zalando · sdudoladov · Jul 2, 2021 · Jun 29, 2021 · Jun 29, 2021 · Jun 29, 2021
@@ -173,6 +173,9 @@ spec:
                   enable_init_containers:
                     type: boolean
                     default: true
+                  enable_cross_namespace_secret:
+                    type: boolean
+                    default: false
                   enable_pod_antiaffinity:
                     type: boolean
                     default: false

@@ -515,8 +515,6 @@ spec:
                       type: integer
               useLoadBalancer:  # deprecated
                 type: boolean
-              enableNamespacedSecret:
-                type: boolean
               users:
                 type: object
                 additionalProperties:

@@ -97,6 +97,8 @@ configKubernetes:
   # - deployment-time
   # - downscaler/*
 
+  # allow user secrets in other namespaces than the Postgres cluster
+  enable_cross_namespace_secret: false
   # enables initContainers to run actions before Spilo is started
   enable_init_containers: true
   # toggles pod anti affinity on the Postgres pods
@@ -151,7 +153,7 @@ configKubernetes:
   # template for database user secrets generated by the operator,
   # here username contains the namespace in the format namespace.username
   # if the user is in different namespace than cluster and cross namespace secrets
-  # are enabled via EnableNamespacedSecret flag.
+  # are enabled via `enable_cross_namespace_secret` flag in the configuration.
   secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}"
   # set user and group for the spilo container (required to run Spilo as non-root process)
   # spilo_runasuser: 101

@@ -264,6 +264,13 @@ configuration they are grouped under the `kubernetes` key.
   [admin docs](../administrator.md#pod-disruption-budget) for more information.
   Default is true.
 
+* **enable_cross_namespace_secrets**
+  To allow secrets in a different namespace other than the Postgres cluster
+  namespace. Once enabled, specify the namespace in the user name under the
+  `users` section in the form `{namespace}.{username}`. The operator will then
+  create the user secret in that namespace. The part after the first `.` is
+  considered to be the user name. The default is `false`.
+
 * **enable_init_containers**
   global option to allow for creating init containers in the cluster manifest to
   run actions before Spilo is started. Default is true.
@@ -275,13 +282,12 @@ configuration they are grouped under the `kubernetes` key.
 
 * **secret_name_template**
   a template for the name of the database user secrets generated by the
-  operator. `{namespace}` is replaced with name of the namespace (if cross
-  namespace secrets are enabled via EnableNamespacedSecret flag, otherwise the
-  secret is in cluster's namespace and in that case it is not present in secret
-  name), `{username}` is replaced with name of the secret, `{cluster}` with the
-  name of the cluster, `{tprkind}` with the kind of CRD (formerly known as TPR)
-  and `{tprgroup}` with the group of the CRD. No other placeholders are allowed.
-  The default is
+  operator. `{namespace}` is replaced with name of the namespace if
+  `enable_cross_namespace_secret` is set, otherwise the
+  secret is in cluster's namespace. `{username}` is replaced with name of the
+  secret, `{cluster}` with the name of the cluster, `{tprkind}` with the kind
+  of CRD (formerly known as TPR) and `{tprgroup}` with the group of the CRD.
+  No other placeholders are allowed. The default is
   `{namespace}.{username}.{cluster}.credentials.{tprkind}.{tprgroup}`.
 
 * **cluster_domain**

@@ -140,7 +140,7 @@ At the moment it is not possible to define membership of the manifest role in
 other roles.
 
 To define the secrets for the users in a different namespace than that of the cluster,
-one can use the flag `EnableNamespacedSecret` and declare the namespace for the
+one can set `enable_cross_namespace_secret` and declare the namespace for the
 secrets in the manifest in the following manner,
 
 ```yaml

@@ -598,29 +598,36 @@ def test_zz_cross_namespace_secrets(self):
         self.k8s.api.core_v1.create_namespace(v1_appnamespace)
         self.k8s.wait_for_namespace_creation(app_namespace)
 
+        patch_cross_namespace_secret = {
+            "data": {
+                "enable_cross_namespace_secret": "true"
+            }
+        }
+        self.k8s.update_config(patch_cross_namespace_secret,
+                          step="cross namespace secrets enabled")
+
         self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
             'acid.zalan.do', 'v1', 'default',
             'postgresqls', 'acid-minimal-cluster',
             {
                 'spec': {
-                    'enableNamespacedSecret': True,
                     'users':{
                         'appspace.db_user': [],
                     }
                 }
             })
+
         self.eventuallyEqual(lambda: self.k8s.count_secrets_with_label("cluster-name=acid-minimal-cluster,application=spilo", app_namespace),
                              1, "Secret not created for user in namespace")
 
         #reset the flag
-        self.k8s.api.custom_objects_api.patch_namespaced_custom_object(
-            'acid.zalan.do', 'v1', 'default',
-            'postgresqls', 'acid-minimal-cluster',
-            {
-                'spec': {
-                    'enableNamespacedSecret': False,
+        unpatch_cross_namespace_secret = {
+                "data": {
+                    "enable_cross_namespace_secret": "false",
                 }
-            })
+            }
+        self.k8s.update_config(unpatch_cross_namespace_secret, step="disable cross namespace secrets")
+
 
     @timeout_decorator.timeout(TEST_TIMEOUT_SEC)
     def test_lazy_spilo_upgrade(self):

@@ -12,7 +12,6 @@ spec:
   dockerImage: registry.opensource.zalan.do/acid/spilo-13:2.0-p7
   teamId: "acid"
   numberOfInstances: 2
-  enableNamespacedSecret: False
   users:  # Application/Robot users
     zalando:
     - superuser

@@ -36,6 +36,7 @@ data:
   # downscaler_annotations: "deployment-time,downscaler/*"
   # enable_admin_role_for_users: "true"
   # enable_crd_validation: "true"
+  # enable_cross_namespace_secret: "false"
   # enable_database_access: "true"
   enable_ebs_gp3_migration: "false"
   # enable_ebs_gp3_migration_max_size: "1000"

@@ -45,6 +45,7 @@ configuration:
     # downscaler_annotations:
     # - deployment-time
     # - downscaler/*
+    # enable_cross_namespace_secret: "false"
     enable_init_containers: true
     enable_pod_antiaffinity: false
     enable_pod_disruption_budget: true

@@ -730,9 +730,6 @@ var PostgresCRDResourceValidation = apiextv1.CustomResourceValidation{
 						Type:        "boolean",
 						Description: "Deprecated",
 					},
-					"enableNamespacedSecret": {
-						Type: "boolean",
-					},
 					"users": {
 						Type: "object",
 						AdditionalProperties: &apiextv1.JSONSchemaPropsOrBool{
@@ -1029,6 +1026,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 									},
 								},
 							},
+							"enable_cross_namespace_secret": {
+								Type: "boolean",
+							},
 							"enable_init_containers": {
 								Type: "boolean",
 							},

@@ -91,6 +91,7 @@ type KubernetesMetaConfiguration struct {
 	EnablePodAntiAffinity      bool                `json:"enable_pod_antiaffinity,omitempty"`
 	PodAntiAffinityTopologyKey string              `json:"pod_antiaffinity_topology_key,omitempty"`
 	PodManagementPolicy        string              `json:"pod_management_policy,omitempty"`
+	EnableCrossNamespaceSecret bool                `json:"enable_cross_namespace_secret,omitempty"`
 }
 
 // PostgresPodResourcesDefaults defines the spec of default resources

@@ -53,28 +53,27 @@ type PostgresSpec struct {
 	// load balancers' source ranges are the same for master and replica services
 	AllowedSourceRanges []string `json:"allowedSourceRanges"`
 
-	NumberOfInstances      int32                       `json:"numberOfInstances"`
-	EnableNamespacedSecret *bool                       `json:"enableNamespacedSecret,omitempty"`
-	Users                  map[string]UserFlags        `json:"users,omitempty"`
-	MaintenanceWindows     []MaintenanceWindow         `json:"maintenanceWindows,omitempty"`
-	Clone                  *CloneDescription           `json:"clone,omitempty"`
-	ClusterName            string                      `json:"-"`
-	Databases              map[string]string           `json:"databases,omitempty"`
-	PreparedDatabases      map[string]PreparedDatabase `json:"preparedDatabases,omitempty"`
-	SchedulerName          *string                     `json:"schedulerName,omitempty"`
-	NodeAffinity           *v1.NodeAffinity            `json:"nodeAffinity,omitempty"`
-	Tolerations            []v1.Toleration             `json:"tolerations,omitempty"`
-	Sidecars               []Sidecar                   `json:"sidecars,omitempty"`
-	InitContainers         []v1.Container              `json:"initContainers,omitempty"`
-	PodPriorityClassName   string                      `json:"podPriorityClassName,omitempty"`
-	ShmVolume              *bool                       `json:"enableShmVolume,omitempty"`
-	EnableLogicalBackup    bool                        `json:"enableLogicalBackup,omitempty"`
-	LogicalBackupSchedule  string                      `json:"logicalBackupSchedule,omitempty"`
-	StandbyCluster         *StandbyDescription         `json:"standby,omitempty"`
-	PodAnnotations         map[string]string           `json:"podAnnotations,omitempty"`
-	ServiceAnnotations     map[string]string           `json:"serviceAnnotations,omitempty"`
-	TLS                    *TLSDescription             `json:"tls,omitempty"`
-	AdditionalVolumes      []AdditionalVolume          `json:"additionalVolumes,omitempty"`
+	NumberOfInstances     int32                       `json:"numberOfInstances"`
+	Users                 map[string]UserFlags        `json:"users,omitempty"`
+	MaintenanceWindows    []MaintenanceWindow         `json:"maintenanceWindows,omitempty"`
+	Clone                 *CloneDescription           `json:"clone,omitempty"`
+	ClusterName           string                      `json:"-"`
+	Databases             map[string]string           `json:"databases,omitempty"`
+	PreparedDatabases     map[string]PreparedDatabase `json:"preparedDatabases,omitempty"`
+	SchedulerName         *string                     `json:"schedulerName,omitempty"`
+	NodeAffinity          *v1.NodeAffinity            `json:"nodeAffinity,omitempty"`
+	Tolerations           []v1.Toleration             `json:"tolerations,omitempty"`
+	Sidecars              []Sidecar                   `json:"sidecars,omitempty"`
+	InitContainers        []v1.Container              `json:"initContainers,omitempty"`
+	PodPriorityClassName  string                      `json:"podPriorityClassName,omitempty"`
+	ShmVolume             *bool                       `json:"enableShmVolume,omitempty"`
+	EnableLogicalBackup   bool                        `json:"enableLogicalBackup,omitempty"`
+	LogicalBackupSchedule string                      `json:"logicalBackupSchedule,omitempty"`
+	StandbyCluster        *StandbyDescription         `json:"standby,omitempty"`
+	PodAnnotations        map[string]string           `json:"podAnnotations,omitempty"`
+	ServiceAnnotations    map[string]string           `json:"serviceAnnotations,omitempty"`
+	TLS                   *TLSDescription             `json:"tls,omitempty"`
+	AdditionalVolumes     []AdditionalVolume          `json:"additionalVolumes,omitempty"`
 
 	// deprecated json tags
 	InitContainersOld       []v1.Container `json:"init_containers,omitempty"`

@@ -1163,8 +1163,7 @@ func (c *Cluster) initRobotUsers() error {
 		namespace := c.Namespace
 
 		//if namespaced secrets are allowed
-		if c.Postgresql.Spec.EnableNamespacedSecret != nil &&
-			*c.Postgresql.Spec.EnableNamespacedSecret {
+		if c.Config.OpConfig.EnableCrossNamespaceSecret {
 			if strings.Contains(username, ".") {
 				splits := strings.Split(username, ".")
 				namespace = splits[0]

@@ -1024,7 +1024,6 @@ func TestCrossNamespacedSecrets(t *testing.T) {
 			Volume: acidv1.Volume{
 				Size: "1Gi",
 			},
-			EnableNamespacedSecret: boolToPointer(true),
 			Users: map[string]acidv1.UserFlags{
 				"appspace.db_user": {},
 				"db_user":          {},
@@ -1052,6 +1051,7 @@ func TestCrossNamespacedSecrets(t *testing.T) {
 					DefaultMemoryLimit:   "300Mi",
 					PodRoleLabel:         "spilo-role",
 				},
+				EnableCrossNamespaceSecret: true,
 			},
 		}, client, pg, logger, eventRecorder)
 

@@ -82,6 +82,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result.EnableSidecars = util.CoalesceBool(fromCRD.Kubernetes.EnableSidecars, util.True())
 	result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate
 	result.OAuthTokenSecretName = fromCRD.Kubernetes.OAuthTokenSecretName
+	result.EnableCrossNamespaceSecret = fromCRD.Kubernetes.EnableCrossNamespaceSecret
 
 	result.InfrastructureRolesSecretName = fromCRD.Kubernetes.InfrastructureRolesSecretName
 	if fromCRD.Kubernetes.InfrastructureRolesDefs != nil {

@@ -207,6 +207,7 @@ type Config struct {
 	PostgresSuperuserTeams                 []string          `name:"postgres_superuser_teams" default:""`
 	SetMemoryRequestToLimit                bool              `name:"set_memory_request_to_limit" default:"false"`
 	EnableLazySpiloUpgrade                 bool              `name:"enable_lazy_spilo_upgrade" default:"false"`
+	EnableCrossNamespaceSecret             bool              `name:"enable_cross_namespace_secret" default:"false"`
 	EnablePgVersionEnvVar                  bool              `name:"enable_pgversion_env_var" default:"true"`
 	EnableSpiloWalPathCompat               bool              `name:"enable_spilo_wal_path_compat" default:"false"`
 	MajorVersionUpgradeMode                string            `name:"major_version_upgrade_mode" default:"off"`