disable PostgresTeam by default
		
							parent
							
								
									e10e0fec9e
								
							
						
					
					
						commit
						7ed296d562
					
				| 
						 | 
					@ -257,7 +257,7 @@ configTeamsApi:
 | 
				
			||||||
  # enable_admin_role_for_users: true
 | 
					  # enable_admin_role_for_users: true
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
 | 
					  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
 | 
				
			||||||
  enable_postgres_team_crd: true
 | 
					  enable_postgres_team_crd: false
 | 
				
			||||||
  # toogle to create additional superuser teams from PostgresTeam CRs
 | 
					  # toogle to create additional superuser teams from PostgresTeam CRs
 | 
				
			||||||
  # enable_postgres_team_crd_superusers: "false"
 | 
					  # enable_postgres_team_crd_superusers: "false"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -249,7 +249,7 @@ configTeamsApi:
 | 
				
			||||||
  # enable_admin_role_for_users: "true"
 | 
					  # enable_admin_role_for_users: "true"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
 | 
					  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
 | 
				
			||||||
  enable_postgres_team_crd: "true"
 | 
					  enable_postgres_team_crd: "false"
 | 
				
			||||||
  # toogle to create additional superuser teams from PostgresTeam CRs
 | 
					  # toogle to create additional superuser teams from PostgresTeam CRs
 | 
				
			||||||
  # enable_postgres_team_crd_superusers: "false"
 | 
					  # enable_postgres_team_crd_superusers: "false"
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -635,7 +635,7 @@ key.
 | 
				
			||||||
* **enable_postgres_team_crd**
 | 
					* **enable_postgres_team_crd**
 | 
				
			||||||
  toggle to make the operator watch for created or updated `PostgresTeam` CRDs
 | 
					  toggle to make the operator watch for created or updated `PostgresTeam` CRDs
 | 
				
			||||||
  and create roles for specified additional teams and members.
 | 
					  and create roles for specified additional teams and members.
 | 
				
			||||||
  The default is `true`.
 | 
					  The default is `false`.
 | 
				
			||||||
 | 
					
 | 
				
			||||||
* **enable_postgres_team_crd_superusers**
 | 
					* **enable_postgres_team_crd_superusers**
 | 
				
			||||||
  in a `PostgresTeam` CRD additional superuser teams can assigned to teams that
 | 
					  in a `PostgresTeam` CRD additional superuser teams can assigned to teams that
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -330,6 +330,11 @@ spec:
 | 
				
			||||||
    - "foo"
 | 
					    - "foo"
 | 
				
			||||||
```
 | 
					```
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					Note, by default the `PostgresTeam` support is disabled in the configuration.
 | 
				
			||||||
 | 
					Switch `enable_postgres_team_crd` flag to `true` and the operator will start to
 | 
				
			||||||
 | 
					watch for this CRD. Make sure, the cluster role is up to date and contains a
 | 
				
			||||||
 | 
					section for [PostgresTeam](../manifests/operator-service-account-rbac.yaml#L30).
 | 
				
			||||||
 | 
					
 | 
				
			||||||
## Prepared databases with roles and default privileges
 | 
					## Prepared databases with roles and default privileges
 | 
				
			||||||
 | 
					
 | 
				
			||||||
The `users` section in the manifests only allows for creating database roles
 | 
					The `users` section in the manifests only allows for creating database roles
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -41,7 +41,7 @@ data:
 | 
				
			||||||
  enable_master_load_balancer: "false"
 | 
					  enable_master_load_balancer: "false"
 | 
				
			||||||
  # enable_pod_antiaffinity: "false"
 | 
					  # enable_pod_antiaffinity: "false"
 | 
				
			||||||
  # enable_pod_disruption_budget: "true"
 | 
					  # enable_pod_disruption_budget: "true"
 | 
				
			||||||
  # enable_postgres_team_crd: "true"
 | 
					  # enable_postgres_team_crd: "false"
 | 
				
			||||||
  # enable_postgres_team_crd_superusers: "false"
 | 
					  # enable_postgres_team_crd_superusers: "false"
 | 
				
			||||||
  enable_replica_load_balancer: "false"
 | 
					  enable_replica_load_balancer: "false"
 | 
				
			||||||
  # enable_shm_volume: "true"
 | 
					  # enable_shm_volume: "true"
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -122,7 +122,7 @@ configuration:
 | 
				
			||||||
    enable_database_access: true
 | 
					    enable_database_access: true
 | 
				
			||||||
  teams_api:
 | 
					  teams_api:
 | 
				
			||||||
    # enable_admin_role_for_users: true
 | 
					    # enable_admin_role_for_users: true
 | 
				
			||||||
    # enable_postgres_team_crd: true
 | 
					    # enable_postgres_team_crd: false
 | 
				
			||||||
    # enable_postgres_team_crd_superusers: false
 | 
					    # enable_postgres_team_crd_superusers: false
 | 
				
			||||||
    enable_team_superuser: false
 | 
					    enable_team_superuser: false
 | 
				
			||||||
    enable_teams_api: false
 | 
					    enable_teams_api: false
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -145,7 +145,7 @@ type TeamsAPIConfiguration struct {
 | 
				
			||||||
	PamConfiguration                string            `json:"pam_configuration,omitempty"`
 | 
						PamConfiguration                string            `json:"pam_configuration,omitempty"`
 | 
				
			||||||
	ProtectedRoles                  []string          `json:"protected_role_names,omitempty"`
 | 
						ProtectedRoles                  []string          `json:"protected_role_names,omitempty"`
 | 
				
			||||||
	PostgresSuperuserTeams          []string          `json:"postgres_superuser_teams,omitempty"`
 | 
						PostgresSuperuserTeams          []string          `json:"postgres_superuser_teams,omitempty"`
 | 
				
			||||||
	EnablePostgresTeamCRD           *bool             `json:"enable_postgres_team_crd,omitempty"`
 | 
						EnablePostgresTeamCRD           bool              `json:"enable_postgres_team_crd,omitempty"`
 | 
				
			||||||
	EnablePostgresTeamCRDSuperusers bool              `json:"enable_postgres_team_crd_superusers,omitempty"`
 | 
						EnablePostgresTeamCRDSuperusers bool              `json:"enable_postgres_team_crd_superusers,omitempty"`
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -1114,11 +1114,6 @@ func (in *TeamsAPIConfiguration) DeepCopyInto(out *TeamsAPIConfiguration) {
 | 
				
			||||||
		*out = make([]string, len(*in))
 | 
							*out = make([]string, len(*in))
 | 
				
			||||||
		copy(*out, *in)
 | 
							copy(*out, *in)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
	if in.EnablePostgresTeamCRD != nil {
 | 
					 | 
				
			||||||
		in, out := &in.EnablePostgresTeamCRD, &out.EnablePostgresTeamCRD
 | 
					 | 
				
			||||||
		*out = new(bool)
 | 
					 | 
				
			||||||
		**out = **in
 | 
					 | 
				
			||||||
	}
 | 
					 | 
				
			||||||
	return
 | 
						return
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -329,7 +329,7 @@ func (c *Controller) initController() {
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	c.initSharedInformers()
 | 
						c.initSharedInformers()
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if c.opConfig.EnablePostgresTeamCRD != nil && *c.opConfig.EnablePostgresTeamCRD {
 | 
						if c.opConfig.EnablePostgresTeamCRD {
 | 
				
			||||||
		c.loadPostgresTeams()
 | 
							c.loadPostgresTeams()
 | 
				
			||||||
	} else {
 | 
						} else {
 | 
				
			||||||
		c.pgTeamMap = teams.PostgresTeamMap{}
 | 
							c.pgTeamMap = teams.PostgresTeamMap{}
 | 
				
			||||||
| 
						 | 
					@ -380,7 +380,7 @@ func (c *Controller) initSharedInformers() {
 | 
				
			||||||
	})
 | 
						})
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// PostgresTeams
 | 
						// PostgresTeams
 | 
				
			||||||
	if c.opConfig.EnablePostgresTeamCRD != nil && *c.opConfig.EnablePostgresTeamCRD {
 | 
						if c.opConfig.EnablePostgresTeamCRD {
 | 
				
			||||||
		c.postgresTeamInformer = acidv1informer.NewPostgresTeamInformer(
 | 
							c.postgresTeamInformer = acidv1informer.NewPostgresTeamInformer(
 | 
				
			||||||
			c.KubeClient.AcidV1ClientSet,
 | 
								c.KubeClient.AcidV1ClientSet,
 | 
				
			||||||
			c.opConfig.WatchedNamespace,
 | 
								c.opConfig.WatchedNamespace,
 | 
				
			||||||
| 
						 | 
					@ -453,7 +453,7 @@ func (c *Controller) Run(stopCh <-chan struct{}, wg *sync.WaitGroup) {
 | 
				
			||||||
	go c.apiserver.Run(stopCh, wg)
 | 
						go c.apiserver.Run(stopCh, wg)
 | 
				
			||||||
	go c.kubeNodesInformer(stopCh, wg)
 | 
						go c.kubeNodesInformer(stopCh, wg)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	if c.opConfig.EnablePostgresTeamCRD != nil && *c.opConfig.EnablePostgresTeamCRD {
 | 
						if c.opConfig.EnablePostgresTeamCRD {
 | 
				
			||||||
		go c.runPostgresTeamInformer(stopCh, wg)
 | 
							go c.runPostgresTeamInformer(stopCh, wg)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
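Review bot: In the `initController` hunk, the `else` branch that sets `c.pgTeamMap = teams.PostgresTeamMap{}` becomes the default path, and nothing in the visible lines tells an operator that PostgresTeam CRs present in the cluster are being ignored. Because team and member assignments can come from those CRs, I would log the state once at startup, e.g. `c.logger.Info("PostgresTeam CRD support is disabled; PostgresTeam resources are ignored")` (assuming the controller's usual logger), so a missing role can be traced back to the flag. The same flag also gates `initSharedInformers` and `Run`, and all three functions continue outside their hunks, so any other use of `c.postgresTeamInformer` should be checked for the nil case, which is now the common one.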
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -163,7 +163,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 | 
				
			||||||
	result.PamConfiguration = util.Coalesce(fromCRD.TeamsAPI.PamConfiguration, "https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees")
 | 
						result.PamConfiguration = util.Coalesce(fromCRD.TeamsAPI.PamConfiguration, "https://info.example.com/oauth2/tokeninfo?access_token= uid realm=/employees")
 | 
				
			||||||
	result.ProtectedRoles = util.CoalesceStrArr(fromCRD.TeamsAPI.ProtectedRoles, []string{"admin"})
 | 
						result.ProtectedRoles = util.CoalesceStrArr(fromCRD.TeamsAPI.ProtectedRoles, []string{"admin"})
 | 
				
			||||||
	result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams
 | 
						result.PostgresSuperuserTeams = fromCRD.TeamsAPI.PostgresSuperuserTeams
 | 
				
			||||||
	result.EnablePostgresTeamCRD = util.CoalesceBool(fromCRD.TeamsAPI.EnablePostgresTeamCRD, util.True())
 | 
						result.EnablePostgresTeamCRD = fromCRD.TeamsAPI.EnablePostgresTeamCRD
 | 
				
			||||||
	result.EnablePostgresTeamCRDSuperusers = fromCRD.TeamsAPI.EnablePostgresTeamCRDSuperusers
 | 
						result.EnablePostgresTeamCRDSuperusers = fromCRD.TeamsAPI.EnablePostgresTeamCRDSuperusers
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// logging REST API config
 | 
						// logging REST API config
 | 
				
			||||||
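Review bot: `result.EnablePostgresTeamCRD = fromCRD.TeamsAPI.EnablePostgresTeamCRD` changes what an omitted key means: an OperatorConfiguration without `enable_postgres_team_crd` used to resolve to true through `util.CoalesceBool(..., util.True())` and now resolves to false. An installation upgraded without touching its configuration therefore stops applying additional teams and members from PostgresTeam CRs, and no error is raised. I would record this on the line itself, `// omitted key means false: PostgresTeam CRs are ignored unless explicitly enabled`, and call it out in the release notes as a behaviour change. The `default:"false"` tag on `EnablePostgresTeamCRD` in the `Config` struct makes the same flip for ConfigMap-based configuration. The function body continues outside this hunk.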
| 
						 | 
					
 | 
				
			||||||
| 
						 | 
					@ -169,7 +169,7 @@ type Config struct {
 | 
				
			||||||
	EnableTeamSuperuser                    bool              `name:"enable_team_superuser" default:"false"`
 | 
						EnableTeamSuperuser                    bool              `name:"enable_team_superuser" default:"false"`
 | 
				
			||||||
	TeamAdminRole                          string            `name:"team_admin_role" default:"admin"`
 | 
						TeamAdminRole                          string            `name:"team_admin_role" default:"admin"`
 | 
				
			||||||
	EnableAdminRoleForUsers                bool              `name:"enable_admin_role_for_users" default:"true"`
 | 
						EnableAdminRoleForUsers                bool              `name:"enable_admin_role_for_users" default:"true"`
 | 
				
			||||||
	EnablePostgresTeamCRD                  *bool             `name:"enable_postgres_team_crd" default:"true"`
 | 
						EnablePostgresTeamCRD                  bool              `name:"enable_postgres_team_crd" default:"false"`
 | 
				
			||||||
	EnablePostgresTeamCRDSuperusers        bool              `name:"enable_postgres_team_crd_superusers" default:"false"`
 | 
						EnablePostgresTeamCRDSuperusers        bool              `name:"enable_postgres_team_crd_superusers" default:"false"`
 | 
				
			||||||
	EnableMasterLoadBalancer               bool              `name:"enable_master_load_balancer" default:"true"`
 | 
						EnableMasterLoadBalancer               bool              `name:"enable_master_load_balancer" default:"true"`
 | 
				
			||||||
	EnableReplicaLoadBalancer              bool              `name:"enable_replica_load_balancer" default:"false"`
 | 
						EnableReplicaLoadBalancer              bool              `name:"enable_replica_load_balancer" default:"false"`
 | 
				
			||||||
| 
						 | 
					
 | 
				
			||||||