Merge branch 'master' into cluster-status-map2

charts/postgres-operator/values.yaml

@@ -25,6 +25,7 @@ config:
   secret_name_template: '{username}.{cluster}.credentials'
   super_username: postgres
   enable_teams_api: "false"
+  spilo_privileged: "false"
   # set_memory_request_to_limit: "true"
   # postgres_superuser_teams: "postgres_superusers"
   # enable_team_superuser: "false"

docs/reference/operator_parameters.md

@@ -213,6 +213,9 @@ configuration they are grouped under the `kubernetes` key.
   that should be assigned to the Postgres pods. The priority class itself must be defined in advance.
   Default is empty (use the default priority class).
 
+* **spilo_privileged**
+  whether the Spilo container should run in privileged mode. Privileged mode is used for AWS volume resizing and not required if you don't need that capability. The default is `false`.
+  
  * **master_pod_move_timeout**
    The period of time to wait for the success of migration of master pods from an unschedulable node.
    The migration includes Patroni switchovers to respective replicas on healthy nodes. The situation where master pods still exist on the old node after this timeout expires has to be fixed manually. The default is 20 minutes.

docs/user.md

@@ -43,13 +43,25 @@ $ kubectl get pods -w --show-labels
 
 ## Connect to PostgreSQL
 
-We can use the generated secret of the `postgres` robot user to connect to our `acid-minimal-cluster` master running in Minikube:
+With a `port-forward` on one of the database pods (e.g. the master) you can
+connect to the PostgreSQL database. Use labels to filter for the master pod of
+our test cluster.
+
+```bash
+# get name of master pod of acid-minimal-cluster
+export PGMASTER=$(kubectl get pods -o jsonpath={.items..metadata.name} -l application=spilo,version=acid-minimal-cluster,spilo-role=master)
+
+# set up port forward
+kubectl port-forward $PGMASTER 6432:5432
+```
+
+Open another CLI and connect to the database. Use the generated secret of the
+`postgres` robot user to connect to our `acid-minimal-cluster` master running
+in Minikube:
 
 ```bash
-$ export PGHOST=db_host
-$ export PGPORT=db_port
 $ export PGPASSWORD=$(kubectl get secret postgres.acid-minimal-cluster.credentials -o 'jsonpath={.data.password}' | base64 -d)
-$ psql -U postgres
+$ psql -U postgres -p 6432
 ```
 
 # Defining database roles in the operator

manifests/configmap.yaml

@@ -15,6 +15,7 @@ data:
   secret_name_template: '{username}.{cluster}.credentials'
   super_username: postgres
   enable_teams_api: "false"
+  spilo_privileged: "false"
   # custom_service_annotations:
   #   "keyx:valuez,keya:valuea"
   # set_memory_request_to_limit: "true"

manifests/postgresql-operator-default-configuration.yaml

@@ -23,6 +23,7 @@ configuration:
     secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
     oauth_token_secret_name: postgresql-operator
     pod_role_label: spilo-role
+    spilo_privileged: false
     cluster_labels:
         application: spilo
     # inherited_labels:

pkg/apis/acid.zalan.do/v1/operator_configuration_type.go

@@ -45,6 +45,7 @@ type KubernetesMetaConfiguration struct {
 	PodServiceAccountDefinition            string                `json:"pod_service_account_definition,omitempty"`
 	PodServiceAccountRoleBindingDefinition string                `json:"pod_service_account_role_binding_definition,omitempty"`
 	PodTerminateGracePeriod                Duration              `json:"pod_terminate_grace_period,omitempty"`
+	SpiloPrivileged                        bool                  `json:"spilo_privileged,omitemty"`
 	WatchedNamespace                       string                `json:"watched_namespace,omitempty"`
 	PDBNameFormat                          config.StringTemplate `json:"pdb_name_format,omitempty"`
 	SecretNameTemplate                     config.StringTemplate `json:"secret_name_template,omitempty"`

pkg/cluster/k8sres.go

@@ -358,8 +358,8 @@ func generateSpiloContainer(
 	resourceRequirements *v1.ResourceRequirements,
 	envVars []v1.EnvVar,
 	volumeMounts []v1.VolumeMount,
+	privilegedMode bool,
 ) *v1.Container {
-	privilegedMode := true
 	return &v1.Container{
 		Name:            name,
 		Image:           *dockerImage,
@@ -797,6 +797,7 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*v1beta1.State
 		resourceRequirements,
 		spiloEnvVars,
 		volumeMounts,
+		c.OpConfig.Resources.SpiloPrivileged,
 	)
 
 	// resolve conflicts between operator-global and per-cluster sidecars

pkg/controller/operator_config.go

@@ -41,6 +41,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result.PodServiceAccountRoleBindingDefinition = fromCRD.Kubernetes.PodServiceAccountRoleBindingDefinition
 	result.PodEnvironmentConfigMap = fromCRD.Kubernetes.PodEnvironmentConfigMap
 	result.PodTerminateGracePeriod = time.Duration(fromCRD.Kubernetes.PodTerminateGracePeriod)
+	result.SpiloPrivileged = fromCRD.Kubernetes.SpiloPrivileged
 	result.WatchedNamespace = fromCRD.Kubernetes.WatchedNamespace
 	result.PDBNameFormat = fromCRD.Kubernetes.PDBNameFormat
 	result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate

pkg/util/config/config.go

@@ -26,6 +26,7 @@ type Resources struct {
 	PodDeletionWaitTimeout  time.Duration     `name:"pod_deletion_wait_timeout" default:"10m"`
 	PodTerminateGracePeriod time.Duration     `name:"pod_terminate_grace_period" default:"5m"`
 	PodPriorityClassName    string            `name:"pod_priority_class_name"`
+	SpiloPrivileged         bool              `name:"spilo_privileged" default:"false"`
 	ClusterLabels           map[string]string `name:"cluster_labels" default:"application:spilo"`
 	InheritedLabels         []string          `name:"inherited_labels" default:""`
 	ClusterNameLabel        string            `name:"cluster_name_label" default:"cluster-name"`