Please, answer some short questions which should help us to understand your problem / question better?
Which image of the operator are you using?
ghcr.io/zalando/postgres-operator:v1.11.0
Where do you run it - cloud or metal? Kubernetes or OpenShift?
AWS K8s
Are you running Postgres Operator in production?
Currently no, but will soon go GA
Type of issue? [Bug report, question, feature request, etc.]
bug
I am trying to create two infrastructure roles with different access, Developer (batman - read only) and On-call user (ironman - superuser). Everyone should be able to read the Developer k8s secret, fetch the password and use it. And only the person who is On-call can read the k8s secret for that (this we can manage by k8s RBAC).
The issue is, since I can provide only one secret as part of the infrastructure_roles_secret_name, I will have to put the other one in infrastructure_roles_secrets, but whenever I am trying the following configuration -
Also please note we are using the CRD approach.
In my postgres-operator helm release values.yaml -
My on-call user, the one created with infrastructure_roles_secret_name, gets created but not the one referred to in the infrastructure_roles_secret array.
In the postgres-operator logs I saw the following logs -
After going through the operator code and spending a lot of time understanding how the infrastructure roles are being read, and after spending some time debugging, I finally found the issue here -
https://github.com/zalando/postgres-operator/blob/1210ceca72fb017ea72eccd245f5190894ff9ecf/pkg/util/config/config.go#L70-L95
Since the CRD is not following the camelCase structure and no json tags have been provided in the struct above, my values were never getting populated from the OperatorConfigurationCRD into the struct, and hence I was always seeing this SecretName: / in the logs.
I can raise a PR if this fix sounds good. I have tested it locally on a kind cluster and it seems to work.
After my changes, I finally saw this in the operator logs -
And my roles and users got created in the postgresql pod as well.
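An added example, not part of the original issue or the operator's code: how Go's encoding/json binds keys to a struct with and without json tags, and how strict decoding surfaces a dropped key. The struct names, key spellings and sample values are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Hypothetical structs for illustration, not the operator's own types.
type untaggedRole struct {
	SecretName string
	UserKey    string
}

type taggedRole struct {
	SecretName string `json:"secret_name"`
	UserKey    string `json:"user_key"`
}

// decodeUntagged returns the secret name bound without json tags.
// encoding/json matches keys to field names case-insensitively only.
func decodeUntagged(doc string) string {
	var r untaggedRole
	_ = json.Unmarshal([]byte(doc), &r) // unmatched keys are dropped silently
	return r.SecretName
}

// decodeTagged returns the secret name bound through explicit json tags.
func decodeTagged(doc string) string {
	var r taggedRole
	_ = json.Unmarshal([]byte(doc), &r)
	return r.SecretName
}

// strictDecode turns the silent drop into a load-time error.
func strictDecode(doc string) error {
	dec := json.NewDecoder(bytes.NewReader([]byte(doc)))
	dec.DisallowUnknownFields()
	return dec.Decode(&untaggedRole{})
}

func main() {
	// Constructed sample input with snake_case keys.
	snake := `{"secret_name": "default/batman", "user_key": "user"}`
	fmt.Printf("untagged: %q\n", decodeUntagged(snake))
	fmt.Printf("tagged:   %q\n", decodeTagged(snake))
	fmt.Println("strict:  ", strictDecode(snake))
}
```

An empty secret reference that decodes without error is easy to miss in review, so a strict decode or a post-load check for empty required fields makes the misconfiguration visible at startup.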