fixes

2021-05-19 17:39:56 +02:00 · 2021-05-19 17:39:56 +02:00 · af719c07fe
parent 620502010e
commit af719c07fe
3 changed files with 27 additions and 14 deletions
--- a/e2e/tests/test_e2e.py
+++ b/e2e/tests/test_e2e.py
@ -547,7 +547,9 @@ class EndToEndTestCase(unittest.TestCase):
        '''
            Test secrets in different namespace
        '''
+        app_namespace = "appspace"
        k8s = self.k8s
+        k8s.api.core_v1.create_namespace(app_namespace)
        k8s.api.custom_objects_api.patch_namespaced_custom_object(
            'acid.zalan.do', 'v1', 'default',
            'postgresqls', 'acid-minimal-cluster',
@ -558,7 +560,7 @@ class EndToEndTestCase(unittest.TestCase):
                    }
                }
            })
-        self.eventuallyEqual(lambda: k8s.count_secrets_in_namespace('appspace'),
+        self.eventuallyEqual(lambda: k8s.count_secrets_in_namespace(app_namespace),
                             1, "Secret not created in user namespace")

    @timeout_decorator.timeout(TEST_TIMEOUT_SEC)
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@ -924,14 +924,16 @@ func (c *Cluster) initSystemUsers() {
 	// secrets, therefore, setting flags like SUPERUSER or REPLICATION
 	// is not necessary here
 	c.systemUsers[constants.SuperuserKeyName] = spec.PgUser{
-		Origin:   spec.RoleOriginSystem,
-		Name:     c.OpConfig.SuperUsername,
-		Password: util.RandomPassword(constants.PasswordLength),
+		Origin:    spec.RoleOriginSystem,
+		Name:      c.OpConfig.SuperUsername,
+		Namespace: c.Namespace,
+		Password:  util.RandomPassword(constants.PasswordLength),
 	}
 	c.systemUsers[constants.ReplicationUserKeyName] = spec.PgUser{
-		Origin:   spec.RoleOriginSystem,
-		Name:     c.OpConfig.ReplicationUsername,
-		Password: util.RandomPassword(constants.PasswordLength),
+		Origin:    spec.RoleOriginSystem,
+		Name:      c.OpConfig.ReplicationUsername,
+		Namespace: c.Namespace,
+		Password:  util.RandomPassword(constants.PasswordLength),
 	}

 	// Connection pooler user is an exception, if requested it's going to be
@ -959,10 +961,11 @@ func (c *Cluster) initSystemUsers() {

 		// connection pooler application should be able to login with this role
 		connectionPoolerUser := spec.PgUser{
-			Origin:   spec.RoleConnectionPooler,
-			Name:     username,
-			Flags:    []string{constants.RoleFlagLogin},
-			Password: util.RandomPassword(constants.PasswordLength),
+			Origin:    spec.RoleConnectionPooler,
+			Name:      username,
+			Namespace: c.Namespace,
+			Flags:     []string{constants.RoleFlagLogin},
+			Password:  util.RandomPassword(constants.PasswordLength),
 		}

 		if _, exists := c.pgUsers[username]; !exists {
@ -1065,6 +1068,7 @@ func (c *Cluster) initDefaultRoles(defaultRoles map[string]string, admin, prefix
 		newRole := spec.PgUser{
 			Origin:     spec.RoleOriginBootstrap,
 			Name:       roleName,
+			Namespace:  c.Namespace,
 			Password:   util.RandomPassword(constants.PasswordLength),
 			Flags:      flags,
 			MemberOf:   memberOf,
@ -1090,12 +1094,14 @@ func (c *Cluster) initRobotUsers() error {
 			continue
 		}
 		name := username
-		namespace := "default"
+		namespace := c.Namespace

 		if strings.Contains(username, ".") {
 			splits := strings.Split(username, ".")
 			name = splits[1]
-			namespace = splits[0]
+			if splits[0] != "" {
+				namespace = splits[0]
+			}
 			username = name
 		}

@ -1149,6 +1155,7 @@ func (c *Cluster) initTeamMembers(teamID string, isPostgresSuperuserTeam bool) e
 		newRole := spec.PgUser{
 			Origin:     spec.RoleOriginTeamsAPI,
 			Name:       username,
+			Namespace:  c.Namespace,
 			Flags:      flags,
 			MemberOf:   memberOf,
 			Parameters: c.OpConfig.TeamAPIRoleConfiguration,
@ -1228,6 +1235,7 @@ func (c *Cluster) initInfrastructureRoles() error {
 			return fmt.Errorf("invalid flags for user '%v': %v", username, err)
 		}
 		newRole.Flags = flags
+		newRole.Namespace = c.Namespace

 		if currentRole, present := c.pgUsers[username]; present {
 			c.pgUsers[username] = c.resolveNameConflict(&currentRole, &newRole)
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@ -481,6 +481,9 @@ func (c *Cluster) syncSecrets() error {
 	secrets := c.generateUserSecrets()

 	for secretUsername, secretSpec := range secrets {
+		if len(secretSpec.Namespace) < 0 {
+			c.logger.Warningf("found empty namespace for user %s", secretUsername)
+		}
 		if secret, err = c.KubeClient.Secrets(secretSpec.Namespace).Create(context.TODO(), secretSpec, metav1.CreateOptions{}); err == nil {
 			c.Secrets[secret.UID] = secret
 			c.logger.Debugf("created new secret %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secret.UID)
@ -521,7 +524,7 @@ func (c *Cluster) syncSecrets() error {
 				userMap[secretUsername] = pwdUser
 			}
 		} else {
-			return fmt.Errorf("could not create secret for user %s: %v", secretUsername, err)
+			return fmt.Errorf("could not create secret for user %s: in namespace %s: %v", secretUsername, secretSpec.Namespace, err)
 		}
 	}