Merge pull request #5 from arnarg/split-crd

Splitting apart db and role creation

Author: hitman99

README.md

@@ -1,33 +1,51 @@
 # External PostgreSQL server operator for Kubernetes
 
 ## Features
-* creates a database
-* creates a role with random username and password
-* assigns role to the database
-* if the database exist, it will only create a role
-* drops role when removing CR, assigns all objects to user `postgres`
-* creates a Kubernetes secret with postgres_uri in the same namespace as CR
-
-CR example
+* Creates a database from a CR
+* Creates a role with random username and password from a CR
+* If the database exist, it will only create a role
+* Multiple user roles can own one database
+* Creates Kubernetes secret with postgres_uri in the same namespace as CR
+
+## CRs
 ```yaml
 apiVersion: db.movetokube.com/v1alpha1
 kind: Postgres
 metadata:
   name: my-db
   namespace: app
 spec:
-  # Add fields here
-  database: test-db
+  database: test-db # Name of database created in PostgreSQL
+```
+
+This creates a database called `test-db` and a role `test-db-group` that is set as the owner of the database.
+
+```yaml
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: my-db-user
+  namespace: app
+spec:
+  role: username
+  database: my-db # This references the Postgres CR
   secretName: my-secret
 ```
 
+This creates a user role `username-<hash>` and grants role `test-db-group` to it. Its credentials are put in secret `my-secret-my-db-user`.
+
+`PostgresUser` needs to reference a `Postgres` in the same namespace.
+
+Two `Postgres` referencing the same database can exist in more than one namespace. The last CR referencing a database will drop the group role and transfer database ownership to the role used by the operator.
+
 ## Installation
 
 1. Configure Postgres credentials for the operator in `deploy/operator.yaml` 
 2. `kubectl apply -f deploy/crds/db_v1alpha1_postgres_crd.yaml`
-3. `kubectl apply -f deploy/namespace.yaml`
-4. `kubectl apply -f role.yaml`
-5. `kubectl apply -f role_binding.yaml`
-6. `kubectl apply -f service_account.yaml`
-7. `kubectl apply -f operator.yaml`
+3. `kubectl apply -f deploy/crds/db_v1alpha1_postgresuser_crd.yaml`
+4. `kubectl apply -f deploy/namespace.yaml`
+5. `kubectl apply -f role.yaml`
+6. `kubectl apply -f role_binding.yaml`
+7. `kubectl apply -f service_account.yaml`
+8. `kubectl apply -f operator.yaml`
 

deploy/crds/db_v1alpha1_postgres_cr.yaml

@@ -4,6 +4,4 @@ metadata:
   name: my-db
   namespace: app
 spec:
-  # Add fields here
   database: test-db
-  secretName: my-secret

deploy/crds/db_v1alpha1_postgres_crd.yaml

@@ -29,11 +29,8 @@ spec:
           properties:
             database:
               type: string
-            secretName:
-              type: string
           required:
           - database
-          - secretName
           type: object
         status:
           properties:

deploy/crds/db_v1alpha1_postgresuser_cr.yaml

@@ -0,0 +1,9 @@
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: my-db-user
+  namespace: app
+spec:
+  role: username
+  database: my-db
+  secretName: my-credential-secret

deploy/crds/db_v1alpha1_postgresuser_crd.yaml

@@ -0,0 +1,61 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: postgresusers.db.movetokube.com
+spec:
+  group: db.movetokube.com
+  names:
+    kind: PostgresUser
+    listKind: PostgresUserList
+    plural: postgresusers
+    singular: postgresuser
+  scope: Namespaced
+  validation:
+    openAPIV3Schema:
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          properties:
+            database:
+              type: string
+            role:
+              type: string
+            secretName:
+              type: string
+          required:
+          - role
+          - database
+          - secretName
+          type: object
+        status:
+          properties:
+            databaseName:
+              type: string
+            postgresGroup:
+              type: string
+            postgresRole:
+              type: string
+            succeeded:
+              type: boolean
+          required:
+          - succeeded
+          - postgresRole
+          - postgresGroup
+          - databaseName
+          type: object
+  version: v1alpha1
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true

pkg/apis/db/v1alpha1/postgres_types.go

@@ -10,8 +10,7 @@ import (
 // PostgresSpec defines the desired state of Postgres
 // +k8s:openapi-gen=true
 type PostgresSpec struct {
-	Database   string `json:"database"`
-	SecretName string `json:"secretName"`
+	Database string `json:"database"`
 }
 
 // PostgresStatus defines the observed state of Postgres

pkg/apis/db/v1alpha1/postgresuser_types.go

@@ -0,0 +1,54 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// PostgresUserSpec defines the desired state of PostgresUser
+// +k8s:openapi-gen=true
+type PostgresUserSpec struct {
+	Role       string `json:"role"`
+	Database   string `json:"database"`
+	SecretName string `json:"secretName"`
+}
+
+// PostgresUserStatus defines the observed state of PostgresUser
+// +k8s:openapi-gen=true
+type PostgresUserStatus struct {
+	Succeeded     bool   `json:"succeeded"`
+	PostgresRole  string `json:"postgresRole"`
+	PostgresGroup string `json:"postgresGroup"`
+	DatabaseName  string `json:"databaseName"`
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
+	// Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PostgresUser is the Schema for the postgresusers API
+// +k8s:openapi-gen=true
+// +kubebuilder:subresource:status
+type PostgresUser struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PostgresUserSpec   `json:"spec,omitempty"`
+	Status PostgresUserStatus `json:"status,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PostgresUserList contains a list of PostgresUser
+type PostgresUserList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PostgresUser `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&PostgresUser{}, &PostgresUserList{})
+}