From bd91bdba9b53010e569c4216a457b05910a0662d Mon Sep 17 00:00:00 2001
From: "romg@pecan.ai"
Date: Tue, 6 Aug 2024 14:12:32 +0100
Subject: [PATCH] wip
---
 .../crds/db.movetokube.com_postgresusers_crd.yaml | 3 +++
 pkg/apis/db/v1alpha1/postgresuser_types.go | 14 ++++++++------
 .../postgresuser/postgresuser_controller.go | 2 +-
 pkg/postgres/aws.go | 10 ++++++++--
 pkg/postgres/postgres.go | 2 +-
 pkg/postgres/role.go | 2 +-
 6 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/charts/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml b/charts/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml
index 1d9a5355..a0d5486f 100644
--- a/charts/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml
+++ b/charts/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml
@@ -41,6 +41,9 @@ spec:
 type: string
 role:
 type: string
+ iamAuthentication:
+ type: boolean
+ default: false
 secretName:
 type: string
 secretTemplate:
diff --git a/pkg/apis/db/v1alpha1/postgresuser_types.go b/pkg/apis/db/v1alpha1/postgresuser_types.go
index 80e70666..1010756d 100644
--- a/pkg/apis/db/v1alpha1/postgresuser_types.go
+++ b/pkg/apis/db/v1alpha1/postgresuser_types.go
@@ -16,7 +16,8 @@ type PostgresUserSpec struct {
 // +optional
 SecretTemplate map[string]string `json:"secretTemplate,omitempty"` // key-value, where key is secret field, value is go template
 // +optional
- Privileges string `json:"privileges"`
+ Privileges string `json:"privileges"`
+ IamAuthentication bool `json:"iamAuthentication"`
 // +optional
 Annotations map[string]string `json:"annotations,omitempty"`
 }
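Review bot: The new `IamAuthentication` field on PostgresUserSpec has no doc comment and, unlike its neighbours, no `// +optional` marker, even though the CRD hunk in this same patch gives it `default: false`; a reader of the Go type cannot tell what switching it on does. Suggest placing `// IamAuthentication, when true, makes the AWS implementation grant the created user the rds_iam role (see pkg/postgres/aws.go).` above the field, together with `// +optional` and the tag `json:"iamAuthentication,omitempty"` so an unset value serialises like the other optional fields. As written, the `// +optional` that used to sit directly above `Privileges` is now followed by two fields, which reads as if it covered both.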
@@ -24,11 +25,12 @@ type PostgresUserSpec struct {
 // PostgresUserStatus defines the observed state of PostgresUser
 // +k8s:openapi-gen=true
 type PostgresUserStatus struct {
- Succeeded bool `json:"succeeded"`
- PostgresRole string `json:"postgresRole"`
- PostgresLogin string `json:"postgresLogin"`
- PostgresGroup string `json:"postgresGroup"`
- DatabaseName string `json:"databaseName"`
+ Succeeded bool `json:"succeeded"`
+ PostgresRole string `json:"postgresRole"`
+ PostgresLogin string `json:"postgresLogin"`
+ PostgresGroup string `json:"postgresGroup"`
+ DatabaseName string `json:"databaseName"`
+ IamAuthentication bool `json:"iamAuthentication"`
 // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 // Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 // Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
diff --git a/pkg/controller/postgresuser/postgresuser_controller.go b/pkg/controller/postgresuser/postgresuser_controller.go
index 85a9437f..573e8f57 100644
--- a/pkg/controller/postgresuser/postgresuser_controller.go
+++ b/pkg/controller/postgresuser/postgresuser_controller.go
@@ -177,7 +177,7 @@ func (r *ReconcilePostgresUser) Reconcile(request reconcile.Request) (reconcile.
 // Create user role
 suffix := utils.GetRandomString(6)
 role = fmt.Sprintf("%s-%s", instance.Spec.Role, suffix)
- login, err = r.pg.CreateUserRole(role, password)
+ login, err = r.pg.CreateUserRole(role, password, instance.spec.IamAuthentication)
 if err != nil {
 return r.requeue(instance, errors.NewInternalError(err))
 }
diff --git a/pkg/postgres/aws.go b/pkg/postgres/aws.go
index 61e73235..1b799af4 100644
--- a/pkg/postgres/aws.go
+++ b/pkg/postgres/aws.go
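Review bot: `IamAuthentication` is added to PostgresUserStatus here, but nothing in this patch writes it: the controller change is a single line (diffstat `postgresuser_controller.go | 2 +-`) that only passes the spec value into CreateUserRole, and the CRD hunk adds the property under the spec schema only, not the status schema. A status field that is never populated will always report false, which is misleading for anyone checking whether IAM auth was actually set up. Either set it where the other status fields are assigned (outside this patch's hunks) and add it to the status schema, or drop it until it is used.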
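Review bot: `instance.spec.IamAuthentication` will not compile: the field is `Spec` (the line above uses `instance.Spec.Role`), and PostgresUserSpec.IamAuthentication is a plain `bool` while the PG interface in the pkg/postgres/postgres.go hunk now takes `*bool`. The minimal fix is `login, err = r.pg.CreateUserRole(role, password, &instance.Spec.IamAuthentication)`; the simpler design, since the spec field already defaults to false in the CRD and has no "unset" state, is to make the parameter `bool` in the postgres.go, aws.go and role.go hunks and pass `instance.Spec.IamAuthentication` directly, which also removes the nil check in aws.go. The Reconcile body continues outside the hunk.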
@@ -39,11 +39,17 @@ func (c *awspg) CreateDB(dbname, role string) error {
 return c.pg.CreateDB(dbname, role)
 }
 
-func (c *awspg) CreateUserRole(role, password string) (string, error) {
- returnedRole, err := c.pg.CreateUserRole(role, password)
+func (c *awspg) CreateUserRole(role, password string, iamAuthentication *bool) (string, error) {
+ returnedRole, err := c.pg.CreateUserRole(role, password, iamAuthentication)
 if err != nil {
 return "", err
 }
+ if iamAuthentication != nil && *iamAuthentication {
+ err = c.GrantRole("rds_iam", role)
+ if err != nil {
+ return "", err
+ }
+ }
 // On AWS RDS the postgres user isn't really superuser so he doesn't have permissions
 // to ALTER DEFAULT PRIVILEGES FOR ROLE unless he belongs to the role
 err = c.GrantRole(role, c.user)
diff --git a/pkg/postgres/postgres.go b/pkg/postgres/postgres.go
index a5c66b0a..079e687b 100644
--- a/pkg/postgres/postgres.go
+++ b/pkg/postgres/postgres.go
@@ -13,7 +13,7 @@ type PG interface {
 CreateSchema(db, role, schema string, logger logr.Logger) error
 CreateExtension(db, extension string, logger logr.Logger) error
 CreateGroupRole(role string) error
- CreateUserRole(role, password string) (string, error)
+ CreateUserRole(role, password string, iamAuthentication *bool) (string, error)
 UpdatePassword(role, password string) error
 GrantRole(role, grantee string) error
 SetSchemaPrivileges(schemaPrivileges PostgresSchemaPrivileges, logger logr.Logger) error
diff --git a/pkg/postgres/role.go b/pkg/postgres/role.go
index 8bf4f4b7..f8409622 100644
--- a/pkg/postgres/role.go
+++ b/pkg/postgres/role.go
@@ -28,7 +28,7 @@ func (c *pg) CreateGroupRole(role string) error {
 return nil
 }
 
-func (c *pg) CreateUserRole(role, password string) (string, error) {
+func (c *pg) CreateUserRole(role, password string, iamAuthentication *bool) (string, error) {
 _, err := c.db.Exec(fmt.Sprintf(CREATE_USER_ROLE, role, password))
 if err != nil {
 return "", err
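Review bot: The `rds_iam` grant runs only after `c.pg.CreateUserRole` has already created the role, so when `err = c.GrantRole("rds_iam", role)` fails the function returns an error with a password-enabled login role left behind; the controller hunk then requeues and, on retry, builds a new role name with a fresh random suffix, so the half-configured role is presumably orphaned and keeps its password credential. Consider dropping the role on that error path, or at least stating the partial state in a comment, so a failed IAM setup does not leave an extra login around. `"rds_iam"` would also read better as a named constant, e.g. `const rdsIAMRole = "rds_iam"`, next to the other AWS-specific names in this file. The function continues past the end of the hunk.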
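Review bot: The new `iamAuthentication *bool` parameter on the PG interface is undocumented, and in particular the meaning of nil is not stated anywhere; the aws.go hunk treats nil as false and the role.go hunk does not read it in its visible part. A method comment would settle this for every implementer: `// CreateUserRole creates a login role with the given password and returns the role name; when iamAuthentication is true the AWS implementation additionally grants rds_iam (nil is treated as false).`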
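Review bot: The base implementation accepts `iamAuthentication *bool` but the visible part of the body never reads it; if the remainder of the function (outside the hunk) ignores it as well, name the parameter `_ *bool` or add a one-line comment saying that only the AWS wrapper acts on it, so the next reader does not hunt for a missing branch. Note also that `CREATE_USER_ROLE` is still executed with `password` regardless of the flag, so an IAM-enabled user ends up holding a password credential in addition to IAM; whether that is intended should be stated in the doc comment.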