diff --git a/charts/postgres-operator/values.yaml b/charts/postgres-operator/values.yaml index b156b1c26..ec5e6d6f2 100644 --- a/charts/postgres-operator/values.yaml +++ b/charts/postgres-operator/values.yaml @@ -139,7 +139,8 @@ configKubernetes: pod_terminate_grace_period: 5m # template for database user secrets generated by the operator, # here username contains the namespace in the format namespace.username - # if the user is in different namespace than cluster + # if the user is in different namespace than cluster and cross namespace secrets + # are enabled via EnableNamespacedSecret flag. secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}" # set user and group for the spilo container (required to run Spilo as non-root process) # spilo_runasuser: "101" diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md index ed8ab3259..1b1ae852e 100644 --- a/docs/reference/operator_parameters.md +++ b/docs/reference/operator_parameters.md 
@@ -275,12 +275,13 @@ configuration they are grouped under the `kubernetes` key. * **secret_name_template** a template for the name of the database user secrets generated by the - operator. `{namespace}` is replaced with name of the namespace (if any, - otherwise the secret is in cluster's namespace and in that case it is not - present in secret name), `{username}` is replaced with name of the secret, - `{cluster}` with the name of the cluster, `{tprkind}` with the kind of CRD - (formerly known as TPR) and `{tprgroup}` with the group of the CRD. - No other placeholders are allowed. The default is + operator. `{namespace}` is replaced with name of the namespace (if cross + namespace secrets are enabled via EnableNamespacedSecret flag, otherwise the + secret is in cluster's namespace and in that case it is not present in secret + name), `{username}` is replaced with name of the secret, `{cluster}` with the + name of the cluster, `{tprkind}` with the kind of CRD (formerly known as TPR) + and `{tprgroup}` with the group of the CRD. No other placeholders are allowed. + The default is `{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}`. * **cluster_domain** diff --git a/docs/user.md b/docs/user.md index 8e406ec00..8194d2ced 100644 --- a/docs/user.md +++ b/docs/user.md 
@@ -139,6 +139,25 @@ secret, without ever sharing it outside of the cluster. At the moment it is not possible to define membership of the manifest role in other roles. +To define the secrets for the users in a different namespace than that of the cluster, +one can use the flag `EnableNamespacedSecret` and declare the namespace for the +secrets in the manifest in the following manner, + +```yaml +spec: + users: + #users with secret in dfferent namespace + appspace.db_user: + - createdb +``` +Here, anything before the first dot is taken as the namespace and the text after +the first dot is the username. Also, the postgres roles of these usernames would +be in the form of `namespace.username`. + +For such usernames, the secret is created in the given namespace and its name is +of the following form, +`{namespace}.{username}.{team}-{clustername}.credentials.postgresql.acid.zalan.do` + ### Infrastructure roles An infrastructure role is a role that should be present on every PostgreSQL @@ -330,7 +349,7 @@ spec: This creates roles for members of the `c-team` team not only in all clusters owned by `a-team`, but as well in cluster owned by `b-team`, as `a-team` is -an `additionalTeam` to `b-team` +an `additionalTeam` to `b-team` Not, you can also define `additionalSuperuserTeams` in the `PostgresTeam` manifest. By default, this option is disabled and must be configured with
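Review bot: In the values.yaml hunk the chart default `secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"` has no `{namespace}` placeholder, while the same PR documents the operator default as `{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}` in operator_parameters.md; pick one default so chart users and docs agree, or state in the comment that the chart intentionally omits `{namespace}`. The new comment should also say where `EnableNamespacedSecret` is set (which config key or section), and "if the user is in different namespace than cluster" should read "if the user is in a different namespace than the cluster".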
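Review bot: The operator_parameters.md hunk references `EnableNamespacedSecret` without documenting it; this reference should get its own bullet for the flag with its exact config key, default (disabled, per user.md) and the section it belongs to. Because enabling it makes the operator create Secrets in namespaces other than the cluster's, the entry should also state the RBAC consequence: the operator's role must be allowed to create and update Secrets in those target namespaces, and anyone who can write a `postgresql` manifest can then place credential Secrets into any namespace the operator can write to, so the flag should be described as opt-in with that consequence spelled out.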
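Review bot: In the user.md hunk that adds the `appspace.db_user` example, the behaviour of a dotted username while `EnableNamespacedSecret` is disabled is undefined in the text ("anything before the first dot is taken as the namespace" reads as unconditional); add a sentence saying whether the whole string is then treated as the username or the manifest is rejected, and what happens when the named namespace does not exist or the operator lacks Secret permissions there. Fix the typo in the YAML comment `#users with secret in dfferent namespace` to `# users with secret in different namespace`, and since the resulting secret name is given as `{namespace}.{username}.{team}-{clustername}.credentials.postgresql.acid.zalan.do` while operator_parameters.md uses `{cluster}`, note that `{cluster}` expands to `{team}-{clustername}` so readers can match the two.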
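Review bot: In the final user.md hunk the removed and added lines `an `additionalTeam` to `b-team`` read identically here, so the intended change (trailing whitespace, a missing period) is not visible; please state it in the PR description or make it explicit. While this sentence is being touched, the following context line `Not, you can also define `additionalSuperuserTeams`` should read `Note, you can also define ...`.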