rbac

package
v0.13.0 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 10, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package rbac contains utilities to reconcile RBAC resources for the barman-cloud plugin.


Constants

This section is empty.

Variables

This section is empty.

Functions

func EnsureRole

func EnsureRole(
	ctx context.Context,
	c client.Client,
	cluster *cnpgv1.Cluster,
	barmanObjects []barmancloudv1.ObjectStore,
) error

EnsureRole ensures the RBAC Role for the given Cluster matches the desired state derived from the given ObjectStores. On creation, the Cluster is set as the owner of the Role for garbage collection.

This function is called from the Pre hook (gRPC). It creates the Role if it does not exist, then patches rules and labels to match the desired state.

Note: the ObjectStore controller (EnsureRoleRules) can patch the same Role concurrently. Both paths use RetryOnConflict but compute desired rules from their own view of ObjectStores. If the Pre hook reads stale ObjectStore data from the informer cache, it may briefly revert a fresher update. This is self-healing: the next ObjectStore reconcile restores the correct state.

func EnsureRoleBinding added in v0.13.0

func EnsureRoleBinding(ctx context.Context, c client.Client, cluster *cnpgv1.Cluster) error

EnsureRoleBinding ensures the RoleBinding for the given Cluster is present and carries the recommended labels.

This function is called from the Pre hook (gRPC). It creates the RoleBinding if it does not exist, then reconciles labels and Subjects:

  • Labels are written per-key. Keys the plugin manages overwrite existing values; unrelated keys (anything outside the desired set) are left alone.
  • Subjects are additive. The plugin guarantees its own Subject is bound, but never removes Subjects added by other actors — a Subject is a grant of access, and silently revoking access someone else granted is the wrong default.

RoleRef is immutable in Kubernetes. If the existing RoleBinding points to a different Role, the plugin fails loudly so the operator notices and recreates the object.
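The reconcile policy described above for labels, Subjects and RoleRef, as an added example that is not the plugin's own code. `Subject`, `RoleRef` and `Binding` are simplified stand-ins for the rbac/v1 types, and `mergeBinding` and `ErrRoleRefMismatch` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the rbac/v1 types (assumption, not the real structs).
type Subject struct{ Kind, Name, Namespace string }
type RoleRef struct{ Kind, Name string }
type Binding struct {
	Labels   map[string]string
	Subjects []Subject
	RoleRef  RoleRef
}

var ErrRoleRefMismatch = errors.New("roleRef mismatch: recreate the RoleBinding")

// mergeBinding (hypothetical) mutates existing toward desired; true means a patch is needed.
func mergeBinding(existing *Binding, desired Binding) (bool, error) {
	if existing.RoleRef != desired.RoleRef { // immutable: report the drift, never patch it
		return false, fmt.Errorf("%w: have %v, want %v", ErrRoleRefMismatch, existing.RoleRef, desired.RoleRef)
	}
	changed := false
	if existing.Labels == nil {
		existing.Labels = map[string]string{}
	}
	for k, v := range desired.Labels { // managed keys overwrite, other keys stay untouched
		if cur, ok := existing.Labels[k]; !ok || cur != v {
			existing.Labels[k], changed = v, true
		}
	}
	for _, want := range desired.Subjects { // additive: append what is missing, never remove
		found := false
		for _, have := range existing.Subjects {
			found = found || have == want
		}
		if !found {
			existing.Subjects, changed = append(existing.Subjects, want), true
		}
	}
	return changed, nil
}

func main() {
	have := &Binding{RoleRef: RoleRef{"Role", "other-role"}} // constructed drift case
	fmt.Println(mergeBinding(have, Binding{RoleRef: RoleRef{"Role", "plugin-role"}}))
}
```

Because the merge is idempotent, a second pass over an already reconciled binding reports no change, which keeps concurrent callers from issuing needless patches.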

func EnsureRoleRules

func EnsureRoleRules(
	ctx context.Context,
	c client.Client,
	roleKey client.ObjectKey,
	barmanObjects []barmancloudv1.ObjectStore,
) error

EnsureRoleRules updates the rules of an existing Role to match the desired state derived from the given ObjectStores. Unlike EnsureRole, this function does not create Roles or set owner references — it only patches rules on Roles that already exist. It is intended for the ObjectStore controller path where no Cluster object is available. Returns nil if the Role does not exist (the Pre hook has not created it yet).

Types

This section is empty.
