXlI5tsBHme2i51KjDTzk+taFEZkb,iv:0nwuVhcoW+7HB9EreZ6jlpzXkxYSAMNbX4wUAHzH0yU=,tag:frst/SlL3sgmM+wRAgQBJQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRkFMcWRyNE9tMU5NVkVs
UmNsSFVDN3k4SDJxK2tva1Rza2xuR2ExcUhVCndua28xNUZBaVlGeTJ0TG0xMlpo
cTB5ZTBkMzZ4NW03T1ZacmVGRnZMUXMKLS0tIEYyVGdMZlVCTHREdnBOR3h3NU4x
UzBWYXdMS3RadXpEQmN6cVBBUUpHWkUKugUfHbVc5+0597P5r8k8bAIcXHx2BfFe
DVdOoxLasWTXvz1GWTFuzvin3Z42GB9zCnjfzkEnwXbATwQy26MhaQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndE9JcHB5NWtBRDZLYTQ4
QXhJRG93bEtXYUlmRWhKWC93Mng2YUtDN2ljCmE3RklOdTN2dE42Q0RSc0djSXpX
UzBkdXRPVHJ2YUFDR0REeSt5YS9NNEUKLS0tIGJGR0pBWUp3Vm5tMVNneUtaQ1NB
UnE2NTVSSUp1OEVFVDd5bHJYOEZpaVkKqmw9GLZavqaPQOJjGhLqXo4ggfmFDgXz
C9HNxeDVr2kY452gleVS/YFTPWo0QPevl0SjpZg2gvnz28qLDSNXYQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-31T17:51:51Z"
mac: ENC[AES256_GCM,data:MMIdx3HIiclIbWDpMkxNiC9cGpzZysYtqZCObA8jBB39GdokRbIFaNS1JQuZ/6u3KyTj2X15HDvgphUWzjTIgl1nYvEumEj6ZyI82VqKP59BBOQ3jCz3rTvLqcqkI+HHd6CUzHehElS11xFZ1VV8CmcGrzhNtoGfIcpFr/7W0/E=,iv:HySrtTaz23uYOOOEnEDY34AGxFYyFRQ92xaD4kCQxe8=,tag:VqBbHcQIxJZRig+Krl3EFg==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

View file

@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: ghostcms-db-creds
type: Opaque
stringData:
root-password: ENC[AES256_GCM,data:tCCuYiHneNQMbWk9JYBOQT0fq+M3yjSJpg5MeMVl7Bw=,iv:EAX8seGBIUtaG2/S5SDUKYBkY57g4UKJdMFjCTBBZIs=,tag:giYe8hiyk8dSbcNT9fHJhQ==,type:str]
password: ENC[AES256_GCM,data:ae7q5C9RyPZJEpMSYc11Rdx0fgyxZSdW0QPrrhd4EXU=,iv:PZd/tVfoh3xetvov/BVdRPeev2MKRG+6uVLmi1YkHRA=,tag:H2fe2T0TWLV93yhcNheYhg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFREpwa1VjOHZOa1Rmc3M3
R001d0cxZjNYMUNLeGdxODlmMWI2bVVJd0RBCmxuOVl2cGg1dHpHU2tSMDJGSVpQ
TU5udWpEdjZZQVR5RnE3djFxZWcyRHMKLS0tICtCK1k5V0JTVy9PamViL3BtYTZk
WEo0RU5seTZvR2E2ZnhwdTNwUGF4K00KHItzwS/FL1N3iB5880SqBCAzogk2mvJo
frkb2ysHPA3e6mC/iYEJwENYTjHqi4tfkwYQmYErAFnNeD28690q1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaHJPb1FORk5NL2Q3Y2Fx
S3FzQjBmUmNTdVRiYkJqOE94THB6Q0ZwU3pzCmtLT0ZsZ2NEQVVVSy9IMFEyTnNN
QUVCQ1IxQjYvVGV5U1lHcUJveHk5ZU0KLS0tIFo5eWZIUzFma3BYWnlaZ08xVFkv
Y2YwMThRcUlTSVJmSDArbzdudGs3a1UKqfdWZlKDD3qsYAAKYts51XS41a52O5w1
Rivz1sRaMg7deBAMcERU9ACH7NmatWSTvehkKBWpGdkQuiGIcMCEBA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-31T14:40:10Z"
mac: ENC[AES256_GCM,data:mK71CK+Cp/BbobMrCr5nHpb/bdXQLFB1mxhq1vzw8FZqGQzvYQ2X5pQFeJe8Z3jOYBaR+EUIETdWnBqp7kpaci0QLYw7DnrANpAPmQxczyvITh2m1RNgkHiQxkzF7ywmmdQjr8jrm79p7viy488HLgyrCuiB5zcSW6Cu1D3RT+Y=,iv:Hsafop14fyk3cKpI9TJKHwBjVDR7v92vcHB72Qf14Nw=,tag:eM2QkUKJVN9h27ccw3Zt1w==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1

View file

@ -0,0 +1,51 @@
---
apiVersion: mariadb.mmontes.io/v1alpha1
kind: MariaDB
metadata:
name: ghostcms-db
spec:
rootPasswordSecretKeyRef:
name: ghostcms-db-creds
key: root-password
image: mariadb:11.1.2
port: 3306
database: ghostcms
username: ghostcms
passwordSecretKeyRef:
name: ghostcms-db-creds
key: password
volumeClaimTemplate:
storageClassName: hcloud-volumes
resources:
requests:
storage: 10Gi
accessModes:
- ReadWriteOnce
securityContext:
allowPrivilegeEscalation: false
livenessProbe:
exec:
command:
- bash
- -c
- mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;"
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 5
readinessProbe:
exec:
command:
- bash
- -c
- mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;"
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 5

View file

@ -0,0 +1,41 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ghostcms
spec:
selector:
matchLabels:
app.kubernetes.io/name: ghostcms
template:
metadata:
labels:
app.kubernetes.io/name: ghostcms
spec:
containers:
- name: ghostcms
image: ghostcms
ports:
- containerPort: 2368
env:
- name: NODE_ENV
value: production
envFrom:
- secretRef:
name: ghostcms-base-config
- secretRef:
name: ghostcms-secret-config
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
privileged: false
runAsUser: 1000
runAsGroup: 1000
resources:
limits:
memory: "384Mi"
cpu: "100m"

View file

@ -0,0 +1,23 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ghostcms
annotations:
gethomepage.dev/description: GhostCMS blog
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: ghost.png
gethomepage.dev/name: GhostCMS
spec:
rules:
- host: blog.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: ghostcms
port:
number: 2368

View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ghostcms
labels:
prometheus: default

View file

@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Service
metadata:
name: ghostcms
spec:
selector:
app.kubernetes.io/name: ghostcms
ports:
- protocol: TCP
port: 2368
targetPort: 2368

View file

@ -0,0 +1,12 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: ghostcms-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/db-cred.enc.yaml
- ./resources/creds.enc.yaml

1
apps/mariadb-operator/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
charts/

View file

@ -0,0 +1,2 @@
metrics:
enabled: true

View file

@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: mariadb-system
resources:
- resources/namespace.yaml
helmCharts:
- name: mariadb-operator
releaseName: mariadb-operator
repo: https://mariadb-operator.github.io/mariadb-operator
namespace: mariadb-system
version: "0.22.0"
valuesFile: config/mariadb-operator.values.yaml
includeCRDs: true
skipTests: true

View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: mariadb-system
labels:
prometheus: default

View file

@ -0,0 +1,26 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: postgres-system
labels:
- includeTemplates: true
pairs:
app.kubernetes.io/name: pgo
# The version below should match the version on the PostgresCluster CRD
app.kubernetes.io/version: 5.4.3
postgres-operator.crunchydata.com/control-plane: postgres-operator
images:
- name: postgres-operator
newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
newTag: ubi8-5.4.3-0
resources:
- resources/namespace.yaml
- resources/crd/postgresclusters.yaml
- resources/crd/pgupgrades.yaml
- resources/rbac/service_account.yaml
- resources/rbac/role.yaml
- resources/rbac/role_binding.yaml
- resources/manager.yaml

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,62 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pgo
labels:
postgres-operator.crunchydata.com/control-plane: postgres-operator
spec:
replicas: 1
strategy: { type: Recreate }
selector:
matchLabels:
postgres-operator.crunchydata.com/control-plane: postgres-operator
template:
metadata:
labels:
postgres-operator.crunchydata.com/control-plane: postgres-operator
spec:
containers:
- name: operator
image: postgres-operator
env:
- name: PGO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CRUNCHY_DEBUG
value: "true"
- name: RELATED_IMAGE_POSTGRES_14
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.9-1"
- name: RELATED_IMAGE_POSTGRES_14_GIS_3.1
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.9-3.1-1"
- name: RELATED_IMAGE_POSTGRES_14_GIS_3.2
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.9-3.2-1"
- name: RELATED_IMAGE_POSTGRES_14_GIS_3.3
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.9-3.3-1"
- name: RELATED_IMAGE_POSTGRES_15
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.4-1"
- name: RELATED_IMAGE_POSTGRES_15_GIS_3.3
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-15.4-3.3-1"
- name: RELATED_IMAGE_POSTGRES_16
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.0-0"
- name: RELATED_IMAGE_POSTGRES_16_GIS_3.3
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.0-3.3-0"
- name: RELATED_IMAGE_POSTGRES_16_GIS_3.4
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.0-3.4-0"
- name: RELATED_IMAGE_PGADMIN
value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-18"
- name: RELATED_IMAGE_PGBACKREST
value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-1"
- name: RELATED_IMAGE_PGBOUNCER
value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.19-5"
- name: RELATED_IMAGE_PGEXPORTER
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.4.3-0"
- name: RELATED_IMAGE_PGUPGRADE
value: "registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:ubi8-5.4.3-0"
securityContext:
allowPrivilegeEscalation: false
capabilities: { drop: [ALL] }
readOnlyRootFilesystem: true
runAsNonRoot: true
serviceAccountName: pgo

View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: postgres-system
labels:
prometheus: default

View file

@ -0,0 +1,156 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: postgres-operator
rules:
- apiGroups:
- ''
resources:
- configmaps
- persistentvolumeclaims
- secrets
- services
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- ''
resources:
- endpoints
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- watch
- apiGroups:
- ''
resources:
- endpoints/restricted
- pods/exec
verbs:
- create
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ''
resources:
- pods
verbs:
- delete
- get
- list
- patch
- watch
- apiGroups:
- ''
resources:
- serviceaccounts
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- apps
resources:
- deployments
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- pgupgrades
verbs:
- get
- list
- watch
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- pgupgrades/finalizers
verbs:
- patch
- update
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- pgupgrades/status
verbs:
- get
- patch
- watch
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- postgresclusters
verbs:
- get
- list
- patch
- watch
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- postgresclusters/finalizers
verbs:
- update
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- postgresclusters/status
verbs:
- patch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- get
- list
- patch
- watch

View file

@ -0,0 +1,14 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: postgres-operator
labels:
postgres-operator.crunchydata.com/control-plane: postgres-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: postgres-operator
subjects:
- kind: ServiceAccount
name: pgo

View file

@ -0,0 +1,7 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pgo
labels:
postgres-operator.crunchydata.com/control-plane: postgres-operator