Allow individual teams to do auto upgrade via operator. (#1699)

* Allow whitelisting of teams to do auto upgrade upgrade via operator.

Co-authored-by: Felix Kunde <felix-kunde@gmx.de>

charts/postgres-operator/crds/operatorconfigurations.yaml

@@ -131,6 +131,10 @@ spec:
                   major_version_upgrade_mode:
                     type: string
                     default: "off"
+                  major_version_upgrade_team_allow_list:
+                    type: array
+                    items:
+                      type: string
                   minimal_major_version:
                     type: string
                     default: "9.6"

charts/postgres-operator/values.yaml

@@ -64,6 +64,10 @@ configUsers:
 configMajorVersionUpgrade:
   # "off": no upgrade, "manual": manifest triggers action, "full": minimal version violation triggers too
   major_version_upgrade_mode: "off"
+  # upgrades will only be carried out for clusters of listed teams when mode is "off"
+  # major_version_upgrade_team_allow_list:
+  # - acid
+
   # minimal Postgres major version that will not automatically be upgraded
   minimal_major_version: "9.6"
   # target Postgres major version when upgrading clusters automatically

docs/reference/operator_parameters.md

@@ -184,6 +184,10 @@ CRD-configuration, they are grouped under the `major_version_upgrade` key.
   Note, that with all three modes increasing the version in the manifest will
   trigger a rolling update of the pods. The default is `"off"`.
 
+* **major_version_upgrade_team_allow_list**
+  Upgrades will only be carried out for clusters of listed teams when mode is
+  set to "off". The default is empty.
+
 * **minimal_major_version**
   The minimal Postgres major version that will not automatically be upgraded
   when `major_version_upgrade_mode` is set to `"full"`. The default is `"9.6"`.

docs/user.md

@@ -603,10 +603,9 @@ spec:
 ```
 
 Some extensions require SUPERUSER rights on creation unless they are not
-whitelisted by the [pgextwlist](https://github.com/dimitri/pgextwlist)
+allowed by the [pgextwlist](https://github.com/dimitri/pgextwlist) extension,
-extension, that is shipped with the Spilo image. To see which extensions are
+that is shipped with the Spilo image. To see which extensions are on the list
-on the list check the `extwlist.extension` parameter in the postgresql.conf
+check the `extwlist.extension` parameter in the postgresql.conf file.
-file.
 
 ```bash
 SHOW extwlist.extensions;

manifests/configmap.yaml

@@ -77,6 +77,7 @@ data:
   logical_backup_s3_sse: "AES256"
   logical_backup_schedule: "30 00 * * *"
   major_version_upgrade_mode: "manual"
+  # major_version_upgrade_team_allow_list: ""
   master_dns_name_format: "{cluster}.{team}.{hostedzone}"
   # master_pod_move_timeout: 20m
   # max_instances: "-1"

manifests/operatorconfiguration.crd.yaml

@@ -129,6 +129,10 @@ spec:
                   major_version_upgrade_mode:
                     type: string
                     default: "off"
+                  major_version_upgrade_team_allow_list:
+                    type: array
+                    items:
+                      type: string
                   minimal_major_version:
                     type: string
                     default: "9.6"

manifests/postgresql-operator-default-configuration.yaml

@@ -28,6 +28,8 @@ configuration:
     super_username: postgres
   major_version_upgrade:
     major_version_upgrade_mode: "off"
+    # major_version_upgrade_team_allow_list:
+    # - acid
     minimal_major_version: "9.6"
     target_major_version: "14"
   kubernetes:

pkg/apis/acid.zalan.do/v1/crds.go

@@ -1019,6 +1019,14 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 							"major_version_upgrade_mode": {
 								Type: "string",
 							},
+							"major_version_upgrade_team_allow_list": {
+								Type: "array",
+								Items: &apiextv1.JSONSchemaPropsOrArray{
+									Schema: &apiextv1.JSONSchemaProps{
+										Type: "string",
+									},
+								},
+							},
 							"minimal_major_version": {
 								Type: "string",
 							},

pkg/apis/acid.zalan.do/v1/operator_configuration_type.go

@@ -43,9 +43,10 @@ type PostgresUsersConfiguration struct {
 
 // MajorVersionUpgradeConfiguration defines how to execute major version upgrades of Postgres.
 type MajorVersionUpgradeConfiguration struct {
-	MajorVersionUpgradeMode string `json:"major_version_upgrade_mode" default:"off"` // off - no actions, manual - manifest triggers action, full - manifest and minimal version violation trigger upgrade
+	MajorVersionUpgradeMode          string   `json:"major_version_upgrade_mode" default:"off"` // off - no actions, manual - manifest triggers action, full - manifest and minimal version violation trigger upgrade
-	MinimalMajorVersion     string `json:"minimal_major_version" default:"9.6"`
+	MajorVersionUpgradeTeamAllowList []string `json:"major_version_upgrade_team_allow_list,omitempty"`
-	TargetMajorVersion      string `json:"target_major_version" default:"14"`
+	MinimalMajorVersion              string   `json:"minimal_major_version" default:"9.6"`
+	TargetMajorVersion               string   `json:"target_major_version" default:"14"`
 }
 
 // KubernetesMetaConfiguration defines k8s conf required for all Postgres clusters and the operator itself

pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go

@@ -318,6 +318,11 @@ func (in *MaintenanceWindow) DeepCopy() *MaintenanceWindow {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MajorVersionUpgradeConfiguration) DeepCopyInto(out *MajorVersionUpgradeConfiguration) {
 	*out = *in
+	if in.MajorVersionUpgradeTeamAllowList != nil {
+		in, out := &in.MajorVersionUpgradeTeamAllowList, &out.MajorVersionUpgradeTeamAllowList
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 
@@ -386,7 +391,7 @@ func (in *OperatorConfigurationData) DeepCopyInto(out *OperatorConfigurationData
 		}
 	}
 	out.PostgresUsersConfiguration = in.PostgresUsersConfiguration
-	out.MajorVersionUpgrade = in.MajorVersionUpgrade
+	in.MajorVersionUpgrade.DeepCopyInto(&out.MajorVersionUpgrade)
 	in.Kubernetes.DeepCopyInto(&out.Kubernetes)
 	out.PostgresPodResources = in.PostgresPodResources
 	out.Timeouts = in.Timeouts

pkg/cluster/majorversionupgrade.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/zalando/postgres-operator/pkg/spec"
+	"github.com/zalando/postgres-operator/pkg/util"
 	v1 "k8s.io/api/core/v1"
 )
 
@@ -44,9 +45,25 @@ func (c *Cluster) GetDesiredMajorVersion() string {
 	return c.Spec.PgVersion
 }
 
+func (c *Cluster) isUpgradeAllowedForTeam(owningTeam string) bool {
+	allowedTeams := c.OpConfig.MajorVersionUpgradeTeamAllowList
+
+	if len(allowedTeams) == 0 {
+		return false
+	}
+
+	return util.SliceContains(allowedTeams, owningTeam)
+}
+
+/*
+  Execute upgrade when mode is set to manual or full or when the owning team is allowed for upgrade (and mode is "off").
+
+  Manual upgrade means, it is triggered by the user via manifest version change
+  Full upgrade means, operator also determines the minimal version used accross all clusters and upgrades violators.
+*/
 func (c *Cluster) majorVersionUpgrade() error {
 
-	if c.OpConfig.MajorVersionUpgradeMode == "off" {
+	if c.OpConfig.MajorVersionUpgradeMode == "off" && !c.isUpgradeAllowedForTeam(c.Spec.TeamID) {
 		return nil
 	}
 

pkg/controller/operator_config.go

@@ -56,6 +56,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 
 	// major version upgrade config
 	result.MajorVersionUpgradeMode = util.Coalesce(fromCRD.MajorVersionUpgrade.MajorVersionUpgradeMode, "off")
+	result.MajorVersionUpgradeTeamAllowList = fromCRD.MajorVersionUpgrade.MajorVersionUpgradeTeamAllowList
 	result.MinimalMajorVersion = util.Coalesce(fromCRD.MajorVersionUpgrade.MinimalMajorVersion, "9.6")
 	result.TargetMajorVersion = util.Coalesce(fromCRD.MajorVersionUpgrade.TargetMajorVersion, "14")
 

pkg/util/config/config.go

@@ -212,6 +212,7 @@ type Config struct {
 	EnablePgVersionEnvVar                  bool              `name:"enable_pgversion_env_var" default:"true"`
 	EnableSpiloWalPathCompat               bool              `name:"enable_spilo_wal_path_compat" default:"false"`
 	MajorVersionUpgradeMode                string            `name:"major_version_upgrade_mode" default:"off"`
+	MajorVersionUpgradeTeamAllowList       []string          `name:"major_version_upgrade_team_allow_list" default:""`
 	MinimalMajorVersion                    string            `name:"minimal_major_version" default:"9.6"`
 	TargetMajorVersion                     string            `name:"target_major_version" default:"14"`
 }