add sample for grant statement crd and update readme

sanmesh-kakade · sanmesh-kakade · commit e3795f29138c · 2025-02-25T15:22:21.000+05:30
diff --git a/README.md b/README.md
@@ -15,12 +15,18 @@ This guide provides an introduction to using the PostgreSQL Operator. It will he
 - You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
 **Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
 - A kubernetes secret that contains base64 encrypted PostgreSQL Database details `username`, `password`, `endpoint`, `port`, `database` and `role_password`
-  > _Note:_
-  > - You can use existing secret with database details and role password
-  > - You can new secret with database details and role password
-  > - You can also created two separate secret for database details and role password
 
-  - Create a secret that contains both the database details and the role password. You have the flexibility to choose your own name for the key representing the role password, as long as you reference it correctly in the Role CRD.
+> [!NOTE] 
+> - You can use existing secret with database details and role password
+> - You can new secret with database details and role password
+> - You can also created two separate secret for database details and role password
+
+> [!CAUTION]
+> - For granting permissions to a specific role, you should utilize either the Grant or GrantStatement Custom Resource Definition — but not both concurrently. Using both might lead to conflicts or unexpected behavior. 
+> - For managing role permissions through the GrantStatement Custom Resource Definition on any database, ensure that no additional permissions are assigned outside the CRD manually. Any such additional permissions will be revoked when the CRD gets updated.
+> - Please note that you should not use any PostgreSQL GRANT query for a different database in a GrantStatement Custom Resource Definition that is specifically related to one database. If you do, the role cleanup process may not be successful.
+
+- Create a secret that contains both the database details and the role password. You have the flexibility to choose your own name for the key representing the role password, as long as you reference it correctly in the Role CRD.
 
     ```bash
     kubectl create secret generic <secret_name> --from-literal=username=<postgresql_username> --from-literal=password=<postgresql_password> --from-literal=endpoint=<postgresql_endpoint> --from-literal=port=<postgresql_port> --from-literal=database=<postgresql_database> --from-literal=role_password=<postgresql_role_password>
@@ -75,6 +81,24 @@ spec:
   table: ALL
 ```
 
+#### Example GrantStatement CRD
+````yaml
+apiVersion: postgresql.facets.cloud/v1alpha1
+kind: GrantStatement
+metadata:
+  name: test-grantstatement
+spec:
+  roleRef:
+    name: test-role
+    namespace: default
+  database: postgres
+  statements:
+    - 'GRANT CONNECT ON DATABASE postgres TO "test-role";'
+    - 'GRANT USAGE ON SCHEMA public TO "test-role";'
+    - 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "test-role";'
+    - 'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO "test-role";'
+````
+
 For more examples, kindly check [here](examples)
 
 ### Running on the cluster
diff --git a/config/samples/postgresql_v1alpha1_grantstatement.yaml b/config/samples/postgresql_v1alpha1_grantstatement.yaml
@@ -9,4 +9,12 @@ metadata:
     app.kubernetes.io/created-by: postgresql-operator
   name: grantstatement-sample
 spec:
-  # TODO(user): Add fields here
+  roleRef:
+    name: test-role
+    namespace: default
+  database: postgres
+  statements:
+    - 'GRANT CONNECT ON DATABASE postgres TO "test-role";'
+    - 'GRANT USAGE ON SCHEMA public TO "test-role";'
+    - 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "test-role";'
+    - 'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO "test-role";'
diff --git a/docs/crd.md b/docs/crd.md
@@ -11,6 +11,7 @@ Package v1alpha1 contains API Schema definitions for the postgresql v1alpha1 API
 ### Resource Types
 - [Grant](#grant)
 - [Role](#role)
+- [GrantStatement](#grantstatement)
 
 
 
@@ -101,13 +102,40 @@ _Appears in:_
 | `privileges` _[RolePrivilege](#roleprivilege)_                | Privileges to be granted.                                                                          |
 
 
+#### GrantStatement
+
+
+
+GrantStatement is the Schema for the grantstatement API
+
+
+| Field                                                                                                              | Description                                                     |
+| ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- |
+| `apiVersion` _string_                                                                                              | `postgresql.facets.cloud/v1alpha1`                              |
+| `kind` _string_                                                                                                    | `GrantStatement`                                                |
+| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. |
+| `spec` _[GrantStatementSpec](#rolespec)_                                                                           |                                                                 |
+
+#### GrantStatementSpec
+
+GrantStatementSpec defines the desired state of GrantStatement
+
+| Field                                               | Description                                                 |
+| --------------------------------------------------- | ----------------------------------------------------------- |
+| `roleRef` _[ResourceReference](#resourcereference)_ | Defines the role reference to grant permissions             |
+| `statements` _string array_                         | Defines the list of grant queries to be executed for a role |
+| `database` _string_                                 | Defines the Database to execute grant queries for a role    |
+
+
+
 #### ResourceReference
 
 The Database Connection details secret selector
 
 _Appears in:_
 - [Role](#role)
 - [Grant](#Grant)
+- [GrantStatement](#GrantStatement)
 
 | Field       | Description                                                                                                            |
 | ----------- | ---------------------------------------------------------------------------------------------------------------------- |
