Move flag to configmap
This commit is contained in:
parent
54e506c00b
commit
917d421ac7
@ -72,6 +72,9 @@ spec:
|
||||||
enable_lazy_spilo_upgrade:
|
enable_lazy_spilo_upgrade:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
|
enable_cross_namespace_secret:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
enable_pgversion_env_var:
|
enable_pgversion_env_var:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: true
|
default: true
|
||||||
|
|
|
||||||
|
|
@ -515,8 +515,6 @@ spec:
|
||||||
type: integer
|
type: integer
|
||||||
useLoadBalancer: # deprecated
|
useLoadBalancer: # deprecated
|
||||||
type: boolean
|
type: boolean
|
||||||
enableNamespacedSecret:
|
|
||||||
type: boolean
|
|
||||||
users:
|
users:
|
||||||
type: object
|
type: object
|
||||||
additionalProperties:
|
additionalProperties:
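Review bot: `enableNamespacedSecret` is dropped from the postgresql CRD schema outright, and the same removal is made in the Go schema (hunk `@ -730`) and in `PostgresSpec` (hunk `@ -54`); whether a manifest that still carries the field is now rejected or silently ignored depends on the schema's additionalProperties handling, which is not visible here. The surrounding lines show the project's own convention for retiring a spec field, `useLoadBalancer: # deprecated`, so if `enableNamespacedSecret` ever shipped in a release the safer path is to keep it with a `# deprecated` marker (and `Description: "Deprecated"` in the Go schema) rather than remove it. Either way the behavioural consequence deserves a changelog line: a manifest that relied on the per-cluster flag keeps its dotted usernames but, until `enable_cross_namespace_secret` is set operator-wide, the secrets land in the cluster namespace instead.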
|
||||||
|
|
|
||||||
|
|
@ -151,7 +151,7 @@ configKubernetes:
|
||||||
# template for database user secrets generated by the operator,
|
# template for database user secrets generated by the operator,
|
||||||
# here username contains the namespace in the format namespace.username
|
# here username contains the namespace in the format namespace.username
|
||||||
# if the user is in different namespace than cluster and cross namespace secrets
|
# if the user is in different namespace than cluster and cross namespace secrets
|
||||||
# are enabled via EnableNamespacedSecret flag.
|
# are enabled via EnableCrossNamespaceSecret flag in configmap.
|
||||||
secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
|
secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
|
||||||
# set user and group for the spilo container (required to run Spilo as non-root process)
|
# set user and group for the spilo container (required to run Spilo as non-root process)
|
||||||
# spilo_runasuser: 101
|
# spilo_runasuser: 101
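Review bot: The rewritten comment names the Go field `EnableCrossNamespaceSecret`, which is not something a chart user can set; the key they actually configure is `enable_cross_namespace_secret`, as the configmap hunk (`@ -41`) shows. Suggest `# are enabled via enable_cross_namespace_secret in the operator configuration.` The two documentation hunks (`@ -276` in the parameter reference and `@ -140` in the user guide) use the same Go field name and would benefit from the same wording.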
|
||||||
|
|
|
||||||
|
|
@ -276,7 +276,7 @@ configuration they are grouped under the `kubernetes` key.
|
||||||
* **secret_name_template**
|
* **secret_name_template**
|
||||||
a template for the name of the database user secrets generated by the
|
a template for the name of the database user secrets generated by the
|
||||||
operator. `{namespace}` is replaced with name of the namespace (if cross
|
operator. `{namespace}` is replaced with name of the namespace (if cross
|
||||||
namespace secrets are enabled via EnableNamespacedSecret flag, otherwise the
|
namespace secrets are enabled via EnableCrossNamespaceSecret flag, otherwise the
|
||||||
secret is in cluster's namespace and in that case it is not present in secret
|
secret is in cluster's namespace and in that case it is not present in secret
|
||||||
name), `{username}` is replaced with name of the secret, `{cluster}` with the
|
name), `{username}` is replaced with name of the secret, `{cluster}` with the
|
||||||
name of the cluster, `{tprkind}` with the kind of CRD (formerly known as TPR)
|
name of the cluster, `{tprkind}` with the kind of CRD (formerly known as TPR)
|
||||||
|
|
|
||||||
|
|
@ -140,7 +140,7 @@ At the moment it is not possible to define membership of the manifest role in
|
||||||
other roles.
|
other roles.
|
||||||
|
|
||||||
To define the secrets for the users in a different namespace than that of the cluster,
|
To define the secrets for the users in a different namespace than that of the cluster,
|
||||||
one can use the flag `EnableNamespacedSecret` and declare the namespace for the
|
one can use the flag `EnableCrossNamespaceSecret` and declare the namespace for the
|
||||||
secrets in the manifest in the following manner,
|
secrets in the manifest in the following manner,
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
|
|
|
||||||
|
|
@ -598,29 +598,36 @@ class EndToEndTestCase(unittest.TestCase):
|
||||||
self.k8s.api.core_v1.create_namespace(v1_appnamespace)
|
self.k8s.api.core_v1.create_namespace(v1_appnamespace)
|
||||||
self.k8s.wait_for_namespace_creation(app_namespace)
|
self.k8s.wait_for_namespace_creation(app_namespace)
|
||||||
|
|
||||||
|
patch_cross_namespace_secret = {
|
||||||
|
"data": {
|
||||||
|
"enable_cross_namespace_secret": "true"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
self.k8s.update_config(patch_cross_namespace_secret,
|
||||||
|
step="cross namespace secrets enabled")
|
||||||
|
|
||||||
self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
|
self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
|
||||||
'acid.zalan.do', 'v1', 'default',
|
'acid.zalan.do', 'v1', 'default',
|
||||||
'postgresqls', 'acid-minimal-cluster',
|
'postgresqls', 'acid-minimal-cluster',
|
||||||
{
|
{
|
||||||
'spec': {
|
'spec': {
|
||||||
'enableNamespacedSecret': True,
|
|
||||||
'users':{
|
'users':{
|
||||||
'appspace.db_user': [],
|
'appspace.db_user': [],
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
self.eventuallyEqual(lambda: self.k8s.count_secrets_with_label("cluster-name=acid-minimal-cluster,application=spilo", app_namespace),
|
self.eventuallyEqual(lambda: self.k8s.count_secrets_with_label("cluster-name=acid-minimal-cluster,application=spilo", app_namespace),
|
||||||
1, "Secret not created for user in namespace")
|
1, "Secret not created for user in namespace")
|
||||||
|
|
||||||
#reset the flag
|
#reset the flag
|
||||||
self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
|
unpatch_cross_namespace_secret = {
|
||||||
'acid.zalan.do', 'v1', 'default',
|
"data": {
|
||||||
'postgresqls', 'acid-minimal-cluster',
|
"enable_cross_namespace_secret": "false",
|
||||||
{
|
|
||||||
'spec': {
|
|
||||||
'enableNamespacedSecret': False,
|
|
||||||
}
|
}
|
||||||
})
|
}
|
||||||
|
self.k8s.update_config(unpatch_cross_namespace_secret, step="disable cross namespace secrets")
|
||||||
|
|
||||||
|
|
||||||
@timeout_decorator.timeout(TEST_TIMEOUT_SEC)
|
@timeout_decorator.timeout(TEST_TIMEOUT_SEC)
|
||||||
def test_lazy_spilo_upgrade(self):
|
def test_lazy_spilo_upgrade(self):
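Review bot: The flag reset at the end of the hunk (`unpatch_cross_namespace_secret` followed by `update_config(..., step="disable cross namespace secrets")`) only runs when the `eventuallyEqual` assertion passes; if it fails, the operator keeps `enable_cross_namespace_secret: "true"` for every later test in the class, which would make subsequent failures hard to attribute. Moving the reset into a `finally:` block keeps the operator configuration clean regardless of the outcome. The test also never checks the disabled state — that with the flag off a `appspace.db_user` entry does not produce a secret in `appspace` — which is the property the flag exists to enforce and is cheap to assert before the config patch. The enclosing test method starts above the hunk.
```python
        self.k8s.update_config(patch_cross_namespace_secret,
                               step="cross namespace secrets enabled")
        try:
            # … unchanged: patch_namespaced_custom_object(...) and the eventuallyEqual(...) assertion …
        finally:
            # reset the flag even if the assertion above fails, so later tests
            # do not run with cross-namespace secrets still enabled
            unpatch_cross_namespace_secret = {
                "data": {
                    "enable_cross_namespace_secret": "false",
                }
            }
            self.k8s.update_config(unpatch_cross_namespace_secret, step="disable cross namespace secrets")
```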
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,6 @@ spec:
|
||||||
dockerImage: registry.opensource.zalan.do/acid/spilo-13:2.0-p7
|
dockerImage: registry.opensource.zalan.do/acid/spilo-13:2.0-p7
|
||||||
teamId: "acid"
|
teamId: "acid"
|
||||||
numberOfInstances: 2
|
numberOfInstances: 2
|
||||||
enableNamespacedSecret: False
|
|
||||||
users: # Application/Robot users
|
users: # Application/Robot users
|
||||||
zalando:
|
zalando:
|
||||||
- superuser
|
- superuser
|
||||||
|
|
|
||||||
|
|
@ -41,6 +41,7 @@ data:
|
||||||
# enable_ebs_gp3_migration_max_size: "1000"
|
# enable_ebs_gp3_migration_max_size: "1000"
|
||||||
# enable_init_containers: "true"
|
# enable_init_containers: "true"
|
||||||
# enable_lazy_spilo_upgrade: "false"
|
# enable_lazy_spilo_upgrade: "false"
|
||||||
|
# enable_cross_namespace_secret: "false"
|
||||||
enable_master_load_balancer: "false"
|
enable_master_load_balancer: "false"
|
||||||
enable_pgversion_env_var: "true"
|
enable_pgversion_env_var: "true"
|
||||||
# enable_pod_antiaffinity: "false"
|
# enable_pod_antiaffinity: "false"
|
||||||
|
|
|
||||||
|
|
@ -730,9 +730,6 @@ var PostgresCRDResourceValidation = apiextv1.CustomResourceValidation{
|
||||||
Type: "boolean",
|
Type: "boolean",
|
||||||
Description: "Deprecated",
|
Description: "Deprecated",
|
||||||
},
|
},
|
||||||
"enableNamespacedSecret": {
|
|
||||||
Type: "boolean",
|
|
||||||
},
|
|
||||||
"users": {
|
"users": {
|
||||||
Type: "object",
|
Type: "object",
|
||||||
AdditionalProperties: &apiextv1.JSONSchemaPropsOrBool{
|
AdditionalProperties: &apiextv1.JSONSchemaPropsOrBool{
|
||||||
|
|
@ -905,6 +902,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
|
||||||
"enable_lazy_spilo_upgrade": {
|
"enable_lazy_spilo_upgrade": {
|
||||||
Type: "boolean",
|
Type: "boolean",
|
||||||
},
|
},
|
||||||
|
"enable_cross_namespace_secret": {
|
||||||
|
Type: "boolean",
|
||||||
|
},
|
||||||
"enable_shm_volume": {
|
"enable_shm_volume": {
|
||||||
Type: "boolean",
|
Type: "boolean",
|
||||||
},
|
},
|
||||||
|
|
|
||||||
|
|
@ -214,6 +214,7 @@ type OperatorLogicalBackupConfiguration struct {
|
||||||
type OperatorConfigurationData struct {
|
type OperatorConfigurationData struct {
|
||||||
EnableCRDValidation *bool `json:"enable_crd_validation,omitempty"`
|
EnableCRDValidation *bool `json:"enable_crd_validation,omitempty"`
|
||||||
EnableLazySpiloUpgrade bool `json:"enable_lazy_spilo_upgrade,omitempty"`
|
EnableLazySpiloUpgrade bool `json:"enable_lazy_spilo_upgrade,omitempty"`
|
||||||
|
EnableCrossNamespaceSecret bool `json:"enable_cross_namespace_secret,omitempty"`
|
||||||
EnablePgVersionEnvVar bool `json:"enable_pgversion_env_var,omitempty"`
|
EnablePgVersionEnvVar bool `json:"enable_pgversion_env_var,omitempty"`
|
||||||
EnableSpiloWalPathCompat bool `json:"enable_spilo_wal_path_compat,omitempty"`
|
EnableSpiloWalPathCompat bool `json:"enable_spilo_wal_path_compat,omitempty"`
|
||||||
EtcdHost string `json:"etcd_host,omitempty"`
|
EtcdHost string `json:"etcd_host,omitempty"`
|
||||||
|
|
|
||||||
|
|
@ -54,7 +54,6 @@ type PostgresSpec struct {
|
||||||
AllowedSourceRanges []string `json:"allowedSourceRanges"`
|
AllowedSourceRanges []string `json:"allowedSourceRanges"`
|
||||||
|
|
||||||
NumberOfInstances int32 `json:"numberOfInstances"`
|
NumberOfInstances int32 `json:"numberOfInstances"`
|
||||||
EnableNamespacedSecret *bool `json:"enableNamespacedSecret,omitempty"`
|
|
||||||
Users map[string]UserFlags `json:"users,omitempty"`
|
Users map[string]UserFlags `json:"users,omitempty"`
|
||||||
MaintenanceWindows []MaintenanceWindow `json:"maintenanceWindows,omitempty"`
|
MaintenanceWindows []MaintenanceWindow `json:"maintenanceWindows,omitempty"`
|
||||||
Clone *CloneDescription `json:"clone,omitempty"`
|
Clone *CloneDescription `json:"clone,omitempty"`
|
||||||
|
|
|
||||||
|
|
@ -1163,8 +1163,7 @@ func (c *Cluster) initRobotUsers() error {
|
||||||
namespace := c.Namespace
|
namespace := c.Namespace
|
||||||
|
|
||||||
//if namespaced secrets are allowed
|
//if namespaced secrets are allowed
|
||||||
if c.Postgresql.Spec.EnableNamespacedSecret != nil &&
|
if c.Config.OpConfig.EnableCrossNamespaceSecret {
|
||||||
*c.Postgresql.Spec.EnableNamespacedSecret {
|
|
||||||
if strings.Contains(username, ".") {
|
if strings.Contains(username, ".") {
|
||||||
splits := strings.Split(username, ".")
|
splits := strings.Split(username, ".")
|
||||||
namespace = splits[0]
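Review bot: The comment `//if namespaced secrets are allowed` kept above the new condition is now misleading: the gate is the operator-wide `c.Config.OpConfig.EnableCrossNamespaceSecret`, so a manifest can no longer opt in or out by itself, and once the operator enables it every `ns.user` entry in any cluster manifest places that user's secret in namespace `ns`. Suggest `// cross-namespace secrets are an operator-wide setting (enable_cross_namespace_secret); a dotted username "ns.user" puts the user's secret into namespace ns`. Separately, `namespace = splits[0]` accepts an empty first element (a username beginning with "."), which leaves `namespace` empty; a guard such as `if splits[0] != "" { namespace = splits[0] }` would keep the cluster namespace in that case, unless such names are already rejected earlier, which I cannot tell from the hunk. initRobotUsers starts and continues outside the hunk.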
|
namespace = splits[0]
|
||||||
|
|
|
||||||
|
|
@ -1024,7 +1024,6 @@ func TestCrossNamespacedSecrets(t *testing.T) {
|
||||||
Volume: acidv1.Volume{
|
Volume: acidv1.Volume{
|
||||||
Size: "1Gi",
|
Size: "1Gi",
|
||||||
},
|
},
|
||||||
EnableNamespacedSecret: boolToPointer(true),
|
|
||||||
Users: map[string]acidv1.UserFlags{
|
Users: map[string]acidv1.UserFlags{
|
||||||
"appspace.db_user": {},
|
"appspace.db_user": {},
|
||||||
"db_user": {},
|
"db_user": {},
|
||||||
|
|
@ -1052,6 +1051,7 @@ func TestCrossNamespacedSecrets(t *testing.T) {
|
||||||
DefaultMemoryLimit: "300Mi",
|
DefaultMemoryLimit: "300Mi",
|
||||||
PodRoleLabel: "spilo-role",
|
PodRoleLabel: "spilo-role",
|
||||||
},
|
},
|
||||||
|
EnableCrossNamespaceSecret: true,
|
||||||
},
|
},
|
||||||
}, client, pg, logger, eventRecorder)
|
}, client, pg, logger, eventRecorder)
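Review bot: With `EnableCrossNamespaceSecret: true` now set on the operator config in this test (and `EnableNamespacedSecret` gone from the spec in hunk `@ -1024`), TestCrossNamespacedSecrets only exercises the enabled path; nothing checks that with the flag left at its default `false` the `"appspace.db_user"` entry keeps its secret in the cluster namespace. Since that default is the only thing preventing a manifest from placing secrets into another namespace, a second case built from the same `pg` with `EnableCrossNamespaceSecret: false` and an assertion on the resulting namespace would pin the safe behaviour. The function starts and ends outside the hunk.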
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -207,6 +207,7 @@ type Config struct {
|
||||||
PostgresSuperuserTeams []string `name:"postgres_superuser_teams" default:""`
|
PostgresSuperuserTeams []string `name:"postgres_superuser_teams" default:""`
|
||||||
SetMemoryRequestToLimit bool `name:"set_memory_request_to_limit" default:"false"`
|
SetMemoryRequestToLimit bool `name:"set_memory_request_to_limit" default:"false"`
|
||||||
EnableLazySpiloUpgrade bool `name:"enable_lazy_spilo_upgrade" default:"false"`
|
EnableLazySpiloUpgrade bool `name:"enable_lazy_spilo_upgrade" default:"false"`
|
||||||
|
EnableCrossNamespaceSecret bool `name:"enable_cross_namespace_secret" default:"false"`
|
||||||
EnablePgVersionEnvVar bool `name:"enable_pgversion_env_var" default:"true"`
|
EnablePgVersionEnvVar bool `name:"enable_pgversion_env_var" default:"true"`
|
||||||
EnableSpiloWalPathCompat bool `name:"enable_spilo_wal_path_compat" default:"false"`
|
EnableSpiloWalPathCompat bool `name:"enable_spilo_wal_path_compat" default:"false"`
|
||||||
MajorVersionUpgradeMode string `name:"major_version_upgrade_mode" default:"off"`
|
MajorVersionUpgradeMode string `name:"major_version_upgrade_mode" default:"off"`
|
||||||
|
|
|
||||||