postgres-operator/pkg/util
Dmitrii Dolgov d5b7c94ba3 Extend infrastructure roles handling
Postgres Operator uses infrastructure roles to provide access to a
database for external users e.g. for monitoring purposes. Such
infrastructure roles are expected to be present in the form of k8s
secrets with the following content:

    inrole1: some_encrypted_role
    password1: some_encrypted_password
    user1: some_encrypted_name

    inrole2: some_encrypted_role
    password2: some_encrypted_password
    user2: some_encrypted_name

The format of this content is implied implicitly and not flexible
enough. In case we do not have the possibility to change the format of a
secret we want to use in the Operator, we need to recreate it in this
format.

To address this, let's make the format of secret content explicit. The
idea is to introduce a new configuration option for the Operator.

    infrastructure_roles_secrets:
    - secret: k8s_secret_name
      name: some_encrypted_name
      password: some_encrypted_password
      role: some_encrypted_role

    - secret: k8s_secret_name
      name: some_encrypted_name
      password: some_encrypted_password
      role: some_encrypted_role

This would allow the Operator to use any available secrets to prepare
infrastructure roles. To make it backward compatible, simulate the old
behaviour if the new option is not present.

The new configuration option is intended to be used mainly from CRD, but
it's also available via Operator ConfigMap in a limited fashion. For
ConfigMap one can put there only a string with one secret definition in
the following format (as a string):

    infrastructure_roles_secret_name: |
        secret: k8s_secret_name,
        name: some_encrypted_name,
        password: some_encrypted_password,
        role: some_encrypted_role
2020-07-27 10:38:02 +02:00
..
config Extend infrastructure roles handling 2020-07-27 10:38:02 +02:00
constants Bootstrapped databases with best practice role setup (#843) 2020-04-29 10:56:06 +02:00
filesystems Fix golint warnings 2017-08-01 16:08:56 +02:00
k8sutil Extend infrastructure roles handling 2020-07-27 10:38:02 +02:00
patroni Re-create pods only if all replicas are running (#903) 2020-04-20 15:14:11 +02:00
retryutil Fix typo (#965) 2020-05-12 09:20:09 +02:00
ringlog fix comments for ringlogger 2017-09-26 13:12:38 +02:00
teams Move operator to go 1.14 (#882) 2020-03-30 15:50:17 +02:00
users Bootstrapped databases with best practice role setup (#843) 2020-04-29 10:56:06 +02:00
volumes reflect change in github url (#496) 2019-02-25 11:26:55 +01:00
util.go bump pooler image and more coalescing for CRD config (#1004) 2020-06-05 11:14:17 +02:00
util_test.go Enforce minimum cpu and memory limits (#731) 2019-12-12 16:43:55 +01:00