Move flag to configmap
This commit is contained in:
Rafia Sabih
parent
54e506c00b
commit
917d421ac7
|
|
@ -72,6 +72,9 @@ spec:
|
|||
enable_lazy_spilo_upgrade:
|
||||
type: boolean
|
||||
default: false
|
||||
enable_cross_namespace_secret:
|
||||
type: boolean
|
||||
default: false
|
||||
enable_pgversion_env_var:
|
||||
type: boolean
|
||||
default: true
|
||||
|
|
|
|||
|
|
@ -515,8 +515,6 @@ spec:
|
|||
type: integer
|
||||
useLoadBalancer: # deprecated
|
||||
type: boolean
|
||||
enableNamespacedSecret:
|
||||
type: boolean
|
||||
users:
|
||||
type: object
|
||||
additionalProperties:
|
||||
|
|
|
|||
|
|
@ -151,7 +151,7 @@ configKubernetes:
|
|||
# template for database user secrets generated by the operator,
|
||||
# here username contains the namespace in the format namespace.username
|
||||
# if the user is in different namespace than cluster and cross namespace secrets
|
||||
# are enabled via EnableNamespacedSecret flag.
|
||||
# are enabled via EnableCrossNamespaceSecret flag in configmap.
|
||||
secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
|
||||
# set user and group for the spilo container (required to run Spilo as non-root process)
|
||||
# spilo_runasuser: 101
|
||||
|
|
|
|||
|
|
@ -276,7 +276,7 @@ configuration they are grouped under the `kubernetes` key.
|
|||
* **secret_name_template**
|
||||
a template for the name of the database user secrets generated by the
|
||||
operator. `{namespace}` is replaced with name of the namespace (if cross
|
||||
namespace secrets are enabled via EnableNamespacedSecret flag, otherwise the
|
||||
namespace secrets are enabled via EnableCrossNamespaceSecret flag, otherwise the
|
||||
secret is in cluster's namespace and in that case it is not present in secret
|
||||
name), `{username}` is replaced with name of the secret, `{cluster}` with the
|
||||
name of the cluster, `{tprkind}` with the kind of CRD (formerly known as TPR)
|
||||
|
|
|
|||
|
|
@ -140,7 +140,7 @@ At the moment it is not possible to define membership of the manifest role in
|
|||
other roles.
|
||||
|
||||
To define the secrets for the users in a different namespace than that of the cluster,
|
||||
one can use the flag `EnableNamespacedSecret` and declare the namespace for the
|
||||
one can use the flag `EnableCrossNamespaceSecret` and declare the namespace for the
|
||||
secrets in the manifest in the following manner,
|
||||
|
||||
```yaml
|
||||
|
|
|
|||
|
|
@ -598,29 +598,36 @@ class EndToEndTestCase(unittest.TestCase):
|
|||
self.k8s.api.core_v1.create_namespace(v1_appnamespace)
|
||||
self.k8s.wait_for_namespace_creation(app_namespace)
|
||||
|
||||
patch_cross_namespace_secret = {
|
||||
"data": {
|
||||
"enable_cross_namespace_secret": "true"
|
||||
}
|
||||
}
|
||||
self.k8s.update_config(patch_cross_namespace_secret,
|
||||
step="cross namespace secrets enabled")
|
||||
|
||||
self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
|
||||
'acid.zalan.do', 'v1', 'default',
|
||||
'postgresqls', 'acid-minimal-cluster',
|
||||
{
|
||||
'spec': {
|
||||
'enableNamespacedSecret': True,
|
||||
'users':{
|
||||
'appspace.db_user': [],
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
self.eventuallyEqual(lambda: self.k8s.count_secrets_with_label("cluster-name=acid-minimal-cluster,application=spilo", app_namespace),
|
||||
1, "Secret not created for user in namespace")
|
||||
|
||||
#reset the flag
|
||||
self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
|
||||
'acid.zalan.do', 'v1', 'default',
|
||||
'postgresqls', 'acid-minimal-cluster',
|
||||
{
|
||||
'spec': {
|
||||
'enableNamespacedSecret': False,
|
||||
unpatch_cross_namespace_secret = {
|
||||
"data": {
|
||||
"enable_cross_namespace_secret": "false",
|
||||
}
|
||||
})
|
||||
}
|
||||
self.k8s.update_config(unpatch_cross_namespace_secret, step="disable cross namespace secrets")
|
||||
|
||||
|
||||
@timeout_decorator.timeout(TEST_TIMEOUT_SEC)
|
||||
def test_lazy_spilo_upgrade(self):
|
||||
|
|
|
|||
|
|
@ -12,7 +12,6 @@ spec:
|
|||
dockerImage: registry.opensource.zalan.do/acid/spilo-13:2.0-p7
|
||||
teamId: "acid"
|
||||
numberOfInstances: 2
|
||||
enableNamespacedSecret: False
|
||||
users: # Application/Robot users
|
||||
zalando:
|
||||
- superuser
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@ data:
|
|||
# enable_ebs_gp3_migration_max_size: "1000"
|
||||
# enable_init_containers: "true"
|
||||
# enable_lazy_spilo_upgrade: "false"
|
||||
# enable_cross_namespace_secret: "false"
|
||||
enable_master_load_balancer: "false"
|
||||
enable_pgversion_env_var: "true"
|
||||
# enable_pod_antiaffinity: "false"
|
||||
|
|
|
|||
|
|
@ -730,9 +730,6 @@ var PostgresCRDResourceValidation = apiextv1.CustomResourceValidation{
|
|||
Type: "boolean",
|
||||
Description: "Deprecated",
|
||||
},
|
||||
"enableNamespacedSecret": {
|
||||
Type: "boolean",
|
||||
},
|
||||
"users": {
|
||||
Type: "object",
|
||||
AdditionalProperties: &apiextv1.JSONSchemaPropsOrBool{
|
||||
|
|
@ -905,6 +902,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
|
|||
"enable_lazy_spilo_upgrade": {
|
||||
Type: "boolean",
|
||||
},
|
||||
"enable_cross_namespace_secret": {
|
||||
Type: "boolean",
|
||||
},
|
||||
"enable_shm_volume": {
|
||||
Type: "boolean",
|
||||
},
|
||||
|
|
|
|||
|
|
@ -214,6 +214,7 @@ type OperatorLogicalBackupConfiguration struct {
|
|||
type OperatorConfigurationData struct {
|
||||
EnableCRDValidation *bool `json:"enable_crd_validation,omitempty"`
|
||||
EnableLazySpiloUpgrade bool `json:"enable_lazy_spilo_upgrade,omitempty"`
|
||||
EnableCrossNamespaceSecret bool `json:"enable_cross_namespace_secret,omitempty"`
|
||||
EnablePgVersionEnvVar bool `json:"enable_pgversion_env_var,omitempty"`
|
||||
EnableSpiloWalPathCompat bool `json:"enable_spilo_wal_path_compat,omitempty"`
|
||||
EtcdHost string `json:"etcd_host,omitempty"`
|
||||
|
|
|
|||
|
|
@ -54,7 +54,6 @@ type PostgresSpec struct {
|
|||
AllowedSourceRanges []string `json:"allowedSourceRanges"`
|
||||
|
||||
NumberOfInstances int32 `json:"numberOfInstances"`
|
||||
EnableNamespacedSecret *bool `json:"enableNamespacedSecret,omitempty"`
|
||||
Users map[string]UserFlags `json:"users,omitempty"`
|
||||
MaintenanceWindows []MaintenanceWindow `json:"maintenanceWindows,omitempty"`
|
||||
Clone *CloneDescription `json:"clone,omitempty"`
|
||||
|
|
|
|||
|
|
@ -1163,8 +1163,7 @@ func (c *Cluster) initRobotUsers() error {
|
|||
namespace := c.Namespace
|
||||
|
||||
//if namespaced secrets are allowed
|
||||
if c.Postgresql.Spec.EnableNamespacedSecret != nil &&
|
||||
*c.Postgresql.Spec.EnableNamespacedSecret {
|
||||
if c.Config.OpConfig.EnableCrossNamespaceSecret {
|
||||
if strings.Contains(username, ".") {
|
||||
splits := strings.Split(username, ".")
|
||||
namespace = splits[0]
|
||||
|
|
|
|||
|
|
@ -1024,7 +1024,6 @@ func TestCrossNamespacedSecrets(t *testing.T) {
|
|||
Volume: acidv1.Volume{
|
||||
Size: "1Gi",
|
||||
},
|
||||
EnableNamespacedSecret: boolToPointer(true),
|
||||
Users: map[string]acidv1.UserFlags{
|
||||
"appspace.db_user": {},
|
||||
"db_user": {},
|
||||
|
|
@ -1052,6 +1051,7 @@ func TestCrossNamespacedSecrets(t *testing.T) {
|
|||
DefaultMemoryLimit: "300Mi",
|
||||
PodRoleLabel: "spilo-role",
|
||||
},
|
||||
EnableCrossNamespaceSecret: true,
|
||||
},
|
||||
}, client, pg, logger, eventRecorder)
|
||||
|
||||
|
|
|
|||
|
|
@ -207,6 +207,7 @@ type Config struct {
|
|||
PostgresSuperuserTeams []string `name:"postgres_superuser_teams" default:""`
|
||||
SetMemoryRequestToLimit bool `name:"set_memory_request_to_limit" default:"false"`
|
||||
EnableLazySpiloUpgrade bool `name:"enable_lazy_spilo_upgrade" default:"false"`
|
||||
EnableCrossNamespaceSecret bool `name:"enable_cross_namespace_secret" default:"false"`
|
||||
EnablePgVersionEnvVar bool `name:"enable_pgversion_env_var" default:"true"`
|
||||
EnableSpiloWalPathCompat bool `name:"enable_spilo_wal_path_compat" default:"false"`
|
||||
MajorVersionUpgradeMode string `name:"major_version_upgrade_mode" default:"off"`
|
||||
|
|
|
|||
Loading…
Reference in New Issue