aboutbits · ThoSap · Feb 5, 2026 · Feb 4, 2026 · Feb 4, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -47,10 +47,6 @@ jobs:
         env:
           GITHUB_USER_NAME: ${{ github.actor }}
           GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Patch ClusterRole rolereconciler-cluster-role with secrets permission as the RoleReconciler is watching referenced Secrets
-        run: |
-          yq -i 'select(.metadata.name == "rolereconciler-cluster-role").rules += [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]' operator/build/helm/kubernetes/postgresql-operator/templates/clusterrole.yaml
-        shell: bash
       - name: Package Helm chart
         run: |
           tar -czf operator/build/helm/kubernetes/postgresql-operator-${{ steps.nextVersion.outputs.version }}.tgz -C operator/build/helm/kubernetes postgresql-operator

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # AboutBits PostgreSQL Operator
 
-AboutBits PostgreSQL Operator is a Kubernetes operator that helps you manage PostgreSQL databases, roles (users), and privileges in a declarative way using Custom Resource Definitions (CRDs).
+AboutBits PostgreSQL Operator is a Kubernetes operator that helps you manage PostgreSQL databases, schemas, roles (users), and privileges in a declarative way using Custom Resource Definitions (CRDs).
 
 ## Architecture
 
@@ -130,6 +130,7 @@ metadata:
 spec:
   clusterRef:
     name: my-postgres-connection
+  database: my_app_db
   name: my_app_schema
   reclaimPolicy: Retain
   owner: dba_user
@@ -208,7 +209,7 @@ To build the project, the following prerequisites must be met:
 
 ### Setup
 
-To get started, you first need to configure the GitHub Maven Package registry to be able to pull the [AbouBits Java Checkstyle Config](https://github.com/aboutbits/java-checkstyle-config) from the GitHub Gradle registry.
+To get started, you first need to configure the GitHub Gradle Packages registry to be able to pull the [AbouBits Java Checkstyle Config](https://github.com/aboutbits/java-checkstyle-config) from the GitHub Packages registry.
 
 Follow https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-gradle-registry  
 The guide basically tells you to click on `Generate new token (classic)` on https://github.com/settings/tokens, add the permission `read:packages` and copy the token which we need below.

diff --git a/operator/build.gradle.kts b/operator/build.gradle.kts
@@ -9,11 +9,11 @@ dependencies {
     implementation("io.quarkus:quarkus-arc")
     implementation("io.quarkus:quarkus-config-yaml")
     implementation("io.quarkus:quarkus-jackson")
+    implementation("io.quarkus:quarkus-jdbc-postgresql")
     implementation("io.quarkus:quarkus-kubernetes-client")
     implementation("io.quarkus:quarkus-logging-json")
     implementation("io.quarkus:quarkus-micrometer")
     implementation("io.quarkus:quarkus-micrometer-registry-prometheus")
-    implementation("io.quarkus:quarkus-jdbc-postgresql")
     implementation("io.quarkus:quarkus-smallrye-health")
 
     /**
@@ -49,6 +49,7 @@ dependencies {
      * Quarkiverse Operator SDK
      */
     implementation("io.quarkiverse.operatorsdk:quarkus-operator-sdk")
+    implementation("io.quarkiverse.operatorsdk:quarkus-operator-sdk-annotations")
 
     /**
      * SCRAM

diff --git a/operator/src/main/java/it/aboutbits/postgresql/crd/role/RoleReconciler.java b/operator/src/main/java/it/aboutbits/postgresql/crd/role/RoleReconciler.java
@@ -13,6 +13,8 @@
 import io.javaoperatorsdk.operator.processing.event.source.EventSource;
 import io.javaoperatorsdk.operator.processing.event.source.SecondaryToPrimaryMapper;
 import io.javaoperatorsdk.operator.processing.event.source.informer.InformerEventSource;
+import io.quarkiverse.operatorsdk.annotations.AdditionalRBACRules;
+import io.quarkiverse.operatorsdk.annotations.RBACRule;
 import it.aboutbits.postgresql.core.BaseReconciler;
 import it.aboutbits.postgresql.core.CRPhase;
 import it.aboutbits.postgresql.core.CRStatus;
@@ -32,6 +34,13 @@
 
 @NullMarked
 @Slf4j
+@AdditionalRBACRules({
+        @RBACRule(
+                apiGroups = {""},
+                resources = {"secrets"},
+                verbs = {"get", "list", "watch"}
+        )
+})
 @RequiredArgsConstructor
 public class RoleReconciler
         extends BaseReconciler<Role, CRStatus>

diff --git a/operator/src/main/resources/application.yml b/operator/src/main/resources/application.yml
@@ -162,16 +162,6 @@ quarkus:
         memory: 512Mi
     prometheus:
       generate-service-monitor: false
-    # Report bug as this or adding the ClusterRole and ClusterRoleBinding in operator/src/main/kubernetes/kubernetes.yml does not work, JOSDK simply ignores the ClusterRoleBinding
-    #rbac:
-    #  cluster-roles:
-    #    "rolereconciler-cluster-role":
-    #      name: rolereconciler-cluster-role
-    #      policy-rules:
-    #        "secrets":
-    #          api-groups: [""]
-    #          resources: ["secrets"]
-    #          verbs: ["get", "list", "watch"]
     startup-probe:
       http-action-port-name: http
       initial-delay: PT2S