public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

add documentation and update rbac

This commit is contained in:
Felix Kunde 2020-10-20 15:37:39 +02:00
parent 7add4dc105
commit 3e7e99039b
5 changed files with 83 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
charts/postgres-operator/crds/postgresteams.yaml
View File

@ -40,11 +40,11 @@ spec:
properties: properties:
additionalSuperuserTeams: additionalSuperuserTeams:
type: object type: object
description: "Map for teamId and associted additional admin teams" description: "Map for teamId and associted additional superuser teams"
additionalProperties: additionalProperties:
type: array type: array
nullable: true nullable: true
description: "List of teams to become Postgres admins" description: "List of teams to become Postgres superusers"
items: items:
type: string type: string
additionalTeams: additionalTeams:

10
charts/postgres-operator/templates/clusterrole.yaml
View File

@ -15,7 +15,6 @@ rules:
resources: resources:
- postgresqls - postgresqls
- postgresqls/status - postgresqls/status
- postgresteams
- operatorconfigurations - operatorconfigurations
verbs: verbs:
- create - create
@ -26,6 +25,15 @@ rules:
- patch - patch
- update - update
- watch - watch
# operator only reads PostgresTeams
- apiGroups:
- acid.zalan.do
resources:
- postgresteams
verbs:
- get
- list
- watch
# to create or get/update CRDs when starting up # to create or get/update CRDs when starting up
- apiGroups: - apiGroups:
- apiextensions.k8s.io - apiextensions.k8s.io

61
docs/user.md
View File

@ -269,6 +269,67 @@ to choose superusers, group roles, [PAM configuration](https://github.com/CyberD
etc. An OAuth2 token can be passed to the Teams API via a secret. The name for etc. An OAuth2 token can be passed to the Teams API via a secret. The name for
this secret is configurable with the `oauth_token_secret_name` parameter. this secret is configurable with the `oauth_token_secret_name` parameter.
### Additional teams and members per cluster
Postgres clusters are associated with one team by providing the `teamID` in
the manifest. Additional superuser teams can be configured as mentioned in
the previous paragraph. However, this is a global setting. To assign
additional teams, superuser teams and single users to clusters of a given
team, use the [PostgresTeam CRD](../manifests/postgresteam.yaml). It provides
a simple mapping structure.
```yaml
apiVersion: "acid.zalan.do/v1"
kind: PostgresTeam
metadata:
name: custom-team-membership
spec:
additionalSuperuserTeams:
acid:
- "postgres_superusers"
additionalTeams:
acid: []
additionalMembers:
acid:
- "elephant"
```
One `PostgresTeam` resource could contain mappings of multiple teams but you
can choose to create separate CRDs, alternatively. On each CRD creation or
update the operator will gather all mappings to create additional human users
in databases the next time they are synced. Additional teams are resolved
transitively, meaning you will also add users for their `additionalTeams`
or (not and) `additionalSuperuserTeams`.
For each additional team the Teams API would be queried. Additional members
will be added either way. There can be "virtual teams" that do not exists in
your Teams API but users of associated teams as well as members will get
created. With `PostgresTeams` it's also easy to cover team name changes. Just
add the mapping between old and new team name and the rest can stay the same.
```yaml
apiVersion: "acid.zalan.do/v1"
kind: PostgresTeam
metadata:
name: virtualteam-membership
spec:
additionalSuperuserTeams:
acid:
- "virtual_superusers"
virtual_superusers:
- "real_teamA"
- "real_teamB"
real_teamA:
- "real_teamA_renamed"
additionalTeams:
real_teamA:
- "real_teamA_renamed"
additionalMembers:
virtual_superusers:
- "foo"
```
## Prepared databases with roles and default privileges ## Prepared databases with roles and default privileges
The `users` section in the manifests only allows for creating database roles The `users` section in the manifests only allows for creating database roles

10
manifests/operator-service-account-rbac.yaml
View File

@ -16,7 +16,6 @@ rules:
resources: resources:
- postgresqls - postgresqls
- postgresqls/status - postgresqls/status
- postgresteams
- operatorconfigurations - operatorconfigurations
verbs: verbs:
- create - create
@ -27,6 +26,15 @@ rules:
- patch - patch
- update - update
- watch - watch
# operator only reads PostgresTeams
- apiGroups:
- acid.zalan.do
resources:
- postgresteams
verbs:
- get
- list
- watch
# to create or get/update CRDs when starting up # to create or get/update CRDs when starting up
- apiGroups: - apiGroups:
- apiextensions.k8s.io - apiextensions.k8s.io

4
manifests/postgresteam.crd.yaml
View File

@ -36,11 +36,11 @@ spec:
properties: properties:
additionalSuperuserTeams: additionalSuperuserTeams:
type: object type: object
description: "Map for teamId and associted additional admin teams" description: "Map for teamId and associted additional superuser teams"
additionalProperties: additionalProperties:
type: array type: array
nullable: true nullable: true
description: "List of teams to become Postgres admins" description: "List of teams to become Postgres superusers"
items: items:
type: string type: string
additionalTeams: additionalTeams: