Fixes
- include namespace in secret name only when namespace is provided - use username.namespace as key to pgUsers only when namespace is provided - avoid conflict in the role creation in db by checking namespace along with the username
							parent
							
								
									af719c07fe
								
							
						
					
					
						commit
						43154baf39
					
			@ -1122,7 +1122,11 @@ func (c *Cluster) initRobotUsers() error {
 | 
			
		|||
			AdminRole: adminRole,
 | 
			
		||||
		}
 | 
			
		||||
		if currentRole, present := c.pgUsers[username]; present {
 | 
			
		||||
			if namespace == c.pgUsers[username].Namespace {
 | 
			
		||||
				c.pgUsers[username] = c.resolveNameConflict(¤tRole, &newRole)
 | 
			
		||||
			} else {
 | 
			
		||||
				c.pgUsers[username+"."+namespace] = newRole
 | 
			
		||||
			}
 | 
			
		||||
		} else {
 | 
			
		||||
			c.pgUsers[username] = newRole
 | 
			
		||||
		}
 | 
			
		||||
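Review bot: The else branch `c.pgUsers[username+"."+namespace] = newRole` writes the qualified key without checking whether that key is already taken, so a second role with the same username from the same non-cluster namespace silently overwrites the first instead of going through `resolveNameConflict`, which only runs for the bare key. The comparison also re-reads `c.pgUsers[username].Namespace` although `currentRole` already holds that entry, and which namespace ends up owning the bare `username` key appears to depend on the order the roles are visited; the loop head is outside the hunk, so I cannot confirm that. Deriving the key first and then resolving conflicts on that key gives one code path for both cases. initRobotUsers continues outside the hunk.
```go
	// … unchanged: newRole construction …
	key := username
	if current, present := c.pgUsers[username]; present && current.Namespace != namespace {
		key = username + "." + namespace
	}
	if current, present := c.pgUsers[key]; present {
		c.pgUsers[key] = c.resolveNameConflict(&current, &newRole)
	} else {
		c.pgUsers[key] = newRole
	}
```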
			@ -1581,10 +1581,13 @@ func (c *Cluster) generateSingleUserSecret(namespace string, pgUser spec.PgUser)
 | 
			
		|||
	if username == constants.ConnectionPoolerUserName {
 | 
			
		||||
		lbls = c.connectionPoolerLabels("", false).MatchLabels
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	secret_name := username
 | 
			
		||||
	if pgUser.Namespace != c.Namespace {
 | 
			
		||||
		secret_name = username + "." + pgUser.Namespace
 | 
			
		||||
	}
 | 
			
		||||
	secret := v1.Secret{
 | 
			
		||||
		ObjectMeta: metav1.ObjectMeta{
 | 
			
		||||
			Name:        c.credentialSecretName(username),
 | 
			
		||||
			Name:        c.credentialSecretName(secret_name),
 | 
			
		||||
			Namespace:   pgUser.Namespace,
 | 
			
		||||
			Labels:      lbls,
 | 
			
		||||
			Annotations: c.annotationsSet(nil),
 | 
			
		||||
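Review bot: `secret_name` should be `secretName`; Go identifiers use MixedCaps and the rest of this function (`lbls`, `pgUser`) follows that. The qualification rule here (`pgUser.Namespace != c.Namespace`) also differs from the one used for the pgUsers key in initRobotUsers, which qualifies only when the bare username is already taken, so a role stored under the bare `username` key can still get a `username.namespace` secret; if the two are meant to agree, one helper that derives the qualified name for both would stop them drifting apart. The composed name is passed through `c.credentialSecretName`, so it is worth confirming the result still satisfies the Kubernetes object-name rules (dots are permitted, but the length limit applies). generateSingleUserSecret begins and ends outside the hunk.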
			@ -32,7 +32,7 @@ func (c *Cluster) listResources() error {
 | 
			
		|||
	}
 | 
			
		||||
 | 
			
		||||
	for _, obj := range c.Secrets {
 | 
			
		||||
		c.logger.Infof("found secret: %q (uid: %q)", util.NameFromMeta(obj.ObjectMeta), obj.UID)
 | 
			
		||||
		c.logger.Infof("found secret: %q (uid: %q) namesapce: %s", util.NameFromMeta(obj.ObjectMeta), obj.UID, obj.ObjectMeta.Namespace)
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	for role, endpoint := range c.Endpoints {
 | 
			
		||||
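Review bot: The new log line misspells the key as `namesapce` and prints it with `%s` while the neighbouring fields use `%q`; `c.logger.Infof("found secret: %q (uid: %q) namespace: %q", util.NameFromMeta(obj.ObjectMeta), obj.UID, obj.ObjectMeta.Namespace)` fixes both. listResources continues outside the hunk.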
			@ -481,12 +481,9 @@ func (c *Cluster) syncSecrets() error {
 | 
			
		|||
	secrets := c.generateUserSecrets()
 | 
			
		||||
 | 
			
		||||
	for secretUsername, secretSpec := range secrets {
 | 
			
		||||
		if len(secretSpec.Namespace) < 0 {
 | 
			
		||||
			c.logger.Warningf("found empty namespace for user %s", secretUsername)
 | 
			
		||||
		}
 | 
			
		||||
		if secret, err = c.KubeClient.Secrets(secretSpec.Namespace).Create(context.TODO(), secretSpec, metav1.CreateOptions{}); err == nil {
 | 
			
		||||
			c.Secrets[secret.UID] = secret
 | 
			
		||||
			c.logger.Debugf("created new secret %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secret.UID)
 | 
			
		||||
			c.logger.Debugf("created new secret %s, namespace: %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secretSpec.Namespace, secret.UID)
 | 
			
		||||
			continue
 | 
			
		||||
		}
 | 
			
		||||
		if k8sutil.ResourceAlreadyExists(err) {
 | 
			
		||||
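Review bot: The removed guard was dead code (`len(x) < 0` is never true), but the commit drops it rather than correcting the condition, so nothing now catches a spec with an empty Namespace before `c.KubeClient.Secrets(secretSpec.Namespace).Create(...)` is called with it; whether generateUserSecrets can yield one depends on how PgUser.Namespace is populated, which is outside this hunk. A corrected check that also skips the create, `if secretSpec.Namespace == "" { c.logger.Warningf("found empty namespace for user %s, skipping secret", secretUsername); continue }`, keeps the original intent. syncSecrets continues past the hunk.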
			@ -555,8 +552,12 @@ func (c *Cluster) syncRoles() (err error) {
 | 
			
		|||
	}()
 | 
			
		||||
 | 
			
		||||
	for _, u := range c.pgUsers {
 | 
			
		||||
		if u.Namespace != c.Namespace {
 | 
			
		||||
			userNames = append(userNames, u.Name+"."+"u.Namespace")
 | 
			
		||||
		} else {
 | 
			
		||||
			userNames = append(userNames, u.Name)
 | 
			
		||||
		}
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	if needMasterConnectionPooler(&c.Spec) || needReplicaConnectionPooler(&c.Spec) {
 | 
			
		||||
		connectionPoolerUser := c.systemUsers[constants.ConnectionPoolerUserKeyName]
 | 
			
		||||
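Review bot: `u.Name+"."+"u.Namespace"` concatenates the literal string `u.Namespace` rather than the field, so every role from outside the cluster namespace is looked up as `<name>.u.Namespace`; the line should read `userNames = append(userNames, u.Name+"."+u.Namespace)`. Because these names drive the lookup of existing database roles, the namespaced roles will never be matched against what is in the database, so any reconciliation that depends on finding them (password or membership sync, for instance) silently does nothing for those users. It is also worth confirming that the name used here matches the name the role is actually created with, which is not visible in this hunk. syncRoles continues outside the hunk.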
			@ -48,7 +48,7 @@ const (
 | 
			
		|||
type PgUser struct {
 | 
			
		||||
	Origin     RoleOrigin `yaml:"-"`
 | 
			
		||||
	Name       string     `yaml:"-"`
 | 
			
		||||
	Namespace  string            `yaml:"."`
 | 
			
		||||
	Namespace  string
 | 
			
		||||
	Password   string            `yaml:"-"`
 | 
			
		||||
	Flags      []string          `yaml:"user_flags"`
 | 
			
		||||
	MemberOf   []string          `yaml:"inrole"`
 | 
			
		||||
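Review bot: Dropping the struct tag on `Namespace` changes how the field is unmarshaled: with no tag, gopkg.in/yaml maps it to the key `namespace`, whereas the sibling operator-populated fields `Origin`, `Name` and `Password` are explicitly excluded with `yaml:"-"`. If PgUser is ever decoded from externally supplied YAML (this hunk does not show where the struct is unmarshaled), a user entry could then set its own `namespace` and have the operator create a credentials secret in a namespace of its choosing. If Namespace is meant to be set only by the operator, giving it the same `yaml:"-"` tag as the neighbouring fields closes that path; if it is meant to be user-settable, that intent deserves a comment on the field.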