postgres-operator

History

Dmitrii Dolgov bd576942f2 Extend infrastructure roles handling Postgres Operator uses infrastructure roles to provide access to a database for external users e.g. for monitoring purposes. Such infrastructure roles are expected to be present in the form of k8s secrets with the following content: inrole1: some_encrypted_role password1: some_encrypted_password user1: some_entrypted_name inrole2: some_encrypted_role password2: some_encrypted_password user2: some_entrypted_name The format of this content is implied implicitely and not flexible enough. In case if we do not have possibility to change the format of a secret we want to use in the Operator, we need to recreate it in this format. To address this lets make the format of secret content explicitely. The idea is to introduce a new configuration option for the Operator. infrastructure_roles_secrets: - secret: k8s_secret_name name: some_encrypted_name password: some_encrypted_password role: some_encrypted_role - secret: k8s_secret_name name: some_encrypted_name password: some_encrypted_password role: some_encrypted_role This would allow Operator to use any avalable secrets to prepare infrastructure roles. To make it backward compatible simulate the old behaviour if the new option is not present. The new configuration option is intended be used mainly from CRD, but it's also available via Operator ConfigMap in a limited fashion. For ConfigMap one can put there only a string with one secret definition in the following format (as a string): infrastructure_roles_secret_name: \| secret: k8s_secret_name, name: some_encrypted_name, password: some_encrypted_password, role: some_encrypted_role	2020-07-22 12:36:51 +02:00
..
k8sutil.go	Extend infrastructure roles handling	2020-07-22 12:36:51 +02:00
k8sutil_test.go	Fix test flakiness on TestSameService (#833 )	2020-02-18 16:45:44 +01:00

Dmitrii Dolgov bd576942f2 Extend infrastructure roles handling

Postgres Operator uses infrastructure roles to provide access to a
database for external users e.g. for monitoring purposes. Such
infrastructure roles are expected to be present in the form of k8s
secrets with the following content:

    inrole1: some_encrypted_role
    password1: some_encrypted_password
    user1: some_entrypted_name

    inrole2: some_encrypted_role
    password2: some_encrypted_password
    user2: some_entrypted_name

The format of this content is implied implicitely and not flexible
enough. In case if we do not have possibility to change the format of a
secret we want to use in the Operator, we need to recreate it in this
format.

To address this lets make the format of secret content explicitely. The
idea is to introduce a new configuration option for the Operator.

    infrastructure_roles_secrets:
    - secret: k8s_secret_name
      name: some_encrypted_name
      password: some_encrypted_password
      role: some_encrypted_role

    - secret: k8s_secret_name
      name: some_encrypted_name
      password: some_encrypted_password
      role: some_encrypted_role

This would allow Operator to use any avalable secrets to prepare
infrastructure roles. To make it backward compatible simulate the old
behaviour if the new option is not present.

The new configuration option is intended be used mainly from CRD, but
it's also available via Operator ConfigMap in a limited fashion. For
ConfigMap one can put there only a string with one secret definition in
the following format (as a string):

    infrastructure_roles_secret_name: |
        secret: k8s_secret_name,
        name: some_encrypted_name,
        password: some_encrypted_password,
        role: some_encrypted_role

2020-07-22 12:36:51 +02:00

k8sutil.go

Extend infrastructure roles handling

2020-07-22 12:36:51 +02:00

k8sutil_test.go

Fix test flakiness on TestSameService (#833 )

2020-02-18 16:45:44 +01:00