From af719c07fe4373fb85e0907d73c3568833cef598 Mon Sep 17 00:00:00 2001
From: Rafia Sabih
Date: Wed, 19 May 2021 17:39:56 +0200
Subject: [PATCH] fixes
---
 e2e/tests/test_e2e.py | 4 +++-
 pkg/cluster/cluster.go | 32 ++++++++++++++++++++------------
 pkg/cluster/sync.go | 5 ++++-
 3 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/e2e/tests/test_e2e.py b/e2e/tests/test_e2e.py
index 422fec991..b6c36f3e5 100644
--- a/e2e/tests/test_e2e.py
+++ b/e2e/tests/test_e2e.py
@@ -547,7 +547,9 @@ class EndToEndTestCase(unittest.TestCase):
 ''' Test secrets in different namespace '''
+ app_namespace = "appspace"
 k8s = self.k8s
+ k8s.api.core_v1.create_namespace(app_namespace)
 k8s.api.custom_objects_api.patch_namespaced_custom_object(
 'acid.zalan.do', 'v1', 'default', 'postgresqls', 'acid-minimal-cluster',
@@ -558,7 +560,7 @@ class EndToEndTestCase(unittest.TestCase):
 } } })
- self.eventuallyEqual(lambda: k8s.count_secrets_in_namespace('appspace'),
+ self.eventuallyEqual(lambda: k8s.count_secrets_in_namespace(app_namespace),
 1, "Secret not created in user namespace")
 @timeout_decorator.timeout(TEST_TIMEOUT_SEC)
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 5271ed90b..205f61c9a 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
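Review bot: In the first test_e2e.py hunk, `k8s.api.core_v1.create_namespace(app_namespace)` passes a bare string, while the Kubernetes Python client's `create_namespace` takes a `V1Namespace` body, so assuming `core_v1` is a `CoreV1Api` the call is likely to be rejected before the secret check runs. Build the object first, e.g. `k8s.api.core_v1.create_namespace(client.V1Namespace(metadata=client.V1ObjectMeta(name=app_namespace)))`, if `client` is imported in this file (not visible here). The test also never deletes the namespace, so a rerun against the same cluster would probably hit an already-exists error. The test method starts and ends outside the hunk, so cleanup may exist elsewhere.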
@@ -924,14 +924,16 @@ func (c *Cluster) initSystemUsers() {
 // secrets, therefore, setting flags like SUPERUSER or REPLICATION
 // is not necessary here
 c.systemUsers[constants.SuperuserKeyName] = spec.PgUser{
- Origin: spec.RoleOriginSystem,
- Name: c.OpConfig.SuperUsername,
- Password: util.RandomPassword(constants.PasswordLength),
+ Origin: spec.RoleOriginSystem,
+ Name: c.OpConfig.SuperUsername,
+ Namespace: c.Namespace,
+ Password: util.RandomPassword(constants.PasswordLength),
 }
 c.systemUsers[constants.ReplicationUserKeyName] = spec.PgUser{
- Origin: spec.RoleOriginSystem,
- Name: c.OpConfig.ReplicationUsername,
- Password: util.RandomPassword(constants.PasswordLength),
+ Origin: spec.RoleOriginSystem,
+ Name: c.OpConfig.ReplicationUsername,
+ Namespace: c.Namespace,
+ Password: util.RandomPassword(constants.PasswordLength),
 }
 // Connection pooler user is an exception, if requested it's going to be
@@ -959,10 +961,11 @@ func (c *Cluster) initSystemUsers() {
 // connection pooler application should be able to login with this role
 connectionPoolerUser := spec.PgUser{
- Origin: spec.RoleConnectionPooler,
- Name: username,
- Flags: []string{constants.RoleFlagLogin},
- Password: util.RandomPassword(constants.PasswordLength),
+ Origin: spec.RoleConnectionPooler,
+ Name: username,
+ Namespace: c.Namespace,
+ Flags: []string{constants.RoleFlagLogin},
+ Password: util.RandomPassword(constants.PasswordLength),
 }
 if _, exists := c.pgUsers[username]; !exists {
@@ -1065,6 +1068,7 @@ func (c *Cluster) initDefaultRoles(defaultRoles map[string]string, admin, prefix
 newRole := spec.PgUser{
 Origin: spec.RoleOriginBootstrap,
 Name: roleName,
+ Namespace: c.Namespace,
 Password: util.RandomPassword(constants.PasswordLength),
 Flags: flags,
 MemberOf: memberOf,
@@ -1090,12 +1094,14 @@ func (c *Cluster) initRobotUsers() error {
 continue
 }
 name := username
- namespace := "default"
+ namespace := c.Namespace
 if strings.Contains(username, ".") {
 splits := strings.Split(username, ".")
 name = splits[1]
- namespace = splits[0]
+ if splits[0] != "" {
+ namespace = splits[0]
+ }
 username = name
 }
@@ -1149,6 +1155,7 @@ func (c *Cluster) initTeamMembers(teamID string, isPostgresSuperuserTeam bool) e
 newRole := spec.PgUser{
 Origin: spec.RoleOriginTeamsAPI,
 Name: username,
+ Namespace: c.Namespace,
 Flags: flags,
 MemberOf: memberOf,
 Parameters: c.OpConfig.TeamAPIRoleConfiguration,
@@ -1228,6 +1235,7 @@ func (c *Cluster) initInfrastructureRoles() error {
 return fmt.Errorf("invalid flags for user '%v': %v", username, err)
 }
 newRole.Flags = flags
+ newRole.Namespace = c.Namespace
 if currentRole, present := c.pgUsers[username]; present {
 c.pgUsers[username] = c.resolveNameConflict(¤tRole, &newRole)
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index 3036a9942..8d4241c37 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@@ -481,6 +481,9 @@ func (c *Cluster) syncSecrets() error {
 secrets := c.generateUserSecrets()
 for secretUsername, secretSpec := range secrets {
+ if len(secretSpec.Namespace) < 0 {
+ c.logger.Warningf("found empty namespace for user %s", secretUsername)
+ }
 if secret, err = c.KubeClient.Secrets(secretSpec.Namespace).Create(context.TODO(), secretSpec, metav1.CreateOptions{}); err == nil {
 c.Secrets[secret.UID] = secret
 c.logger.Debugf("created new secret %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secret.UID)
@@ -521,7 +524,7 @@ func (c *Cluster) syncSecrets() error {
 userMap[secretUsername] = pwdUser
 }
 } else {
- return fmt.Errorf("could not create secret for user %s: %v", secretUsername, err)
+ return fmt.Errorf("could not create secret for user %s: in namespace %s: %v", secretUsername, secretSpec.Namespace, err)
 }
 }
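Review bot: In initRobotUsers the namespace that receives the generated credentials secret is taken from the part of the manifest username before the dot, and nothing in this hunk checks that the manifest's author is allowed to write to that namespace. Because the operator creates the secret with its own permissions (the `Create` call in syncSecrets), whoever can edit a postgresql manifest effectively chooses where credentials land; consider gating the prefix behind an operator option or an allow-list and validating it as a namespace name. The parsing is also loose: `strings.Split(username, ".")` silently drops everything after a second dot and an input such as `"ns."` yields an empty role name, so prefer `splits := strings.SplitN(username, ".", 2)` and `continue` with a warning when `splits[1] == ""`. The function body starts and ends outside the hunk.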
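Review bot: The added guard `if len(secretSpec.Namespace) < 0` in syncSecrets can never be true, because `len` never returns a negative value, so the warning is dead code; it should read `if secretSpec.Namespace == "" {`. Even once corrected, the loop only logs and then still calls `Secrets(secretSpec.Namespace).Create` with the empty namespace, so consider returning an error or using `continue` rather than attempting the create. syncSecrets continues outside the hunk.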
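Review bot: The new error format `"could not create secret for user %s: in namespace %s: %v"` has a stray colon after the user name, which makes the namespace read like a nested error rather than part of the same clause. `"could not create secret for user %s in namespace %s: %v"` says the same thing in one piece. The else branch it sits in starts outside the hunk.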