add two more flags to disable CRD and its superuser support

2020-10-26 11:49:27 +01:00 · 2020-10-26 11:49:27 +01:00 · 130504bbb0
parent ed2b3239b6
commit 130504bbb0
16 changed files with 96 additions and 28 deletions
--- a/charts/postgres-operator/crds/operatorconfigurations.yaml
+++ b/charts/postgres-operator/crds/operatorconfigurations.yaml
@ -319,6 +319,10 @@ spec:
              properties:
                enable_admin_role_for_users:
                  type: boolean
                enable_postgres_team_crd:
                  type: boolean
                enable_postgres_team_crd_superusers:
                  type: boolean
                enable_team_superuser:
                  type: boolean
                enable_teams_api:
--- a/charts/postgres-operator/crds/postgresteams.yaml
+++ b/charts/postgres-operator/crds/postgresteams.yaml
@ -1,3 +1,4 @@
 {{ if .Values.rbac.create }}
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
@ -65,3 +66,4 @@ spec:
                description: "List of users who will also be added to the Postgres cluster"
                items:
                  type: string
 {{ end }}
--- a/charts/postgres-operator/values-crd.yaml
+++ b/charts/postgres-operator/values-crd.yaml
@ -256,6 +256,11 @@ configTeamsApi:
  # team_admin_role will have the rights to grant roles coming from PG manifests
  # enable_admin_role_for_users: true
  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
  enable_postgres_team_crd: true
  # toogle to create additional superuser teams from PostgresTeam CRs
  # enable_postgres_team_crd_superusers: "false"
  # toggle to grant superuser to team members created from the Teams API
  enable_team_superuser: false
  # toggles usage of the Teams API by the operator
--- a/charts/postgres-operator/values.yaml
+++ b/charts/postgres-operator/values.yaml
@ -245,6 +245,8 @@ configTeamsApi:
  # team_admin_role will have the rights to grant roles coming from PG manifests
  # enable_admin_role_for_users: "true"
  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
  enable_postgres_team_crd: "true"
  # toggle to grant superuser to team members created from the Teams API
  # enable_team_superuser: "false"
--- a/docs/administrator.md
+++ b/docs/administrator.md
@ -561,9 +561,12 @@ database.
 * **Human users** originate from the [Teams API](user.md#teams-api-roles) that
 returns a list of the team members given a team id. The operator differentiates
 between (a) product teams that own a particular Postgres cluster and are granted
-admin rights to maintain it, and (b) Postgres superuser teams that get the
+admin rights to maintain it, (b) Postgres superuser teams that get superuser
-superuser access to all Postgres databases running in a K8s cluster for the
+access to all Postgres databases running in a K8s cluster for the purposes of
-purposes of maintaining and troubleshooting.
+maintaining and troubleshooting, and (c) additional teams, superuser teams or
 members associated with the owning team. The latter is managed via the
 [PostgresTeam CRD](user.md#additional-teams-and-members-per-cluster).
 ## Understanding rolling update of Spilo pods
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
@ -598,8 +598,8 @@ key.
  The default is `"log_statement:all"`
 * **enable_team_superuser**
-  whether to grant superuser to team members created from the Teams API.
+  whether to grant superuser to members of the cluster's owning team created
-  The default is `false`.
+  from the Teams API. The default is `false`.
 * **team_admin_role**
  role name to grant to team members created from the Teams API. The default is
@ -632,6 +632,16 @@ key.
  cluster to administer Postgres and maintain infrastructure built around it.
  The default is empty.
 * **enable_postgres_team_crd**
  toggle to make the operator watch for created or updated `PostgresTeam` CRDs
  and create roles for specified additional teams and members.
  The default is `true`.
 * **enable_postgres_team_crd_superusers**
  in a `PostgresTeam` CRD additional superuser teams can assigned to teams that
  own clusters. With this flag set to `false`, it will be ignored.
  The default is `false`.
 ## Logging and REST API
 Parameters affecting logging and REST API listener. In the CRD-based
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@ -41,6 +41,8 @@ data:
  enable_master_load_balancer: "false"
  # enable_pod_antiaffinity: "false"
  # enable_pod_disruption_budget: "true"
  # enable_postgres_team_crd: "true"
  # enable_postgres_team_crd_superusers: "false"
  enable_replica_load_balancer: "false"
  # enable_shm_volume: "true"
  # enable_sidecars: "true"
--- a/manifests/operatorconfiguration.crd.yaml
+++ b/manifests/operatorconfiguration.crd.yaml
@ -325,6 +325,10 @@ spec:
              properties:
                enable_admin_role_for_users:
                  type: boolean
                enable_postgres_team_crd:
                  type: boolean
                enable_postgres_team_crd_superusers:
                  type: boolean
                enable_team_superuser:
                  type: boolean
                enable_teams_api:
--- a/manifests/postgresql-operator-default-configuration.yaml
+++ b/manifests/postgresql-operator-default-configuration.yaml
@ -122,6 +122,8 @@ configuration:
    enable_database_access: true
  teams_api:
    # enable_admin_role_for_users: true
    # enable_postgres_team_crd: true
    # enable_postgres_team_crd_superusers: false
    enable_team_superuser: false
    enable_teams_api: false
    # pam_configuration: ""
--- a/pkg/apis/acid.zalan.do/v1/crds.go
+++ b/pkg/apis/acid.zalan.do/v1/crds.go
@ -1224,6 +1224,12 @@ var OperatorConfigCRDResourceValidation = apiextv1beta1.CustomResourceValidation
 							"enable_admin_role_for_users": {
 								Type: "boolean",
 							},
 							"enable_postgres_team_crd": {
 								Type: "boolean",
 							},
 							"enable_postgres_team_crd_superusers": {
 								Type: "boolean",
 							},
 							"enable_team_superuser": {
 								Type: "boolean",
 							},
--- a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
+++ b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
@ -145,6 +145,8 @@ type TeamsAPIConfiguration struct {
 	PamConfiguration                string            `json:"pam_configuration,omitempty"`
 	ProtectedRoles                  []string          `json:"protected_role_names,omitempty"`
 	PostgresSuperuserTeams          []string          `json:"postgres_superuser_teams,omitempty"`
 	EnablePostgresTeamCRD           *bool             `json:"enable_postgres_team_crd,omitempty"`
 	EnablePostgresTeamCRDSuperusers bool              `json:"enable_postgres_team_crd_superusers,omitempty"`
 }
 // LoggingRESTAPIConfiguration defines Logging API conf
--- a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go
@ -1114,6 +1114,11 @@ func (in *TeamsAPIConfiguration) DeepCopyInto(out *TeamsAPIConfiguration) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
 	if in.EnablePostgresTeamCRD != nil {
 		in, out := &in.EnablePostgresTeamCRD, &out.EnablePostgresTeamCRD
 		*out = new(bool)
 		**out = **in
 	}
 	return
 }
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@ -1102,7 +1102,7 @@ func (c *Cluster) initTeamMembers(teamID string, isPostgresSuperuserTeam bool) e
 		if c.shouldAvoidProtectedOrSystemRole(username, "API role") {
 			continue
 		}
-		if c.OpConfig.EnableTeamSuperuser || isPostgresSuperuserTeam {
+		if (c.OpConfig.EnableTeamSuperuser && teamID == c.Spec.TeamID) || isPostgresSuperuserTeam {
 			flags = append(flags, constants.RoleFlagSuperuser)
 		} else {
 			if c.OpConfig.TeamAdminRole != "" {
@ -1130,8 +1130,13 @@ func (c *Cluster) initTeamMembers(teamID string, isPostgresSuperuserTeam bool) e
 func (c *Cluster) initHumanUsers() error {
 	superuserTeams := c.PgTeamMap.GetAdditionalSuperuserTeams(c.Spec.TeamID, true)
 	var clusterIsOwnedBySuperuserTeam bool
 	superuserTeams := []string{}
 	if c.OpConfig.EnablePostgresTeamCRDSuperusers {
 		superuserTeams = c.PgTeamMap.GetAdditionalSuperuserTeams(c.Spec.TeamID, true)
 	}
 	for _, postgresSuperuserTeam := range c.OpConfig.PostgresSuperuserTeams {
 		if !(util.SliceContains(superuserTeams, postgresSuperuserTeam)) {
 			superuserTeams = append(superuserTeams, postgresSuperuserTeam)
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@ -297,7 +297,12 @@ func (c *Controller) initController() {
 	c.initPodServiceAccount()
 	c.initSharedInformers()
 	if c.opConfig.EnablePostgresTeamCRD != nil && *c.opConfig.EnablePostgresTeamCRD {
 		c.loadPostgresTeams()
 	} else {
 		c.pgTeamMap = teams.PostgresTeamMap{}
 	}
 	if c.opConfig.DebugLogging {
 		c.logger.Logger.Level = logrus.DebugLevel
@ -330,6 +335,7 @@ func (c *Controller) initController() {
 func (c *Controller) initSharedInformers() {
 	// Postgresqls
 	c.postgresqlInformer = acidv1informer.NewPostgresqlInformer(
 		c.KubeClient.AcidV1ClientSet,
 		c.opConfig.WatchedNamespace,
@ -342,6 +348,8 @@ func (c *Controller) initSharedInformers() {
 		DeleteFunc: c.postgresqlDelete,
 	})
 	// PostgresTeams
 	if c.opConfig.EnablePostgresTeamCRD != nil && *c.opConfig.EnablePostgresTeamCRD {
 		c.postgresTeamInformer = acidv1informer.NewPostgresTeamInformer(
 			c.KubeClient.AcidV1ClientSet,
 			c.opConfig.WatchedNamespace,
@ -352,6 +360,7 @@ func (c *Controller) initSharedInformers() {
 			AddFunc:    c.postgresTeamAdd,
 			UpdateFunc: c.postgresTeamUpdate,
 		})
 	}
 	// Pods
 	podLw := &cache.ListWatch{
@ -409,11 +418,14 @@ func (c *Controller) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
 	wg.Add(5)
 	go c.runPodInformer(stopCh, wg)
 	go c.runPostgresqlInformer(stopCh, wg)
 	go c.runPostgresTeamInformer(stopCh, wg)
 	go c.clusterResync(stopCh, wg)
 	go c.apiserver.Run(stopCh, wg)
 	go c.kubeNodesInformer(stopCh, wg)
 	if c.opConfig.EnablePostgresTeamCRD != nil && *c.opConfig.EnablePostgresTeamCRD {
 		go c.runPostgresTeamInformer(stopCh, wg)
 	}
 	c.logger.Info("started working in background")
 }
--- a/pkg/controller/operator_config.go
+++ b/pkg/controller/operator_config.go
@ -163,6 +163,8 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result.PamConfiguration = util.Coalesce(fromCRD.TeamsAPI.PamConfiguration, "https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees")
 	result.ProtectedRoles = util.CoalesceStrArr(fromCRD.TeamsAPI.ProtectedRoles, []string{"admin"})
 	result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams
 	result.EnablePostgresTeamCRD = util.CoalesceBool(fromCRD.TeamsAPI.EnablePostgresTeamCRD, util.True())
 	result.EnablePostgresTeamCRDSuperusers = fromCRD.TeamsAPI.EnablePostgresTeamCRDSuperusers
 	// logging REST API config
 	result.APIPort = util.CoalesceInt(fromCRD.LoggingRESTAPI.APIPort, 8080)
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@ -169,6 +169,8 @@ type Config struct {
 	EnableTeamSuperuser                    bool              `name:"enable_team_superuser" default:"false"`
 	TeamAdminRole                          string            `name:"team_admin_role" default:"admin"`
 	EnableAdminRoleForUsers                bool              `name:"enable_admin_role_for_users" default:"true"`
 	EnablePostgresTeamCRD                  *bool             `name:"enable_postgres_team_crd" default:"true"`
 	EnablePostgresTeamCRDSuperusers        bool              `name:"enable_postgres_team_crd_superusers" default:"false"`
 	EnableMasterLoadBalancer               bool              `name:"enable_master_load_balancer" default:"true"`
 	EnableReplicaLoadBalancer              bool              `name:"enable_replica_load_balancer" default:"false"`
 	CustomServiceAnnotations               map[string]string `name:"custom_service_annotations"`