Create cross namespace secrets
This commit is contained in:
parent
a993300325
commit
8cf76d8372
@ -1089,6 +1089,16 @@ func (c *Cluster) initRobotUsers() error {
|
||||||
if c.shouldAvoidProtectedOrSystemRole(username, "manifest robot role") {
|
if c.shouldAvoidProtectedOrSystemRole(username, "manifest robot role") {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
name := username
|
||||||
|
namespace := "default"
|
||||||
|
|
||||||
|
if strings.Contains(username, ".") {
|
||||||
|
splits := strings.Split(username, ".")
|
||||||
|
name = splits[1]
|
||||||
|
namespace = splits[0]
|
||||||
|
username = name
|
||||||
|
}
|
||||||
|
|
||||||
flags, err := normalizeUserFlags(userFlags)
|
flags, err := normalizeUserFlags(userFlags)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("invalid flags for user %q: %v", username, err)
|
return fmt.Errorf("invalid flags for user %q: %v", username, err)
|
||||||
|
|
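Review bot: The split on `strings.Split(username, ".")` assumes exactly one dot: a key such as `a.b.c` silently becomes namespace `a` and name `b` with the remainder dropped, and a leading dot gives an empty namespace, so the parse should use `strings.Cut` and reject an empty or still-dotted part with an explicit error. The new default `namespace := "default"` also differs from what undotted users got before (the cluster namespace, `c.Namespace`, as passed in generateUserSecrets), so clusters living outside `default` would see their robot-user secrets move; `namespace := c.Namespace` keeps the old placement. Nothing in this hunk checks that the namespace named in the manifest is one the operator is meant to write credential Secrets into, so the target namespace should be validated against an operator-level allow-list or opt-in setting before the role is accepted. The reassignment `username = name` means the `c.pgUsers` entry added after this hunk (outside it, presumably keyed on `username`) would collide for the same role name under two namespaces — worth confirming against that line. The hunk at `@ -1099,7 +1109,8` is the second half of the same change and is covered by this note.
```go
name := username
namespace := c.Namespace
if ns, n, found := strings.Cut(username, "."); found {
	if ns == "" || n == "" || strings.Contains(n, ".") {
		return fmt.Errorf("invalid user name %q: expected <namespace>.<name>", username)
	}
	// TODO(review): reject ns here unless the operator is configured to allow
	// secrets in namespaces other than the cluster's.
	namespace, name = ns, n
	username = name // NOTE(review): keys c.pgUsers on the stripped name; two namespaces can collide — confirm
}
// … unchanged: normalizeUserFlags and the rest of the loop body …
```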
@ -1099,7 +1109,8 @@ func (c *Cluster) initRobotUsers() error {
|
||||||
}
|
}
|
||||||
newRole := spec.PgUser{
|
newRole := spec.PgUser{
|
||||||
Origin: spec.RoleOriginManifest,
|
Origin: spec.RoleOriginManifest,
|
||||||
Name: username,
|
Name: name,
|
||||||
|
Namespace: namespace,
|
||||||
Password: util.RandomPassword(constants.PasswordLength),
|
Password: util.RandomPassword(constants.PasswordLength),
|
||||||
Flags: flags,
|
Flags: flags,
|
||||||
AdminRole: adminRole,
|
AdminRole: adminRole,
|
||||||
|
|
|
||||||
|
|
@ -1541,10 +1541,11 @@ func (c *Cluster) generateUserSecrets() map[string]*v1.Secret {
|
||||||
namespace := c.Namespace
|
namespace := c.Namespace
|
||||||
for username, pgUser := range c.pgUsers {
|
for username, pgUser := range c.pgUsers {
|
||||||
//Skip users with no password i.e. human users (they'll be authenticated using pam)
|
//Skip users with no password i.e. human users (they'll be authenticated using pam)
|
||||||
secret := c.generateSingleUserSecret(namespace, pgUser)
|
secret := c.generateSingleUserSecret(pgUser.Namespace, pgUser)
|
||||||
if secret != nil {
|
if secret != nil {
|
||||||
secrets[username] = secret
|
secrets[username] = secret
|
||||||
}
|
}
|
||||||
|
namespace = pgUser.Namespace
|
||||||
}
|
}
|
||||||
/* special case for the system user */
|
/* special case for the system user */
|
||||||
for _, systemUser := range c.systemUsers {
|
for _, systemUser := range c.systemUsers {
|
||||||
|
|
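Review bot: The added `namespace = pgUser.Namespace` is assigned inside a `range` over the `c.pgUsers` map, so after the loop `namespace` holds the Namespace of whichever user happened to iterate last; if the `systemUsers` loop that starts at the bottom of this hunk (its body is outside the hunk) still consumes `namespace`, system-user secrets would be created in a nondeterministic namespace. Either drop that assignment so `namespace := c.Namespace` stays in effect for the system users, or pass `c.Namespace` to them explicitly. In `@ -1584,7 +1585,7` the `namespace` parameter of generateSingleUserSecret is no longer read because the body now uses `pgUser.Namespace`; keep `Namespace: namespace` and let callers decide, or remove the parameter so the two call sites cannot disagree. A Secret placed in a namespace other than the cluster's cannot be owned by the cluster object through an owner reference, so if cleanup on cluster deletion relies on that, and for the operator's RBAC on secrets in those namespaces, both need handling outside this change.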
@ -1584,7 +1585,7 @@ func (c *Cluster) generateSingleUserSecret(namespace string, pgUser spec.PgUser)
|
||||||
secret := v1.Secret{
|
secret := v1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: c.credentialSecretName(username),
|
Name: c.credentialSecretName(username),
|
||||||
Namespace: namespace,
|
Namespace: pgUser.Namespace,
|
||||||
Labels: lbls,
|
Labels: lbls,
|
||||||
Annotations: c.annotationsSet(nil),
|
Annotations: c.annotationsSet(nil),
|
||||||
},
|
},
|
||||||
|
|
|
||||||
|
|
@ -48,6 +48,7 @@ const (
|
||||||
type PgUser struct {
|
type PgUser struct {
|
||||||
Origin RoleOrigin `yaml:"-"`
|
Origin RoleOrigin `yaml:"-"`
|
||||||
Name string `yaml:"-"`
|
Name string `yaml:"-"`
|
||||||
|
Namespace string `yaml:"."`
|
||||||
Password string `yaml:"-"`
|
Password string `yaml:"-"`
|
||||||
Flags []string `yaml:"user_flags"`
|
Flags []string `yaml:"user_flags"`
|
||||||
MemberOf []string `yaml:"inrole"`
|
MemberOf []string `yaml:"inrole"`
|
||||||
|
|
|
||||||
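Review bot: The new field carries the tag `yaml:"."`, which would serialize it under the literal key `.` rather than excluding it from YAML like the neighbouring runtime-only fields `Origin`, `Name` and `Password` (`yaml:"-"`); since the namespace is derived from the manifest key in initRobotUsers rather than parsed from YAML, this looks like a typo for `yaml:"-"`. A doc comment would also help readers of the type: `// Namespace is the Kubernetes namespace the user's credential Secret is created in, taken from a "<namespace>.<name>" manifest key.`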