update password secret logic

Author: Jeff McCormick

client/cmd/upgrade.go

@@ -292,15 +292,21 @@ func getUpgradeParams(name string) (*tpr.PgUpgrade, error) {
 		return nil, errors.New("invalid image tag")
 	}
 
+	requestedMajorVersion := parseMajorVersion(viper.GetString("CLUSTER.CCP_IMAGE_TAG"))
 	if UpgradeType == MAJOR_UPGRADE {
-		requestedMajorVersion := parseMajorVersion(viper.GetString("CLUSTER.CCP_IMAGE_TAG"))
 		if requestedMajorVersion == existingMajorVersion {
 			log.Error("can't upgrade to the same major version")
 			return nil, errors.New("requested upgrade major version can not equal existing upgrade major version")
 		} else if requestedMajorVersion < existingMajorVersion {
 			log.Error("can't upgrade to a previous major version")
 			return nil, errors.New("requested upgrade major version can not be older than existing upgrade major version")
 		}
+	} else {
+		//minor upgrade
+		if requestedMajorVersion > existingMajorVersion {
+			log.Error("can't do minor upgrade to a newer major version")
+			return nil, errors.New("requested minor upgrade to major version is not allowed")
+		}
 	}
 
 	newInstance := &tpr.PgUpgrade{

conf/postgres-operator/cluster/1/cluster-deployment-1.json

@@ -24,7 +24,7 @@
             },
             "spec": {
 
-	    	{{.SECURITY_CONTEXT}}
+                    {{.SECURITY_CONTEXT}}
 
                 "containers": [{
                     "name": "database",
@@ -63,18 +63,26 @@
                         "name": "PGHOST",
                         "value": "/tmp"
                     }],
-                    "volumeMounts": [
-		    {
-                        "mountPath": "/pgdata",
-                        "name": "pgdata",
-                        "readOnly": false
-                    },
-		    {
-                        "mountPath": "/backup",
-                        "name": "backup",
-                        "readOnly": true
-                    }
-		    ],
+                    "volumeMounts": [{
+                            "mountPath": "/pgdata",
+                            "name": "pgdata",
+                            "readOnly": false
+                        }, {
+                            "mountPath": "/backup",
+                            "name": "backup",
+                            "readOnly": true
+                        }, {
+                            "mountPath": "/pguser",
+                            "name": "pguser-volume"
+                        }, {
+                            "mountPath": "/pgmaster",
+                            "name": "pgmaster-volume"
+                        }, {
+                            "mountPath": "/pgroot",
+                            "name": "pgroot-volume"
+                        }
+
+                    ],
 
                     "ports": [{
                         "containerPort": 5432,
@@ -83,20 +91,35 @@
                     "resources": {},
                     "imagePullPolicy": "IfNotPresent"
                 }],
-                "volumes": [
-		{
-                    "name": "pgdata",
-                    "persistentVolumeClaim": {
-                        "claimName": "{{.PVC_NAME}}"
-                    }
-                },
-		{
-                    "name": "backup",
-                    "persistentVolumeClaim": {
-                        "claimName": "{{.BACKUP_PVC_NAME}}"
+                "volumes": [{
+                        "name": "pgdata",
+                        "persistentVolumeClaim": {
+                            "claimName": "{{.PVC_NAME}}"
+                        }
+                    }, {
+                        "name": "backup",
+                        "persistentVolumeClaim": {
+                            "claimName": "{{.BACKUP_PVC_NAME}}"
+                        }
+                    }, {
+                        "name": "pguser-volume",
+                        "secret": {
+                            "secretName": "{{.PGUSER_SECRET_NAME}}"
+                        }
+                    }, {
+                        "name": "pgmaster-volume",
+                        "secret": {
+                            "secretName": "{{.PGMASTER_SECRET_NAME}}"
+                        }
+                    }, {
+                        "name": "pgroot-volume",
+                        "secret": {
+                            "secretName": "{{.PGROOT_SECRET_NAME}}"
+                        }
                     }
-                }
-		],
+
+
+                ],
 
                 "restartPolicy": "Always",
                 "dnsPolicy": "ClusterFirst"

conf/postgres-operator/cluster/1/cluster-replica-deployment-1.json

@@ -23,6 +23,9 @@
                 }
             },
             "spec": {
+
+	    	{{.SECURITY_CONTEXT}}
+
                 "containers": [{
                     "name": "database",
                     "image": "crunchydata/crunchy-postgres:{{.CCP_IMAGE_TAG}}",

operator/cluster/cluster.go

@@ -62,6 +62,9 @@ type DeploymentTemplateFields struct {
 	PVC_NAME             string
 	BACKUP_PVC_NAME      string
 	BACKUP_PATH          string
+	PGROOT_SECRET_NAME   string
+	PGUSER_SECRET_NAME   string
+	PGMASTER_SECRET_NAME string
 	//next 2 are for the replica deployment only
 	REPLICAS         string
 	PG_MASTER_HOST   string
@@ -152,7 +155,7 @@ func addCluster(clientset *kubernetes.Clientset, client *rest.RESTClient, cl *tp
 
 	log.Debug("creating PgCluster object strategy is [" + cl.Spec.STRATEGY + "]")
 
-	err = util.CreateDatabaseSecrets(clientset, cl.Spec.Name, namespace)
+	err = util.CreateDatabaseSecrets(clientset, client, cl, namespace)
 	if err != nil {
 		log.Error(err.Error())
 		return

operator/cluster/cluster_strategy_1.go

@@ -134,6 +134,9 @@ func (r ClusterStrategy1) AddCluster(clientset *kubernetes.Clientset, client *re
 		PG_DATABASE:          cl.Spec.PG_DATABASE,
 		PG_ROOT_PASSWORD:     cl.Spec.PG_ROOT_PASSWORD,
 		SECURITY_CONTEXT:     util.CreateSecContext(cl.Spec.FS_GROUP, cl.Spec.SUPPLEMENTAL_GROUPS),
+		PGROOT_SECRET_NAME:   cl.Spec.PGROOT_SECRET_NAME,
+		PGMASTER_SECRET_NAME: cl.Spec.PGMASTER_SECRET_NAME,
+		PGUSER_SECRET_NAME:   cl.Spec.PGUSER_SECRET_NAME,
 	}
 
 	err = DeploymentTemplate1.Execute(&masterDoc, deploymentFields)
@@ -160,20 +163,23 @@ func (r ClusterStrategy1) AddCluster(clientset *kubernetes.Clientset, client *re
 
 	//create the replica deployment
 	replicaDeploymentFields := DeploymentTemplateFields{
-		Name:               cl.Spec.Name + REPLICA_SUFFIX,
-		ClusterName:        cl.Spec.Name,
-		Port:               cl.Spec.Port,
-		CCP_IMAGE_TAG:      cl.Spec.CCP_IMAGE_TAG,
-		PVC_NAME:           cl.Spec.PVC_NAME,
-		PG_MASTER_HOST:     cl.Spec.PG_MASTER_HOST,
-		PG_MASTER_USER:     cl.Spec.PG_MASTER_USER,
-		PG_MASTER_PASSWORD: cl.Spec.PG_MASTER_PASSWORD,
-		PG_USER:            cl.Spec.PG_USER,
-		PG_PASSWORD:        cl.Spec.PG_PASSWORD,
-		PG_DATABASE:        cl.Spec.PG_DATABASE,
-		PG_ROOT_PASSWORD:   cl.Spec.PG_ROOT_PASSWORD,
-		REPLICAS:           cl.Spec.REPLICAS,
-		SECURITY_CONTEXT:   util.CreateSecContext(cl.Spec.FS_GROUP, cl.Spec.SUPPLEMENTAL_GROUPS),
+		Name:                 cl.Spec.Name + REPLICA_SUFFIX,
+		ClusterName:          cl.Spec.Name,
+		Port:                 cl.Spec.Port,
+		CCP_IMAGE_TAG:        cl.Spec.CCP_IMAGE_TAG,
+		PVC_NAME:             cl.Spec.PVC_NAME,
+		PG_MASTER_HOST:       cl.Spec.PG_MASTER_HOST,
+		PG_MASTER_USER:       cl.Spec.PG_MASTER_USER,
+		PG_MASTER_PASSWORD:   cl.Spec.PG_MASTER_PASSWORD,
+		PG_USER:              cl.Spec.PG_USER,
+		PG_PASSWORD:          cl.Spec.PG_PASSWORD,
+		PG_DATABASE:          cl.Spec.PG_DATABASE,
+		PG_ROOT_PASSWORD:     cl.Spec.PG_ROOT_PASSWORD,
+		REPLICAS:             cl.Spec.REPLICAS,
+		SECURITY_CONTEXT:     util.CreateSecContext(cl.Spec.FS_GROUP, cl.Spec.SUPPLEMENTAL_GROUPS),
+		PGROOT_SECRET_NAME:   cl.Spec.PGROOT_SECRET_NAME,
+		PGMASTER_SECRET_NAME: cl.Spec.PGMASTER_SECRET_NAME,
+		PGUSER_SECRET_NAME:   cl.Spec.PGUSER_SECRET_NAME,
 	}
 
 	err = ReplicaDeploymentTemplate1.Execute(&replicaDoc, replicaDeploymentFields)

operator/util/secrets.go

@@ -18,7 +18,10 @@ package util
 import (
 	//"encoding/base64"
 	log "github.com/Sirupsen/logrus"
+	"github.com/crunchydata/postgres-operator/tpr"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+
 	"k8s.io/client-go/pkg/api/v1"
 	"math/rand"
 	"time"
@@ -31,34 +34,68 @@ var seededRand *rand.Rand = rand.New(
 	rand.NewSource(time.Now().UnixNano()))
 
 //create pgroot, pgmaster, and pguser secrets
-func CreateDatabaseSecrets(clientset *kubernetes.Clientset, db, namespace string) error {
-
-	var username string
-	var err error
+func CreateDatabaseSecrets(clientset *kubernetes.Clientset, tprclient *rest.RESTClient, cl *tpr.PgCluster, namespace string) error {
 
 	//pgroot
-	username = "postgres"
-	err = CreateSecret(clientset, db, "pgroot-secret", username, namespace)
+	username := "postgres"
+	suffix := "-pgroot-secret"
+	secretName := cl.Spec.Name + suffix
+	err := CreateSecret(clientset, cl.Spec.Name, secretName, username, cl.Spec.PG_ROOT_PASSWORD, namespace)
+	if err != nil {
+		log.Error(err.Error())
+	}
+	cl.Spec.PGROOT_SECRET_NAME = secretName
+	err = Patch(tprclient, "/spec/pgrootsecretname", secretName, "pgclusters", cl.Spec.Name, namespace)
+	if err != nil {
+		log.Error(err.Error())
+	}
+
 	///pgmaster
 	username = "master"
-	err = CreateSecret(clientset, db, "pgmaster-secret", username, namespace)
+	suffix = "-pgmaster-secret"
+	secretName = cl.Spec.Name + suffix
+	err = CreateSecret(clientset, cl.Spec.Name, secretName, username, cl.Spec.PG_MASTER_PASSWORD, namespace)
+	if err != nil {
+		log.Error(err.Error())
+	}
+	cl.Spec.PGMASTER_SECRET_NAME = secretName
+	err = Patch(tprclient, "/spec/pgmastersecretname", secretName, "pgclusters", cl.Spec.Name, namespace)
+	if err != nil {
+		log.Error(err.Error())
+	}
+
 	///pguser
 	username = "testuser"
-	err = CreateSecret(clientset, db, "pguser-secret", username, namespace)
+	suffix = "-pguser-secret"
+	secretName = cl.Spec.Name + suffix
+	err = CreateSecret(clientset, cl.Spec.Name, secretName, username, cl.Spec.PG_PASSWORD, namespace)
+	if err != nil {
+		log.Error(err.Error())
+	}
+	cl.Spec.PGUSER_SECRET_NAME = secretName
+	err = Patch(tprclient, "/spec/pgusersecretname", secretName, "pgclusters", cl.Spec.Name, namespace)
+	if err != nil {
+		log.Error(err.Error())
+	}
+
 	return err
 }
 
 //create the secret, user, and master secrets
-func CreateSecret(clientset *kubernetes.Clientset, db, suffix, username, namespace string) error {
+func CreateSecret(clientset *kubernetes.Clientset, db, secretName, username, password, namespace string) error {
 
 	//var enUsername = base64.StdEncoding.EncodeToString([]byte(username))
 	var enUsername = username
 	//var enPassword = base64.StdEncoding.EncodeToString([]byte(generatePassword(10)))
 	var enPassword = generatePassword(10)
+	if password != "" {
+		log.Debug("using user specified password for secret " + secretName)
+		enPassword = password
+	}
 
 	secret := v1.Secret{}
 
-	secret.Name = db + "-" + suffix
+	secret.Name = secretName
 	secret.ObjectMeta.Labels = make(map[string]string)
 	secret.ObjectMeta.Labels["pg-database"] = db
 	secret.Data = make(map[string][]byte)

tpr/cluster.go

@@ -47,6 +47,9 @@ type PgClusterSpec struct {
 	STRATEGY              string `json:"strategy"`
 	BACKUP_PVC_NAME       string `json:"backuppvcname"`
 	BACKUP_PATH           string `json:"backuppath"`
+	PGUSER_SECRET_NAME    string `json:"pgusersecretname"`
+	PGROOT_SECRET_NAME    string `json:"pgrootsecretname"`
+	PGMASTER_SECRET_NAME  string `json:"pgmastersecretname"`
 }
 
 type PgCluster struct {