align config map, operator config, helm chart values and templates

charts/postgres-operator/templates/configmap.yaml

@@ -15,18 +15,15 @@ data:
                             {{- end }}
   api_port: "{{ .Values.configLoggingRestApi.api_port }}"
   cluster_history_entries: "{{ .Values.configLoggingRestApi.cluster_history_entries }}"
-  docker_image: {{ .Values.docker_image }}
   debug_logging: "{{ .Values.configDebug.debug_logging }}"
   enable_database_access: "{{ .Values.configDebug.enable_database_access }}"
-  repair_period: {{ .Values.repair_period }}
-  resync_period: {{ .Values.resync_period }}
   ring_log_lines: "{{ .Values.configLoggingRestApi.ring_log_lines }}"
-  spilo_privileged: "{{ .Values.spilo_privileged }}"
-  workers: "{{ .Values.workers }}"
+{{ toYaml .Values.config | indent 2 }}
 {{ toYaml .Values.configMap | indent 2 }}
 {{ toYaml .Values.configUsers | indent 2 }}
 {{ toYaml .Values.configKubernetes | indent 2 }}
 {{ toYaml .Values.configTimeouts | indent 2 }}
 {{ toYaml .Values.configLoadBalancer | indent 2 }}
 {{ toYaml .Values.configAwsOrGcp | indent 2 }}
+{{ toYaml .Values.configLogicalBackup | indent 2 }}
 {{ toYaml .Values.configTeamsApi | indent 2 }}

charts/postgres-operator/templates/operatorconfiguration.yaml

@@ -8,10 +8,7 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 configuration:
-  docker_image: {{ .Values.docker_image }}
-  repair_period: {{ .Values.repair_period }}
-  resync_period: {{ .Values.resync_period }}
-  workers: {{ .Values.workers }}
+{{ toYaml .Values.config | indent 2 }}
 {{ toYaml .Values.configCRD | indent 2 }}
   users:
 {{ toYaml .Values.configUsers | indent 4 }}

charts/postgres-operator/values.yaml

@@ -1,7 +1,7 @@
 image:
   registry: registry.opensource.zalan.do
   repository: acid/postgres-operator
-  tag: v1.1.0-28-g24d412a
+  tag: v1.1.0-48-g540d58d
   pullPolicy: "IfNotPresent"
 
 # Optionally specify an array of imagePullSecrets.
@@ -14,11 +14,11 @@ podAnnotations: {}
 podLabels: {}
 
 # config shared from ConfigMap and CRD
-docker_image: registry.opensource.zalan.do/acid/spilo-11:1.5-p7
-repair_period: 5m
-resync_period: 5m
-spilo_privileged: false
-workers: 4
+config:
+  etcd_host: ""
+  docker_image: registry.opensource.zalan.do/acid/spilo-11:1.5-p7
+  repair_period: 5m
+  resync_period: 5m
 
 configUsers:
   replication_username: standby
@@ -26,27 +26,27 @@ configUsers:
 
 configKubernetes:
   cluster_domain: cluster.local
-  # inherited_labels: ""
   # infrastructure_roles_secret_name: postgresql-infrastructure-roles
+  # master_pod_move_timeout: 10m
   # node_readiness_label: ""
   # oauth_token_secret_name: postgresql-operator
-  # pod_environment_configmap: ""
-  # spilo_fsgroup: "103"
-  pod_management_policy: "ordered_ready"
   pdb_name_format: "postgres-{cluster}-pdb"
+  pod_antiaffinity_topology_key: "kubernetes.io/hostname"
+  # pod_environment_configmap: ""
+  pod_management_policy: "ordered_ready"
   pod_role_label: spilo-role
   pod_terminate_grace_period: 5m
   secret_name_template: '{username}.{cluster}.credentials'
+  # spilo_fsgroup: "103"
+  watched_namespace: "*" # listen to all namespaces
 
 configPostgresPodResources:
   default_cpu_request: 100m
   default_memory_request: 100Mi
   default_cpu_limit: "3"
   default_memory_limit: 1Gi
-  # set_memory_request_to_limit: true
 
 configTimeouts:
-  # master_pod_move_timeout: 10m
   pod_deletion_wait_timeout: 10m
   pod_label_wait_timeout: 10m
   ready_wait_interval: 3s
@@ -64,13 +64,12 @@ configLoggingRestApi:
   ring_log_lines: 100
 
 configAwsOrGcp:
+  # additional_secret_mount: "some-secret-name"
+  # additional_secret_mount_path: "/some/dir"
   aws_region: eu-central-1
-  db_hosted_zone: db.example.com
   # kube_iam_role: ""
   # log_s3_bucket: ""
   # wal_s3_bucket: ""
-  # additional_secret_mount: "some-secret-name"
-  # additional_secret_mount_path: "/some/dir"
 
 configLogicalBackup:
   logical_backup_schedule: "30 00 * * *"
@@ -81,9 +80,18 @@ configLogicalBackup:
 configMap:
   cluster_labels: application:spilo
   cluster_name_label: version
-  watched_namespace: "*" # listen to all namespaces
+  enable_pod_antiaffinity: false
+  enable_pod_disruption_budget: true
+  # inherited_labels: ""
+  max_instances: "-1"
+  min_instances: "-1"
+  # set_memory_request_to_limit: "true"
+  # sidecar_docker_images: ""
+  spilo_privileged: "false"
+  workers: "4"
 
 configLoadBalancer:
+  db_hosted_zone: db.example.com
   # custom_service_annotations:
   #   "keyx:valuez,keya:valuea"
   enable_master_load_balancer: "true"
@@ -92,21 +100,22 @@ configLoadBalancer:
   replica_dns_name_format: '{cluster}-repl.{team}.staging.{hostedzone}'
 
 configTeamsApi:
-  enable_teams_api: "false"
   # enable_admin_role_for_users: "true"
   # enable_team_superuser: "false"
+  enable_teams_api: "false"
   # pam_configuration: https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees
   # pam_role_name: zalandos
   # postgres_superuser_teams: "postgres_superusers"
+  # protected_role_names: "admin"
   # team_admin_role: "admin"
   # team_api_role_configuration: "log_statement:all"
   # teams_api_url: http://fake-teams-api.default.svc.cluster.local
 
 # config exclusive to CRD
 configCRD:
-  etcd_host: ""
   min_instances: -1
   max_instances: -1
+  # set_memory_request_to_limit: true
   # sidecar_docker_images
   #  example: "exampleimage:exampletag"
 
@@ -115,15 +124,16 @@ configKubernetesCRD:
       application: spilo
   cluster_name_label: cluster-name
   enable_pod_antiaffinity: false
-  pod_antiaffinity_topology_key: "kubernetes.io/hostname"
   enable_pod_disruption_budget: true
   secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
+  spilo_privileged: false
   # inherited_labels:
   # - application
   # - app
   # watched_namespace: ""
 
 configLoadBalancerCRD:
+  # db_hosted_zone: ""
   # custom_service_annotations:
   #   keyx: valuez
   #   keya: valuea
@@ -133,6 +143,7 @@ configLoadBalancerCRD:
   replica_dns_name_format: "{cluster}-repl.{team}.{hostedzone}"
 
 configTeamsApiCRD:
+  # enable_admin_role_for_users: true
   enable_teams_api: false
   enable_team_superuser: false
   # pam_configuration: ""

docs/user.md

@@ -351,7 +351,7 @@ metadata:
   name: acid-minimal-cluster
 spec:
   ...
-  init_containers:
+  initContainers:
     - name: "container-name"
       image: "company/image:tag"
       env:
@@ -359,7 +359,7 @@ spec:
           value: "any-k8s-env-things"
 ```
 
-`init_containers` accepts full `v1.Container` definition.
+`initContainers` accepts full `v1.Container` definition.
 
 
 ## Increase volume size

manifests/complete-postgres-manifest.yaml

@@ -4,7 +4,7 @@ kind: postgresql
 metadata:
   name: acid-test-cluster
 spec:
-  init_containers:
+  initContainers:
   - name: date
     image: busybox
     command: [ "/bin/date" ]
@@ -58,7 +58,7 @@ spec:
     loop_wait: &loop_wait 10
     retry_timeout: 10
     maximum_lag_on_failover: 33554432
-  # restore a Postgres DB with point-in-time-recovery 
+  # restore a Postgres DB with point-in-time-recovery
   # with a non-empty timestamp, clone from an S3 bucket using the latest backup before the timestamp
   # with an empty/absent timestamp, clone from an existing alive cluster using pg_basebackup
   # clone:

manifests/configmap.yaml

@@ -3,61 +3,77 @@ kind: ConfigMap
 metadata:
   name: postgres-operator
 data:
-  watched_namespace: "*" # listen to all namespaces
-  cluster_labels: application:spilo
-  cluster_name_label: version
-  pod_role_label: spilo-role
-
-  debug_logging: "true"
-  workers: "4"
-  docker_image: registry.opensource.zalan.do/acid/spilo-11:1.5-p7
-  pod_service_account_name: "zalando-postgres-operator"
-  secret_name_template: '{username}.{cluster}.credentials'
-  cluster_domain: cluster.local
-  super_username: postgres
-  enable_teams_api: "false"
-  spilo_privileged: "false"
-  # custom_service_annotations:
-  #   "keyx:valuez,keya:valuea"
-  # set_memory_request_to_limit: "true"
-  # postgres_superuser_teams: "postgres_superusers"
-  # enable_team_superuser: "false"
-  # team_admin_role: "admin"
-  # enable_admin_role_for_users: "true"
-  # teams_api_url: http://fake-teams-api.default.svc.cluster.local
-  # team_api_role_configuration: "log_statement:all"
-  # infrastructure_roles_secret_name: postgresql-infrastructure-roles
-  # oauth_token_secret_name: postgresql-operator
-  # pam_role_name: zalandos
-  # pam_configuration: |
-  #  https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees
-  # inherited_labels: ""
-  aws_region: eu-central-1
   # additional_secret_mount: "some-secret-name"
   # additional_secret_mount_path: "/some/dir"
-  db_hosted_zone: db.example.com
-  master_dns_name_format: '{cluster}.{team}.staging.{hostedzone}'
-  replica_dns_name_format: '{cluster}-repl.{team}.staging.{hostedzone}'
-  enable_master_load_balancer: "true"
-  enable_replica_load_balancer: "false"
-
-  pdb_name_format: "postgres-{cluster}-pdb"
-
   api_port: "8080"
-  ring_log_lines: "100"
+  aws_region: eu-central-1
+  cluster_domain: cluster.local
   cluster_history_entries: "1000"
-  pod_terminate_grace_period: 5m
+  cluster_labels: application:spilo
+  cluster_name_label: version
+  # custom_service_annotations:
+  #   "keyx:valuez,keya:valuea"
+  db_hosted_zone: db.example.com
+  debug_logging: "true"
+  # default_cpu_limit: "3"
+  # default_cpu_request: 100m
+  # default_memory_limit: 1Gi
+  # default_memory_request: 100Mi
+  docker_image: registry.opensource.zalan.do/acid/spilo-11:1.5-p7
+  # enable_admin_role_for_users: "true"
+  # enable_database_access: "true"
+  enable_master_load_balancer: "true"
+  # enable_pod_antiaffinity: "false"
+  # enable_pod_disruption_budget: "true"
+  enable_replica_load_balancer: "false"
+  # enable_team_superuser: "false"
+  enable_teams_api: "false"
+  # etcd_host: ""
+  # infrastructure_roles_secret_name: postgresql-infrastructure-roles
+  # inherited_labels: ""
+  # kube_iam_role: ""
+  # log_s3_bucket: ""
+  # logical_backup_docker_image: "registry.opensource.zalan.do/acid/logical-backup"
+  # logical_backup_s3_bucket: ""
+  # logical_backup_schedule: "30 00 * * *"
+  master_dns_name_format: '{cluster}.{team}.staging.{hostedzone}'
+  # master_pod_move_timeout: 10m
+  # max_instances: "-1"
+  # min_instances: "-1"
+  # node_readiness_label: ""
+  # oauth_token_secret_name: postgresql-operator
+  # pam_configuration: |
+  #  https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees
+  # pam_role_name: zalandos
+  pdb_name_format: "postgres-{cluster}-pdb"
+  # pod_antiaffinity_topology_key: "kubernetes.io/hostname"
   pod_deletion_wait_timeout: 10m
+  # pod_environment_configmap: ""
   pod_label_wait_timeout: 10m
   pod_management_policy: "ordered_ready"
+  pod_role_label: spilo-role
+  pod_service_account_name: "zalando-postgres-operator"
+  pod_terminate_grace_period: 5m
+  # postgres_superuser_teams: "postgres_superusers"
+  # protected_role_names: "admin"
   ready_wait_interval: 3s
   ready_wait_timeout: 30s
-  #  master_pod_move_timeout: 10m
+  repair_period: 5m
+  replica_dns_name_format: '{cluster}-repl.{team}.staging.{hostedzone}'
   replication_username: standby
   resource_check_interval: 3s
   resource_check_timeout: 10m
   resync_period: 5m
-
-  # logical_backup_schedule: "30 00 * * *"
-  # logical_backup_docker_image: "registry.opensource.zalan.do/acid/logical-backup"
-  # logical_backup_s3_bucket: ""
+  ring_log_lines: "100"
+  secret_name_template: '{username}.{cluster}.credentials'
+  # sidecar_docker_images: ""
+  # set_memory_request_to_limit: "true"
+  spilo_privileged: "false"
+  super_username: postgres
+  # team_admin_role: "admin"
+  # team_api_role_configuration: "log_statement:all"
+  # teams_api_url: http://fake-teams-api.default.svc.cluster.local
+  # toleration: ""
+  # wal_s3_bucket: ""
+  watched_namespace: "*" # listen to all namespaces
+  workers: "4"

manifests/postgresql-operator-default-configuration.yaml

@@ -5,55 +5,56 @@ metadata:
 configuration:
   etcd_host: ""
   docker_image: registry.opensource.zalan.do/acid/spilo-11:1.5-p7
-  workers: 4
-  min_instances: -1
   max_instances: -1
+  min_instances: -1
   resync_period: 30m
   repair_period: 5m
-
-  #sidecar_docker_images:
-  # example: "exampleimage:exampletag"
+  # set_memory_request_to_limit: true
+  # sidecar_docker_images:
+  #   example: "exampleimage:exampletag"
+  workers: 4
   users:
-    super_username: postgres
     replication_username: standby
+    super_username: postgres
   kubernetes:
-    pod_service_account_name: operator
-    pod_terminate_grace_period: 5m
-    pdb_name_format: "postgres-{cluster}-pdb"
-    enable_pod_disruption_budget: true
-    secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
     cluster_domain: cluster.local
-    oauth_token_secret_name: postgresql-operator
-    pod_role_label: spilo-role
-    # spilo_fsgroup: 103
-    spilo_privileged: false
     cluster_labels:
         application: spilo
+    cluster_name_label: cluster-name
+    enable_pod_antiaffinity: false
+    enable_pod_disruption_budget: true
+    # infrastructure_roles_secret_name: ""
     # inherited_labels:
     # - application
     # - app
-    cluster_name_label: cluster-name
-    # watched_namespace:""
     # node_readiness_label: ""
-    # toleration: {}
-    # infrastructure_roles_secret_name: ""
+    oauth_token_secret_name: postgresql-operator
+    pdb_name_format: "postgres-{cluster}-pdb"
+    pod_antiaffinity_topology_key: "kubernetes.io/hostname"
     # pod_environment_configmap: ""
     pod_management_policy: "ordered_ready"
-    enable_pod_antiaffinity: false
-    pod_antiaffinity_topology_key: "kubernetes.io/hostname"
+    pod_role_label: spilo-role
+    pod_service_account_name: operator
+    pod_terminate_grace_period: 5m
+    secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
+    # spilo_fsgroup: 103
+    spilo_privileged: false
+    # toleration: {}
+    # watched_namespace:""
   postgres_pod_resources:
+    default_cpu_limit: 3
     default_cpu_request: 100m
-    default_memory_request: 100Mi
-    default_cpu_limit: "3"
     default_memory_limit: 1Gi
+    default_memory_request: 100Mi
   timeouts:
-    resource_check_interval: 3s
-    resource_check_timeout: 10m
     pod_label_wait_timeout: 10m
     pod_deletion_wait_timeout: 10m
     ready_wait_interval: 4s
     ready_wait_timeout: 30s
+    resource_check_interval: 3s
+    resource_check_timeout: 10m
   load_balancer:
+    # db_hosted_zone: ""
     enable_master_load_balancer: false
     enable_replica_load_balancer: false
     # custom_service_annotations:
@@ -62,41 +63,41 @@ configuration:
     master_dns_name_format: "{cluster}.{team}.{hostedzone}"
     replica_dns_name_format: "{cluster}-repl.{team}.{hostedzone}"
   aws_or_gcp:
-    # db_hosted_zone: ""
-    # wal_s3_bucket: ""
-    # log_s3_bucket: ""
-    # kube_iam_role: ""
-    aws_region: eu-central-1
     # additional_secret_mount: "some-secret-name"
     # additional_secret_mount_path: "/some/dir"
-  debug:
-    debug_logging: true
-    enable_database_access: true
-  teams_api:
-    enable_teams_api: false
-    team_api_role_configuration:
-      log_statement: all
-    enable_team_superuser: false
-    team_admin_role: admin
-    pam_role_name: zalandos
-    # pam_configuration: ""
-    protected_role_names:
-      - admin
-    # teams_api_url: ""
-    # postgres_superuser_teams: "postgres_superusers"
-  logging_rest_api:
-    api_port: 8008
-    ring_log_lines: 100
-    cluster_history_entries: 1000
-  scalyr:
-    scalyr_cpu_request: 100m
-    scalyr_memory_request: 50Mi
-    scalyr_cpu_limit: "1"
-    scalyr_memory_limit: 1Gi
-    # scalyr_api_key: ""
-    # scalyr_image: ""
-    # scalyr_server_url: ""
+    aws_region: eu-central-1
+    # kube_iam_role: ""
+    # log_s3_bucket: ""
+    # wal_s3_bucket: ""
   logical_backup:
     logical_backup_schedule: "30 00 * * *"
     logical_backup_docker_image: "registry.opensource.zalan.do/acid/logical-backup"
     logical_backup_s3_bucket: ""
+  debug:
+    debug_logging: true
+    enable_database_access: true
+  teams_api:
+    # enable_admin_role_for_users: true
+    enable_team_superuser: false
+    enable_teams_api: false
+    # pam_configuration: ""
+    pam_role_name: zalandos
+    # postgres_superuser_teams: "postgres_superusers"
+    protected_role_names:
+      - admin
+    team_admin_role: admin
+    team_api_role_configuration:
+      log_statement: all
+    # teams_api_url: ""
+  logging_rest_api:
+    api_port: 8008
+    cluster_history_entries: 1000
+    ring_log_lines: 100
+  scalyr:
+    # scalyr_api_key: ""
+    scalyr_cpu_limit: 1
+    scalyr_cpu_request: 100m
+    # scalyr_image: ""
+    scalyr_memory_limit: 1Gi
+    scalyr_memory_request: 50Mi
+    # scalyr_server_url: ""

pkg/apis/acid.zalan.do/v1/operator_configuration_type.go

@@ -121,6 +121,7 @@ type TeamsAPIConfiguration struct {
 	TeamsAPIUrl              string            `json:"teams_api_url,omitempty"`
 	TeamAPIRoleConfiguration map[string]string `json:"team_api_role_configuration,omitempty"`
 	EnableTeamSuperuser      bool              `json:"enable_team_superuser,omitempty"`
+	EnableAdminRoleForUsers  bool              `json:"enable_admin_role_for_users,omitempty"`
 	TeamAdminRole            string            `json:"team_admin_role,omitempty"`
 	PamRoleName              string            `json:"pam_role_name,omitempty"`
 	PamConfiguration         string            `json:"pam_configuration,omitempty"`

pkg/apis/acid.zalan.do/v1/postgresql_type.go

@@ -53,8 +53,8 @@ type PostgresSpec struct {
 	Databases             map[string]string    `json:"databases,omitempty"`
 	Tolerations           []v1.Toleration      `json:"tolerations,omitempty"`
 	Sidecars              []Sidecar            `json:"sidecars,omitempty"`
-	InitContainers        []v1.Container       `json:"init_containers,omitempty"`
-	PodPriorityClassName  string               `json:"pod_priority_class_name,omitempty"`
+	InitContainers        []v1.Container       `json:"initContainers,omitempty"`
+	PodPriorityClassName  string               `json:"podPriorityClassName,omitempty"`
 	ShmVolume             *bool                `json:"enableShmVolume,omitempty"`
 	EnableLogicalBackup   bool                 `json:"enableLogicalBackup,omitempty"`
 	LogicalBackupSchedule string               `json:"logicalBackupSchedule,omitempty"`

pkg/controller/operator_config.go

@@ -95,6 +95,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result.TeamsAPIUrl = fromCRD.TeamsAPI.TeamsAPIUrl
 	result.TeamAPIRoleConfiguration = fromCRD.TeamsAPI.TeamAPIRoleConfiguration
 	result.EnableTeamSuperuser = fromCRD.TeamsAPI.EnableTeamSuperuser
+	result.EnableAdminRoleForUsers = fromCRD.TeamsAPI.EnableAdminRoleForUsers
 	result.TeamAdminRole = fromCRD.TeamsAPI.TeamAdminRole
 	result.PamRoleName = fromCRD.TeamsAPI.PamRoleName
 	result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams