From f423eda47ae5b338cfd62c32014ae622bf583fa2 Mon Sep 17 00:00:00 2001
From: Philipp Eberle
Date: Mon, 22 Nov 2021 22:06:50 +0100
Subject: [PATCH] Enable audit logs via pgaudit
---
 api/v1/postgres_types.go | 14 ++++++++++++++
 api/v1/zz_generated.deepcopy.go | 6 ++++++
 config/crd/bases/database.fits.cloud_postgres.yaml | 4 +++-
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/api/v1/postgres_types.go b/api/v1/postgres_types.go
index 0ab75d3f..bcee990e 100644
--- a/api/v1/postgres_types.go
+++ b/api/v1/postgres_types.go
@@ -151,6 +151,8 @@ type PostgresSpec struct {
 // BackupSecretRef reference to the secret where the backup credentials are stored
 BackupSecretRef string `json:"backupSecretRef,omitempty"`
+
+ AuditLogs *bool `json:"auditLogs,omitempty"`
 }
 // AccessList defines the type of restrictions to access the database
@@ -447,6 +449,9 @@ func (p *Postgres) ToUnstructuredZalandoPostgresql(z *zalando.Postgresql, c *cor
 z.Spec.NumberOfInstances = p.Spec.NumberOfInstances
 z.Spec.PostgresqlParam.PgVersion = p.Spec.Version
 z.Spec.PostgresqlParam.Parameters = map[string]string{}
+ if p.Spec.AuditLogs == nil || *p.Spec.AuditLogs {
+ enableAuditLogs(z.Spec.PostgresqlParam.Parameters)
+ }
 setSharedBufferSize(z.Spec.PostgresqlParam.Parameters, p.Spec.Size.SharedBuffer)
 z.Spec.Resources.ResourceRequests.CPU = p.Spec.Size.CPU
 z.Spec.Resources.ResourceRequests.Memory = p.Spec.Size.Memory
@@ -639,3 +644,12 @@ func setSharedBufferSize(parameters map[string]string, shmSize string) {
 }
 }
 }
+
+// enableAuditLogs configures this postgres instances audit logging
+func enableAuditLogs(parameters map[string]string) {
+ parameters["shared_preload_libraries"] = "pgaudit"
+ parameters["pgaudit.log_catalog"] = "off"
+ parameters["pgaudit.log"] = "ddl"
+ parameters["pgaudit.log_relation"] = "on"
+ parameters["pgaudit.log_parameter"] = "on"
+}
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
index 724793cf..01ed1f59 100644
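Review bot: The new `AuditLogs` field in `PostgresSpec` has no doc comment, unlike `BackupSecretRef` directly above it, so the generated CRD property `auditLogs` ends up without a description and nothing tells a user that leaving the field unset turns auditing on. I would add `// AuditLogs enables audit logging via pgaudit; when unset, audit logging is enabled.` above the field. Because setting the field to false switches the audit trail off, it is also worth confirming that write access to Postgres resources is limited to principals who are allowed to do that. The struct begins above this hunk.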
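Review bot: Because a nil `AuditLogs` counts as enabled, the added `if` in `ToUnstructuredZalandoPostgresql` changes `shared_preload_libraries` for every existing resource that never set the field, and PostgreSQL reads that parameter only at server start. Until the instance has restarted, the spec reports auditing as on while pgaudit is not loaded; whether the underlying operator triggers that restart cannot be seen from this hunk. A comment above the condition such as `// nil means enabled; pgaudit is only loaded after the next PostgreSQL restart` would make the behaviour explicit, and the rollout note for this change should mention it. The function body starts and ends outside the hunk.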
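Review bot: `pgaudit.log = "ddl"` in `enableAuditLogs` leaves role and privilege statements (GRANT, REVOKE, CREATE/ALTER/DROP ROLE) out of the audit trail, because pgaudit keeps those in a separate `role` class; consider `parameters["pgaudit.log"] = "ddl, role"`. With `pgaudit.log_parameter` on, and more so once `role` is logged, statement text and parameters can carry secrets, so read access to the PostgreSQL log needs to be restricted accordingly. The assignment to `shared_preload_libraries` replaces the whole list instead of appending to it; that is harmless for the map itself, which is created empty just before the call, but it would drop any libraries the database image preloads by default, which I cannot check from this page. `pgaudit.log_relation` only affects the read and write classes, so it has no effect with this setting, and the doc comment should read "instance's".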
--- a/api/v1/zz_generated.deepcopy.go +++ b/api/v1/zz_generated.deepcopy.go @@ -1,3 +1,4 @@ +//go:build !ignore_autogenerated // +build !ignore_autogenerated /* @@ -131,6 +132,11 @@ func (in *PostgresSpec) DeepCopyInto(out *PostgresSpec) { *out = new(AccessList) (*in).DeepCopyInto(*out) } + if in.AuditLogs != nil { + in, out := &in.AuditLogs, &out.AuditLogs + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresSpec. diff --git a/config/crd/bases/database.fits.cloud_postgres.yaml b/config/crd/bases/database.fits.cloud_postgres.yaml index 714f8693..1911ce94 100644 --- a/config/crd/bases/database.fits.cloud_postgres.yaml +++ b/config/crd/bases/database.fits.cloud_postgres.yaml @@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.5.0 + controller-gen.kubebuilder.io/version: v0.6.1 creationTimestamp: null name: postgres.database.fits.cloud spec: @@ -65,6 +65,8 @@ spec: type: string type: array type: object + auditLogs: + type: boolean backupSecretRef: description: BackupSecretRef reference to the secret where the backup credentials are stored