Create cross namespace secrets

2021-05-14 17:10:51 +02:00 · 2021-05-14 17:10:51 +02:00 · 8cf76d8372
parent a993300325
commit 8cf76d8372
3 changed files with 16 additions and 3 deletions
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@ -1089,6 +1089,16 @@ func (c *Cluster) initRobotUsers() error {
 		if c.shouldAvoidProtectedOrSystemRole(username, "manifest robot role") {
 			continue
 		}
+		name := username
+		namespace := "default"
+
+		if strings.Contains(username, ".") {
+			splits := strings.Split(username, ".")
+			name = splits[1]
+			namespace = splits[0]
+			username = name
+		}
+
 		flags, err := normalizeUserFlags(userFlags)
 		if err != nil {
 			return fmt.Errorf("invalid flags for user %q: %v", username, err)
@ -1099,7 +1109,8 @@ func (c *Cluster) initRobotUsers() error {
 		}
 		newRole := spec.PgUser{
 			Origin:    spec.RoleOriginManifest,
-			Name:      username,
+			Name:      name,
+			Namespace: namespace,
 			Password:  util.RandomPassword(constants.PasswordLength),
 			Flags:     flags,
 			AdminRole: adminRole,
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@ -1541,10 +1541,11 @@ func (c *Cluster) generateUserSecrets() map[string]*v1.Secret {
 	namespace := c.Namespace
 	for username, pgUser := range c.pgUsers {
 		//Skip users with no password i.e. human users (they'll be authenticated using pam)
-		secret := c.generateSingleUserSecret(namespace, pgUser)
+		secret := c.generateSingleUserSecret(pgUser.Namespace, pgUser)
 		if secret != nil {
 			secrets[username] = secret
 		}
+		namespace = pgUser.Namespace
 	}
 	/* special case for the system user */
 	for _, systemUser := range c.systemUsers {
@ -1584,7 +1585,7 @@ func (c *Cluster) generateSingleUserSecret(namespace string, pgUser spec.PgUser)
 	secret := v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        c.credentialSecretName(username),
-			Namespace:   namespace,
+			Namespace:   pgUser.Namespace,
 			Labels:      lbls,
 			Annotations: c.annotationsSet(nil),
 		},
--- a/pkg/spec/types.go
+++ b/pkg/spec/types.go
@ -48,6 +48,7 @@ const (
 type PgUser struct {
 	Origin     RoleOrigin        `yaml:"-"`
 	Name       string            `yaml:"-"`
+	Namespace  string            `yaml:"."`
 	Password   string            `yaml:"-"`
 	Flags      []string          `yaml:"user_flags"`
 	MemberOf   []string          `yaml:"inrole"`