From: Fiete Ostkamp Date: Thu, 4 Dec 2025 07:27:57 +0000 (+0100) Subject: [COMMON] Enhance common/postgres to support operator based user and db creation X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=24397534f29f521d186e61f8b70f65c0f4fe7465;p=oom.git [COMMON] Enhance common/postgres to support operator based user and db creation - add .postgresOperator.autoCreateUserSchema that can be set to true to automatically create a user-named schema inside the postgres db [0] - add .postgresOperator.databaseInitSQL.key + .name to point the operator to an sql script inside a configmap [1] - add .postgresOperator.users[].name to create the instance with certain users [2] - add .postgresOperator.users[].databases[] to create the instance with certain dbs [3] - add .postgresOperator.users[].options to grant a user certain role privileges [3] - define a "common.postgresOperator.userSecret" function that returns the secret name that is created by the operator and that contains the user credentials. It works with the first entry of the .postgresOperator.users array for its input params [0] https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/basic-setup/user-management#why-is-the-schema-named-after-the-user [1] https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/day-two/customize-cluster#initialization-sql-configmap [2] https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/basic-setup/user-management#creating-a-new-user [3] https://access.crunchydata.com/documentation/postgres-operator/latest/tutorials/basic-setup/user-management#creating-a-new-database Issue-ID: OOM-3374 Change-Id: I3e64a71b3135a40f95531ea455b6084c330f0d6a Signed-off-by: Fiete Ostkamp --- diff --git a/kubernetes/common/common/Chart.yaml b/kubernetes/common/common/Chart.yaml index df6138b85e..8a0ac3cf61 100644 --- a/kubernetes/common/common/Chart.yaml +++ b/kubernetes/common/common/Chart.yaml 
@@ -17,4 +17,4 @@
 apiVersion: v2
 description: Common templates for inclusion in other charts
 name: common
-version: 13.2.19
+version: 13.3.0
diff --git a/kubernetes/common/common/templates/_postgres.tpl b/kubernetes/common/common/templates/_postgres.tpl
index dcd17c0312..2232cba495 100644
--- a/kubernetes/common/common/templates/_postgres.tpl
+++ b/kubernetes/common/common/templates/_postgres.tpl
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2019 Samsung Electronics
+# Modifications Copyright © 2025 Deutsche Telekom
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -79,6 +80,10 @@ metadata:
 labels:
 app: {{ $dbinst }}
 version: "5.5"
+ {{- if .Values.postgresOperator.autoCreateUserSchema }}
+ annotations:
+ postgres-operator.crunchydata.com/autoCreateUserSchema: true
+ {{- end }}
 spec:
 metadata:
 labels:
@@ -117,6 +122,11 @@ spec:
 matchLabels:
 postgres-operator.crunchydata.com/cluster: {{ $dbinst }}
 postgres-operator.crunchydata.com/instance-set: {{ default "instance1" .Values.postgresOperator.instanceName | quote }}
+ {{- if .Values.postgresOperator.databaseInitSQL }}
+ databaseInitSQL:
+ key: {{ .Values.postgresOperator.databaseInitSQL.key }}
+ name: {{ .Values.postgresOperator.databaseInitSQL.name }}
+ {{- end }}
 proxy:
 pgBouncer:
 metadata:
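Review bot: The value on the added `postgres-operator.crunchydata.com/autoCreateUserSchema: true` line renders as a YAML boolean, and Kubernetes rejects non-string annotation values, so enabling `autoCreateUserSchema` makes the PostgresCluster manifest fail to apply. Quote it: `postgres-operator.crunchydata.com/autoCreateUserSchema: "true"`. The enclosing `metadata:` block starts outside the hunk (it only appears as the hunk header's context), so also confirm that no other `annotations:` key is already emitted there, otherwise the conditional would produce a duplicate mapping key.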
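Review bot: The new `databaseInitSQL` block emits `key` and `name` unquoted and without validation, so a values file that sets `databaseInitSQL` with only one of the two fields renders a null `key:` or `name:` that the operator's CRD rejects with a less helpful message than a render-time error. Use `required` and `quote`: `key: {{ required "postgresOperator.databaseInitSQL.key is required" .Values.postgresOperator.databaseInitSQL.key | quote }}` and the same for `name`. Since the referenced ConfigMap holds SQL that the operator executes inside the freshly created cluster (presumably with elevated privileges — confirm against the linked Crunchy docs), a values.yaml comment should state that write access to that ConfigMap is effectively database-admin access.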
@@ -147,5 +157,63 @@ spec:
 {{- end }}
 {{- end }}
 users:
- - name: postgres
+ {{/*
+ For backwards compatibility, a default postgres user is defined here
+ */}}
+ {{- $defaultUsers := (list (dict "name" "postgres")) }}
+ {{- range .Values.postgresOperator.users | default $defaultUsers }}
+ - name: {{ .name }}
+ {{- if .databases }}
+ databases:
+ {{- range .databases }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if .options }}
+ options: {{ .options | upper | quote }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+
+
+{{/*
+ Get the name of the secret that contains the postgres user credentials
+
+ Usage:
+
+ ```yaml
+ env:
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "common.postgresOperator.userSecret" . }}
+ key: password
+ ```
+
+ This assumes that you have a
+
+ ```yaml
+ postgresOperator:
+ users:
+ - name: your-user
+ databases:
+ - your-db
+ ```
+ block in your values.yaml.
+*/}}
+{{- define "common.postgresOperator.userSecret" -}}
+{{- $dot := default . .dot -}}
+{{- $global := $dot.Values.global -}}
+{{- $dbinst := include "common.name" $dot -}}
+{{- $index := default 0 .index -}} {{/* Default to the first user in the list if not provided */}}
+
+{{- if $dot.Values.postgresOperator.users -}}
+ {{/* Get the user name from the specified index in the list */}}
+ {{- $user := (index $dot.Values.postgresOperator.users $index).name -}}
+
+ {{- printf "%s-pguser-%s" $dbinst $user -}}
+{{- else -}}
+ {{/* 'postgres' user is used by default if not defined */}}
+ {{- printf "%s-pguser-postgres" $dbinst -}}
+{{- end -}}
 {{- end -}}
diff --git a/kubernetes/common/common/templates/_secret.tpl b/kubernetes/common/common/templates/_secret.tpl
index 9eb47d7093..d36624cef7 100644
--- a/kubernetes/common/common/templates/_secret.tpl
+++ b/kubernetes/common/common/templates/_secret.tpl
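Review bot: The `options: {{ .options | upper | quote }}` line hands `.options` straight to the operator, so a value such as `superuser` or `createrole` becomes a cluster-wide privilege for that user with nothing in the template marking it as sensitive; add a comment above it, e.g. `{{/* options are applied by the operator as role attributes (e.g. SUPERUSER, CREATEDB); review them as privileged configuration */}}`. In `common.postgresOperator.userSecret`, `$global` is assigned but never read and can be dropped, and the `.dot`/`.index` dict form the helper accepts is not mentioned in the usage comment — either document `(dict "dot" . "index" 1)` or remove the `index` parameter. When `postgresOperator.users` is unset the fallback keeps `postgres` as the only user, so charts that never define their own user keep receiving that account's credential secret, which in Crunchy PGO is presumably the superuser; the backwards-compatibility comment should say so explicitly.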
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2019 AT&T, Samsung Electronics
+# Modifications Copyright © 2025 Deutsche Telekom
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -516,3 +517,29 @@ stringData:
 {{- end }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Reuses the value from an existing secret, otherwise sets its value to a default value.
+
+Usage:
+{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
+
+Params:
+ - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+ - key - String - Required - Name of the key in the secret.
+ - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
+ - context - Context - Required - Parent context.
+
+*/}}
+{{- define "common.secrets.lookup" -}}
+{{- $value := "" -}}
+{{- $secretData := (lookup "v1" "Secret" (include "common.namespace" .context) .secret).data -}}
+{{- if and $secretData (hasKey $secretData .key) -}}
+ {{- $value = index $secretData .key -}}
+{{- else if .defaultValue -}}
+ {{- $value = .defaultValue | toString | b64enc -}}
+{{- end -}}
+{{- if $value -}}
+{{- printf "%s" $value -}}
+{{- end -}}
+{{- end -}}
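Review bot: When neither the existing secret key nor a truthy `defaultValue` is found, `common.secrets.lookup` renders an empty string, so a caller that feeds it into a Secret silently ends up with an empty credential instead of a failed render; unless a caller relies on the empty result, replace the trailing `{{- if $value -}}`/`{{- end -}}` guard with an `{{- else -}}` branch in the existing chain: `{{- fail (printf "common.secrets.lookup: secret %s has no key %s and no defaultValue was given" .secret .key) -}}`. The `defaultValue` description ("The path to the validating value in the values.yaml") contradicts the usage line, which passes the value itself, so reword it to "the value to use when the secret or key does not exist". Two caveats belong in the doc comment as well: `lookup` returns nothing under `helm template` and `--dry-run`, so the default always wins there and rendered output can differ from a live upgrade; and both branches return base64 data (`.data` from the API, `b64enc` for the default), so the result must be placed under `data:` rather than `stringData:`.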