public_git
/
postgres-operator
mirror of https://github.com/zalando/postgres-operator.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[WIP] Extend infrastructure roles handling (#1064) 

Extend infrastructure roles handling

Postgres Operator uses infrastructure roles to provide access to a database for
external users e.g. for monitoring purposes. Such infrastructure roles are
expected to be present in the form of k8s secrets with the following content:

    inrole1: some_encrypted_role
    password1: some_encrypted_password
    user1: some_entrypted_name

    inrole2: some_encrypted_role
    password2: some_encrypted_password
    user2: some_entrypted_name

The format of this content is implied implicitly and not flexible enough. In
case if we do not have possibility to change the format of a secret we want to
use in the Operator, we need to recreate it in this format.

To address this lets make the format of secret content explicitly. The idea is
to introduce a new configuration option for the Operator.

    infrastructure_roles_secrets:
    - secretname: k8s_secret_name
      userkey: some_encrypted_name
      passwordkey: some_encrypted_password
      rolekey: some_encrypted_role

    - secretname: k8s_secret_name
      userkey: some_encrypted_name
      passwordkey: some_encrypted_password
      rolekey: some_encrypted_role

This would allow Operator to use any avalable secrets to prepare infrastructure
roles. To make it backward compatible simulate the old behaviour if the new
option is not present.

The new configuration option is intended be used mainly from CRD, but it's also
available via Operator ConfigMap in a limited fashion. For ConfigMap one can
put there only a string with one secret definition in the following format (as
a string):

    infrastructure_roles_secrets: |
        secretname: k8s_secret_name,
        userkey: some_encrypted_name,
        passwordkey: some_encrypted_password,
        rolekey: some_encrypted_role

Note than only one secret could be specified this way, no multiple secrets are
allowed.

Eventually the resulting list of infrastructure roles would be a total sum of
all supported ways to describe it, namely legacy via
infrastructure_roles_secret_name and infrastructure_roles_secrets from both
ConfigMap and CRD.
This commit is contained in:
Dmitry Dolgov 2020-08-05 14:18:56 +02:00 committed by GitHub
parent f3ddce81d5
commit 7cf2fae6df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 1375 additions and 621 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
charts/postgres-operator/crds/operatorconfigurations.yaml
View File

@ -131,6 +131,28 @@ spec:
type: boolean
infrastructure_roles_secret_name:
type: string
infrastructure_roles_secrets:
type: array
nullable: true
items:
type: object
required:
- secretname
- userkey
- passwordkey
properties:
secretname:
type: string
userkey:
type: string
passwordkey:
type: string
rolekey:
type: string
details:
type: string
template:
type: boolean
inherited_labels:
type: array
items:

10
docs/reference/operator_parameters.md
View File

@ -252,8 +252,14 @@ configuration they are grouped under the `kubernetes` key.
teams API. The default is `postgresql-operator`.
* **infrastructure_roles_secret_name**
namespaced name of the secret containing infrastructure roles names and
passwords.
*deprecated*: namespaced name of the secret containing infrastructure roles
with user names, passwords and role membership.
* **infrastructure_roles_secrets**
array of infrastructure role definitions which reference existing secrets
and specify the key names from which user name, password and role membership
are extracted. For the ConfigMap this has to be a string which allows
referencing only one infrastructure roles secret. The default is empty.
* **pod_role_label**
name of the label assigned to the Postgres pods (and services/endpoints) by

61
docs/user.md
View File

@ -150,23 +150,62 @@ user. There are two ways to define them:
#### Infrastructure roles secret
The infrastructure roles secret is specified by the `infrastructure_roles_secret_name`
parameter. The role definition looks like this (values are base64 encoded):
Infrastructure roles can be specified by the `infrastructure_roles_secrets`
parameter where you can reference multiple existing secrets. Prior to `v1.6.0`
the operator could only reference one secret with the
`infrastructure_roles_secret_name` option. However, this secret could contain
multiple roles using the same set of keys plus incrementing index.
```yaml
user1: ZGJ1c2Vy
password1: c2VjcmV0
inrole1: b3BlcmF0b3I=
apiVersion: v1
kind: Secret
metadata:
name: postgresql-infrastructure-roles
data:
user1: ZGJ1c2Vy
password1: c2VjcmV0
inrole1: b3BlcmF0b3I=
user2: ...
```
The block above describes the infrastructure role 'dbuser' with password
'secret' that is a member of the 'operator' role. For the following definitions
one must increase the index, i.e. the next role will be defined as 'user2' and
so on. The resulting role will automatically be a login role.
'secret' that is a member of the 'operator' role. The resulting role will
automatically be a login role.
Note that with definitions that solely use the infrastructure roles secret
there is no way to specify role options (like superuser or nologin) or role
memberships. This is where the ConfigMap comes into play.
With the new option users can configure the names of secret keys that contain
the user name, password etc. The secret itself is referenced by the
`secretname` key. If the secret uses a template for multiple roles as described
above list them separately.
```yaml
apiVersion: v1
kind: OperatorConfiguration
metadata:
name: postgresql-operator-configuration
configuration:
kubernetes:
infrastructure_roles_secrets:
- secretname: "postgresql-infrastructure-roles"
userkey: "user1"
passwordkey: "password1"
rolekey: "inrole1"
- secretname: "postgresql-infrastructure-roles"
userkey: "user2"
...
```
Note, only the CRD-based configuration allows for referencing multiple secrets.
As of now, the ConfigMap is restricted to either one or the existing template
option with `infrastructure_roles_secret_name`. Please, refer to the example
manifests to understand how `infrastructure_roles_secrets` has to be configured
for the [configmap](../manifests/configmap.yaml) or [CRD configuration](../manifests/postgresql-operator-default-configuration.yaml).
If both `infrastructure_roles_secret_name` and `infrastructure_roles_secrets`
are defined the operator will create roles for both of them. So make sure,
they do not collide. Note also, that with definitions that solely use the
infrastructure roles secret there is no way to specify role options (like
superuser or nologin) or role memberships. This is where the additional
ConfigMap comes into play.
#### Secret plus ConfigMap

3
e2e/Dockerfile
View File

@ -1,7 +1,10 @@
# An image to perform the actual test. Do not forget to copy all necessary test
# files here.
FROM ubuntu:18.04
LABEL maintainer="Team ACID @ Zalando <team-acid@zalando.de>"
COPY manifests ./manifests
COPY exec.sh ./exec.sh
COPY requirements.txt tests ./
RUN apt-get update \

2
e2e/exec.sh Executable file
View File

@ -0,0 +1,2 @@
#!/usr/bin/env bash
kubectl exec -it $1 -- sh -c "$2"

1028
e2e/tests/test_e2e.py
View File

File diff suppressed because it is too large Load Diff

3
manifests/configmap.yaml
View File

@ -47,7 +47,8 @@ data:
# etcd_host: ""
# gcp_credentials: ""
# kubernetes_use_configmaps: "false"
# infrastructure_roles_secret_name: postgresql-infrastructure-roles
# infrastructure_roles_secret_name: "postgresql-infrastructure-roles"
# infrastructure_roles_secrets: "secretname:monitoring-roles,userkey:user,passwordkey:password,rolekey:inrole"
# inherited_labels: application,environment
# kube_iam_role: ""
# log_s3_bucket: ""

14
manifests/infrastructure-roles-new.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
data:
# infrastructure role definition in the new format
# robot_zmon_acid_monitoring_new
user: cm9ib3Rfem1vbl9hY2lkX21vbml0b3JpbmdfbmV3
# robot_zmon_new
role: cm9ib3Rfem1vbl9uZXc=
# foobar_new
password: Zm9vYmFyX25ldw==
kind: Secret
metadata:
name: postgresql-infrastructure-roles-new
namespace: default
type: Opaque

22
manifests/operatorconfiguration.crd.yaml
View File

@ -127,6 +127,28 @@ spec:
type: boolean
infrastructure_roles_secret_name:
type: string
infrastructure_roles_secrets:
type: array
nullable: true
items:
type: object
required:
- secretname
- userkey
- passwordkey
properties:
secretname:
type: string
userkey:
type: string
passwordkey:
type: string
rolekey:
type: string
details:
type: string
template:
type: boolean
inherited_labels:
type: array
items:

8
manifests/postgresql-operator-default-configuration.yaml
View File

@ -39,6 +39,14 @@ configuration:
enable_pod_disruption_budget: true
enable_sidecars: true
# infrastructure_roles_secret_name: "postgresql-infrastructure-roles"
# infrastructure_roles_secrets:
# - secretname: "monitoring-roles"
# userkey: "user"
# passwordkey: "password"
# rolekey: "inrole"
# - secretname: "other-infrastructure-role"
# userkey: "other-user-key"
# passwordkey: "other-password-key"
# inherited_labels:
# - application
# - environment

29
pkg/apis/acid.zalan.do/v1/crds.go
View File

@ -911,6 +911,35 @@ var OperatorConfigCRDResourceValidation = apiextv1beta1.CustomResourceValidation
"infrastructure_roles_secret_name": {
Type: "string",
},
"infrastructure_roles_secrets": {
Type: "array",
Items: &apiextv1beta1.JSONSchemaPropsOrArray{
Schema: &apiextv1beta1.JSONSchemaProps{
Type: "object",
Required: []string{"secretname", "userkey", "passwordkey"},
Properties: map[string]apiextv1beta1.JSONSchemaProps{
"secretname": {
Type: "string",
},
"userkey": {
Type: "string",
},
"passwordkey": {
Type: "string",
},
"rolekey": {
Type: "string",
},
"details": {
Type: "string",
},
"template": {
Type: "boolean",
},
},
},
},
},
"inherited_labels": {
Type: "array",
Items: &apiextv1beta1.JSONSchemaPropsOrArray{

1
pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
View File

@ -60,6 +60,7 @@ type KubernetesMetaConfiguration struct {
ClusterDomain string `json:"cluster_domain,omitempty"`
OAuthTokenSecretName spec.NamespacedName `json:"oauth_token_secret_name,omitempty"`
InfrastructureRolesSecretName spec.NamespacedName `json:"infrastructure_roles_secret_name,omitempty"`
InfrastructureRolesDefs []*config.InfrastructureRole `json:"infrastructure_roles_secrets,omitempty"`
PodRoleLabel string `json:"pod_role_label,omitempty"`
ClusterLabels map[string]string `json:"cluster_labels,omitempty"`
InheritedLabels []string `json:"inherited_labels,omitempty"`

12
pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go
View File

@ -27,6 +27,7 @@ SOFTWARE.
package v1
import (
config "github.com/zalando/postgres-operator/pkg/util/config"
corev1 "k8s.io/api/core/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@ -168,6 +169,17 @@ func (in *KubernetesMetaConfiguration) DeepCopyInto(out *KubernetesMetaConfigura
}
out.OAuthTokenSecretName = in.OAuthTokenSecretName
out.InfrastructureRolesSecretName = in.InfrastructureRolesSecretName
if in.InfrastructureRolesDefs != nil {
in, out := &in.InfrastructureRolesDefs, &out.InfrastructureRolesDefs
*out = make([]*config.InfrastructureRole, len(*in))
for i := range *in {
if (*in)[i] != nil {
in, out := &(*in)[i], &(*out)[i]
*out = new(config.InfrastructureRole)
**out = **in
}
}
}
if in.ClusterLabels != nil {
in, out := &in.ClusterLabels, &out.ClusterLabels
*out = make(map[string]string, len(*in))

3
pkg/controller/controller.go
View File

@ -300,7 +300,8 @@ func (c *Controller) initController() {
c.logger.Infof("config: %s", c.opConfig.MustMarshal())
if infraRoles, err := c.getInfrastructureRoles(&c.opConfig.InfrastructureRolesSecretName); err != nil {
roleDefs := c.getInfrastructureRoleDefinitions()
if infraRoles, err := c.getInfrastructureRoles(roleDefs); err != nil {
c.logger.Warningf("could not get infrastructure roles: %v", err)
} else {
c.config.InfrastructureRoles = infraRoles

15
pkg/controller/operator_config.go
View File

@ -71,7 +71,22 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
result.EnableSidecars = util.CoalesceBool(fromCRD.Kubernetes.EnableSidecars, util.True())
result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate
result.OAuthTokenSecretName = fromCRD.Kubernetes.OAuthTokenSecretName
result.InfrastructureRolesSecretName = fromCRD.Kubernetes.InfrastructureRolesSecretName
if fromCRD.Kubernetes.InfrastructureRolesDefs != nil {
result.InfrastructureRoles = []*config.InfrastructureRole{}
for _, secret := range fromCRD.Kubernetes.InfrastructureRolesDefs {
result.InfrastructureRoles = append(
result.InfrastructureRoles,
&config.InfrastructureRole{
SecretName: secret.SecretName,
UserKey: secret.UserKey,
RoleKey: secret.RoleKey,
PasswordKey: secret.PasswordKey,
})
}
}
result.PodRoleLabel = util.Coalesce(fromCRD.Kubernetes.PodRoleLabel, "spilo-role")
result.ClusterLabels = util.CoalesceStrMap(fromCRD.Kubernetes.ClusterLabels, map[string]string{"application": "spilo"})
result.InheritedLabels = fromCRD.Kubernetes.InheritedLabels

248
pkg/controller/util.go
View File

@ -4,6 +4,7 @@ import (
"context"
"encoding/json"
"fmt"
"strings"
v1 "k8s.io/api/core/v1"
apiextv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
@ -109,8 +110,161 @@ func readDecodedRole(s string) (*spec.PgUser, error) {
return &result, nil
}
func (c *Controller) getInfrastructureRoles(rolesSecret *spec.NamespacedName) (map[string]spec.PgUser, error) {
if *rolesSecret == (spec.NamespacedName{}) {
var emptyName = (spec.NamespacedName{})
// Return information about what secrets we need to use to create
// infrastructure roles and in which format are they. This is done in
// compatible way, so that the previous logic is not changed, and handles both
// configuration in ConfigMap & CRD.
func (c *Controller) getInfrastructureRoleDefinitions() []*config.InfrastructureRole {
var roleDef config.InfrastructureRole
rolesDefs := c.opConfig.InfrastructureRoles
if c.opConfig.InfrastructureRolesSecretName == emptyName {
// All the other possibilities require secret name to be present, so if
// it is not, then nothing else to be done here.
return rolesDefs
}
// check if we can extract something from the configmap config option
if c.opConfig.InfrastructureRolesDefs != "" {
// The configmap option could contain either a role description (in the
// form key1: value1, key2: value2), which has to be used together with
// an old secret name.
var secretName spec.NamespacedName
var err error
propertySep := ","
valueSep := ":"
// The field contains the format in which secret is written, let's
// convert it to a proper definition
properties := strings.Split(c.opConfig.InfrastructureRolesDefs, propertySep)
roleDef = config.InfrastructureRole{Template: false}
for _, property := range properties {
values := strings.Split(property, valueSep)
if len(values) < 2 {
continue
}
name := strings.TrimSpace(values[0])
value := strings.TrimSpace(values[1])
switch name {
case "secretname":
if err = secretName.DecodeWorker(value, "default"); err != nil {
c.logger.Warningf("Could not marshal secret name %s: %v", value, err)
} else {
roleDef.SecretName = secretName
}
case "userkey":
roleDef.UserKey = value
case "passwordkey":
roleDef.PasswordKey = value
case "rolekey":
roleDef.RoleKey = value
default:
c.logger.Warningf("Role description is not known: %s", properties)
}
}
} else {
// At this point we deal with the old format, let's replicate it
// via existing definition structure and remember that it's just a
// template, the real values are in user1,password1,inrole1 etc.
roleDef = config.InfrastructureRole{
SecretName: c.opConfig.InfrastructureRolesSecretName,
UserKey: "user",
PasswordKey: "password",
RoleKey: "inrole",
Template: true,
}
}
if roleDef.UserKey != "" &&
roleDef.PasswordKey != "" &&
roleDef.RoleKey != "" {
rolesDefs = append(rolesDefs, &roleDef)
}
return rolesDefs
}
func (c *Controller) getInfrastructureRoles(
rolesSecrets []*config.InfrastructureRole) (
map[string]spec.PgUser, []error) {
var errors []error
var noRolesProvided = true
roles := []spec.PgUser{}
uniqRoles := map[string]spec.PgUser{}
// To be compatible with the legacy implementation we need to return nil if
// the provided secret name is empty. The equivalent situation in the
// current implementation is an empty rolesSecrets slice or all its items
// are empty.
for _, role := range rolesSecrets {
if role.SecretName != emptyName {
noRolesProvided = false
}
}
if noRolesProvided {
return nil, nil
}
for _, secret := range rolesSecrets {
infraRoles, err := c.getInfrastructureRole(secret)
if err != nil || infraRoles == nil {
c.logger.Debugf("Cannot get infrastructure role: %+v", *secret)
if err != nil {
errors = append(errors, err)
}
continue
}
for _, r := range infraRoles {
roles = append(roles, r)
}
}
for _, r := range roles {
if _, exists := uniqRoles[r.Name]; exists {
msg := "Conflicting infrastructure roles: roles[%s] = (%q, %q)"
c.logger.Debugf(msg, r.Name, uniqRoles[r.Name], r)
}
uniqRoles[r.Name] = r
}
return uniqRoles, errors
}
// Generate list of users representing one infrastructure role based on its
// description in various K8S objects. An infrastructure role could be
// described by a secret and optionally a config map. The former should contain
// the secret information, i.e. username, password, role. The latter could
// contain an extensive description of the role and even override an
// information obtained from the secret (except a password).
//
// This function returns a list of users to be compatible with the previous
// behaviour, since we don't know how many users are actually encoded in the
// secret if it's a "template" role. If the provided role is not a template
// one, the result would be a list with just one user in it.
//
// FIXME: This dependency on two different objects is rather unnecessary
// complicated, so let's get rid of it via deprecation process.
func (c *Controller) getInfrastructureRole(
infraRole *config.InfrastructureRole) (
[]spec.PgUser, error) {
rolesSecret := infraRole.SecretName
roles := []spec.PgUser{}
if rolesSecret == emptyName {
// we don't have infrastructure roles defined, bail out
return nil, nil
}
@ -119,22 +273,27 @@ func (c *Controller) getInfrastructureRoles(rolesSecret *spec.NamespacedName) (m
Secrets(rolesSecret.Namespace).
Get(context.TODO(), rolesSecret.Name, metav1.GetOptions{})
if err != nil {
c.logger.Debugf("infrastructure roles secret name: %q", *rolesSecret)
return nil, fmt.Errorf("could not get infrastructure roles secret: %v", err)
msg := "could not get infrastructure roles secret %s/%s: %v"
return nil, fmt.Errorf(msg, rolesSecret.Namespace, rolesSecret.Name, err)
}
secretData := infraRolesSecret.Data
result := make(map[string]spec.PgUser)
Users:
// in worst case we would have one line per user
if infraRole.Template {
Users:
for i := 1; i <= len(secretData); i++ {
properties := []string{"user", "password", "inrole"}
properties := []string{
infraRole.UserKey,
infraRole.PasswordKey,
infraRole.RoleKey,
}
t := spec.PgUser{Origin: spec.RoleOriginInfrastructure}
for _, p := range properties {
key := fmt.Sprintf("%s%d", p, i)
if val, present := secretData[key]; !present {
if p == "user" {
// exit when the user name with the next sequence id is absent
// exit when the user name with the next sequence id is
// absent
break Users
}
} else {
@ -150,21 +309,62 @@ Users:
c.logger.Warningf("unknown key %q", p)
}
}
// XXX: This is a part of the original implementation, which is
// rather obscure. Why do we delete this key? Wouldn't it be
// used later in comparison for configmap?
delete(secretData, key)
}
if t.Name != "" {
if t.Password == "" {
c.logger.Warningf("infrastructure role %q has no password defined and is ignored", t.Name)
continue
if t.Valid() {
roles = append(roles, t)
} else {
msg := "infrastructure role %q is not complete and ignored"
c.logger.Warningf(msg, t)
}
result[t.Name] = t
}
} else {
roleDescr := &spec.PgUser{Origin: spec.RoleOriginInfrastructure}
if details, exists := secretData[infraRole.Details]; exists {
if err := yaml.Unmarshal(details, &roleDescr); err != nil {
return nil, fmt.Errorf("could not decode yaml role: %v", err)
}
} else {
roleDescr.Name = string(secretData[infraRole.UserKey])
roleDescr.Password = string(secretData[infraRole.PasswordKey])
roleDescr.MemberOf = append(roleDescr.MemberOf, string(secretData[infraRole.RoleKey]))
}
// perhaps we have some map entries with usernames, passwords, let's check if we have those users in the configmap
if infraRolesMap, err := c.KubeClient.ConfigMaps(rolesSecret.Namespace).Get(
context.TODO(), rolesSecret.Name, metav1.GetOptions{}); err == nil {
if roleDescr.Valid() {
roles = append(roles, *roleDescr)
} else {
msg := "infrastructure role %q is not complete and ignored"
c.logger.Warningf(msg, roleDescr)
return nil, nil
}
if roleDescr.Name == "" {
msg := "infrastructure role %q has no name defined and is ignored"
c.logger.Warningf(msg, roleDescr.Name)
return nil, nil
}
if roleDescr.Password == "" {
msg := "infrastructure role %q has no password defined and is ignored"
c.logger.Warningf(msg, roleDescr.Name)
return nil, nil
}
roles = append(roles, *roleDescr)
}
// Now plot twist. We need to check if there is a configmap with the same
// name and extract a role description if it exists.
infraRolesMap, err := c.KubeClient.
ConfigMaps(rolesSecret.Namespace).
Get(context.TODO(), rolesSecret.Name, metav1.GetOptions{})
if err == nil {
// we have a configmap with username - json description, let's read and decode it
for role, s := range infraRolesMap.Data {
roleDescr, err := readDecodedRole(s)
@ -182,20 +382,12 @@ Users:
}
roleDescr.Name = role
roleDescr.Origin = spec.RoleOriginInfrastructure
result[role] = *roleDescr
roles = append(roles, *roleDescr)
}
}
if len(secretData) > 0 {
c.logger.Warningf("%d unprocessed entries in the infrastructure roles secret,"+
" checking configmap %v", len(secretData), rolesSecret.Name)
c.logger.Info(`infrastructure role entries should be in the {key}{id} format,` +
` where {key} can be either of "user", "password", "inrole" and the {id}` +
` a monotonically increasing integer starting with 1`)
c.logger.Debugf("unprocessed entries: %#v", secretData)
}
return result, nil
// TODO: check for role collisions
return roles, nil
}
func (c *Controller) podClusterName(pod *v1.Pod) spec.NamespacedName {

291
pkg/controller/util_test.go
View File

@ -8,20 +8,25 @@ import (
b64 "encoding/base64"
"github.com/zalando/postgres-operator/pkg/spec"
"github.com/zalando/postgres-operator/pkg/util/config"
"github.com/zalando/postgres-operator/pkg/util/k8sutil"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
testInfrastructureRolesSecretName = "infrastructureroles-test"
testInfrastructureRolesOldSecretName = "infrastructureroles-old-test"
testInfrastructureRolesNewSecretName = "infrastructureroles-new-test"
)
func newUtilTestController() *Controller {
controller := NewController(&spec.ControllerConfig{}, "util-test")
controller.opConfig.ClusterNameLabel = "cluster-name"
controller.opConfig.InfrastructureRolesSecretName =
spec.NamespacedName{Namespace: v1.NamespaceDefault, Name: testInfrastructureRolesSecretName}
spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesOldSecretName,
}
controller.opConfig.Workers = 4
controller.KubeClient = k8sutil.NewMockKubernetesClient()
return controller
@ -80,24 +85,32 @@ func TestClusterWorkerID(t *testing.T) {
}
}
func TestGetInfrastructureRoles(t *testing.T) {
// Test functionality of getting infrastructure roles from their description in
// corresponding secrets. Here we test only common stuff (e.g. when a secret do
// not exist, or empty) and the old format.
func TestOldInfrastructureRoleFormat(t *testing.T) {
var testTable = []struct {
secretName spec.NamespacedName
expectedRoles map[string]spec.PgUser
expectedError error
expectedErrors []error
}{
{
// empty secret name
spec.NamespacedName{},
nil,
nil,
},
{
// secret does not exist
spec.NamespacedName{Namespace: v1.NamespaceDefault, Name: "null"},
nil,
fmt.Errorf(`could not get infrastructure roles secret: NotFound`),
map[string]spec.PgUser{},
[]error{fmt.Errorf(`could not get infrastructure roles secret default/null: NotFound`)},
},
{
spec.NamespacedName{Namespace: v1.NamespaceDefault, Name: testInfrastructureRolesSecretName},
spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesOldSecretName,
},
map[string]spec.PgUser{
"testrole": {
Name: "testrole",
@ -116,15 +129,269 @@ func TestGetInfrastructureRoles(t *testing.T) {
},
}
for _, test := range testTable {
roles, err := utilTestController.getInfrastructureRoles(&test.secretName)
if err != test.expectedError {
if err != nil && test.expectedError != nil && err.Error() == test.expectedError.Error() {
roles, errors := utilTestController.getInfrastructureRoles(
[]*config.InfrastructureRole{
&config.InfrastructureRole{
SecretName: test.secretName,
UserKey: "user",
PasswordKey: "password",
RoleKey: "inrole",
Template: true,
},
})
if len(errors) != len(test.expectedErrors) {
t.Errorf("expected error '%v' does not match the actual error '%v'",
test.expectedErrors, errors)
}
for idx := range errors {
err := errors[idx]
expectedErr := test.expectedErrors[idx]
if err != expectedErr {
if err != nil && expectedErr != nil && err.Error() == expectedErr.Error() {
continue
}
t.Errorf("expected error '%v' does not match the actual error '%v'", test.expectedError, err)
t.Errorf("expected error '%v' does not match the actual error '%v'",
expectedErr, err)
}
}
if !reflect.DeepEqual(roles, test.expectedRoles) {
t.Errorf("expected roles output %v does not match the actual %v", test.expectedRoles, roles)
t.Errorf("expected roles output %#v does not match the actual %#v",
test.expectedRoles, roles)
}
}
}
// Test functionality of getting infrastructure roles from their description in
// corresponding secrets. Here we test the new format.
func TestNewInfrastructureRoleFormat(t *testing.T) {
var testTable = []struct {
secrets []spec.NamespacedName
expectedRoles map[string]spec.PgUser
expectedErrors []error
}{
// one secret with one configmap
{
[]spec.NamespacedName{
spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesNewSecretName,
},
},
map[string]spec.PgUser{
"new-test-role": {
Name: "new-test-role",
Origin: spec.RoleOriginInfrastructure,
Password: "new-test-password",
MemberOf: []string{"new-test-inrole"},
},
"new-foobar": {
Name: "new-foobar",
Origin: spec.RoleOriginInfrastructure,
Password: b64.StdEncoding.EncodeToString([]byte("password")),
MemberOf: nil,
Flags: []string{"createdb"},
},
},
nil,
},
// multiple standalone secrets
{
[]spec.NamespacedName{
spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: "infrastructureroles-new-test1",
},
spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: "infrastructureroles-new-test2",
},
},
map[string]spec.PgUser{
"new-test-role1": {
Name: "new-test-role1",
Origin: spec.RoleOriginInfrastructure,
Password: "new-test-password1",
MemberOf: []string{"new-test-inrole1"},
},
"new-test-role2": {
Name: "new-test-role2",
Origin: spec.RoleOriginInfrastructure,
Password: "new-test-password2",
MemberOf: []string{"new-test-inrole2"},
},
},
nil,
},
}
for _, test := range testTable {
definitions := []*config.InfrastructureRole{}
for _, secret := range test.secrets {
definitions = append(definitions, &config.InfrastructureRole{
SecretName: secret,
UserKey: "user",
PasswordKey: "password",
RoleKey: "inrole",
Template: false,
})
}
roles, errors := utilTestController.getInfrastructureRoles(definitions)
if len(errors) != len(test.expectedErrors) {
t.Errorf("expected error does not match the actual error:\n%+v\n%+v",
test.expectedErrors, errors)
// Stop and do not do any further checks
return
}
for idx := range errors {
err := errors[idx]
expectedErr := test.expectedErrors[idx]
if err != expectedErr {
if err != nil && expectedErr != nil && err.Error() == expectedErr.Error() {
continue
}
t.Errorf("expected error '%v' does not match the actual error '%v'",
expectedErr, err)
}
}
if !reflect.DeepEqual(roles, test.expectedRoles) {
t.Errorf("expected roles output/the actual:\n%#v\n%#v",
test.expectedRoles, roles)
}
}
}
// Tests for getting correct infrastructure roles definitions from present
// configuration. E.g. in which secrets for which roles too look. The biggest
// point here is compatibility of old and new formats of defining
// infrastructure roles.
func TestInfrastructureRoleDefinitions(t *testing.T) {
var testTable = []struct {
rolesDefs []*config.InfrastructureRole
roleSecretName spec.NamespacedName
roleSecrets string
expectedDefs []*config.InfrastructureRole
}{
// only new format
{
[]*config.InfrastructureRole{
&config.InfrastructureRole{
SecretName: spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesNewSecretName,
},
UserKey: "user",
PasswordKey: "password",
RoleKey: "inrole",
Template: false,
},
},
spec.NamespacedName{},
"",
[]*config.InfrastructureRole{
&config.InfrastructureRole{
SecretName: spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesNewSecretName,
},
UserKey: "user",
PasswordKey: "password",
RoleKey: "inrole",
Template: false,
},
},
},
// only old format
{
[]*config.InfrastructureRole{},
spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesOldSecretName,
},
"",
[]*config.InfrastructureRole{
&config.InfrastructureRole{
SecretName: spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesOldSecretName,
},
UserKey: "user",
PasswordKey: "password",
RoleKey: "inrole",
Template: true,
},
},
},
// only configmap format
{
[]*config.InfrastructureRole{},
spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesOldSecretName,
},
"secretname: infrastructureroles-old-test, userkey: test-user, passwordkey: test-password, rolekey: test-role, template: false",
[]*config.InfrastructureRole{
&config.InfrastructureRole{
SecretName: spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesOldSecretName,
},
UserKey: "test-user",
PasswordKey: "test-password",
RoleKey: "test-role",
Template: false,
},
},
},
// incorrect configmap format
{
[]*config.InfrastructureRole{},
spec.NamespacedName{
Namespace: v1.NamespaceDefault,
Name: testInfrastructureRolesOldSecretName,
},
"wrong-format",
[]*config.InfrastructureRole{},
},
// configmap without a secret
{
[]*config.InfrastructureRole{},
spec.NamespacedName{},
"userkey: test-user, passwordkey: test-password, rolekey: test-role, template: false",
[]*config.InfrastructureRole{},
},
}
for _, test := range testTable {
t.Logf("Test: %+v", test)
utilTestController.opConfig.InfrastructureRoles = test.rolesDefs
utilTestController.opConfig.InfrastructureRolesSecretName = test.roleSecretName
utilTestController.opConfig.InfrastructureRolesDefs = test.roleSecrets
defs := utilTestController.getInfrastructureRoleDefinitions()
if len(defs) != len(test.expectedDefs) {
t.Errorf("expected definitions does not match the actual:\n%#v\n%#v",
test.expectedDefs, defs)
// Stop and do not do any further checks
return
}
for idx := range defs {
def := defs[idx]
expectedDef := test.expectedDefs[idx]
if !reflect.DeepEqual(def, expectedDef) {
t.Errorf("expected definition/the actual:\n%#v\n%#v",
expectedDef, def)
}
}
}
}

4
pkg/spec/types.go
View File

@ -55,6 +55,10 @@ type PgUser struct {
AdminRole string `yaml:"admin_role"`
}
func (user *PgUser) Valid() bool {
return user.Name != "" && user.Password != ""
}
// PgUserMap maps user names to the definitions.
type PgUserMap map[string]PgUser

26
pkg/util/config/config.go
View File

@ -52,6 +52,30 @@ type Resources struct {
ShmVolume *bool `name:"enable_shm_volume" default:"true"`
}
type InfrastructureRole struct {
// Name of a secret which describes the role, and optionally name of a
// configmap with an extra information
SecretName spec.NamespacedName
UserKey string
PasswordKey string
RoleKey string
// This field point out the detailed yaml definition of the role, if exists
Details string
// Specify if a secret contains multiple fields in the following format:
//
// %(userkey)idx: ...
// %(passwordkey)idx: ...
// %(rolekey)idx: ...
//
// If it does, Name/Password/Role are interpreted not as unique field
// names, but as a template.
Template bool
}
// Auth describes authentication specific configuration parameters
type Auth struct {
SecretNameTemplate StringTemplate `name:"secret_name_template" default:"{username}.{cluster}.credentials.{tprkind}.{tprgroup}"`
@ -60,6 +84,8 @@ type Auth struct {
TeamsAPIUrl string `name:"teams_api_url" default:"https://teams.example.com/api/"`
OAuthTokenSecretName spec.NamespacedName `name:"oauth_token_secret_name" default:"postgresql-operator"`
InfrastructureRolesSecretName spec.NamespacedName `name:"infrastructure_roles_secret_name"`
InfrastructureRoles []*InfrastructureRole `name:"-"`
InfrastructureRolesDefs string `name:"infrastructure_roles_secrets"`
SuperUsername string `name:"super_username" default:"postgres"`
ReplicationUsername string `name:"replication_username" default:"standby"`
}

66
pkg/util/k8sutil/k8sutil.go
View File

@ -271,31 +271,73 @@ func SameLogicalBackupJob(cur, new *batchv1beta1.CronJob) (match bool, reason st
}
func (c *mockSecret) Get(ctx context.Context, name string, options metav1.GetOptions) (*v1.Secret, error) {
if name != "infrastructureroles-test" {
return nil, fmt.Errorf("NotFound")
}
secret := &v1.Secret{}
secret.Name = "testcluster"
secret.Data = map[string][]byte{
oldFormatSecret := &v1.Secret{}
oldFormatSecret.Name = "testcluster"
oldFormatSecret.Data = map[string][]byte{
"user1": []byte("testrole"),
"password1": []byte("testpassword"),
"inrole1": []byte("testinrole"),
"foobar": []byte(b64.StdEncoding.EncodeToString([]byte("password"))),
}
newFormatSecret := &v1.Secret{}
newFormatSecret.Name = "test-secret-new-format"
newFormatSecret.Data = map[string][]byte{
"user": []byte("new-test-role"),
"password": []byte("new-test-password"),
"inrole": []byte("new-test-inrole"),
"new-foobar": []byte(b64.StdEncoding.EncodeToString([]byte("password"))),
}
secrets := map[string]*v1.Secret{
"infrastructureroles-old-test": oldFormatSecret,
"infrastructureroles-new-test": newFormatSecret,
}
for idx := 1; idx <= 2; idx++ {
newFormatStandaloneSecret := &v1.Secret{}
newFormatStandaloneSecret.Name = fmt.Sprintf("test-secret-new-format%d", idx)
newFormatStandaloneSecret.Data = map[string][]byte{
"user": []byte(fmt.Sprintf("new-test-role%d", idx)),
"password": []byte(fmt.Sprintf("new-test-password%d", idx)),
"inrole": []byte(fmt.Sprintf("new-test-inrole%d", idx)),
}
secrets[fmt.Sprintf("infrastructureroles-new-test%d", idx)] =
newFormatStandaloneSecret
}
if secret, exists := secrets[name]; exists {
return secret, nil
}
return nil, fmt.Errorf("NotFound")
}
func (c *mockConfigMap) Get(ctx context.Context, name string, options metav1.GetOptions) (*v1.ConfigMap, error) {
if name != "infrastructureroles-test" {
return nil, fmt.Errorf("NotFound")
}
configmap := &v1.ConfigMap{}
configmap.Name = "testcluster"
configmap.Data = map[string]string{
oldFormatConfigmap := &v1.ConfigMap{}
oldFormatConfigmap.Name = "testcluster"
oldFormatConfigmap.Data = map[string]string{
"foobar": "{}",
}
newFormatConfigmap := &v1.ConfigMap{}
newFormatConfigmap.Name = "testcluster"
newFormatConfigmap.Data = map[string]string{
"new-foobar": "{\"user_flags\": [\"createdb\"]}",
}
configmaps := map[string]*v1.ConfigMap{
"infrastructureroles-old-test": oldFormatConfigmap,
"infrastructureroles-new-test": newFormatConfigmap,
}
if configmap, exists := configmaps[name]; exists {
return configmap, nil
}
return nil, fmt.Errorf("NotFound")
}
// Secrets to be mocked