Fixes

- include namespace in secret name only when namespace is provided - use username.namespace as key to pgUsers only when namespace is provided - avoid conflict in the role creation in db by checking namespace alongwith the username
2021-05-20 19:22:00 +02:00 · 2021-05-20 19:22:00 +02:00 · 43154baf39
parent af719c07fe
commit 43154baf39
5 changed files with 20 additions and 12 deletions
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@ -1122,7 +1122,11 @@ func (c *Cluster) initRobotUsers() error {
 			AdminRole: adminRole,
 		}
 		if currentRole, present := c.pgUsers[username]; present {
-			c.pgUsers[username] = c.resolveNameConflict(&currentRole, &newRole)
+			if namespace == c.pgUsers[username].Namespace {
+				c.pgUsers[username] = c.resolveNameConflict(&currentRole, &newRole)
+			} else {
+				c.pgUsers[username+"."+namespace] = newRole
+			}
 		} else {
 			c.pgUsers[username] = newRole
 		}
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@ -1581,10 +1581,13 @@ func (c *Cluster) generateSingleUserSecret(namespace string, pgUser spec.PgUser)
 	if username == constants.ConnectionPoolerUserName {
 		lbls = c.connectionPoolerLabels("", false).MatchLabels
 	}
-
+	secret_name := username
+	if pgUser.Namespace != c.Namespace {
+		secret_name = username + "." + pgUser.Namespace
+	}
 	secret := v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        c.credentialSecretName(username),
+			Name:        c.credentialSecretName(secret_name),
 			Namespace:   pgUser.Namespace,
 			Labels:      lbls,
 			Annotations: c.annotationsSet(nil),
--- a/pkg/cluster/resources.go
+++ b/pkg/cluster/resources.go
@ -32,7 +32,7 @@ func (c *Cluster) listResources() error {
 	}

 	for _, obj := range c.Secrets {
-		c.logger.Infof("found secret: %q (uid: %q)", util.NameFromMeta(obj.ObjectMeta), obj.UID)
+		c.logger.Infof("found secret: %q (uid: %q) namesapce: %s", util.NameFromMeta(obj.ObjectMeta), obj.UID, obj.ObjectMeta.Namespace)
 	}

 	for role, endpoint := range c.Endpoints {
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@ -481,12 +481,9 @@ func (c *Cluster) syncSecrets() error {
 	secrets := c.generateUserSecrets()

 	for secretUsername, secretSpec := range secrets {
-		if len(secretSpec.Namespace) < 0 {
-			c.logger.Warningf("found empty namespace for user %s", secretUsername)
-		}
 		if secret, err = c.KubeClient.Secrets(secretSpec.Namespace).Create(context.TODO(), secretSpec, metav1.CreateOptions{}); err == nil {
 			c.Secrets[secret.UID] = secret
-			c.logger.Debugf("created new secret %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secret.UID)
+			c.logger.Debugf("created new secret %s, namespace: %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secretSpec.Namespace, secret.UID)
 			continue
 		}
 		if k8sutil.ResourceAlreadyExists(err) {
@ -555,7 +552,11 @@ func (c *Cluster) syncRoles() (err error) {
 	}()

 	for _, u := range c.pgUsers {
-		userNames = append(userNames, u.Name)
+		if u.Namespace != c.Namespace {
+			userNames = append(userNames, u.Name+"."+"u.Namespace")
+		} else {
+			userNames = append(userNames, u.Name)
+		}
 	}

 	if needMasterConnectionPooler(&c.Spec) || needReplicaConnectionPooler(&c.Spec) {
--- a/pkg/spec/types.go
+++ b/pkg/spec/types.go
@ -46,9 +46,9 @@ const (

 // PgUser contains information about a single user.
 type PgUser struct {
-	Origin     RoleOrigin        `yaml:"-"`
-	Name       string            `yaml:"-"`
-	Namespace  string            `yaml:"."`
+	Origin     RoleOrigin `yaml:"-"`
+	Name       string     `yaml:"-"`
+	Namespace  string
 	Password   string            `yaml:"-"`
 	Flags      []string          `yaml:"user_flags"`
 	MemberOf   []string          `yaml:"inrole"`