public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fixes as per review comments

This commit is contained in:
Rafia Sabih 2021-05-31 16:07:30 +02:00
parent 0f31b5bea6
commit 09039e8730
8 changed files with 40 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
charts/postgres-operator/values-crd.yaml
View File

@ -145,8 +145,10 @@ configKubernetes:
# Postgres pods are terminated forcefully after this timeout # Postgres pods are terminated forcefully after this timeout
pod_terminate_grace_period: 5m pod_terminate_grace_period: 5m
# template for database user secrets generated by the operator # template for database user secrets generated by the operator,
secret_name_template: "{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}" # here username contains the namespace in the format namespace.username
# if the user is in different namespace than cluster
secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
# set user and group for the spilo container (required to run Spilo as non-root process) # set user and group for the spilo container (required to run Spilo as non-root process)
# spilo_runasuser: "101" # spilo_runasuser: "101"
# spilo_runasgroup: "103" # spilo_runasgroup: "103"

6
charts/postgres-operator/values.yaml
View File

@ -137,8 +137,10 @@ configKubernetes:
# Postgres pods are terminated forcefully after this timeout # Postgres pods are terminated forcefully after this timeout
pod_terminate_grace_period: 5m pod_terminate_grace_period: 5m
# template for database user secrets generated by the operator # template for database user secrets generated by the operator,
secret_name_template: "{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}" # here username contains the namespace in the format namespace.username
# if the user is in different namespace than cluster
secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
# set user and group for the spilo container (required to run Spilo as non-root process) # set user and group for the spilo container (required to run Spilo as non-root process)
# spilo_runasuser: "101" # spilo_runasuser: "101"
# spilo_runasgroup: "103" # spilo_runasgroup: "103"

7
docs/reference/operator_parameters.md
View File

@ -275,12 +275,13 @@ configuration they are grouped under the `kubernetes` key.
* **secret_name_template** * **secret_name_template**
a template for the name of the database user secrets generated by the a template for the name of the database user secrets generated by the
operator. `{namesapce}` is replaced with name of the namespace (if any, operator. `{namespace}` is replaced with name of the namespace (if any,
otherwise empty), `{username}` is replaced with name of the secret, otherwise the secret is in cluster's namespace and in that case it is not
present in secret name), `{username}` is replaced with name of the secret,
`{cluster}` with the name of the cluster, `{tprkind}` with the kind of CRD `{cluster}` with the name of the cluster, `{tprkind}` with the kind of CRD
(formerly known as TPR) and `{tprgroup}` with the group of the CRD. (formerly known as TPR) and `{tprgroup}` with the group of the CRD.
No other placeholders are allowed. The default is No other placeholders are allowed. The default is
`{namesapce}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}`. `{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}`.
* **cluster_domain** * **cluster_domain**
defines the default DNS domain for the kubernetes cluster the operator is defines the default DNS domain for the kubernetes cluster the operator is

10
e2e/tests/test_e2e.py
View File

@ -594,7 +594,13 @@ class EndToEndTestCase(unittest.TestCase):
''' '''
app_namespace = "appspace" app_namespace = "appspace"
k8s = self.k8s k8s = self.k8s
k8s.api.core_v1.create_namespace(app_namespace) v1_appnamespace = client.V1Namespace(metadata=client.V1ObjectMeta(name=app_namespace))
try:
k8s.api.core_v1.create_namespace(v1_appnamespace)
except timeout_decorator.TimeoutError:
print('Operator log: {}'.format(k8s.get_operator_log()))
raise
k8s.api.custom_objects_api.patch_namespaced_custom_object( k8s.api.custom_objects_api.patch_namespaced_custom_object(
'acid.zalan.do', 'v1', 'default', 'acid.zalan.do', 'v1', 'default',
'postgresqls', 'acid-minimal-cluster', 'postgresqls', 'acid-minimal-cluster',
@ -606,7 +612,7 @@ class EndToEndTestCase(unittest.TestCase):
} }
}) })
self.eventuallyEqual(lambda: k8s.count_secrets_in_namespace(app_namespace), self.eventuallyEqual(lambda: k8s.count_secrets_in_namespace(app_namespace),
1, "Secret not created in user namespace") 1, "Secret not created for user in namespace", app_namespace)
@timeout_decorator.timeout(TEST_TIMEOUT_SEC) @timeout_decorator.timeout(TEST_TIMEOUT_SEC)
def test_lazy_spilo_upgrade(self): def test_lazy_spilo_upgrade(self):

2
manifests/configmap.yaml
View File

@ -113,7 +113,7 @@ data:
resync_period: 30m resync_period: 30m
ring_log_lines: "100" ring_log_lines: "100"
role_deletion_suffix: "_deleted" role_deletion_suffix: "_deleted"
secret_name_template: "{namespace}.{username}.{cluster}.credentials" secret_name_template: "{username}.{cluster}.credentials"
# sidecar_docker_images: "" # sidecar_docker_images: ""
# set_memory_request_to_limit: "false" # set_memory_request_to_limit: "false"
spilo_allow_privilege_escalation: "true" spilo_allow_privilege_escalation: "true"

2
manifests/postgresql-operator-default-configuration.yaml
View File

@ -78,7 +78,7 @@ configuration:
pod_service_account_name: postgres-pod pod_service_account_name: postgres-pod
# pod_service_account_role_binding_definition: "" # pod_service_account_role_binding_definition: ""
pod_terminate_grace_period: 5m pod_terminate_grace_period: 5m
secret_name_template: "{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}" secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
spilo_allow_privilege_escalation: true spilo_allow_privilege_escalation: true
# spilo_runasuser: 101 # spilo_runasuser: 101
# spilo_runasgroup: 103 # spilo_runasgroup: 103

4
pkg/cluster/cluster_test.go
View File

@ -907,7 +907,7 @@ func TestCrossNamespacedSecrets(t *testing.T) {
err := cluster.initRobotUsers() err := cluster.initRobotUsers()
if err != nil { if err != nil {
t.Errorf("%s Could not create namespaced users with error: %s", testName, err) t.Errorf("Could not create secret for namespaced users with error: %s", err)
} }
for _, u := range cluster.pgUsers { for _, u := range cluster.pgUsers {
@ -920,7 +920,7 @@ func TestCrossNamespacedSecrets(t *testing.T) {
func TestValidUsernames(t *testing.T) { func TestValidUsernames(t *testing.T) {
testName := "test username validity" testName := "test username validity"
invalidUsernames := []string{"_", ".", ".user", "appspace.", "appspace.user.extra", "user_", "_user", "-user", "user-", ",", ",user", "user,", "namespace,user"} invalidUsernames := []string{"_", ".", ".user", "appspace.", "appspace.user.extra", "user_", "_user", "-user", "user-", ",", "-", ",user", "user,", "namespace,user"}
for _, username := range invalidUsernames { for _, username := range invalidUsernames {
if isValidUsername(username) { if isValidUsername(username) {

19
pkg/cluster/sync.go
View File

@ -556,13 +556,26 @@ func (c *Cluster) syncRoles() (err error) {
// create list of database roles to query // create list of database roles to query
for _, u := range c.pgUsers { for _, u := range c.pgUsers {
pg_role := u.Name pgRole := u.Name
if u.Namespace != c.Namespace { if u.Namespace != c.Namespace {
// to avoid the conflict of having multiple users of same name // to avoid the conflict of having multiple users of same name
// but each in different namespace. // but each in different namespace.
pg_role = fmt.Sprintf("%s.%s", u.Name, u.Namespace) pgRole = fmt.Sprintf("%s.%s", u.Name, u.Namespace)
}
userNames = append(userNames, pgRole)
// add team member role name with rename suffix in case we need to rename it back
if u.Origin == spec.RoleOriginTeamsAPI && c.OpConfig.EnableTeamMemberDeprecation {
deletedUsers[u.Name+c.OpConfig.RoleDeletionSuffix] = u.Name
userNames = append(userNames, u.Name+c.OpConfig.RoleDeletionSuffix)
}
}
// add team members that exist only in cache
// to trigger a rename of the role in ProduceSyncRequests
for _, cachedUser := range c.pgUsersCache {
if _, exists := c.pgUsers[cachedUser.Name]; !exists {
userNames = append(userNames, cachedUser.Name)
} }
userNames = append(userNames, pg_role)
} }
// add pooler user to list of pgUsers, too // add pooler user to list of pgUsers, too