add global toggle and enum field for schema

charts/postgres-operator/crds/operatorconfigurations.yaml

@@ -217,16 +217,21 @@ spec:
             load_balancer:
               type: object
               properties:
+                allow_public_load_balancers:
+                  type: boolean
                 custom_service_annotations:
                   type: object
                   additionalProperties:
                     type: string
                 db_hosted_zone:
                   type: string
+                default_load_balancer_schema:
+                  type: string
+                  enum:
+                    - "internal"
+                    - "public"
                 enable_master_load_balancer:
                   type: boolean
-                enable_public_load_balancer:
-                  type: boolean
                 enable_replica_load_balancer:
                   type: boolean
                 master_dns_name_format:

charts/postgres-operator/crds/postgresqls.yaml

@@ -190,8 +190,6 @@ spec:
               type: boolean
             enableMasterLoadBalancer:
               type: boolean
-            enablePublicLoadBalancer:
-              type: boolean
             enableReplicaLoadBalancer:
               type: boolean
             enableShmVolume:
@@ -208,6 +206,11 @@ spec:
               items:
                 type: object
                 additionalProperties: true
+            loadBalancerSchema:
+              type: string
+              enum:
+                - "internal"
+                - "public"
             logicalBackupSchedule:
               type: string
               pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$'

charts/postgres-operator/values-crd.yaml

@@ -159,6 +159,8 @@ configTimeouts:
 
 # configure behavior of load balancers
 configLoadBalancer:
+  # global toggle to allow public load balancers
+  allow_public_load_balancers: "false"
   # annotations to apply to service when load balancing is enabled
   # custom_service_annotations:
   #   keyx: valuez
@@ -166,10 +168,10 @@ configLoadBalancer:
 
   # DNS zone for cluster DNS name when load balancer is configured for cluster
   db_hosted_zone: db.example.com
+  # internal will set the annotation service.beta.kubernetes.io/aws-load-balancer-internal, public not
+  default_load_balancer_schema: "internal"
   # toggles service type load balancer pointing to the master pod of the cluster
   enable_master_load_balancer: false
-  # toggles load balancer annotation service.beta.kubernetes.io/aws-load-balancer-internal
-  enable_public_load_balancer: false
   # toggles service type load balancer pointing to the replica pod of the cluster
   enable_replica_load_balancer: false
   # defines the DNS name string template for the master load balancer cluster

charts/postgres-operator/values.yaml

@@ -150,15 +150,17 @@ configTimeouts:
 
 # configure behavior of load balancers
 configLoadBalancer:
+  # global toggle to allow public load balancers
+  allow_public_load_balancers: "false"
   # annotations to apply to service when load balancing is enabled
   # custom_service_annotations: "keyx:valuez,keya:valuea"
 
   # DNS zone for cluster DNS name when load balancer is configured for cluster
   db_hosted_zone: db.example.com
+  # internal will set the annotation service.beta.kubernetes.io/aws-load-balancer-internal, public not
+  default_load_balancer_schema: "internal"
   # toggles service type load balancer pointing to the master pod of the cluster
   enable_master_load_balancer: "false"
-  # toggles load balancer annotation service.beta.kubernetes.io/aws-load-balancer-internal
-  enable_public_load_balancer: "false"
   # toggles service type load balancer pointing to the replica pod of the cluster
   enable_replica_load_balancer: "false"
   # defines the DNS name string template for the master load balancer cluster

docs/administrator.md

@@ -400,8 +400,9 @@ services:
   config parameter `custom_service_annotations` or the  cluster parameter
   `serviceAnnotations`.
 
-If `enable_public_load_balancer` is disabled (default) another annotation is
+If `allow_public_load_balancer` is disabled or the the `loadBalancerSchema` is
-added to indicate the usage of an internal ELB:
+set to `"internal"` another annotation is added to indicate the usage of an
+internal ELB:
 
 - `service.beta.kubernetes.io/aws-load-balancer-internal: "true"`
 

docs/reference/cluster_manifest.md

@@ -82,10 +82,10 @@ These parameters are grouped directly under  the `spec` key in the manifest.
   `enable_replica_load_balancer` parameter) to define whether to enable the
   load balancer pointing to the Postgres standby instances. Optional.
 
-* **enablePublicLoadBalancer**
+* **loadBalancerSchema**
-  boolean flag to override the operator defaults (set by the
+  can be either `internal` or `public`. Overrides the configured default schema
-  `enable_public_load_balancer` parameter) to define whether to use an internal
+  but will not work for `public`, if this is forbidden with
-  or public ELB. Optional.
+  `allow_public_load_balancers` set to false. Optional.
 
 * **allowedSourceRanges**
   when one or more load balancers are enabled for the cluster, this parameter

docs/reference/operator_parameters.md

@@ -418,12 +418,16 @@ In the CRD-based configuration they are grouped under the `load_balancer` key.
   cluster.  Can be overridden by individual cluster settings. The default is
   `false`.
 
-* **enable_public_load_balancer**
+* **default_load_balancer_schema**
-  when using load balancer services they can be internal or public which can be
+  when using load balancer services they can be `internal` or `public` which can
-  toggled with this option. The default is `false`.  
+  be toggled with this option. Note, that public load balancers must be allowed
+  via configuration (see next option). The default is `internal`.
+
+* **allow_public_load_balancers**
+  global toggle to allow usage of public load balancers. The default is `true`.
 
 * **custom_service_annotations**
-  This key/value map provides a list of annotations that get attached to each
+  this key/value map provides a list of annotations that get attached to each
   service of a cluster created by the operator. If the annotation key is also
   provided by the cluster definition, the manifest value is used.
   Optional.

manifests/complete-postgres-manifest.yaml

@@ -16,7 +16,7 @@ spec:
     - createdb
   enableMasterLoadBalancer: false
   enableReplicaLoadBalancer: false
-  enablePublicLoadBalancer: false
+#  loadBalancerSchema: "internal"
 #  enableConnectionPooler: true  # not needed when connectionPooler section is present (see below)
   allowedSourceRanges:  # load balancers' source ranges for both master and replica services
   - 127.0.0.1/32

manifests/configmap.yaml

@@ -5,6 +5,7 @@ metadata:
 data:
   # additional_secret_mount: "some-secret-name"
   # additional_secret_mount_path: "/some/dir"
+  allow_public_load_balancers: "false"
   api_port: "8080"
   aws_region: eu-central-1
   cluster_domain: cluster.local
@@ -29,6 +30,7 @@ data:
   # default_cpu_request: 100m
   # default_memory_limit: 500Mi
   # default_memory_request: 100Mi
+  default_load_balancer_schema: "internal"
   docker_image: registry.opensource.zalan.do/acid/spilo-12:1.6-p3
   # downscaler_annotations: "deployment-time,downscaler/*"
   # enable_admin_role_for_users: "true"
@@ -39,7 +41,6 @@ data:
   enable_master_load_balancer: "false"
   # enable_pod_antiaffinity: "false"
   # enable_pod_disruption_budget: "true"
-  enable_public_load_balancer: "false"
   enable_replica_load_balancer: "false"
   # enable_shm_volume: "true"
   # enable_sidecars: "true"

manifests/operatorconfiguration.crd.yaml

@@ -193,16 +193,19 @@ spec:
             load_balancer:
               type: object
               properties:
+                allow_public_load_balancers:
+                  type: boolean
                 custom_service_annotations:
                   type: object
                   additionalProperties:
                     type: string
                 db_hosted_zone:
                   type: string
-                enable_master_load_balancer:
+                default_load_balancer_schema:
-                  type: boolean
+                  type: string
-                enable_public_load_balancer:
+                  enum:
-                  type: boolean
+                    - "internal"
+                    - "public"
                 enable_replica_load_balancer:
                   type: boolean
                 master_dns_name_format:

manifests/postgresql-operator-default-configuration.yaml

@@ -76,12 +76,13 @@ configuration:
     resource_check_interval: 3s
     resource_check_timeout: 10m
   load_balancer:
+    allow_public_load_balancers: false
     # custom_service_annotations:
     #   keyx: valuex
     #   keyy: valuey
     # db_hosted_zone: ""
+    default_load_balancer_schema: "internal"
     enable_master_load_balancer: false
-    enable_public_load_balancer: false
     enable_replica_load_balancer: false
     master_dns_name_format: "{cluster}.{team}.{hostedzone}"
     replica_dns_name_format: "{cluster}-repl.{team}.{hostedzone}"

manifests/postgresql.crd.yaml

@@ -154,8 +154,6 @@ spec:
               type: boolean
             enableMasterLoadBalancer:
               type: boolean
-            enablePublicLoadBalancer:
-              type: boolean
             enableReplicaLoadBalancer:
               type: boolean
             enableShmVolume:
@@ -172,6 +170,11 @@ spec:
               items:
                 type: object
                 additionalProperties: true
+            loadBalancerSchema:
+              type: string
+              enum:
+                - "internal"
+                - "public"
             logicalBackupSchedule:
               type: string
               pattern: '^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$'

pkg/apis/acid.zalan.do/v1/crds.go

@@ -268,9 +268,6 @@ var PostgresCRDResourceValidation = apiextv1beta1.CustomResourceValidation{
 					"enableMasterLoadBalancer": {
 						Type: "boolean",
 					},
-					"enablePublicLoadBalancer": {
-						Type: "boolean",
-					},
 					"enableReplicaLoadBalancer": {
 						Type: "boolean",
 					},
@@ -300,6 +297,17 @@ var PostgresCRDResourceValidation = apiextv1beta1.CustomResourceValidation{
 							},
 						},
 					},
+					"loadBalancerSchema": {
+						Type: "string",
+						Enum: []apiextv1beta1.JSON{
+							{
+								Raw: []byte(`"internal"`),
+							},
+							{
+								Raw: []byte(`"public"`),
+							},
+						},
+					},
 					"logicalBackupSchedule": {
 						Type:    "string",
 						Pattern: "^(\\d+|\\*)(/\\d+)?(\\s+(\\d+|\\*)(/\\d+)?){4}$",
@@ -1051,6 +1059,9 @@ var OperatorConfigCRDResourceValidation = apiextv1beta1.CustomResourceValidation
 					"load_balancer": {
 						Type: "object",
 						Properties: map[string]apiextv1beta1.JSONSchemaProps{
+							"allow_public_load_balancers": {
+								Type: "boolean",
+							},
 							"custom_service_annotations": {
 								Type: "object",
 								AdditionalProperties: &apiextv1beta1.JSONSchemaPropsOrBool{
@@ -1062,10 +1073,18 @@ var OperatorConfigCRDResourceValidation = apiextv1beta1.CustomResourceValidation
 							"db_hosted_zone": {
 								Type: "string",
 							},
-							"enable_master_load_balancer": {
+							"default_load_balancer_schema": {
-								Type: "boolean",
+								Type: "string",
+								Enum: []apiextv1beta1.JSON{
+									{
+										Raw: []byte(`"internal"`),
+									},
+									{
+										Raw: []byte(`"public"`),
+									},
+								},
 							},
-							"enable_public_load_balancer": {
+							"enable_master_load_balancer": {
 								Type: "boolean",
 							},
 							"enable_replica_load_balancer": {

pkg/apis/acid.zalan.do/v1/operator_configuration_type.go

@@ -100,8 +100,9 @@ type OperatorTimeouts struct {
 type LoadBalancerConfiguration struct {
 	DbHostedZone              string                `json:"db_hosted_zone,omitempty"`
 	EnableMasterLoadBalancer  bool                  `json:"enable_master_load_balancer,omitempty"`
-	EnablePublicLoadBalancer  bool                  `json:"enable_public_load_balancer,omitempty"`
 	EnableReplicaLoadBalancer bool                  `json:"enable_replica_load_balancer,omitempty"`
+	AllowPublicLoadBalancers  *bool                 `json:"allow_public_load_balancers,omitempty"`
+	DefaultLoadBalancerSchema string                `json:"default_load_balancer_schema,omitempty"`
 	CustomServiceAnnotations  map[string]string     `json:"custom_service_annotations,omitempty"`
 	MasterDNSNameFormat       config.StringTemplate `json:"master_dns_name_format,omitempty"`
 	ReplicaDNSNameFormat      config.StringTemplate `json:"replica_dns_name_format,omitempty"`

pkg/apis/acid.zalan.do/v1/postgresql_type.go

@@ -39,9 +39,9 @@ type PostgresSpec struct {
 
 	// vars that enable load balancers are pointers because it is important to know if any of them is omitted from the Postgres manifest
 	// in that case the var evaluates to nil and the value is taken from the operator config
-	EnableMasterLoadBalancer  *bool `json:"enableMasterLoadBalancer,omitempty"`
+	EnableMasterLoadBalancer  *bool  `json:"enableMasterLoadBalancer,omitempty"`
-	EnablePublicLoadBalancer  *bool `json:"enablePublicLoadBalancer,omitempty"`
+	EnableReplicaLoadBalancer *bool  `json:"enableReplicaLoadBalancer,omitempty"`
-	EnableReplicaLoadBalancer *bool `json:"enableReplicaLoadBalancer,omitempty"`
+	LoadBalancerSchema        string `json:"loadBalancerSchema,omitempty"`
 
 	// deprecated load balancer settings maintained for backward compatibility
 	// see "Load balancers" operator docs

pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go

@@ -223,6 +223,11 @@ func (in *KubernetesMetaConfiguration) DeepCopy() *KubernetesMetaConfiguration {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoadBalancerConfiguration) DeepCopyInto(out *LoadBalancerConfiguration) {
 	*out = *in
+	if in.AllowPublicLoadBalancers != nil {
+		in, out := &in.AllowPublicLoadBalancers, &out.AllowPublicLoadBalancers
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CustomServiceAnnotations != nil {
 		in, out := &in.CustomServiceAnnotations, &out.CustomServiceAnnotations
 		*out = make(map[string]string, len(*in))
@@ -525,11 +530,6 @@ func (in *PostgresSpec) DeepCopyInto(out *PostgresSpec) {
 		*out = new(bool)
 		**out = **in
 	}
-	if in.EnablePublicLoadBalancer != nil {
-		in, out := &in.EnablePublicLoadBalancer, &out.EnablePublicLoadBalancer
-		*out = new(bool)
-		**out = **in
-	}
 	if in.EnableReplicaLoadBalancer != nil {
 		in, out := &in.EnableReplicaLoadBalancer, &out.EnableReplicaLoadBalancer
 		*out = new(bool)

pkg/cluster/cluster_test.go

@@ -403,8 +403,9 @@ func TestServiceAnnotations(t *testing.T) {
 		enableMasterLoadBalancerOC    bool
 		enableReplicaLoadBalancerSpec *bool
 		enableReplicaLoadBalancerOC   bool
-		enablePublicLoadBalancerSpec  *bool
+		allowPublicLoadBalancersOC    *bool
-		enablePublicLoadBalancerOC    bool
+		loadBalancerSchemaSpec        string
+		defaultLoadBalancerSchemaOC   string
 		operatorAnnotations           map[string]string
 		clusterAnnotations            map[string]string
 		expect                        map[string]string
@@ -681,11 +682,12 @@ func TestServiceAnnotations(t *testing.T) {
 		},
 		//PUBLIC
 		{
-			about:                        "Public ELB disabled in spec and OperatorConfig",
+			about:                        "Internal ELB set in spec and OperatorConfig, but public LB allowed",
 			role:                         "master",
 			enableMasterLoadBalancerSpec: &enabled,
-			enablePublicLoadBalancerSpec: &disabled,
+			allowPublicLoadBalancersOC:   &enabled,
-			enablePublicLoadBalancerOC:   false,
+			loadBalancerSchemaSpec:       "internal",
+			defaultLoadBalancerSchemaOC:  "internal",
 			operatorAnnotations:          make(map[string]string),
 			clusterAnnotations:           make(map[string]string),
 			expect: map[string]string{
@@ -695,11 +697,12 @@ func TestServiceAnnotations(t *testing.T) {
 			},
 		},
 		{
-			about:                        "Enable public ELB with EnablePublicLoadBalancer in spec but disabled in OperatorConfig",
+			about:                        "Internal ELB set in OperatorConfig overwritten by spec. Public LB allowed",
 			role:                         "master",
 			enableMasterLoadBalancerSpec: &enabled,
-			enablePublicLoadBalancerSpec: &enabled,
+			allowPublicLoadBalancersOC:   &enabled,
-			enablePublicLoadBalancerOC:   false,
+			loadBalancerSchemaSpec:       "public",
+			defaultLoadBalancerSchemaOC:  "internal",
 			operatorAnnotations:          make(map[string]string),
 			clusterAnnotations:           make(map[string]string),
 			expect: map[string]string{
@@ -708,15 +711,32 @@ func TestServiceAnnotations(t *testing.T) {
 			},
 		},
 		{
-			about:                        "Enable public ELB with enable_public_load_balancer in OperatorConfig",
+			about:                        "Public ELB set in OperatorConfig overwritten by spec. Public LB allowed",
 			role:                         "master",
 			enableMasterLoadBalancerSpec: &enabled,
-			enablePublicLoadBalancerOC:   true,
+			allowPublicLoadBalancersOC:   &enabled,
+			loadBalancerSchemaSpec:       "internal",
+			defaultLoadBalancerSchemaOC:  "public",
 			operatorAnnotations:          make(map[string]string),
 			clusterAnnotations:           make(map[string]string),
 			expect: map[string]string{
 				"external-dns.alpha.kubernetes.io/hostname":                            "test.acid.db.example.com",
 				"service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout": "3600",
+				"service.beta.kubernetes.io/aws-load-balancer-internal":                "true",
+			},
+		},
+		{
+			about:                        "Public ELB set in spec, but not globally not allowed",
+			role:                         "master",
+			enableMasterLoadBalancerSpec: &enabled,
+			allowPublicLoadBalancersOC:   &disabled,
+			loadBalancerSchemaSpec:       "public",
+			operatorAnnotations:          make(map[string]string),
+			clusterAnnotations:           make(map[string]string),
+			expect: map[string]string{
+				"external-dns.alpha.kubernetes.io/hostname":                            "test.acid.db.example.com",
+				"service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout": "3600",
+				"service.beta.kubernetes.io/aws-load-balancer-internal":                "true",
 			},
 		},
 		// COMMON
@@ -743,7 +763,8 @@ func TestServiceAnnotations(t *testing.T) {
 			cl.OpConfig.CustomServiceAnnotations = tt.operatorAnnotations
 			cl.OpConfig.EnableMasterLoadBalancer = tt.enableMasterLoadBalancerOC
 			cl.OpConfig.EnableReplicaLoadBalancer = tt.enableReplicaLoadBalancerOC
-			cl.OpConfig.EnablePublicLoadBalancer = tt.enablePublicLoadBalancerOC
+			cl.OpConfig.AllowPublicLoadBalancers = tt.allowPublicLoadBalancersOC
+			cl.OpConfig.DefaultLoadBalancerSchema = tt.defaultLoadBalancerSchemaOC
 			cl.OpConfig.MasterDNSNameFormat = "{cluster}.{team}.{hostedzone}"
 			cl.OpConfig.ReplicaDNSNameFormat = "{cluster}-repl.{team}.{hostedzone}"
 			cl.OpConfig.DbHostedZone = "db.example.com"
@@ -753,7 +774,7 @@ func TestServiceAnnotations(t *testing.T) {
 			cl.Postgresql.Spec.ServiceAnnotations = tt.clusterAnnotations
 			cl.Postgresql.Spec.EnableMasterLoadBalancer = tt.enableMasterLoadBalancerSpec
 			cl.Postgresql.Spec.EnableReplicaLoadBalancer = tt.enableReplicaLoadBalancerSpec
-			cl.Postgresql.Spec.EnablePublicLoadBalancer = tt.enablePublicLoadBalancerSpec
+			cl.Postgresql.Spec.LoadBalancerSchema = tt.loadBalancerSchemaSpec
 
 			got := cl.generateServiceAnnotations(tt.role, &cl.Postgresql.Spec)
 			if len(tt.expect) != len(got) {

pkg/cluster/k8sres.go

@@ -1527,13 +1527,18 @@ func (c *Cluster) shouldCreateLoadBalancerForService(role PostgresRole, spec *ac
 
 func (c *Cluster) shouldUseInternalLoadBalancerForService(spec *acidv1.PostgresSpec) bool {
 
+	// check if public load balancers are even allowed
+	if c.OpConfig.AllowPublicLoadBalancers == nil || !(*c.OpConfig.AllowPublicLoadBalancers) {
+		return true
+	}
+
 	// if the value is explicitly set in a Postgresql manifest, follow this setting
-	if spec.EnablePublicLoadBalancer != nil {
+	if spec.LoadBalancerSchema != "" {
-		return !(*spec.EnablePublicLoadBalancer)
+		return spec.LoadBalancerSchema == "internal"
 	}
 
 	// otherwise, follow the operator configuration
-	return !c.OpConfig.EnablePublicLoadBalancer
+	return c.OpConfig.DefaultLoadBalancerSchema == "internal"
 }
 
 func (c *Cluster) generateService(role PostgresRole, spec *acidv1.PostgresSpec) *v1.Service {

pkg/controller/operator_config.go

@@ -101,8 +101,9 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	// load balancer config
 	result.DbHostedZone = fromCRD.LoadBalancer.DbHostedZone
 	result.EnableMasterLoadBalancer = fromCRD.LoadBalancer.EnableMasterLoadBalancer
-	result.EnablePublicLoadBalancer = fromCRD.LoadBalancer.EnablePublicLoadBalancer
 	result.EnableReplicaLoadBalancer = fromCRD.LoadBalancer.EnableReplicaLoadBalancer
+	result.AllowPublicLoadBalancers = util.CoalesceBool(fromCRD.LoadBalancer.AllowPublicLoadBalancers, util.True())
+	result.DefaultLoadBalancerSchema = util.Coalesce(fromCRD.LoadBalancer.DefaultLoadBalancerSchema, "internal")
 	result.CustomServiceAnnotations = fromCRD.LoadBalancer.CustomServiceAnnotations
 	result.MasterDNSNameFormat = fromCRD.LoadBalancer.MasterDNSNameFormat
 	result.ReplicaDNSNameFormat = fromCRD.LoadBalancer.ReplicaDNSNameFormat

pkg/util/config/config.go

@@ -135,8 +135,9 @@ type Config struct {
 	TeamAdminRole                          string            `name:"team_admin_role" default:"admin"`
 	EnableAdminRoleForUsers                bool              `name:"enable_admin_role_for_users" default:"true"`
 	EnableMasterLoadBalancer               bool              `name:"enable_master_load_balancer" default:"false"`
-	EnablePublicLoadBalancer               bool              `name:"enable_public_load_balancer" default:"false"`
 	EnableReplicaLoadBalancer              bool              `name:"enable_replica_load_balancer" default:"false"`
+	AllowPublicLoadBalancers               *bool             `name:"allow_public_load_balancers" default:"true"`
+	DefaultLoadBalancerSchema              string            `name:"default_load_balancer_schema" default:"true"`
 	CustomServiceAnnotations               map[string]string `name:"custom_service_annotations"`
 	CustomPodAnnotations                   map[string]string `name:"custom_pod_annotations"`
 	EnablePodAntiAffinity                  bool              `name:"enable_pod_antiaffinity" default:"false"`