fixes

e2e/tests/test_e2e.py

@@ -547,7 +547,9 @@ class EndToEndTestCase(unittest.TestCase):
         '''
             Test secrets in different namespace
         '''
+        app_namespace = "appspace"
         k8s = self.k8s
+        k8s.api.core_v1.create_namespace(app_namespace)
         k8s.api.custom_objects_api.patch_namespaced_custom_object(
             'acid.zalan.do', 'v1', 'default',
             'postgresqls', 'acid-minimal-cluster',
@@ -558,7 +560,7 @@ class EndToEndTestCase(unittest.TestCase):
                     }
                 }
             })
-        self.eventuallyEqual(lambda: k8s.count_secrets_in_namespace('appspace'),
+        self.eventuallyEqual(lambda: k8s.count_secrets_in_namespace(app_namespace),
                              1, "Secret not created in user namespace")
 
     @timeout_decorator.timeout(TEST_TIMEOUT_SEC)

pkg/cluster/cluster.go

@@ -926,11 +926,13 @@ func (c *Cluster) initSystemUsers() {
 	c.systemUsers[constants.SuperuserKeyName] = spec.PgUser{
 		Origin:    spec.RoleOriginSystem,
 		Name:      c.OpConfig.SuperUsername,
+		Namespace: c.Namespace,
 		Password:  util.RandomPassword(constants.PasswordLength),
 	}
 	c.systemUsers[constants.ReplicationUserKeyName] = spec.PgUser{
 		Origin:    spec.RoleOriginSystem,
 		Name:      c.OpConfig.ReplicationUsername,
+		Namespace: c.Namespace,
 		Password:  util.RandomPassword(constants.PasswordLength),
 	}
 
@@ -961,6 +963,7 @@ func (c *Cluster) initSystemUsers() {
 		connectionPoolerUser := spec.PgUser{
 			Origin:    spec.RoleConnectionPooler,
 			Name:      username,
+			Namespace: c.Namespace,
 			Flags:     []string{constants.RoleFlagLogin},
 			Password:  util.RandomPassword(constants.PasswordLength),
 		}
@@ -1065,6 +1068,7 @@ func (c *Cluster) initDefaultRoles(defaultRoles map[string]string, admin, prefix
 		newRole := spec.PgUser{
 			Origin:     spec.RoleOriginBootstrap,
 			Name:       roleName,
+			Namespace:  c.Namespace,
 			Password:   util.RandomPassword(constants.PasswordLength),
 			Flags:      flags,
 			MemberOf:   memberOf,
@@ -1090,12 +1094,14 @@ func (c *Cluster) initRobotUsers() error {
 			continue
 		}
 		name := username
-		namespace := "default"
+		namespace := c.Namespace
 
 		if strings.Contains(username, ".") {
 			splits := strings.Split(username, ".")
 			name = splits[1]
+			if splits[0] != "" {
 				namespace = splits[0]
+			}
 			username = name
 		}
 
@@ -1149,6 +1155,7 @@ func (c *Cluster) initTeamMembers(teamID string, isPostgresSuperuserTeam bool) e
 		newRole := spec.PgUser{
 			Origin:     spec.RoleOriginTeamsAPI,
 			Name:       username,
+			Namespace:  c.Namespace,
 			Flags:      flags,
 			MemberOf:   memberOf,
 			Parameters: c.OpConfig.TeamAPIRoleConfiguration,
@@ -1228,6 +1235,7 @@ func (c *Cluster) initInfrastructureRoles() error {
 			return fmt.Errorf("invalid flags for user '%v': %v", username, err)
 		}
 		newRole.Flags = flags
+		newRole.Namespace = c.Namespace
 
 		if currentRole, present := c.pgUsers[username]; present {
 			c.pgUsers[username] = c.resolveNameConflict(&currentRole, &newRole)

pkg/cluster/sync.go

@@ -481,6 +481,9 @@ func (c *Cluster) syncSecrets() error {
 	secrets := c.generateUserSecrets()
 
 	for secretUsername, secretSpec := range secrets {
+		if len(secretSpec.Namespace) < 0 {
+			c.logger.Warningf("found empty namespace for user %s", secretUsername)
+		}
 		if secret, err = c.KubeClient.Secrets(secretSpec.Namespace).Create(context.TODO(), secretSpec, metav1.CreateOptions{}); err == nil {
 			c.Secrets[secret.UID] = secret
 			c.logger.Debugf("created new secret %s, uid: %s", util.NameFromMeta(secret.ObjectMeta), secret.UID)
@@ -521,7 +524,7 @@ func (c *Cluster) syncSecrets() error {
 				userMap[secretUsername] = pwdUser
 			}
 		} else {
-			return fmt.Errorf("could not create secret for user %s: %v", secretUsername, err)
+			return fmt.Errorf("could not create secret for user %s: in namespace %s: %v", secretUsername, secretSpec.Namespace, err)
 		}
 	}