create namespaced role instead of using cluster role #786

Status: Open. Wants to merge 9 commits into base: master
Conversation

FxKu (Member) commented Jan 9, 2020

In each namespace operator currently creates an additional ServiceAccount and binds it to the postgres-pod ClusterRole. This PR adds code to create a Role instead and let the RoleBinding reference it.

Next to pod_service_account_definition and pod_service_account_role_binding_definition, a third configuration parameter is added to allow users to configure the role definition as well.

Yet, this PR has no sync strategy for roles. What if you want to change the role's privileges? With one ClusterRole it's easy. Just edit it. But how to sync all roles the operator would create?

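To make the change concrete, here is the per-namespace RBAC the operator would create under this PR: a ServiceAccount, a namespaced Role, and a RoleBinding whose `roleRef` points at the Role rather than at the cluster-wide `postgres-pod` ClusterRole. This is an added illustration, not code from the PR or the operator's manifests. The namespace `team-a` is invented, and the rule list is an assumption about what Patroni-managed Postgres pods typically need (endpoints for leader election, pods for labeling, services for creation); take the authoritative rules from the operator's own `postgres-pod` ClusterRole before using this.

```yaml
# Added example (not from the PR): namespaced equivalent of binding the
# postgres-pod ServiceAccount to a ClusterRole. Everything below is scoped to
# one namespace; "team-a" is a made-up namespace name.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: postgres-pod
  namespace: team-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: postgres-pod
  namespace: team-a
rules:
  # Assumed rule set: Patroni keeps leader/DCS state in endpoints of its own
  # namespace, labels its pods, and creates services. Verify against the
  # operator's real ClusterRole definition.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create"]
  # Matches the PR commit "allow role to use privileged podsecuritypolicies".
  # PodSecurityPolicies are cluster-scoped, but granting "use" on a named PSP
  # from a namespaced Role is valid; the PSP API itself was removed in
  # Kubernetes 1.25, so drop this rule on newer clusters.
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["privileged"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: postgres-pod
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role          # was: ClusterRole
  name: postgres-pod
subjects:
  - kind: ServiceAccount
    name: postgres-pod
    namespace: team-a
```

The security-relevant difference is blast radius: a RoleBinding to a ClusterRole already limits the grant to the binding's namespace, but the ClusterRole object itself is a cluster-scoped resource that must be creatable by whoever installs the operator and is shared by every namespace. With a Role per namespace, each grant can be reviewed and edited independently, at the cost of the sync problem raised above. To confirm the scoping, run `kubectl auth can-i patch endpoints -n team-a --as=system:serviceaccount:team-a:postgres-pod` (expect `yes`) and the same check with `-n some-other-namespace` (expect `no`).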
FxKu (Member, Author) commented Jan 14, 2020

Please tell, if the default name postgres-operator-patroni for ServiceAccount, RoleBinding and Role is fine for you. I could also think of postgres-operator-db-pods, postgres-operator-spilo ...

EDIT: postgres-pod it is now

FxKu force-pushed the spilo-service-account branch 3 times, most recently from 9b3dcc8 to e40f714 on January 20, 2020 10:18
changed the default name, updated helm chart and docs
allow role to use privileged podsecuritypolicies
@FxKu FxKu changed the title improve RBAC setup for postgres pods create namespaced role instead of using cluster role Feb 18, 2020
@FxKu FxKu mentioned this pull request Feb 18, 2020
@FxKu FxKu removed this from the 1.4 milestone Feb 18, 2020
machine424 (Contributor) commented Jan 18, 2021

We're really interested in this feature.

Can I help somehow?

FxKu (Member, Author) commented Jan 26, 2021

@machine424 thanks for your interest. I've rebased the branch now, so that you can continue working on it. The big open TODO here is the syncing part. What if you want to change the role? How are the existing roles updated then? That's why we went with another clusterrole instead, because it's one edit there and you are done. At some point we should also revisit the hard coded definitions for service account, role bindings (and roles what this PR adds).

machine424 (Contributor) commented

Ok, I'll give it a try, thanks.

caniko commented Nov 24, 2022

I really need this, it won't happen any time soon, right?

However, I am guessing that it is not possible to use the enable_cross_namespace_secret feature in this mode, correct? RBAC is a nightmare sometimes 🏃‍♂️

rgarcia89 commented Jan 23, 2024

I would be interested in a namespaced deployment way too. I do have some use-cases where I do not have permission to create clusterroles due to policy. Roles and RoleBindings however would work to at least deploy the clusters into the same cluster or the namespace.


6 participants