Add log messages for usernames (#1692)

* add log messages for usernames * document behavior better in logs Co-authored-by: Felix Kunde <felix-kunde@gmx.de>
2021-11-18 09:55:33 +01:00 · 2021-11-18 09:55:33 +01:00 · e98439e5b6
parent f9150aa6db
commit e98439e5b6
2 changed files with 10 additions and 4 deletions
--- a/docs/user.md
+++ b/docs/user.md
@ -141,14 +141,18 @@ other roles.

 To define the secrets for the users in a different namespace than that of the
 cluster, one can set `enable_cross_namespace_secret` and declare the namespace
-for the secrets in the manifest in the following manner,
+for the secrets in the manifest in the following manner (note, that it has to
+be reflected in the `database` section, too),

 ```yaml
 spec:
  users:
-  #users with secret in dfferent namespace
-   appspace.db_user:
+    # users with secret in different namespace
+    appspace.db_user:
    - createdb
+  databases:
+    # namespace notation is part of user name
+    app_db: appspace.db_user
 ```

 Here, anything before the first dot is considered the namespace and the text after
@ -554,7 +558,8 @@ schema creation. This means they are currently not set when `defaultUsers`
 For all LOGIN roles the operator will create K8s secrets in the namespace
 specified in `secretNamespace`, if `enable_cross_namespace_secret` is set to
 `true` in the config. Otherwise, they are created in the same namespace like
-the Postgres cluster.
+the Postgres cluster. Unlike roles specified with `namespace.username` under
+`users`, the namespace will not be part of the role name here.

 ```yaml
 spec:
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@ -1176,6 +1176,7 @@ func (c *Cluster) initRobotUsers() error {
 			if strings.Contains(username, ".") {
 				splits := strings.Split(username, ".")
 				namespace = splits[0]
+				c.logger.Warningf("enable_cross_namespace_secret is set. Database role name contains the respective namespace i.e. %s is the created user", username)
 			}
 		}