Merge pull request #6 from Facets-cloud/fix_diff_sch_no_dup

Bring main up to date

Author: pramodh-ayyappan

.github/workflows/image-build-push.yml

@@ -29,4 +29,4 @@ jobs:
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: ${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }},${{ env.REGISTRY_IMAGE }}:latest
+          tags: ${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.19 as builder
+FROM golang:1.19 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -15,6 +15,8 @@ RUN go mod download
 COPY main.go main.go
 COPY apis/ apis/
 COPY controllers/ controllers/
+COPY utility/ utility/
+COPY validations/ validations
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command

PROJECT

@@ -30,4 +30,13 @@ resources:
   kind: Grant
   path: github.com/Facets-cloud/postgresql-operator/apis/postgresql/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: facets.cloud
+  group: postgresql
+  kind: GrantStatement
+  path: github.com/Facets-cloud/postgresql-operator/apis/postgresql/v1alpha1
+  version: v1alpha1
 version: "3"

README.md

@@ -15,12 +15,18 @@ This guide provides an introduction to using the PostgreSQL Operator. It will he
 - You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
 **Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
 - A kubernetes secret that contains base64 encrypted PostgreSQL Database details `username`, `password`, `endpoint`, `port`, `database` and `role_password`
-  > _Note:_
-  > - You can use existing secret with database details and role password
-  > - You can new secret with database details and role password
-  > - You can also created two separate secret for database details and role password
 
-  - Create a secret that contains both the database details and the role password. You have the flexibility to choose your own name for the key representing the role password, as long as you reference it correctly in the Role CRD.
+> [!NOTE] 
+> - You can use existing secret with database details and role password
+> - You can new secret with database details and role password
+> - You can also created two separate secret for database details and role password
+
+> [!CAUTION]
+> - For granting permissions to a specific role, you should utilize either the Grant or GrantStatement Custom Resource Definition — but not both concurrently. Using both might lead to conflicts or unexpected behavior. 
+> - For managing role permissions through the GrantStatement Custom Resource Definition on any database, ensure that no additional permissions are assigned outside the CRD manually. Any such additional permissions will be revoked when the CRD gets updated.
+> - Please note that you should not use any PostgreSQL GRANT query for a different database in a GrantStatement Custom Resource Definition that is specifically related to one database. If you do, the role cleanup process may not be successful.
+
+- Create a secret that contains both the database details and the role password. You have the flexibility to choose your own name for the key representing the role password, as long as you reference it correctly in the Role CRD.
 
     ```bash
     kubectl create secret generic <secret_name> --from-literal=username=<postgresql_username> --from-literal=password=<postgresql_password> --from-literal=endpoint=<postgresql_endpoint> --from-literal=port=<postgresql_port> --from-literal=database=<postgresql_database> --from-literal=role_password=<postgresql_role_password>
@@ -75,6 +81,24 @@ spec:
   table: ALL
 ```
 
+#### Example GrantStatement CRD
+````yaml
+apiVersion: postgresql.facets.cloud/v1alpha1
+kind: GrantStatement
+metadata:
+  name: test-grantstatement
+spec:
+  roleRef:
+    name: test-role
+    namespace: default
+  database: postgres
+  statements:
+    - 'GRANT CONNECT ON DATABASE postgres TO "test-role";'
+    - 'GRANT USAGE ON SCHEMA public TO "test-role";'
+    - 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "test-role";'
+    - 'ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO "test-role";'
+````
+
 For more examples, kindly check [here](examples)
 
 ### Running on the cluster

apis/postgresql/v1alpha1/grantstatement_types.go

@@ -0,0 +1,81 @@
+/*
+Copyright 2023 Pramodh Ayyappan.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"github.com/Facets-cloud/postgresql-operator/apis/common"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// GrantStatementSpec defines the desired state of GrantStatement
+type GrantStatementSpec struct {
+	// +kubebuilder:validation:Required
+	Database string `json:"database"`
+
+	// +kubebuilder:validation:Required
+	RoleRef common.ResourceReference `json:"roleRef"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinItems=1
+	Statements []string `json:"statements"`
+}
+
+// GrantStatementStatus defines the observed state of GrantStatement
+type GrantStatementStatus struct {
+	Conditions                  []metav1.Condition          `json:"conditions,omitempty"`
+	PreviousGrantStatementState PreviousGrantStatementState `json:"previousGrantStatementState,omitempty"`
+}
+
+type PreviousGrantStatementState struct {
+	Database   string                   `json:"database"`
+	RoleRef    common.ResourceReference `json:"roleRef"`
+	Statements []string                 `json:"statements"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:printcolumn:name="Database",type=string,JSONPath=`.spec.database`
+//+kubebuilder:printcolumn:name="Role",type=string,JSONPath=`.spec.roleRef.name`
+//+kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[-1:].status`
+//+kubebuilder:printcolumn:name="Reason",type=string,JSONPath=`.status.conditions[-1:].reason`
+//+kubebuilder:printcolumn:name="Last Transition Time",type=string,priority=1,JSONPath=`.status.conditions[-1:].lastTransitionTime`
+//+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// GrantStatement is the Schema for the grantstatements API
+type GrantStatement struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   GrantStatementSpec   `json:"spec,omitempty"`
+	Status GrantStatementStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// GrantStatementList contains a list of GrantStatement
+type GrantStatementList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []GrantStatement `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&GrantStatement{}, &GrantStatementList{})
+}