diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 205f61c9a..42366781f 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -1122,7 +1122,11 @@ func (c *Cluster) initRobotUsers() error {
 AdminRole: adminRole,
 }
 if currentRole, present := c.pgUsers[username]; present {
- c.pgUsers[username] = c.resolveNameConflict(¤tRole, &newRole)
+ if namespace == c.pgUsers[username].Namespace {
+ c.pgUsers[username] = c.resolveNameConflict(¤tRole, &newRole)
+ } else {
+ c.pgUsers[username+"."+namespace] = newRole
+ }
 } else {
 c.pgUsers[username] = newRole
 }
diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
index 98f64449b..af01bd1b9 100644
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@@ -1581,10 +1581,13 @@ func (c *Cluster) generateSingleUserSecret(namespace string, pgUser spec.PgUser)
 if username == constants.ConnectionPoolerUserName {
 lbls = c.connectionPoolerLabels("", false).MatchLabels
 }
-
+ secret_name := username
+ if pgUser.Namespace != c.Namespace {
+ secret_name = username + "." + pgUser.Namespace
+ }
 secret := v1.Secret{
 ObjectMeta: metav1.ObjectMeta{
- Name: c.credentialSecretName(username),
+ Name: c.credentialSecretName(secret_name),
 Namespace: pgUser.Namespace,
 Labels: lbls,
 Annotations: c.annotationsSet(nil),
diff --git a/pkg/cluster/resources.go b/pkg/cluster/resources.go
index 48b17f532..f078c6434 100644
--- a/pkg/cluster/resources.go
+++ b/pkg/cluster/resources.go
@@ -32,7 +32,7 @@ func (c *Cluster) listResources() error {
 }
 for _, obj := range c.Secrets {
- c.logger.Infof("found secret: %q (uid: %q)", util.NameFromMeta(obj.ObjectMeta), obj.UID)
+ c.logger.Infof("found secret: %q (uid: %q) namesapce: %s", util.NameFromMeta(obj.ObjectMeta), obj.UID, obj.ObjectMeta.Namespace)
 }
 for role, endpoint := range c.Endpoints {
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index 8d4241c37..112a0cf1f 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
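Review bot: In pkg/cluster/cluster.go, initRobotUsers, the new else branch assigns `c.pgUsers[username+"."+namespace] = newRole` without checking whether that key already exists, so an earlier entry under the same composite key is silently replaced instead of going through resolveNameConflict. If a username may itself contain a dot, the composite key is also indistinguishable from a plain username, and two different identities would share one map entry and therefore one credential record. I would look the composite key up first and call resolveNameConflict on a hit, and compare against the value already fetched, `if namespace == currentRole.Namespace {`, rather than indexing the map again. The function starts and ends outside the hunk, so how `namespace` is derived and validated is not visible here.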
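Review bot: In pkg/cluster/k8sres.go, generateSingleUserSecret, the test `pgUser.Namespace != c.Namespace` is also true for any PgUser that reaches this point with Namespace unset, which would produce a secret name ending in a dot and a Secret whose `Namespace` is empty; the same comparison in syncRoles (pkg/cluster/sync.go) has the same gap, and syncSecrets drops the old empty-namespace warning (which never fired) without adding a working one. `if pgUser.Namespace != "" && pgUser.Namespace != c.Namespace {` keeps unset values on the existing path. Because the Secret holding the role's credentials is created in whatever namespace the user entry names, please confirm outside this hunk that the value is validated and that writing into other namespaces is an explicit operator setting. `secret_name` should be `secretName` to follow Go naming. The function body extends beyond the hunk.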
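Review bot: In pkg/cluster/resources.go, listResources, the new format string spells the label `namesapce`, so log searches and alert rules keyed on `namespace` will miss this line. The added field is also printed with `%s` while the other two use `%q`; `"found secret: %q (uid: %q) namespace: %q"` keeps the line consistent and shows an empty namespace as `""` instead of nothing.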
@@ -481,12 +481,9 @@ func (c *Cluster) syncSecrets() error {
 secrets := c.generateUserSecrets()
 for secretUsername, secretSpec := range secrets {
- if len(secretSpec.Namespace) < 0 {
- c.logger.Warningf("found empty namespace for user %s", secretUsername)
- }
 if secret, err = c.KubeClient.Secrets(secretSpec.Namespace).Create(context.TODO(), secretSpec, metav1.CreateOptions{}); err == nil {
 c.Secrets[secret.UID] = secret
- c.logger.Debugf("created new secret %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secret.UID)
+ c.logger.Debugf("created new secret %s, namespace: %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secretSpec.Namespace, secret.UID)
 continue
 }
 if k8sutil.ResourceAlreadyExists(err) {
@@ -555,7 +552,11 @@ func (c *Cluster) syncRoles() (err error) {
 }()
 for _, u := range c.pgUsers {
- userNames = append(userNames, u.Name)
+ if u.Namespace != c.Namespace {
+ userNames = append(userNames, u.Name+"."+"u.Namespace")
+ } else {
+ userNames = append(userNames, u.Name)
+ }
 }
 if needMasterConnectionPooler(&c.Spec) || needReplicaConnectionPooler(&c.Spec) {
diff --git a/pkg/spec/types.go b/pkg/spec/types.go
index 06203bd46..66b4465cb 100644
--- a/pkg/spec/types.go
+++ b/pkg/spec/types.go
@@ -46,9 +46,9 @@ const (
 // PgUser contains information about a single user.
 type PgUser struct {
- Origin RoleOrigin `yaml:"-"`
- Name string `yaml:"-"`
- Namespace string `yaml:"."`
+ Origin RoleOrigin `yaml:"-"`
+ Name string `yaml:"-"`
+ Namespace string
 Password string `yaml:"-"`
 Flags []string `yaml:"user_flags"`
 MemberOf []string `yaml:"inrole"`
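Review bot: In pkg/cluster/sync.go, syncRoles, the added `u.Name+"."+"u.Namespace"` appends the literal text `u.Namespace` rather than the field, so every user from another namespace is listed as `<name>.u.Namespace`. That string does not match the secret name built in generateSingleUserSecret and presumably matches no existing database role, so role sync for those users would run against the wrong name. The line should read `userNames = append(userNames, u.Name+"."+u.Namespace)`. Please also confirm against the code outside this hunk whether the database role name is meant to carry the namespace suffix at all, or only the secret name is.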
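Review bot: In pkg/spec/types.go, `Namespace` becomes the only PgUser field shown here without a yaml tag, while `Origin`, `Name` and `Password` are explicitly excluded with `yaml:"-"`. If PgUser is decoded from YAML anywhere, the untagged field falls back to the decoder's default key and becomes settable from that input. Since this value now decides which namespace a credentials Secret is written to, the intent should be explicit: tag it `yaml:"-"` if only the operator may set it, or give it a named key if it is meant to be configurable. A one-line field comment saying who sets it would help; the struct continues past the end of the hunk.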