From e98439e5b672a2510b9344ec963586ce037ab8eb Mon Sep 17 00:00:00 2001
From: Rafia Sabih <rafia.sabih@gmail.com>
Date: Thu, 18 Nov 2021 09:55:33 +0100
Subject: [PATCH] Add log messages for usernames (#1692)

* add log messages for usernames
* document behavior better in logs

Co-authored-by: Felix Kunde <felix-kunde@gmx.de>
---
 docs/user.md           | 13 +++++++++----
 pkg/cluster/cluster.go |  1 +
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/docs/user.md b/docs/user.md
index d8783c42f..e0873f274 100644
--- a/docs/user.md
+++ b/docs/user.md
@@ -141,14 +141,18 @@ other roles.
 
 To define the secrets for the users in a different namespace than that of the
 cluster, one can set `enable_cross_namespace_secret` and declare the namespace
-for the secrets in the manifest in the following manner,
+for the secrets in the manifest in the following manner (note, that it has to
+be reflected in the `database` section, too),
 
 ```yaml
 spec:
   users:
-  #users with secret in dfferent namespace
-   appspace.db_user:
+    # users with secret in different namespace
+    appspace.db_user:
     - createdb
+  databases:
+    # namespace notation is part of user name
+    app_db: appspace.db_user
 ```
 
 Here, anything before the first dot is considered the namespace and the text after
@@ -554,7 +558,8 @@ schema creation. This means they are currently not set when `defaultUsers`
 For all LOGIN roles the operator will create K8s secrets in the namespace
 specified in `secretNamespace`, if `enable_cross_namespace_secret` is set to
 `true` in the config. Otherwise, they are created in the same namespace like
-the Postgres cluster.
+the Postgres cluster. Unlike roles specified with `namespace.username` under
+`users`, the namespace will not be part of the role name here.
 
 ```yaml
 spec:
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 8e1dcb22e..967f9d530 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -1176,6 +1176,7 @@ func (c *Cluster) initRobotUsers() error {
 			if strings.Contains(username, ".") {
 				splits := strings.Split(username, ".")
 				namespace = splits[0]
+				c.logger.Warningf("enable_cross_namespace_secret is set. Database role name contains the respective namespace i.e. %s is the created user", username)
 			}
 		}