fixes as per review comments

2021-05-31 16:07:30 +02:00 · 2021-05-31 16:07:30 +02:00 · 09039e8730
parent 0f31b5bea6
commit 09039e8730
8 changed files with 40 additions and 16 deletions
--- a/charts/postgres-operator/values-crd.yaml
+++ b/charts/postgres-operator/values-crd.yaml
@ -145,8 +145,10 @@ configKubernetes:

  # Postgres pods are terminated forcefully after this timeout
  pod_terminate_grace_period: 5m
-  # template for database user secrets generated by the operator
-  secret_name_template: "{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
+  # template for database user secrets generated by the operator,
+  # here username contains the namespace in the format namespace.username
+  # if the user is in different namespace than cluster
+  secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
  # set user and group for the spilo container (required to run Spilo as non-root process)
  # spilo_runasuser: "101"
  # spilo_runasgroup: "103"
--- a/charts/postgres-operator/values.yaml
+++ b/charts/postgres-operator/values.yaml
@ -137,8 +137,10 @@ configKubernetes:

  # Postgres pods are terminated forcefully after this timeout
  pod_terminate_grace_period: 5m
-  # template for database user secrets generated by the operator
-  secret_name_template: "{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
+  # template for database user secrets generated by the operator,
+  # here username contains the namespace in the format namespace.username
+  # if the user is in different namespace than cluster
+  secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
  # set user and group for the spilo container (required to run Spilo as non-root process)
  # spilo_runasuser: "101"
  # spilo_runasgroup: "103"
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
@ -275,12 +275,13 @@ configuration they are grouped under the `kubernetes` key.

 * **secret_name_template**
  a template for the name of the database user secrets generated by the
-  operator. `{namesapce}` is replaced with name of the namespace (if any,
-  otherwise empty), `{username}` is replaced with name of the secret,
+  operator. `{namespace}` is replaced with name of the namespace (if any,
+  otherwise the secret is in cluster's namespace and in that case it is not
+  present in secret name), `{username}` is replaced with name of the secret,
  `{cluster}` with the name of the cluster, `{tprkind}` with the kind of CRD
  (formerly known as TPR) and `{tprgroup}` with the group of the CRD.
  No other placeholders are allowed. The default is
-  `{namesapce}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}`.
+  `{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}`.

 * **cluster_domain**
  defines the default DNS domain for the kubernetes cluster the operator is
--- a/e2e/tests/test_e2e.py
+++ b/e2e/tests/test_e2e.py
@ -594,7 +594,13 @@ class EndToEndTestCase(unittest.TestCase):
        '''
        app_namespace = "appspace"
        k8s = self.k8s
-        k8s.api.core_v1.create_namespace(app_namespace)
+        v1_appnamespace = client.V1Namespace(metadata=client.V1ObjectMeta(name=app_namespace))
+        try:
+            k8s.api.core_v1.create_namespace(v1_appnamespace)
+        except timeout_decorator.TimeoutError:
+            print('Operator log: {}'.format(k8s.get_operator_log()))
+            raise
+
        k8s.api.custom_objects_api.patch_namespaced_custom_object(
            'acid.zalan.do', 'v1', 'default',
            'postgresqls', 'acid-minimal-cluster',
@ -606,7 +612,7 @@ class EndToEndTestCase(unittest.TestCase):
                }
            })
        self.eventuallyEqual(lambda: k8s.count_secrets_in_namespace(app_namespace),
-                             1, "Secret not created in user namespace")
+                             1, "Secret not created for user in namespace", app_namespace)

    @timeout_decorator.timeout(TEST_TIMEOUT_SEC)
    def test_lazy_spilo_upgrade(self):
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@ -113,7 +113,7 @@ data:
  resync_period: 30m
  ring_log_lines: "100"
  role_deletion_suffix: "_deleted"
-  secret_name_template: "{namespace}.{username}.{cluster}.credentials"
+  secret_name_template: "{username}.{cluster}.credentials"
  # sidecar_docker_images: ""
  # set_memory_request_to_limit: "false"
  spilo_allow_privilege_escalation: "true"
--- a/manifests/postgresql-operator-default-configuration.yaml
+++ b/manifests/postgresql-operator-default-configuration.yaml
@ -78,7 +78,7 @@ configuration:
    pod_service_account_name: postgres-pod
    # pod_service_account_role_binding_definition: ""
    pod_terminate_grace_period: 5m
-    secret_name_template: "{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
+    secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
    spilo_allow_privilege_escalation: true
    # spilo_runasuser: 101
    # spilo_runasgroup: 103
--- a/pkg/cluster/cluster_test.go
+++ b/pkg/cluster/cluster_test.go
@ -907,7 +907,7 @@ func TestCrossNamespacedSecrets(t *testing.T) {

 	err := cluster.initRobotUsers()
 	if err != nil {
-		t.Errorf("%s Could not create namespaced users with error: %s", testName, err)
+		t.Errorf("Could not create secret for namespaced users with error: %s", err)
 	}

 	for _, u := range cluster.pgUsers {
@ -920,7 +920,7 @@ func TestCrossNamespacedSecrets(t *testing.T) {
 func TestValidUsernames(t *testing.T) {
 	testName := "test username validity"

-	invalidUsernames := []string{"_", ".", ".user", "appspace.", "appspace.user.extra", "user_", "_user", "-user", "user-", ",", ",user", "user,", "namespace,user"}
+	invalidUsernames := []string{"_", ".", ".user", "appspace.", "appspace.user.extra", "user_", "_user", "-user", "user-", ",", "-", ",user", "user,", "namespace,user"}

 	for _, username := range invalidUsernames {
 		if isValidUsername(username) {
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@ -556,13 +556,26 @@ func (c *Cluster) syncRoles() (err error) {

 	// create list of database roles to query
 	for _, u := range c.pgUsers {
-		pg_role := u.Name
+		pgRole := u.Name
 		if u.Namespace != c.Namespace {
 			// to avoid the conflict of having multiple users of same name
 			// but each in different namespace.
-			pg_role = fmt.Sprintf("%s.%s", u.Name, u.Namespace)
+			pgRole = fmt.Sprintf("%s.%s", u.Name, u.Namespace)
+		}
+		userNames = append(userNames, pgRole)
+		// add team member role name with rename suffix in case we need to rename it back
+		if u.Origin == spec.RoleOriginTeamsAPI && c.OpConfig.EnableTeamMemberDeprecation {
+			deletedUsers[u.Name+c.OpConfig.RoleDeletionSuffix] = u.Name
+			userNames = append(userNames, u.Name+c.OpConfig.RoleDeletionSuffix)
+		}
+	}
+
+	// add team members that exist only in cache
+	// to trigger a rename of the role in ProduceSyncRequests
+	for _, cachedUser := range c.pgUsersCache {
+		if _, exists := c.pgUsers[cachedUser.Name]; !exists {
+			userNames = append(userNames, cachedUser.Name)
 		}
-		userNames = append(userNames, pg_role)
 	}

 	// add pooler user to list of pgUsers, too