Fixes

- include namespace in secret name only when namespace is provided
- use username.namespace as key to pgUsers only when namespace is
  provided
- avoid conflict in the role creation in db by checking namespace
  alongwith the username

pkg/cluster/cluster.go

@@ -1122,7 +1122,11 @@ func (c *Cluster) initRobotUsers() error {
 			AdminRole: adminRole,
 		}
 		if currentRole, present := c.pgUsers[username]; present {
+			if namespace == c.pgUsers[username].Namespace {
 				c.pgUsers[username] = c.resolveNameConflict(&currentRole, &newRole)
+			} else {
+				c.pgUsers[username+"."+namespace] = newRole
+			}
 		} else {
 			c.pgUsers[username] = newRole
 		}

pkg/cluster/k8sres.go

@@ -1581,10 +1581,13 @@ func (c *Cluster) generateSingleUserSecret(namespace string, pgUser spec.PgUser)
 	if username == constants.ConnectionPoolerUserName {
 		lbls = c.connectionPoolerLabels("", false).MatchLabels
 	}
-
+	secret_name := username
+	if pgUser.Namespace != c.Namespace {
+		secret_name = username + "." + pgUser.Namespace
+	}
 	secret := v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        c.credentialSecretName(username),
+			Name:        c.credentialSecretName(secret_name),
 			Namespace:   pgUser.Namespace,
 			Labels:      lbls,
 			Annotations: c.annotationsSet(nil),

pkg/cluster/resources.go

@@ -32,7 +32,7 @@ func (c *Cluster) listResources() error {
 	}
 
 	for _, obj := range c.Secrets {
-		c.logger.Infof("found secret: %q (uid: %q)", util.NameFromMeta(obj.ObjectMeta), obj.UID)
+		c.logger.Infof("found secret: %q (uid: %q) namesapce: %s", util.NameFromMeta(obj.ObjectMeta), obj.UID, obj.ObjectMeta.Namespace)
 	}
 
 	for role, endpoint := range c.Endpoints {

pkg/cluster/sync.go

@@ -481,12 +481,9 @@ func (c *Cluster) syncSecrets() error {
 	secrets := c.generateUserSecrets()
 
 	for secretUsername, secretSpec := range secrets {
-		if len(secretSpec.Namespace) < 0 {
-			c.logger.Warningf("found empty namespace for user %s", secretUsername)
-		}
 		if secret, err = c.KubeClient.Secrets(secretSpec.Namespace).Create(context.TODO(), secretSpec, metav1.CreateOptions{}); err == nil {
 			c.Secrets[secret.UID] = secret
-			c.logger.Debugf("created new secret %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secret.UID)
+			c.logger.Debugf("created new secret %s, namespace: %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secretSpec.Namespace, secret.UID)
 			continue
 		}
 		if k8sutil.ResourceAlreadyExists(err) {
@@ -555,8 +552,12 @@ func (c *Cluster) syncRoles() (err error) {
 	}()
 
 	for _, u := range c.pgUsers {
+		if u.Namespace != c.Namespace {
+			userNames = append(userNames, u.Name+"."+"u.Namespace")
+		} else {
 			userNames = append(userNames, u.Name)
 		}
+	}
 
 	if needMasterConnectionPooler(&c.Spec) || needReplicaConnectionPooler(&c.Spec) {
 		connectionPoolerUser := c.systemUsers[constants.ConnectionPoolerUserKeyName]

pkg/spec/types.go

@@ -48,7 +48,7 @@ const (
 type PgUser struct {
 	Origin     RoleOrigin `yaml:"-"`
 	Name       string     `yaml:"-"`
-	Namespace  string            `yaml:"."`
+	Namespace  string
 	Password   string            `yaml:"-"`
 	Flags      []string          `yaml:"user_flags"`
 	MemberOf   []string          `yaml:"inrole"`