add documentation and update rbac

2020-10-20 15:37:39 +02:00 · 2020-10-20 15:37:39 +02:00 · 3e7e99039b
parent 7add4dc105
commit 3e7e99039b
5 changed files with 83 additions and 6 deletions
--- a/charts/postgres-operator/crds/postgresteams.yaml
+++ b/charts/postgres-operator/crds/postgresteams.yaml
@ -40,11 +40,11 @@ spec:
          properties:
            additionalSuperuserTeams:
              type: object
-              description: "Map for teamId and associted additional admin teams"
+              description: "Map for teamId and associted additional superuser teams"
              additionalProperties:
                type: array
                nullable: true
-                description: "List of teams to become Postgres admins"
+                description: "List of teams to become Postgres superusers"
                items:
                  type: string
            additionalTeams:
--- a/charts/postgres-operator/templates/clusterrole.yaml
+++ b/charts/postgres-operator/templates/clusterrole.yaml
@ -15,7 +15,6 @@ rules:
  resources:
  - postgresqls
  - postgresqls/status
-  - postgresteams
  - operatorconfigurations
  verbs:
  - create
@ -26,6 +25,15 @@ rules:
  - patch
  - update
  - watch
+# operator only reads PostgresTeams
+- apiGroups:
+  - acid.zalan.do
+  resources:
+  - postgresteams
+  verbs:
+  - get
+  - list
+  - watch
 # to create or get/update CRDs when starting up
 - apiGroups:
  - apiextensions.k8s.io
--- a/docs/user.md
+++ b/docs/user.md
@ -269,6 +269,67 @@ to choose superusers, group roles, [PAM configuration](https://github.com/CyberD
 etc. An OAuth2 token can be passed to the Teams API via a secret. The name for
 this secret is configurable with the `oauth_token_secret_name` parameter.

+### Additional teams and members per cluster
+
+Postgres clusters are associated with one team by providing the `teamID` in
+the manifest. Additional superuser teams can be configured as mentioned in
+the previous paragraph. However, this is a global setting. To assign
+additional teams, superuser teams and single users to clusters of a given
+team, use the [PostgresTeam CRD](../manifests/postgresteam.yaml). It provides
+a simple mapping structure.
+
+
+```yaml
+apiVersion: "acid.zalan.do/v1"
+kind: PostgresTeam
+metadata:
+  name: custom-team-membership
+spec:
+  additionalSuperuserTeams:
+    acid:
+    - "postgres_superusers"
+  additionalTeams:
+    acid: []
+  additionalMembers:
+    acid:
+    - "elephant"
+```
+
+One `PostgresTeam` resource could contain mappings of multiple teams but you
+can choose to create separate CRDs, alternatively. On each CRD creation or
+update the operator will gather all mappings to create additional human users
+in databases the next time they are synced. Additional teams are resolved
+transitively, meaning you will also add users for their `additionalTeams`
+or (not and) `additionalSuperuserTeams`.
+
+For each additional team the Teams API would be queried. Additional members
+will be added either way. There can be "virtual teams" that do not exists in
+your Teams API but users of associated teams as well as members will get
+created. With `PostgresTeams` it's also easy to cover team name changes. Just
+add the mapping between old and new team name and the rest can stay the same.
+
+```yaml
+apiVersion: "acid.zalan.do/v1"
+kind: PostgresTeam
+metadata:
+  name: virtualteam-membership
+spec:
+  additionalSuperuserTeams:
+    acid:
+    - "virtual_superusers"
+    virtual_superusers:
+    - "real_teamA"
+    - "real_teamB"
+    real_teamA:
+    - "real_teamA_renamed"
+  additionalTeams:
+    real_teamA:
+    - "real_teamA_renamed"
+  additionalMembers:
+    virtual_superusers:
+    - "foo"
+```
+
 ## Prepared databases with roles and default privileges

 The `users` section in the manifests only allows for creating database roles
--- a/manifests/operator-service-account-rbac.yaml
+++ b/manifests/operator-service-account-rbac.yaml
@ -16,7 +16,6 @@ rules:
  resources:
  - postgresqls
  - postgresqls/status
-  - postgresteams
  - operatorconfigurations
  verbs:
  - create
@ -27,6 +26,15 @@ rules:
  - patch
  - update
  - watch
+# operator only reads PostgresTeams
+- apiGroups:
+  - acid.zalan.do
+  resources:
+  - postgresteams
+  verbs:
+  - get
+  - list
+  - watch
 # to create or get/update CRDs when starting up
 - apiGroups:
  - apiextensions.k8s.io
--- a/manifests/postgresteam.crd.yaml
+++ b/manifests/postgresteam.crd.yaml
@ -36,11 +36,11 @@ spec:
          properties:
            additionalSuperuserTeams:
              type: object
-              description: "Map for teamId and associted additional admin teams"
+              description: "Map for teamId and associted additional superuser teams"
              additionalProperties:
                type: array
                nullable: true
-                description: "List of teams to become Postgres admins"
+                description: "List of teams to become Postgres superusers"
                items:
                  type: string
            additionalTeams: