Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Init postgres user and database from annotation #1322

Merged
merged 5 commits into from
Jan 14, 2025
Merged

✨ Init postgres user and database from annotation #1322

merged 5 commits into from
Jan 14, 2025

Conversation

yanmxa
Copy link
Member

@yanmxa yanmxa commented Jan 10, 2025
edited
Loading

Summary

Related issue(s)

Fixes # https://issues.redhat.com/browse/ACM-16818

Tests

  • Unit/function tests have been added and incorporated into make unit-tests.
  • Integration tests have been added and incorporated into make integration-test.
  • E2E tests have been added and incorporated into make e2e-test-all.
  • List other manual tests you have done.
  1. create
❯ oc get secret postgresql-user-testuser
Error from server (NotFound): secrets "postgresql-user-testuser" not found
❯ kubectl patch mgh multiclusterglobalhub -n multicluster-global-hub --type='merge' \
  -p '{"metadata": {"annotations": {"global-hub.open-cluster-management.io/postgres-users": "[{\"name\": \"testuser\", \"databases\": [\"test1\"]}]"}}}'
multiclusterglobalhub.operator.open-cluster-management.io/multiclusterglobalhub patched
❯ kubectl exec -it multicluster-global-hub-postgresql-0 -n multicluster-global-hub -- psql -U postgres -d hoh;

Defaulted container "multicluster-global-hub-postgresql" out of: multicluster-global-hub-postgresql, prometheus-postgres-exporter
psql (16.4)
Type "help" for help.

hoh=# \l
                                                      List of databases
   Name    |  Owner   | Encoding | Locale Provider |  Collate   |   Ctype    | ICU Locale | ICU Rules |   Access privileges
-----------+----------+----------+-----------------+------------+------------+------------+-----------+-----------------------
...
 template0 | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | =..
 test1     | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | =Tc/postgres         +
           |          |          |                 |            |            |            |           | testuser=CTc/postgres
(6 rows)

hoh=# select * from pg_catalog.pg_user;
         usename          | usesysid | usecreatedb | usesuper | userepl | usebypassrls |  passwd  | valuntil | useconfig
--------------------------+----------+-------------+----------+---------+--------------+----------+----------+-----------
...
 testuser                 |    24657 | f           | f        | f       | f            | ******** |          |
(3 rows)

hoh=# SELECT
    rolname AS role_name,
    datname AS database_name,
    has_database_privilege(rolname, datname, 'CONNECT') AS can_connect,
    has_database_privilege(rolname, datname, 'CREATE') AS can_create
FROM
    pg_roles,
    pg_database
WHERE rolname = 'testuser';
 role_name | database_name | can_connect | can_create
-----------+---------------+-------------+------------
 testuser  | other1      | t           | f
 testuser  | ohter2           | t           | f
 testuser  | test1         | t           | t
(6 rows)

hoh=# exit
❯ oc get secret postgresql-user-testuser -oyaml
apiVersion: v1
data:
  ca: L...K
  databases: dGVzdDE=
  db.host: **
  db.password: **
  db.port: **
  db.user: dGVzdHVzZXI=
kind: Secret
metadata:
  creationTimestamp: "2025-01-10T09:55:32Z"
  name: postgresql-user-testuser
  namespace: multicluster-global-hub
  resourceVersion: "39342680"
  uid: 4d8996d7-8afc-4094-b0e2-34849ff6f347
type: Opaque
❯ echo "dGVzdDE=" | base64 -d
test1%
❯ echo "L...K" | base64 -d
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  1. update
❯ kubectl patch mgh multiclusterglobalhub -n multicluster-global-hub --type='merge' \
  -p '{"metadata": {"annotations": {"global-hub.open-cluster-management.io/postgres-users": "[{\"name\": \"testuser\", \"databases\": [\"test1\", \"test2\"]}]"}}}'

multiclusterglobalhub.operator.open-cluster-management.io/multiclusterglobalhub patched
❯ kubectl exec -it multicluster-global-hub-postgresql-0 -n multicluster-global-hub -- psql -U postgres -d hoh;

Defaulted container "multicluster-global-hub-postgresql" out of: multicluster-global-hub-postgresql, prometheus-postgres-exporter
psql (16.4)
Type "help" for help.

hoh=# \l
                                                      List of databases
   Name    |  Owner   | Encoding | Locale Provider |  Collate   |   Ctype    | ICU Locale | ICU Rules |   Access privileges
-----------+----------+----------+-----------------+------------+------------+------------+-----------+-----------------------
...      
           |          |          |                 |            |            |            |           | postgres=CTc/postgres
 test1     | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | =Tc/postgres         +
           |          |          |                 |            |            |            |           | postgres=CTc/postgres+
           |          |          |                 |            |            |            |           | testuser=CTc/postgres
 test2     | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | =Tc/postgres         +
           |          |          |                 |            |            |            |           | postgres=CTc/postgres+
           |          |          |                 |            |            |            |           | testuser=CTc/postgres
(7 rows)

hoh=# select * from pg_catalog.pg_user;
         usename          | usesysid | usecreatedb | usesuper | userepl | usebypassrls |  passwd  | valuntil | useconfig
--------------------------+----------+-------------+----------+---------+--------------+----------+----------+-----------
 ...
 testuser                 |    24657 | f           | f        | f       | f            | ******** |          |
(3 rows)

hoh=# SELECT
    rolname AS role_name,
    datname AS database_name,
    has_database_privilege(rolname, datname, 'CONNECT') AS can_connect,
    has_database_privilege(rolname, datname, 'CREATE') AS can_create
FROM
    pg_roles,
    pg_database
WHERE rolname = 'testuser';
 role_name | database_name | can_connect | can_create
-----------+---------------+-------------+------------
 testuser  | ...     | t           | f
 testuser  | test1         | t           | t
 testuser  | test2         | t           | t
(7 rows)

hoh=# exit
❯ oc get secret postgresql-user-testuser -oyaml
apiVersion: v1
data:
  ca: L...K
  databases: dGVzdDEsdGVzdDI=
  ...
kind: Secret
metadata:
  creationTimestamp: "2025-01-10T09:55:32Z"
  name: postgresql-user-testuser
  namespace: multicluster-global-hub
  resourceVersion: "39347390"
  uid: 4d8996d7-8afc-4094-b0e2-34849ff6f347
type: Opaque
❯ echo "dGVzdDEsdGVzdDI=" | base64 -d
test1,test2%
  1. dashboard
image

yanmxa added 2 commits January 10, 2025 10:08
@yanmxa
add the update
2032c9d 
Signed-off-by: myan <[email protected]>
@yanmxa
add it
70231da 
Signed-off-by: myan <[email protected]>
@yanmxa yanmxa mentioned this pull request Jan 10, 2025
Closed
4 tasks
@yanmxa yanmxa changed the title ✨ Init postgres user and database from annotion ✨ Init postgres user and database from annotation Jan 10, 2025
@yanmxa
fix the sonar
85f77ea 
Signed-off-by: myan <[email protected]>
@yanmxa
Copy link
Member Author

yanmxa commented Jan 13, 2025

/cc @clyang82 @ldpliu

@openshift-ci openshift-ci bot requested review from clyang82 and ldpliu January 13, 2025 01:34
clyang82
clyang82 requested changes Jan 13, 2025
View reviewed changes
test/integration/operator/controllers/storage_test.go
config.SetBYOPostgres(false)
mgh.Annotations = map[string]string{
"global-hub.open-cluster-management.io/postgres-users": "[{\"name\": \"testuser\", \"databases\": [\"test1\"]}]",
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

may add another case to test multiple users.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

operator/pkg/controllers/storage/storage_reconciler.go
return nil
}

func (r *StorageReconciler) createPostgresUser(ctx context.Context, conn *pgx.Conn, user AnnotationPGUser,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we split the logic into 2 methods:

  1. create postgres user in database
  2. create the postgres user secret.

Ideally, create the postgres user secret should happen after the database operations are done (db/user/permission)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

operator/pkg/controllers/storage/storage_reconciler.go
"databases": []byte(strings.Join(user.Databases, ",")),
"ca": storageConn.CACert,
}
err = r.GetClient().Create(ctx, userSecret)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will the secret be deleted if the mcgh cr is deleted?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added the secret with the mgh owner reference, ensuring it will be deleted when the custom resource is removed

@yanmxa
add review
8b1b4f2 
Signed-off-by: myan <[email protected]>
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
81.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@yanmxa yanmxa requested a review from clyang82 January 13, 2025 12:32
clyang82
clyang82 approved these changes Jan 14, 2025
View reviewed changes
Copy link
Contributor

@clyang82 clyang82 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci openshift-ci bot added the lgtm label Jan 14, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 14, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clyang82, yanmxa

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@clyang82 clyang82 merged commit 91f5d8f into stolostron:main Jan 14, 2025
13 of 15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clyang82 clyang82 clyang82 approved these changes

@ldpliu ldpliu Awaiting requested review from ldpliu

Assignees

@clyang82 clyang82

Labels
approved dco-signoff: yes lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yanmxa @clyang82