Merge pull request #12 from Facets-cloud/support-username-override

support user name override in role crd

Author: pramodh-ayyappan

apis/postgresql/v1alpha1/role_types.go

@@ -74,6 +74,11 @@ type RoleSpec struct {
 	// +kubebuilder:validation:Required
 	PasswordSecretRef common.SecretKeySelector `json:"passwordSecretRef,omitempty"`
 
+	// UserNameOverride allows specifying a custom username for the PostgreSQL role.
+	// When set, this takes precedence over the role name from the CRD metadata.
+	// +optional
+	UserNameOverride *string `json:"userNameOverride,omitempty"`
+
 	// ConnectionLimit to be applied to the role.
 	// +kubebuilder:validation:Min=-1
 	// +optional

apis/postgresql/v1alpha1/zz_generated.deepcopy.go

@@ -1,3 +1,4 @@
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -54,8 +55,8 @@ spec:
             description: RoleSpec defines the desired state of Role
             properties:
               connectSecretRef:
-                description: ConnectSecretRef references the secret that contains database
-                  details () used to create this role.
+                description: ConnectSecretRef references the secret that contains
+                  database details () used to create this role.
                 properties:
                   name:
                     description: Name of the resource.
@@ -73,8 +74,8 @@ spec:
                 format: int32
                 type: integer
               passwordSecretRef:
-                description: PasswordSecretRef references the secret that contains the
-                  password used for this role.
+                description: PasswordSecretRef references the secret that contains
+                  the password used for this role.
                 properties:
                   key:
                     description: The key to select.
@@ -100,13 +101,13 @@ spec:
                     type: boolean
                   createDb:
                     default: false
-                    description: CreateDb grants CREATEDB when true, allowing the role
-                      to create databases.
+                    description: CreateDb grants CREATEDB when true, allowing the
+                      role to create databases.
                     type: boolean
                   createRole:
                     default: false
-                    description: CreateRole grants CREATEROLE when true, allowing this
-                      role to create other roles.
+                    description: CreateRole grants CREATEROLE when true, allowing
+                      this role to create other roles.
                     type: boolean
                   inherit:
                     default: false
@@ -128,6 +129,11 @@ spec:
                     description: SuperUser grants SUPERUSER privilege when true.
                     type: boolean
                 type: object
+              userNameOverride:
+                description: UserNameOverride allows specifying a custom username
+                  for the PostgreSQL role. When set, this takes precedence over the
+                  role name from the CRD metadata.
+                type: string
             type: object
           status:
             description: RoleStatus defines the observed state of Role
@@ -137,8 +143,8 @@ spec:
                   description: "Condition contains details for one aspect of the current
                     state of this API Resource. --- This struct is intended for direct
                     use as an array at the field path .status.conditions.  For example,
-                    \n type FooStatus struct{ // Represents the observations of a foo's
-                    current state. // Known .status.conditions.type are: \"Available\",
+                    \n type FooStatus struct{ // Represents the observations of a
+                    foo's current state. // Known .status.conditions.type are: \"Available\",
                     \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
                     // +listType=map // +listMapKey=type Conditions []metav1.Condition
                     `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
@@ -152,8 +158,8 @@ spec:
                       format: date-time
                       type: string
                     message:
-                      description: message is a human readable message indicating details
-                        about the transition. This may be an empty string.
+                      description: message is a human readable message indicating
+                        details about the transition. This may be an empty string.
                       maxLength: 32768
                       type: string
                     observedGeneration:
@@ -167,11 +173,11 @@ spec:
                       type: integer
                     reason:
                       description: reason contains a programmatic identifier indicating
-                        the reason for the condition's last transition. Producers of
-                        specific condition types may define expected values and meanings
-                        for this field, and whether the values are considered a guaranteed
-                        API. The value should be a CamelCase string. This field may
-                        not be empty.
+                        the reason for the condition's last transition. Producers
+                        of specific condition types may define expected values and
+                        meanings for this field, and whether the values are considered
+                        a guaranteed API. The value should be a CamelCase string.
+                        This field may not be empty.
                       maxLength: 1024
                       minLength: 1
                       pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

chart/postgresql-operator/templates/role-crd.yaml

@@ -128,6 +128,11 @@ spec:
                     description: SuperUser grants SUPERUSER privilege when true.
                     type: boolean
                 type: object
+              userNameOverride:
+                description: UserNameOverride allows specifying a custom username
+                  for the PostgreSQL role. When set, this takes precedence over the
+                  role name from the CRD metadata.
+                type: string
             type: object
           status:
             description: RoleStatus defines the observed state of Role

config/crd/bases/postgresql.facets.cloud_roles.yaml

@@ -0,0 +1,28 @@
+apiVersion: postgresql.facets.cloud/v1alpha1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: role
+    app.kubernetes.io/instance: role-example-with-override
+    app.kubernetes.io/part-of: postgresql-operator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: postgresql-operator
+  name: role-example-with-override
+spec:
+  connectSecretRef:
+    name: db-conn
+    namespace: default
+  passwordSecretRef:
+    namespace: default
+    name: db-conn
+    key: role_password
+  userNameOverride: "test_user"
+  connectionLimit: 100
+  privileges:
+    bypassRls: false
+    createDb: false
+    createRole: false
+    inherit: false
+    login: true
+    replication: false
+    superUser: false

config/samples/postgresql_v1alpha1_role_with_username_override.yaml

@@ -205,7 +205,7 @@ func (r *GrantStatementReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		}
 
 		// Revoke all privileges from the role before granting new privileges
-		err, message = r.revokeAllPrivileges(grantStatement, prevDatabase, prevRoleRef, secret)
+		err, message = r.revokeAllPrivileges(ctx, grantStatement, prevDatabase, prevRoleRef, secret)
 		if err != nil {
 			message := fmt.Sprintf("Failed to revoke all privileges for GrantStatement %s/%s: %s", grantStatement.Namespace, grantStatement.Name, message)
 			r.appendGrantStatementStatusCondition(ctx, grantStatement, common.FAIL, metav1.ConditionFalse, common.FAIL, fmt.Sprintf("%s: %s", message, err.Error()))
@@ -257,7 +257,7 @@ func (r *GrantStatementReconciler) finalizeGrantStatement(ctx context.Context, g
 		logger.Error(err, message)
 		return fmt.Errorf("failed to retrieve secret from current state for GrantStatement %s/%s: %s", grantStatement.Namespace, grantStatement.Name, err.Error())
 	}
-	err, message = r.revokeAllPrivileges(grantStatement, database, roleRef, secret)
+	err, message = r.revokeAllPrivileges(ctx, grantStatement, database, roleRef, secret)
 	if err != nil {
 		r.appendGrantStatementStatusCondition(ctx, grantStatement, common.FAIL, metav1.ConditionFalse, common.FAIL, err.Error())
 		logger.Error(err, message)
@@ -268,7 +268,7 @@ func (r *GrantStatementReconciler) finalizeGrantStatement(ctx context.Context, g
 	return nil
 }
 
-func (r *GrantStatementReconciler) revokeAllPrivileges(grantStatement *postgresqlv1alpha1.GrantStatement, database string, roleRef common.ResourceReference, secret *corev1.Secret) (error, string) {
+func (r *GrantStatementReconciler) revokeAllPrivileges(ctx context.Context, grantStatement *postgresqlv1alpha1.GrantStatement, database string, roleRef common.ResourceReference, secret *corev1.Secret) (error, string) {
 	var message string
 	db, err := common.ConnectToPostgres(secret, database)
 	if err != nil {
@@ -298,7 +298,20 @@ func (r *GrantStatementReconciler) revokeAllPrivileges(grantStatement *postgresq
 		schemas = append(schemas, schema)
 	}
 
-	role := fmt.Sprintf("\"%s\"", roleRef.Name)
+	// Get the Role object to access UserNameOverride
+	roleObj := &postgresqlv1alpha1.Role{}
+	err = r.Get(ctx, types.NamespacedName{
+		Namespace: roleRef.Namespace,
+		Name:      roleRef.Name,
+	}, roleObj)
+	if err != nil {
+		message = fmt.Sprintf("Failed to get role resource %s/%s for GrantStatement %s", roleRef.Namespace, roleRef.Name, grantStatement.Name)
+		logger.Error(err, message)
+		return err, message
+	}
+
+	effectiveRoleName := getEffectiveRoleName(roleObj)
+	role := fmt.Sprintf("\"%s\"", effectiveRoleName)
 	rootUser := string(secret.Data[common.ResourceCredentialsSecretUserKey])
 
 	// For each schema, execute each SQL command to revoke all privileges as a separate transaction

controllers/postgresql/grantstatement_controller.go

@@ -79,6 +79,15 @@ type RoleReconciler struct {
 	Scheme *runtime.Scheme
 }
 
+// getEffectiveRoleName returns the PostgreSQL role name to use.
+// If UserNameOverride is set, it takes precedence over the CRD name.
+func getEffectiveRoleName(role *postgresql.Role) string {
+	if role.Spec.UserNameOverride != nil && *role.Spec.UserNameOverride != "" {
+		return *role.Spec.UserNameOverride
+	}
+	return role.Name
+}
+
 //+kubebuilder:rbac:groups=postgresql.facets.cloud,resources=roles,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=postgresql.facets.cloud,resources=roles/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=postgresql.facets.cloud,resources=roles/finalizers,verbs=update
@@ -179,7 +188,7 @@ func (r *RoleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.
 	defaultDatabase := string(connectionSecret.Data[common.ResourceCredentialsSecretDatabaseKey])
 	roleDB, err = common.ConnectToPostgres(connectionSecret, defaultDatabase)
 	if err != nil {
-		reason := fmt.Sprintf("Failed connecting to database for role `%s`", role.Name)
+		reason := fmt.Sprintf("Failed connecting to database for role `%s`", getEffectiveRoleName(role))
 		roleLogger.Error(err, reason)
 		r.appendRoleStatusCondition(ctx, role, common.FAIL, metav1.ConditionFalse, common.CONNECTIONFAILED, err.Error())
 	}
@@ -325,31 +334,31 @@ func (r *RoleReconciler) findObjectsForSecret(secret client.Object) []reconcile.
 
 func (r *RoleReconciler) CreateRole(ctx context.Context, role *postgresql.Role, rolePassword string) (string, metav1.ConditionStatus, string, string) {
 	privileges := strings.Join(PrivilegesToClauses(role.Spec.Privileges), " ")
-	createRoleQuery := fmt.Sprintf("CREATE ROLE \"%s\" WITH %s PASSWORD '%s' CONNECTION LIMIT %d", role.Name, privileges, rolePassword, *role.Spec.ConnectionLimit)
+	createRoleQuery := fmt.Sprintf("CREATE ROLE \"%s\" WITH %s PASSWORD '%s' CONNECTION LIMIT %d", getEffectiveRoleName(role), privileges, rolePassword, *role.Spec.ConnectionLimit)
 	_, err := roleDB.Exec(createRoleQuery)
 	if err != nil {
-		if strings.Contains(err.Error(), fmt.Sprintf("pq: role \"%s\" already exists", role.Name)) {
-			roleLogger.Error(err, fmt.Sprintf("Role `%s` created outside of database operator.", role.Name))
+		if strings.Contains(err.Error(), fmt.Sprintf("pq: role \"%s\" already exists", getEffectiveRoleName(role))) {
+			roleLogger.Error(err, fmt.Sprintf("Role `%s` created outside of database operator.", getEffectiveRoleName(role)))
 			return common.FAIL, metav1.ConditionFalse, ROLECREATEFAILED, errRoleCreatedOutside
 		} else {
-			roleLogger.Error(err, fmt.Sprintf("Failed to create role `%s`, Check if the secret `%s/%s` has valid database connection details", role.Name, role.Spec.ConnectSecretRef.Namespace, role.Spec.ConnectSecretRef.Name))
+			roleLogger.Error(err, fmt.Sprintf("Failed to create role `%s`, Check if the secret `%s/%s` has valid database connection details", getEffectiveRoleName(role), role.Spec.ConnectSecretRef.Namespace, role.Spec.ConnectSecretRef.Name))
 			return common.FAIL, metav1.ConditionFalse, ROLECREATEFAILED, fmt.Sprintf("%s, Check if the secret `%s/%s` has valid database connection details", err.Error(), role.Spec.ConnectSecretRef.Namespace, role.Spec.ConnectSecretRef.Name)
 		}
 	}
 
-	roleLogger.Info(fmt.Sprintf("Role `%s` got created successfully", role.Name))
+	roleLogger.Info(fmt.Sprintf("Role `%s` got created successfully", getEffectiveRoleName(role)))
 	return common.CREATE, metav1.ConditionTrue, ROLECREATED, "Role created successfully"
 }
 
 func (r *RoleReconciler) DeletRole(ctx context.Context, role *v1alpha1.Role) (string, metav1.ConditionStatus, string, string, error) {
-	deleteRoleQuery := fmt.Sprintf("DROP ROLE IF EXISTS \"%s\"", role.Name)
+	deleteRoleQuery := fmt.Sprintf("DROP ROLE IF EXISTS \"%s\"", getEffectiveRoleName(role))
 	_, err := roleDB.Exec(deleteRoleQuery)
 	if err != nil {
-		roleLogger.Error(err, fmt.Sprintf("Failed to delete role `%s`", role.Name))
+		roleLogger.Error(err, fmt.Sprintf("Failed to delete role `%s`", getEffectiveRoleName(role)))
 		return common.FAIL, metav1.ConditionFalse, ROLEDELETEFAILED, err.Error(), err
 	}
 
-	roleLogger.Info(fmt.Sprintf("Role `%s` got deleted successfully", role.Name))
+	roleLogger.Info(fmt.Sprintf("Role `%s` got deleted successfully", getEffectiveRoleName(role)))
 	return common.DELETE, metav1.ConditionTrue, ROLEDELETED, "Role deleted successfully", err
 }
 
@@ -376,23 +385,23 @@ func (r *RoleReconciler) SyncRole(ctx context.Context, role *postgresql.Role, ro
 		}
 	}
 
-	alterRoleQuery := fmt.Sprintf("ALTER ROLE \"%s\" WITH %s PASSWORD '%s' CONNECTION LIMIT %d", role.Name, strings.Join(privileges, " "), rolePassword, *role.Spec.ConnectionLimit)
+	alterRoleQuery := fmt.Sprintf("ALTER ROLE \"%s\" WITH %s PASSWORD '%s' CONNECTION LIMIT %d", getEffectiveRoleName(role), strings.Join(privileges, " "), rolePassword, *role.Spec.ConnectionLimit)
 	_, err := roleDB.Exec(alterRoleQuery)
 	if err != nil {
-		if strings.Contains(err.Error(), fmt.Sprintf("pq: role \"%s\" does not exist", role.Name)) {
-			roleLogger.Error(err, fmt.Sprintf("Failed to sync role `%s`. Role deleted outside of database operator ", role.Name))
+		if strings.Contains(err.Error(), fmt.Sprintf("pq: role \"%s\" does not exist", getEffectiveRoleName(role))) {
+			roleLogger.Error(err, fmt.Sprintf("Failed to sync role `%s`. Role deleted outside of database operator ", getEffectiveRoleName(role)))
 			return common.SYNC, metav1.ConditionFalse, ROLESYNCFAILED, errRoleDeletedOutside
 		} else {
-			roleLogger.Error(err, fmt.Sprintf("Failed to sync role `%s`", role.Name))
+			roleLogger.Error(err, fmt.Sprintf("Failed to sync role `%s`", getEffectiveRoleName(role)))
 			return common.SYNC, metav1.ConditionFalse, ROLESYNCFAILED, err.Error()
 		}
 	}
 
 	if isPasswordSync {
-		roleLogger.Info(fmt.Sprintf("Role `%s` password got synced successfully", role.Name))
+		roleLogger.Info(fmt.Sprintf("Role `%s` password got synced successfully", getEffectiveRoleName(role)))
 		return common.SYNC, metav1.ConditionTrue, ROLEPASSWORDSYNCED, "Role password synced successfully"
 	}
-	roleLogger.Info(fmt.Sprintf("Role `%s` got synced successfully", role.Name))
+	roleLogger.Info(fmt.Sprintf("Role `%s` got synced successfully", getEffectiveRoleName(role)))
 	return common.SYNC, metav1.ConditionTrue, ROLESYNCED, "Role synced successfully"
 }
 
@@ -411,7 +420,7 @@ func (r *RoleReconciler) ObserveRoleState(ctx context.Context, role *postgresql.
 
 	err := roleDB.QueryRow(
 		observeRoleStateQuery,
-		role.Name,
+		getEffectiveRoleName(role),
 		&role.Spec.Privileges.SuperUser,
 		&role.Spec.Privileges.Inherit,
 		&role.Spec.Privileges.CreateRole,
@@ -422,7 +431,7 @@ func (r *RoleReconciler) ObserveRoleState(ctx context.Context, role *postgresql.
 		&role.Spec.Privileges.BypassRls,
 	).Scan(&isRoleStateChanged)
 	if err != nil {
-		roleLogger.Error(err, fmt.Sprintf("Failed to get role `%s` when observing ", role.Name))
+		roleLogger.Error(err, fmt.Sprintf("Failed to get role `%s` when observing ", getEffectiveRoleName(role)))
 		r.appendRoleStatusCondition(ctx, role, common.FAIL, metav1.ConditionFalse, ROLEGETFAILED, err.Error())
 	}
 	return isRoleStateChanged