Merge cd51edc into 1c3a588

pkg/cluster/cluster.go

@@ -163,6 +163,10 @@ func New(cfg Config, kubeClient k8sutil.KubernetesClient, pgSpec cpov1.Postgresq
 		cluster.VolumeResizer = &volumes.EBSVolumeResizer{AWSRegion: cfg.OpConfig.AWSRegion}
 	}
 
+	//Check if monitoring user is added in manifest
+	if _, ok := pgSpec.Spec.Users["cpo-exporter"]; ok {
+		cluster.logger.Error("creating user of name cpo-exporter is not allowed as it is reserved for monitoring")
+	}
 	return cluster
 }
 
@@ -357,6 +361,7 @@ func (c *Cluster) Create() (err error) {
 		c.logger.Info("a TDE secret was successfully created")
 	}
 	if c.Postgresql.Spec.Monitoring != nil {
+		c.logger.Infof("Spec.Users are %s", c.Spec.Users)
 		if err := c.createMonitoringSecret(); err != nil {
 			return fmt.Errorf("could not create the monitoring secret: %v", err)
 		}
@@ -891,6 +896,21 @@ func (c *Cluster) Update(oldSpec, newSpec *cpov1.Postgresql) error {
 			updateFailed = true
 		}
 	}
+	//Add monitoring user if required
+	if newSpec.Spec.Monitoring != nil {
+		flg := cpov1.UserFlags{constants.RoleFlagLogin}
+		if newSpec.Spec.Users != nil {
+			newSpec.Spec.Users[monitorUsername] = flg
+		} else {
+			users := make(map[string]cpov1.UserFlags)
+			newSpec.Spec.Users = users
+			newSpec.Spec.Users[monitorUsername] = flg
+		}
+	}
+	//Check if monitoring user is added in manifest
+	if _, ok := newSpec.Spec.Users["cpo-exporter"]; ok {
+		c.logger.Error("creating user of name cpo-exporter is not allowed as it is reserved for monitoring")
+	}
 
 	// Users
 	func() {
@@ -899,7 +919,6 @@ func (c *Cluster) Update(oldSpec, newSpec *cpov1.Postgresql) error {
 			reflect.DeepEqual(oldSpec.Spec.PreparedDatabases, newSpec.Spec.PreparedDatabases)
 		sameRotatedUsers := reflect.DeepEqual(oldSpec.Spec.UsersWithSecretRotation, newSpec.Spec.UsersWithSecretRotation) &&
 			reflect.DeepEqual(oldSpec.Spec.UsersWithInPlaceSecretRotation, newSpec.Spec.UsersWithInPlaceSecretRotation)
-
 		// connection pooler needs one system user created who is initialized in initUsers
 		// only when disabled in oldSpec and enabled in newSpec
 		needPoolerUser := c.needConnectionPoolerUser(&oldSpec.Spec, &newSpec.Spec)
@@ -941,6 +960,7 @@ func (c *Cluster) Update(oldSpec, newSpec *cpov1.Postgresql) error {
 	//sync monitoring container
 	if !reflect.DeepEqual(oldSpec.Spec.Monitoring, newSpec.Spec.Monitoring) {
 		syncStatefulSet = true
+		c.syncMonitoringSecret(oldSpec, newSpec)
 	}
 
 	// Statefulset

pkg/cluster/sync.go

@@ -143,6 +143,11 @@ func (c *Cluster) Sync(newSpec *cpov1.Postgresql) error {
 		return fmt.Errorf("could not sync connection pooler: %v", err)
 	}
 
+	// sync monitoring
+	if err = c.syncMonitoringSecret(&oldSpec, newSpec); err != nil {
+		return fmt.Errorf("could not sync monitoring: %v", err)
+	}
+
 	if len(c.Spec.Streams) > 0 {
 		c.logger.Debug("syncing streams")
 		if err = c.syncStreams(); err != nil {
@@ -1018,21 +1023,15 @@ func (c *Cluster) syncRoles() (err error) {
 		}
 	}()
 
+	//Check if monitoring user is added in manifest
+	if _, ok := c.Spec.Users["cpo-exporter"]; ok {
+		c.logger.Error("creating user of name cpo-exporter is not allowed as it is reserved for monitoring")
+	}
+
 	// mapping between original role name and with deletion suffix
 	deletedUsers := map[string]string{}
 	newUsers = make(map[string]spec.PgUser)
 
-	if c.Spec.Monitoring != nil {
-		flg := cpov1.UserFlags{constants.RoleFlagLogin}
-		if c.Spec.Users != nil {
-			c.Spec.Users[monitorUsername] = flg
-		} else {
-			users := make(map[string]cpov1.UserFlags)
-			c.Spec.Users = users
-			c.Spec.Users[monitorUsername] = flg
-		}
-	}
-
 	// create list of database roles to query
 	for _, u := range c.pgUsers {
 		pgRole := u.Name
@@ -1466,7 +1465,8 @@ func (c *Cluster) createMonitoringSecret() error {
 		},
 		Type: v1.SecretTypeOpaque,
 		Data: map[string][]byte{
-			"key": []byte(fmt.Sprintf("%x", generatedKey)),
+			"username": []byte(c.getMonitoringSecretName()),
+			"password": []byte(fmt.Sprintf("%x", generatedKey)),
 		},
 	}
 	secret, err := c.KubeClient.Secrets(generatedSecret.Namespace).Create(context.TODO(), &generatedSecret, metav1.CreateOptions{})
@@ -1481,3 +1481,49 @@ func (c *Cluster) createMonitoringSecret() error {
 
 	return nil
 }
+
+// delete monitoring secret
+func (c *Cluster) deleteMonitoringSecret() (err error) {
+	// Repeat the same for the secret object
+	secretName := c.getMonitoringSecretName()
+
+	secret, err := c.KubeClient.
+		Secrets(c.Namespace).
+		Get(context.TODO(), secretName, metav1.GetOptions{})
+
+	if err != nil {
+		c.logger.Debugf("could not get monitoring secret %s: %v", secretName, err)
+	} else {
+		if err = c.deleteSecret(secret.UID, *secret); err != nil {
+			return fmt.Errorf("could not delete monitoring secret: %v", err)
+		}
+	}
+	return nil
+}
+
+// Sync monitoring
+// In case of monitoring is added/deleted, we need to
+// 1. Update sts to in/exclude the exporter contianer
+// 2. Add/Delete the respective user
+// 3. Add/Delete the respective secret
+// Point 1 and 2 are taken care in Update func, so we only need to take care
+// Point 3 here.
+func (c *Cluster) syncMonitoringSecret(oldSpec, newSpec *cpov1.Postgresql) error {
+	c.logger.Info("syncing Monitoring secret")
+	c.setProcessName("syncing Monitoring secret")
+
+	if newSpec.Spec.Monitoring != nil && oldSpec.Spec.Monitoring == nil {
+		// Create monitoring secret
+		if err := c.createMonitoringSecret(); err != nil {
+			return fmt.Errorf("could not create the monitoring secret: %v", err)
+		}
+		c.logger.Info("monitoring secret was successfully created")
+	} else if newSpec.Spec.Monitoring == nil && oldSpec.Spec.Monitoring != nil {
+		// Delete the monitoring secret
+		if err := c.deleteMonitoringSecret(); err != nil {
+			return fmt.Errorf("could not delete the monitoring secret: %v", err)
+		}
+		c.logger.Info("monitoring secret was successfully deleted")
+	}
+	return nil
+}