Move flag to configmap (zalando#1540)

* Move flag to configmap

Co-authored-by: Rafia Sabih <[email protected]>
Co-authored-by: Felix Kunde <[email protected]>

Author: 3 people

charts/postgres-operator/crds/operatorconfigurations.yaml

@@ -173,6 +173,9 @@ spec:
                   enable_init_containers:
                     type: boolean
                     default: true
+                  enable_cross_namespace_secret:
+                    type: boolean
+                    default: false
                   enable_pod_antiaffinity:
                     type: boolean
                     default: false

charts/postgres-operator/crds/postgresqls.yaml

@@ -515,8 +515,6 @@ spec:
                       type: integer
               useLoadBalancer:  # deprecated
                 type: boolean
-              enableNamespacedSecret:
-                type: boolean
               users:
                 type: object
                 additionalProperties:

charts/postgres-operator/values.yaml

@@ -97,6 +97,8 @@ configKubernetes:
   # - deployment-time
   # - downscaler/*
 
+  # allow user secrets in other namespaces than the Postgres cluster
+  enable_cross_namespace_secret: false
   # enables initContainers to run actions before Spilo is started
   enable_init_containers: true
   # toggles pod anti affinity on the Postgres pods
@@ -151,7 +153,7 @@ configKubernetes:
   # template for database user secrets generated by the operator,
   # here username contains the namespace in the format namespace.username
   # if the user is in different namespace than cluster and cross namespace secrets
-  # are enabled via EnableNamespacedSecret flag.
+  # are enabled via `enable_cross_namespace_secret` flag in the configuration.
   secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
   # set user and group for the spilo container (required to run Spilo as non-root process)
   # spilo_runasuser: 101

docs/reference/operator_parameters.md

@@ -264,6 +264,13 @@ configuration they are grouped under the `kubernetes` key.
   [admin docs](../administrator.md#pod-disruption-budget) for more information.
   Default is true.
 
+* **enable_cross_namespace_secrets**
+  To allow secrets in a different namespace other than the Postgres cluster
+  namespace. Once enabled, specify the namespace in the user name under the
+  `users` section in the form `{namespace}.{username}`. The operator will then
+  create the user secret in that namespace. The part after the first `.` is
+  considered to be the user name. The default is `false`.
+
 * **enable_init_containers**
   global option to allow for creating init containers in the cluster manifest to
   run actions before Spilo is started. Default is true.
@@ -275,13 +282,12 @@ configuration they are grouped under the `kubernetes` key.
 
 * **secret_name_template**
   a template for the name of the database user secrets generated by the
-  operator. `{namespace}` is replaced with name of the namespace (if cross
-  namespace secrets are enabled via EnableNamespacedSecret flag, otherwise the
-  secret is in cluster's namespace and in that case it is not present in secret
-  name), `{username}` is replaced with name of the secret, `{cluster}` with the
-  name of the cluster, `{tprkind}` with the kind of CRD (formerly known as TPR)
-  and `{tprgroup}` with the group of the CRD. No other placeholders are allowed.
-  The default is
+  operator. `{namespace}` is replaced with name of the namespace if
+  `enable_cross_namespace_secret` is set, otherwise the
+  secret is in cluster's namespace. `{username}` is replaced with name of the
+  secret, `{cluster}` with the name of the cluster, `{tprkind}` with the kind
+  of CRD (formerly known as TPR) and `{tprgroup}` with the group of the CRD.
+  No other placeholders are allowed. The default is
   `{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}`.
 
 * **cluster_domain**

docs/user.md

@@ -140,7 +140,7 @@ At the moment it is not possible to define membership of the manifest role in
 other roles.
 
 To define the secrets for the users in a different namespace than that of the cluster,
-one can use the flag `EnableNamespacedSecret` and declare the namespace for the
+one can set `enable_cross_namespace_secret` and declare the namespace for the
 secrets in the manifest in the following manner,
 
 ```yaml

e2e/tests/test_e2e.py

@@ -598,29 +598,36 @@ def test_zz_cross_namespace_secrets(self):
         self.k8s.api.core_v1.create_namespace(v1_appnamespace)
         self.k8s.wait_for_namespace_creation(app_namespace)
 
+        patch_cross_namespace_secret = {
+            "data": {
+                "enable_cross_namespace_secret": "true"
+            }
+        }
+        self.k8s.update_config(patch_cross_namespace_secret,
+                          step="cross namespace secrets enabled")
+
         self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
             'acid.zalan.do', 'v1', 'default',
             'postgresqls', 'acid-minimal-cluster',
             {
                 'spec': {
-                    'enableNamespacedSecret': True,
                     'users':{
                         'appspace.db_user': [],
                     }
                 }
             })
+
         self.eventuallyEqual(lambda: self.k8s.count_secrets_with_label("cluster-name=acid-minimal-cluster,application=spilo", app_namespace),
                              1, "Secret not created for user in namespace")
 
         #reset the flag
-        self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
-            'acid.zalan.do', 'v1', 'default',
-            'postgresqls', 'acid-minimal-cluster',
-            {
-                'spec': {
-                    'enableNamespacedSecret': False,
+        unpatch_cross_namespace_secret = {
+                "data": {
+                    "enable_cross_namespace_secret": "false",
                 }
-            })
+            }
+        self.k8s.update_config(unpatch_cross_namespace_secret, step="disable cross namespace secrets")
+
 
     @timeout_decorator.timeout(TEST_TIMEOUT_SEC)
     def test_lazy_spilo_upgrade(self):

manifests/complete-postgres-manifest.yaml

@@ -12,7 +12,6 @@ spec:
   dockerImage: registry.opensource.zalan.do/acid/spilo-13:2.0-p7
   teamId: "acid"
   numberOfInstances: 2
-  enableNamespacedSecret: False
   users:  # Application/Robot users
     zalando:
     - superuser

manifests/configmap.yaml

@@ -36,6 +36,7 @@ data:
   # downscaler_annotations: "deployment-time,downscaler/*"
   # enable_admin_role_for_users: "true"
   # enable_crd_validation: "true"
+  # enable_cross_namespace_secret: "false"
   # enable_database_access: "true"
   enable_ebs_gp3_migration: "false"
   # enable_ebs_gp3_migration_max_size: "1000"

manifests/postgresql-operator-default-configuration.yaml

@@ -45,6 +45,7 @@ configuration:
     # downscaler_annotations:
     # - deployment-time
     # - downscaler/*
+    # enable_cross_namespace_secret: "false"
     enable_init_containers: true
     enable_pod_antiaffinity: false
     enable_pod_disruption_budget: true

pkg/apis/acid.zalan.do/v1/crds.go

@@ -730,9 +730,6 @@ var PostgresCRDResourceValidation = apiextv1.CustomResourceValidation{
 						Type:        "boolean",
 						Description: "Deprecated",
 					},
-					"enableNamespacedSecret": {
-						Type: "boolean",
-					},
 					"users": {
 						Type: "object",
 						AdditionalProperties: &apiextv1.JSONSchemaPropsOrBool{
@@ -1029,6 +1026,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 									},
 								},
 							},
+							"enable_cross_namespace_secret": {
+								Type: "boolean",
+							},
 							"enable_init_containers": {
 								Type: "boolean",
 							},