Move flag to configmap (#1540)
* Move flag to configmap Co-authored-by: Rafia Sabih <rafia.sabih@zalando.de> Co-authored-by: Felix Kunde <felix-kunde@gmx.de>
parent
330c2c4c0b
commit
fa604027cf
@ -173,6 +173,9 @@ spec:
|
||||||
enable_init_containers:
|
enable_init_containers:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: true
|
default: true
|
||||||
|
enable_cross_namespace_secret:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
enable_pod_antiaffinity:
|
enable_pod_antiaffinity:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
@ -515,8 +515,6 @@ spec:
|
||||||
type: integer
|
type: integer
|
||||||
useLoadBalancer: # deprecated
|
useLoadBalancer: # deprecated
|
||||||
type: boolean
|
type: boolean
|
||||||
enableNamespacedSecret:
|
|
||||||
type: boolean
|
|
||||||
users:
|
users:
|
||||||
type: object
|
type: object
|
||||||
additionalProperties:
|
additionalProperties:
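Review bot: Dropping `enableNamespacedSecret` from the postgresql CRD schema here (and in the matching Go CRD validation hunk later in this commit) changes behaviour for manifests that still carry the field: depending on how the CRD is installed it is presumably either pruned silently or rejected, and a cluster that opted in per manifest now depends on the operator-wide `enable_cross_namespace_secret` instead, with nothing telling its owner. The schema keeps `useLoadBalancer: # deprecated` a few lines above, so the same treatment fits: keep `enableNamespacedSecret:` with `type: boolean` and a `# deprecated` comment for a release and have the operator warn when it is set. That also gives the documentation a concrete migration statement to point at.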
|
||||||
@ -97,6 +97,8 @@ configKubernetes:
|
||||||
# - deployment-time
|
# - deployment-time
|
||||||
# - downscaler/*
|
# - downscaler/*
|
||||||
|
|
||||||
|
# allow user secrets in other namespaces than the Postgres cluster
|
||||||
|
enable_cross_namespace_secret: false
|
||||||
# enables initContainers to run actions before Spilo is started
|
# enables initContainers to run actions before Spilo is started
|
||||||
enable_init_containers: true
|
enable_init_containers: true
|
||||||
# toggles pod anti affinity on the Postgres pods
|
# toggles pod anti affinity on the Postgres pods
|
||||||
@ -151,7 +153,7 @@ configKubernetes:
|
||||||
# template for database user secrets generated by the operator,
|
# template for database user secrets generated by the operator,
|
||||||
# here username contains the namespace in the format namespace.username
|
# here username contains the namespace in the format namespace.username
|
||||||
# if the user is in different namespace than cluster and cross namespace secrets
|
# if the user is in different namespace than cluster and cross namespace secrets
|
||||||
# are enabled via EnableNamespacedSecret flag.
|
# are enabled via `enable_cross_namespace_secret` flag in the configuration.
|
||||||
secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
|
secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
|
||||||
# set user and group for the spilo container (required to run Spilo as non-root process)
|
# set user and group for the spilo container (required to run Spilo as non-root process)
|
||||||
# spilo_runasuser: 101
|
# spilo_runasuser: 101
|
||||||
@ -264,6 +264,13 @@ configuration they are grouped under the `kubernetes` key.
|
||||||
[admin docs](../administrator.md#pod-disruption-budget) for more information.
|
[admin docs](../administrator.md#pod-disruption-budget) for more information.
|
||||||
Default is true.
|
Default is true.
|
||||||
|
|
||||||
|
* **enable_cross_namespace_secrets**
|
||||||
|
To allow secrets in a different namespace other than the Postgres cluster
|
||||||
|
namespace. Once enabled, specify the namespace in the user name under the
|
||||||
|
`users` section in the form `{namespace}.{username}`. The operator will then
|
||||||
|
create the user secret in that namespace. The part after the first `.` is
|
||||||
|
considered to be the user name. The default is `false`.
|
||||||
|
|
||||||
* **enable_init_containers**
|
* **enable_init_containers**
|
||||||
global option to allow for creating init containers in the cluster manifest to
|
global option to allow for creating init containers in the cluster manifest to
|
||||||
run actions before Spilo is started. Default is true.
|
run actions before Spilo is started. Default is true.
|
||||||
@ -275,13 +282,12 @@ configuration they are grouped under the `kubernetes` key.
|
||||||
|
|
||||||
* **secret_name_template**
|
* **secret_name_template**
|
||||||
a template for the name of the database user secrets generated by the
|
a template for the name of the database user secrets generated by the
|
||||||
operator. `{namespace}` is replaced with name of the namespace (if cross
|
operator. `{namespace}` is replaced with name of the namespace if
|
||||||
namespace secrets are enabled via EnableNamespacedSecret flag, otherwise the
|
`enable_cross_namespace_secret` is set, otherwise the
|
||||||
secret is in cluster's namespace and in that case it is not present in secret
|
secret is in cluster's namespace. `{username}` is replaced with name of the
|
||||||
name), `{username}` is replaced with name of the secret, `{cluster}` with the
|
secret, `{cluster}` with the name of the cluster, `{tprkind}` with the kind
|
||||||
name of the cluster, `{tprkind}` with the kind of CRD (formerly known as TPR)
|
of CRD (formerly known as TPR) and `{tprgroup}` with the group of the CRD.
|
||||||
and `{tprgroup}` with the group of the CRD. No other placeholders are allowed.
|
No other placeholders are allowed. The default is
|
||||||
The default is
|
|
||||||
`{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}`.
|
`{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}`.
|
||||||
|
|
||||||
* **cluster_domain**
|
* **cluster_domain**
|
||||||
@ -140,7 +140,7 @@ At the moment it is not possible to define membership of the manifest role in
|
||||||
other roles.
|
other roles.
|
||||||
|
|
||||||
To define the secrets for the users in a different namespace than that of the cluster,
|
To define the secrets for the users in a different namespace than that of the cluster,
|
||||||
one can use the flag `EnableNamespacedSecret` and declare the namespace for the
|
one can set `enable_cross_namespace_secret` and declare the namespace for the
|
||||||
secrets in the manifest in the following manner,
|
secrets in the manifest in the following manner,
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
@ -598,29 +598,36 @@ class EndToEndTestCase(unittest.TestCase):
|
||||||
self.k8s.api.core_v1.create_namespace(v1_appnamespace)
|
self.k8s.api.core_v1.create_namespace(v1_appnamespace)
|
||||||
self.k8s.wait_for_namespace_creation(app_namespace)
|
self.k8s.wait_for_namespace_creation(app_namespace)
|
||||||
|
|
||||||
|
patch_cross_namespace_secret = {
|
||||||
|
"data": {
|
||||||
|
"enable_cross_namespace_secret": "true"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
self.k8s.update_config(patch_cross_namespace_secret,
|
||||||
|
step="cross namespace secrets enabled")
|
||||||
|
|
||||||
self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
|
self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
|
||||||
'acid.zalan.do', 'v1', 'default',
|
'acid.zalan.do', 'v1', 'default',
|
||||||
'postgresqls', 'acid-minimal-cluster',
|
'postgresqls', 'acid-minimal-cluster',
|
||||||
{
|
{
|
||||||
'spec': {
|
'spec': {
|
||||||
'enableNamespacedSecret': True,
|
|
||||||
'users':{
|
'users':{
|
||||||
'appspace.db_user': [],
|
'appspace.db_user': [],
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
self.eventuallyEqual(lambda: self.k8s.count_secrets_with_label("cluster-name=acid-minimal-cluster,application=spilo", app_namespace),
|
self.eventuallyEqual(lambda: self.k8s.count_secrets_with_label("cluster-name=acid-minimal-cluster,application=spilo", app_namespace),
|
||||||
1, "Secret not created for user in namespace")
|
1, "Secret not created for user in namespace")
|
||||||
|
|
||||||
#reset the flag
|
#reset the flag
|
||||||
self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
|
unpatch_cross_namespace_secret = {
|
||||||
'acid.zalan.do', 'v1', 'default',
|
"data": {
|
||||||
'postgresqls', 'acid-minimal-cluster',
|
"enable_cross_namespace_secret": "false",
|
||||||
{
|
|
||||||
'spec': {
|
|
||||||
'enableNamespacedSecret': False,
|
|
||||||
}
|
}
|
||||||
})
|
}
|
||||||
|
self.k8s.update_config(unpatch_cross_namespace_secret, step="disable cross namespace secrets")
|
||||||
|
|
||||||
|
|
||||||
@timeout_decorator.timeout(TEST_TIMEOUT_SEC)
|
@timeout_decorator.timeout(TEST_TIMEOUT_SEC)
|
||||||
def test_lazy_spilo_upgrade(self):
|
def test_lazy_spilo_upgrade(self):
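Review bot: The new `self.k8s.update_config(patch_cross_namespace_secret, ...)` turns the flag on for the whole operator, but the `unpatch_cross_namespace_secret` reset only runs if the `eventuallyEqual` assertion passes, so a failure leaves cross-namespace secrets enabled for every test that follows in this class. Put the body from the patch through the assertion in a `try:` block and move the reset `update_config(...)` into its `finally:`. Since the per-cluster opt-in is gone, the test also covers only the positive path; asserting that `count_secrets_with_label(...)` in `app_namespace` stays at 0 while the flag is off would pin the default behaviour the operator now relies on. The enclosing test method starts outside the hunk.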
|
||||||
@ -12,7 +12,6 @@ spec:
|
||||||
dockerImage: registry.opensource.zalan.do/acid/spilo-13:2.0-p7
|
dockerImage: registry.opensource.zalan.do/acid/spilo-13:2.0-p7
|
||||||
teamId: "acid"
|
teamId: "acid"
|
||||||
numberOfInstances: 2
|
numberOfInstances: 2
|
||||||
enableNamespacedSecret: False
|
|
||||||
users: # Application/Robot users
|
users: # Application/Robot users
|
||||||
zalando:
|
zalando:
|
||||||
- superuser
|
- superuser
|
||||||
@ -36,6 +36,7 @@ data:
|
||||||
# downscaler_annotations: "deployment-time,downscaler/*"
|
# downscaler_annotations: "deployment-time,downscaler/*"
|
||||||
# enable_admin_role_for_users: "true"
|
# enable_admin_role_for_users: "true"
|
||||||
# enable_crd_validation: "true"
|
# enable_crd_validation: "true"
|
||||||
|
# enable_cross_namespace_secret: "false"
|
||||||
# enable_database_access: "true"
|
# enable_database_access: "true"
|
||||||
enable_ebs_gp3_migration: "false"
|
enable_ebs_gp3_migration: "false"
|
||||||
# enable_ebs_gp3_migration_max_size: "1000"
|
# enable_ebs_gp3_migration_max_size: "1000"
|
||||||
@ -45,6 +45,7 @@ configuration:
|
||||||
# downscaler_annotations:
|
# downscaler_annotations:
|
||||||
# - deployment-time
|
# - deployment-time
|
||||||
# - downscaler/*
|
# - downscaler/*
|
||||||
|
# enable_cross_namespace_secret: "false"
|
||||||
enable_init_containers: true
|
enable_init_containers: true
|
||||||
enable_pod_antiaffinity: false
|
enable_pod_antiaffinity: false
|
||||||
enable_pod_disruption_budget: true
|
enable_pod_disruption_budget: true
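Review bot: `# enable_cross_namespace_secret: "false"` is written as a quoted string, but this file is the OperatorConfiguration CRD example where the field is declared `type: boolean` in the CRD hunk at the top of this commit, and the neighbouring `enable_init_containers: true` is unquoted; a user who uncomments the line as written would most likely have it rejected by CRD validation. Change it to `# enable_cross_namespace_secret: false`. The quoted form belongs only in the ConfigMap variant, where every data value is a string.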
|
||||||
@ -730,9 +730,6 @@ var PostgresCRDResourceValidation = apiextv1.CustomResourceValidation{
|
||||||
Type: "boolean",
|
Type: "boolean",
|
||||||
Description: "Deprecated",
|
Description: "Deprecated",
|
||||||
},
|
},
|
||||||
"enableNamespacedSecret": {
|
|
||||||
Type: "boolean",
|
|
||||||
},
|
|
||||||
"users": {
|
"users": {
|
||||||
Type: "object",
|
Type: "object",
|
||||||
AdditionalProperties: &apiextv1.JSONSchemaPropsOrBool{
|
AdditionalProperties: &apiextv1.JSONSchemaPropsOrBool{
|
||||||
@ -1029,6 +1026,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
"enable_cross_namespace_secret": {
|
||||||
|
Type: "boolean",
|
||||||
|
},
|
||||||
"enable_init_containers": {
|
"enable_init_containers": {
|
||||||
Type: "boolean",
|
Type: "boolean",
|
||||||
},
|
},
|
||||||
@ -91,6 +91,7 @@ type KubernetesMetaConfiguration struct {
|
||||||
EnablePodAntiAffinity bool `json:"enable_pod_antiaffinity,omitempty"`
|
EnablePodAntiAffinity bool `json:"enable_pod_antiaffinity,omitempty"`
|
||||||
PodAntiAffinityTopologyKey string `json:"pod_antiaffinity_topology_key,omitempty"`
|
PodAntiAffinityTopologyKey string `json:"pod_antiaffinity_topology_key,omitempty"`
|
||||||
PodManagementPolicy string `json:"pod_management_policy,omitempty"`
|
PodManagementPolicy string `json:"pod_management_policy,omitempty"`
|
||||||
|
EnableCrossNamespaceSecret bool `json:"enable_cross_namespace_secret,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// PostgresPodResourcesDefaults defines the spec of default resources
|
// PostgresPodResourcesDefaults defines the spec of default resources
|
||||||
@ -53,28 +53,27 @@ type PostgresSpec struct {
|
||||||
// load balancers' source ranges are the same for master and replica services
|
// load balancers' source ranges are the same for master and replica services
|
||||||
AllowedSourceRanges []string `json:"allowedSourceRanges"`
|
AllowedSourceRanges []string `json:"allowedSourceRanges"`
|
||||||
|
|
||||||
NumberOfInstances int32 `json:"numberOfInstances"`
|
NumberOfInstances int32 `json:"numberOfInstances"`
|
||||||
EnableNamespacedSecret *bool `json:"enableNamespacedSecret,omitempty"`
|
Users map[string]UserFlags `json:"users,omitempty"`
|
||||||
Users map[string]UserFlags `json:"users,omitempty"`
|
MaintenanceWindows []MaintenanceWindow `json:"maintenanceWindows,omitempty"`
|
||||||
MaintenanceWindows []MaintenanceWindow `json:"maintenanceWindows,omitempty"`
|
Clone *CloneDescription `json:"clone,omitempty"`
|
||||||
Clone *CloneDescription `json:"clone,omitempty"`
|
ClusterName string `json:"-"`
|
||||||
ClusterName string `json:"-"`
|
Databases map[string]string `json:"databases,omitempty"`
|
||||||
Databases map[string]string `json:"databases,omitempty"`
|
PreparedDatabases map[string]PreparedDatabase `json:"preparedDatabases,omitempty"`
|
||||||
PreparedDatabases map[string]PreparedDatabase `json:"preparedDatabases,omitempty"`
|
SchedulerName *string `json:"schedulerName,omitempty"`
|
||||||
SchedulerName *string `json:"schedulerName,omitempty"`
|
NodeAffinity *v1.NodeAffinity `json:"nodeAffinity,omitempty"`
|
||||||
NodeAffinity *v1.NodeAffinity `json:"nodeAffinity,omitempty"`
|
Tolerations []v1.Toleration `json:"tolerations,omitempty"`
|
||||||
Tolerations []v1.Toleration `json:"tolerations,omitempty"`
|
Sidecars []Sidecar `json:"sidecars,omitempty"`
|
||||||
Sidecars []Sidecar `json:"sidecars,omitempty"`
|
InitContainers []v1.Container `json:"initContainers,omitempty"`
|
||||||
InitContainers []v1.Container `json:"initContainers,omitempty"`
|
PodPriorityClassName string `json:"podPriorityClassName,omitempty"`
|
||||||
PodPriorityClassName string `json:"podPriorityClassName,omitempty"`
|
ShmVolume *bool `json:"enableShmVolume,omitempty"`
|
||||||
ShmVolume *bool `json:"enableShmVolume,omitempty"`
|
EnableLogicalBackup bool `json:"enableLogicalBackup,omitempty"`
|
||||||
EnableLogicalBackup bool `json:"enableLogicalBackup,omitempty"`
|
LogicalBackupSchedule string `json:"logicalBackupSchedule,omitempty"`
|
||||||
LogicalBackupSchedule string `json:"logicalBackupSchedule,omitempty"`
|
StandbyCluster *StandbyDescription `json:"standby,omitempty"`
|
||||||
StandbyCluster *StandbyDescription `json:"standby,omitempty"`
|
PodAnnotations map[string]string `json:"podAnnotations,omitempty"`
|
||||||
PodAnnotations map[string]string `json:"podAnnotations,omitempty"`
|
ServiceAnnotations map[string]string `json:"serviceAnnotations,omitempty"`
|
||||||
ServiceAnnotations map[string]string `json:"serviceAnnotations,omitempty"`
|
TLS *TLSDescription `json:"tls,omitempty"`
|
||||||
TLS *TLSDescription `json:"tls,omitempty"`
|
AdditionalVolumes []AdditionalVolume `json:"additionalVolumes,omitempty"`
|
||||||
AdditionalVolumes []AdditionalVolume `json:"additionalVolumes,omitempty"`
|
|
||||||
|
|
||||||
// deprecated json tags
|
// deprecated json tags
|
||||||
InitContainersOld []v1.Container `json:"init_containers,omitempty"`
|
InitContainersOld []v1.Container `json:"init_containers,omitempty"`
|
||||||
@ -614,11 +614,6 @@ func (in *PostgresSpec) DeepCopyInto(out *PostgresSpec) {
|
||||||
*out = make([]string, len(*in))
|
*out = make([]string, len(*in))
|
||||||
copy(*out, *in)
|
copy(*out, *in)
|
||||||
}
|
}
|
||||||
if in.EnableNamespacedSecret != nil {
|
|
||||||
in, out := &in.EnableNamespacedSecret, &out.EnableNamespacedSecret
|
|
||||||
*out = new(bool)
|
|
||||||
**out = **in
|
|
||||||
}
|
|
||||||
if in.Users != nil {
|
if in.Users != nil {
|
||||||
in, out := &in.Users, &out.Users
|
in, out := &in.Users, &out.Users
|
||||||
*out = make(map[string]UserFlags, len(*in))
|
*out = make(map[string]UserFlags, len(*in))
|
||||||
@ -1163,8 +1163,7 @@ func (c *Cluster) initRobotUsers() error {
|
||||||
namespace := c.Namespace
|
namespace := c.Namespace
|
||||||
|
|
||||||
//if namespaced secrets are allowed
|
//if namespaced secrets are allowed
|
||||||
if c.Postgresql.Spec.EnableNamespacedSecret != nil &&
|
if c.Config.OpConfig.EnableCrossNamespaceSecret {
|
||||||
*c.Postgresql.Spec.EnableNamespacedSecret {
|
|
||||||
if strings.Contains(username, ".") {
|
if strings.Contains(username, ".") {
|
||||||
splits := strings.Split(username, ".")
|
splits := strings.Split(username, ".")
|
||||||
namespace = splits[0]
|
namespace = splits[0]
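Review bot: With the per-cluster `EnableNamespacedSecret` check removed, the only gate before a manifest author can have a Secret written into another namespace is the operator-wide `c.Config.OpConfig.EnableCrossNamespaceSecret`, and `namespace = splits[0]` still takes that target namespace straight from the user-supplied key with no validation. Once the flag is on, every team whose manifests this operator reconciles can place secrets in any namespace the operator's RBAC can write to, so it is worth checking `splits[0]` (non-empty, a valid namespace name, optionally against an allow-list held in the operator config) and logging at Info level whenever a secret is created outside `c.Namespace` so the action is auditable. The body of `initRobotUsers` starts and ends outside the hunk.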
|
||||||
@ -1024,7 +1024,6 @@ func TestCrossNamespacedSecrets(t *testing.T) {
|
||||||
Volume: acidv1.Volume{
|
Volume: acidv1.Volume{
|
||||||
Size: "1Gi",
|
Size: "1Gi",
|
||||||
},
|
},
|
||||||
EnableNamespacedSecret: boolToPointer(true),
|
|
||||||
Users: map[string]acidv1.UserFlags{
|
Users: map[string]acidv1.UserFlags{
|
||||||
"appspace.db_user": {},
|
"appspace.db_user": {},
|
||||||
"db_user": {},
|
"db_user": {},
|
||||||
@ -1052,6 +1051,7 @@ func TestCrossNamespacedSecrets(t *testing.T) {
|
||||||
DefaultMemoryLimit: "300Mi",
|
DefaultMemoryLimit: "300Mi",
|
||||||
PodRoleLabel: "spilo-role",
|
PodRoleLabel: "spilo-role",
|
||||||
},
|
},
|
||||||
|
EnableCrossNamespaceSecret: true,
|
||||||
},
|
},
|
||||||
}, client, pg, logger, eventRecorder)
|
}, client, pg, logger, eventRecorder)
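Review bot: `TestCrossNamespacedSecrets` now only exercises the flag-on path via `EnableCrossNamespaceSecret: true`; with the per-manifest field gone, a second case built from the same `pg` spec but with the flag false would pin what happens to the `appspace.db_user` key when the feature is off (presumably the secret stays in the cluster namespace, which the hunk does not show). A table-driven pair of cases over the flag value would keep the two in one place. The enclosing test function starts before the hunk and continues after it.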
|
||||||
|
|
||||||
@ -82,6 +82,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
|
||||||
result.EnableSidecars = util.CoalesceBool(fromCRD.Kubernetes.EnableSidecars, util.True())
|
result.EnableSidecars = util.CoalesceBool(fromCRD.Kubernetes.EnableSidecars, util.True())
|
||||||
result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate
|
result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate
|
||||||
result.OAuthTokenSecretName = fromCRD.Kubernetes.OAuthTokenSecretName
|
result.OAuthTokenSecretName = fromCRD.Kubernetes.OAuthTokenSecretName
|
||||||
|
result.EnableCrossNamespaceSecret = fromCRD.Kubernetes.EnableCrossNamespaceSecret
|
||||||
|
|
||||||
result.InfrastructureRolesSecretName = fromCRD.Kubernetes.InfrastructureRolesSecretName
|
result.InfrastructureRolesSecretName = fromCRD.Kubernetes.InfrastructureRolesSecretName
|
||||||
if fromCRD.Kubernetes.InfrastructureRolesDefs != nil {
|
if fromCRD.Kubernetes.InfrastructureRolesDefs != nil {
|
||||||
@ -207,6 +207,7 @@ type Config struct {
|
||||||
PostgresSuperuserTeams []string `name:"postgres_superuser_teams" default:""`
|
PostgresSuperuserTeams []string `name:"postgres_superuser_teams" default:""`
|
||||||
SetMemoryRequestToLimit bool `name:"set_memory_request_to_limit" default:"false"`
|
SetMemoryRequestToLimit bool `name:"set_memory_request_to_limit" default:"false"`
|
||||||
EnableLazySpiloUpgrade bool `name:"enable_lazy_spilo_upgrade" default:"false"`
|
EnableLazySpiloUpgrade bool `name:"enable_lazy_spilo_upgrade" default:"false"`
|
||||||
|
EnableCrossNamespaceSecret bool `name:"enable_cross_namespace_secret" default:"false"`
|
||||||
EnablePgVersionEnvVar bool `name:"enable_pgversion_env_var" default:"true"`
|
EnablePgVersionEnvVar bool `name:"enable_pgversion_env_var" default:"true"`
|
||||||
EnableSpiloWalPathCompat bool `name:"enable_spilo_wal_path_compat" default:"false"`
|
EnableSpiloWalPathCompat bool `name:"enable_spilo_wal_path_compat" default:"false"`
|
||||||
MajorVersionUpgradeMode string `name:"major_version_upgrade_mode" default:"off"`
|
MajorVersionUpgradeMode string `name:"major_version_upgrade_mode" default:"off"`
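Review bot: The tag `name:"enable_cross_namespace_secret"` (singular) is the key the operator actually reads, but the reference-docs hunk in this commit introduces the option under the heading `**enable_cross_namespace_secrets**` (plural); an operator copying that name into a ConfigMap would most likely get the `default:"false"` without any error. Change the heading to `* **enable_cross_namespace_secret**`. The helm values, the CRD schema, the e2e test and `KubernetesMetaConfiguration` all use the singular form, so the docs line is the only outlier.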
|