add two more flags to disable CRD and its superuser support

charts/postgres-operator/crds/operatorconfigurations.yaml

@@ -319,6 +319,10 @@ spec:
               properties:
                 enable_admin_role_for_users:
                   type: boolean
+                enable_postgres_team_crd:
+                  type: boolean
+                enable_postgres_team_crd_superusers:
+                  type: boolean
                 enable_team_superuser:
                   type: boolean
                 enable_teams_api:

charts/postgres-operator/crds/postgresteams.yaml

@@ -1,3 +1,4 @@
+{{ if .Values.rbac.create }}
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
@@ -65,3 +66,4 @@ spec:
                 description: "List of users who will also be added to the Postgres cluster"
                 items:
                   type: string
+{{ end }}

charts/postgres-operator/values-crd.yaml

@@ -256,6 +256,11 @@ configTeamsApi:
   # team_admin_role will have the rights to grant roles coming from PG manifests
   # enable_admin_role_for_users: true
 
+  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
+  enable_postgres_team_crd: true
+  # toogle to create additional superuser teams from PostgresTeam CRs
+  # enable_postgres_team_crd_superusers: "false"
+
   # toggle to grant superuser to team members created from the Teams API
   enable_team_superuser: false
   # toggles usage of the Teams API by the operator

charts/postgres-operator/values.yaml

@@ -245,6 +245,8 @@ configTeamsApi:
   # team_admin_role will have the rights to grant roles coming from PG manifests
   # enable_admin_role_for_users: "true"
 
+  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
+  enable_postgres_team_crd: "true"
   # toggle to grant superuser to team members created from the Teams API
   # enable_team_superuser: "false"
 

docs/administrator.md

@@ -561,9 +561,12 @@ database.
 * **Human users** originate from the [Teams API](user.md#teams-api-roles) that
 returns a list of the team members given a team id. The operator differentiates
 between (a) product teams that own a particular Postgres cluster and are granted
-admin rights to maintain it, and (b) Postgres superuser teams that get the
+admin rights to maintain it, (b) Postgres superuser teams that get superuser
-superuser access to all Postgres databases running in a K8s cluster for the
+access to all Postgres databases running in a K8s cluster for the purposes of
-purposes of maintaining and troubleshooting.
+maintaining and troubleshooting, and (c) additional teams, superuser teams or
+members associated with the owning team. The latter is managed via the
+[PostgresTeam CRD](user.md#additional-teams-and-members-per-cluster).
+
 
 ## Understanding rolling update of Spilo pods
 

docs/reference/operator_parameters.md

@@ -598,8 +598,8 @@ key.
   The default is `"log_statement:all"`
 
 * **enable_team_superuser**
-  whether to grant superuser to team members created from the Teams API.
+  whether to grant superuser to members of the cluster's owning team created
-  The default is `false`.
+  from the Teams API. The default is `false`.
 
 * **team_admin_role**
   role name to grant to team members created from the Teams API. The default is
@@ -632,6 +632,16 @@ key.
   cluster to administer Postgres and maintain infrastructure built around it.
   The default is empty.
 
+* **enable_postgres_team_crd**
+  toggle to make the operator watch for created or updated `PostgresTeam` CRDs
+  and create roles for specified additional teams and members.
+  The default is `true`.
+
+* **enable_postgres_team_crd_superusers**
+  in a `PostgresTeam` CRD additional superuser teams can assigned to teams that
+  own clusters. With this flag set to `false`, it will be ignored.
+  The default is `false`.
+
 ## Logging and REST API
 
 Parameters affecting logging and REST API listener. In the CRD-based

manifests/configmap.yaml

@@ -41,6 +41,8 @@ data:
   enable_master_load_balancer: "false"
   # enable_pod_antiaffinity: "false"
   # enable_pod_disruption_budget: "true"
+  # enable_postgres_team_crd: "true"
+  # enable_postgres_team_crd_superusers: "false"
   enable_replica_load_balancer: "false"
   # enable_shm_volume: "true"
   # enable_sidecars: "true"

manifests/operatorconfiguration.crd.yaml

@@ -325,6 +325,10 @@ spec:
               properties:
                 enable_admin_role_for_users:
                   type: boolean
+                enable_postgres_team_crd:
+                  type: boolean
+                enable_postgres_team_crd_superusers:
+                  type: boolean
                 enable_team_superuser:
                   type: boolean
                 enable_teams_api:

manifests/postgresql-operator-default-configuration.yaml

@@ -122,6 +122,8 @@ configuration:
     enable_database_access: true
   teams_api:
     # enable_admin_role_for_users: true
+    # enable_postgres_team_crd: true
+    # enable_postgres_team_crd_superusers: false
     enable_team_superuser: false
     enable_teams_api: false
     # pam_configuration: ""

pkg/apis/acid.zalan.do/v1/crds.go

@@ -1224,6 +1224,12 @@ var OperatorConfigCRDResourceValidation = apiextv1beta1.CustomResourceValidation
 							"enable_admin_role_for_users": {
 								Type: "boolean",
 							},
+							"enable_postgres_team_crd": {
+								Type: "boolean",
+							},
+							"enable_postgres_team_crd_superusers": {
+								Type: "boolean",
+							},
 							"enable_team_superuser": {
 								Type: "boolean",
 							},

pkg/apis/acid.zalan.do/v1/operator_configuration_type.go

@@ -135,16 +135,18 @@ type OperatorDebugConfiguration struct {
 
 // TeamsAPIConfiguration defines the configuration of TeamsAPI
 type TeamsAPIConfiguration struct {
-	EnableTeamsAPI           bool              `json:"enable_teams_api,omitempty"`
+	EnableTeamsAPI                  bool              `json:"enable_teams_api,omitempty"`
-	TeamsAPIUrl              string            `json:"teams_api_url,omitempty"`
+	TeamsAPIUrl                     string            `json:"teams_api_url,omitempty"`
-	TeamAPIRoleConfiguration map[string]string `json:"team_api_role_configuration,omitempty"`
+	TeamAPIRoleConfiguration        map[string]string `json:"team_api_role_configuration,omitempty"`
-	EnableTeamSuperuser      bool              `json:"enable_team_superuser,omitempty"`
+	EnableTeamSuperuser             bool              `json:"enable_team_superuser,omitempty"`
-	EnableAdminRoleForUsers  bool              `json:"enable_admin_role_for_users,omitempty"`
+	EnableAdminRoleForUsers         bool              `json:"enable_admin_role_for_users,omitempty"`
-	TeamAdminRole            string            `json:"team_admin_role,omitempty"`
+	TeamAdminRole                   string            `json:"team_admin_role,omitempty"`
-	PamRoleName              string            `json:"pam_role_name,omitempty"`
+	PamRoleName                     string            `json:"pam_role_name,omitempty"`
-	PamConfiguration         string            `json:"pam_configuration,omitempty"`
+	PamConfiguration                string            `json:"pam_configuration,omitempty"`
-	ProtectedRoles           []string          `json:"protected_role_names,omitempty"`
+	ProtectedRoles                  []string          `json:"protected_role_names,omitempty"`
-	PostgresSuperuserTeams   []string          `json:"postgres_superuser_teams,omitempty"`
+	PostgresSuperuserTeams          []string          `json:"postgres_superuser_teams,omitempty"`
+	EnablePostgresTeamCRD           *bool             `json:"enable_postgres_team_crd,omitempty"`
+	EnablePostgresTeamCRDSuperusers bool              `json:"enable_postgres_team_crd_superusers,omitempty"`
 }
 
 // LoggingRESTAPIConfiguration defines Logging API conf

pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go

@@ -1114,6 +1114,11 @@ func (in *TeamsAPIConfiguration) DeepCopyInto(out *TeamsAPIConfiguration) {
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
+	if in.EnablePostgresTeamCRD != nil {
+		in, out := &in.EnablePostgresTeamCRD, &out.EnablePostgresTeamCRD
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 

pkg/cluster/cluster.go

@@ -1102,7 +1102,7 @@ func (c *Cluster) initTeamMembers(teamID string, isPostgresSuperuserTeam bool) e
 		if c.shouldAvoidProtectedOrSystemRole(username, "API role") {
 			continue
 		}
-		if c.OpConfig.EnableTeamSuperuser || isPostgresSuperuserTeam {
+		if (c.OpConfig.EnableTeamSuperuser && teamID == c.Spec.TeamID) || isPostgresSuperuserTeam {
 			flags = append(flags, constants.RoleFlagSuperuser)
 		} else {
 			if c.OpConfig.TeamAdminRole != "" {
@@ -1130,8 +1130,13 @@ func (c *Cluster) initTeamMembers(teamID string, isPostgresSuperuserTeam bool) e
 
 func (c *Cluster) initHumanUsers() error {
 
-	superuserTeams := c.PgTeamMap.GetAdditionalSuperuserTeams(c.Spec.TeamID, true)
 	var clusterIsOwnedBySuperuserTeam bool
+	superuserTeams := []string{}
+
+	if c.OpConfig.EnablePostgresTeamCRDSuperusers {
+		superuserTeams = c.PgTeamMap.GetAdditionalSuperuserTeams(c.Spec.TeamID, true)
+	}
+
 	for _, postgresSuperuserTeam := range c.OpConfig.PostgresSuperuserTeams {
 		if !(util.SliceContains(superuserTeams, postgresSuperuserTeam)) {
 			superuserTeams = append(superuserTeams, postgresSuperuserTeam)

pkg/controller/controller.go

@@ -297,7 +297,12 @@ func (c *Controller) initController() {
 
 	c.initPodServiceAccount()
 	c.initSharedInformers()
-	c.loadPostgresTeams()
+
+	if c.opConfig.EnablePostgresTeamCRD != nil && *c.opConfig.EnablePostgresTeamCRD {
+		c.loadPostgresTeams()
+	} else {
+		c.pgTeamMap = teams.PostgresTeamMap{}
+	}
 
 	if c.opConfig.DebugLogging {
 		c.logger.Logger.Level = logrus.DebugLevel
@@ -330,6 +335,7 @@ func (c *Controller) initController() {
 
 func (c *Controller) initSharedInformers() {
 
+	// Postgresqls
 	c.postgresqlInformer = acidv1informer.NewPostgresqlInformer(
 		c.KubeClient.AcidV1ClientSet,
 		c.opConfig.WatchedNamespace,
@@ -342,16 +348,19 @@ func (c *Controller) initSharedInformers() {
 		DeleteFunc: c.postgresqlDelete,
 	})
 
-	c.postgresTeamInformer = acidv1informer.NewPostgresTeamInformer(
+	// PostgresTeams
-		c.KubeClient.AcidV1ClientSet,
+	if c.opConfig.EnablePostgresTeamCRD != nil && *c.opConfig.EnablePostgresTeamCRD {
-		c.opConfig.WatchedNamespace,
+		c.postgresTeamInformer = acidv1informer.NewPostgresTeamInformer(
-		constants.QueueResyncPeriodTPR*6, // 30 min
+			c.KubeClient.AcidV1ClientSet,
-		cache.Indexers{})
+			c.opConfig.WatchedNamespace,
+			constants.QueueResyncPeriodTPR*6, // 30 min
+			cache.Indexers{})
 
-	c.postgresTeamInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
+		c.postgresTeamInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc:    c.postgresTeamAdd,
+			AddFunc:    c.postgresTeamAdd,
-		UpdateFunc: c.postgresTeamUpdate,
+			UpdateFunc: c.postgresTeamUpdate,
-	})
+		})
+	}
 
 	// Pods
 	podLw := &cache.ListWatch{
@@ -409,11 +418,14 @@ func (c *Controller) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
 	wg.Add(5)
 	go c.runPodInformer(stopCh, wg)
 	go c.runPostgresqlInformer(stopCh, wg)
-	go c.runPostgresTeamInformer(stopCh, wg)
 	go c.clusterResync(stopCh, wg)
 	go c.apiserver.Run(stopCh, wg)
 	go c.kubeNodesInformer(stopCh, wg)
 
+	if c.opConfig.EnablePostgresTeamCRD != nil && *c.opConfig.EnablePostgresTeamCRD {
+		go c.runPostgresTeamInformer(stopCh, wg)
+	}
+
 	c.logger.Info("started working in background")
 }
 

pkg/controller/operator_config.go

@@ -163,6 +163,8 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result.PamConfiguration = util.Coalesce(fromCRD.TeamsAPI.PamConfiguration, "https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees")
 	result.ProtectedRoles = util.CoalesceStrArr(fromCRD.TeamsAPI.ProtectedRoles, []string{"admin"})
 	result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams
+	result.EnablePostgresTeamCRD = util.CoalesceBool(fromCRD.TeamsAPI.EnablePostgresTeamCRD, util.True())
+	result.EnablePostgresTeamCRDSuperusers = fromCRD.TeamsAPI.EnablePostgresTeamCRDSuperusers
 
 	// logging REST API config
 	result.APIPort = util.CoalesceInt(fromCRD.LoggingRESTAPI.APIPort, 8080)

pkg/util/config/config.go

@@ -169,6 +169,8 @@ type Config struct {
 	EnableTeamSuperuser                    bool              `name:"enable_team_superuser" default:"false"`
 	TeamAdminRole                          string            `name:"team_admin_role" default:"admin"`
 	EnableAdminRoleForUsers                bool              `name:"enable_admin_role_for_users" default:"true"`
+	EnablePostgresTeamCRD                  *bool             `name:"enable_postgres_team_crd" default:"true"`
+	EnablePostgresTeamCRDSuperusers        bool              `name:"enable_postgres_team_crd_superusers" default:"false"`
 	EnableMasterLoadBalancer               bool              `name:"enable_master_load_balancer" default:"true"`
 	EnableReplicaLoadBalancer              bool              `name:"enable_replica_load_balancer" default:"false"`
 	CustomServiceAnnotations               map[string]string `name:"custom_service_annotations"`