Conversation
Pull request overview
Adds support for referencing a Kubernetes Secret at .spec.proxy.pgBouncer.usersSecret so the operator can append additional PgBouncer users into pgbouncer-users.txt, and wires up field indexes/watches so changes to that Secret trigger reconciles.
Changes:
- Extend PgBouncer specs (upstream + Percona API) with usersSecret and propagate it through conversion/deepcopy generation.
- Update PgBouncer secret reconciliation to merge extra users into the generated auth file, plus add Secret watches/indexers for reconcile triggers.
- Add unit/E2E coverage validating the users are appended into pgbouncer-users.txt.
Reviewed changes
Copilot reviewed 20 out of 23 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/apis/upstream.pgv2.percona.com/v1beta1/zz_generated.deepcopy.go | Deepcopy updates for new UsersSecret field. |
| pkg/apis/upstream.pgv2.percona.com/v1beta1/postgrescluster_types.go | Adds PgBouncer usersSecret field index helper + indexer func. |
| pkg/apis/upstream.pgv2.percona.com/v1beta1/pgbouncer_types.go | Adds usersSecret to upstream PgBouncer pod spec. |
| pkg/apis/pgv2.percona.com/v2/zz_generated.deepcopy.go | Deepcopy updates for new UsersSecret field. |
| pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go | Adds usersSecret to Percona PgBouncer spec, converts to upstream, and adds index helper + indexer func. |
| percona/controller/pgcluster/controller.go | Watches Secret changes for Percona clusters using usersSecret. |
| internal/pgbouncer/reconcile.go | Passes usersSecret into auth file generation during Secret reconcile. |
| internal/pgbouncer/reconcile_test.go | Verifies reconcile writes the extra user into pgbouncer-users.txt. |
| internal/pgbouncer/config.go | Extends auth file generation to append users from a Secret (sorted). |
| internal/pgbouncer/config_test.go | Adds unit test for multi-user auth file generation and escaping. |
| internal/controller/postgrescluster/watches.go | Adds watch mapping Secrets referenced by usersSecret to PostgresCluster reconcile requests. |
| internal/controller/postgrescluster/pgbouncer.go | Fetches the referenced usersSecret and passes it into PgBouncer Secret reconcile. |
| internal/controller/postgrescluster/controller.go | Registers field index and watches Secrets referenced by usersSecret. |
| e2e-tests/tests/users/23-assert.yaml | E2E assert verifying usersSecret is set and auth file contains appended user. |
| e2e-tests/tests/users/23-add-pgbouncer-user.yaml | E2E step that creates the users Secret and patches the cluster to reference it. |
| deploy/cw-bundle.yaml | CRD bundle schema update for usersSecret. |
| deploy/crd.yaml | CRD schema update for usersSecret. |
| deploy/cr.yaml | Example manifest updates documenting usersSecret. |
| deploy/bundle.yaml | CRD bundle schema update for usersSecret. |
| config/crd/bases/upstream.pgv2.percona.com_postgresclusters.yaml | Upstream CRD base schema update for usersSecret. |
| config/crd/bases/pgv2.percona.com_perconapgclusters.yaml | Percona CRD base schema update for usersSecret. |
| cmd/postgres-operator/main.go | Registers Percona cluster field indexer for usersSecret. |
| build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml | Generated Percona CRD schema update for usersSecret. |
Files not reviewed (2)
- pkg/apis/pgv2.percona.com/v2/zz_generated.deepcopy.go: Generated file
- pkg/apis/upstream.pgv2.percona.com/v1beta1/zz_generated.deepcopy.go: Generated file
Comment on lines +80 to +85
| for name, password := range userSecret.Data { | ||
| if strings.ContainsAny(string(password), "\r\n") { | ||
| return nil, errors.Errorf("pgbouncer user %q in Secret %q contains a newline", name, userSecret.Name) | ||
| } | ||
| users[name] = string(password) | ||
| } |
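Review bot: the map assignment on the last line resolves a Secret key that matches an operator-managed PgBouncer user by silent overwrite (whichever side writes `users[name]` last wins); if `users` is pre-populated with the operator's own entries before this loop, a collision should return an error the way the newline case does, since letting a user-supplied Secret replace the credential the operator uses for its own proxy connection is a quiet way to break or redirect the proxy's auth. The CR/LF check is the right guard for a line-oriented file; pair it with a sentence in the CRD field description saying whether the value is a plaintext password or an already-hashed verifier, because the code writes whatever it receives into pgbouncer-users.txt either way.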
Comment on lines +268 to +274
| var userSecret *corev1.Secret | ||
| if ref := cluster.Spec.Proxy.PGBouncer.UsersSecret; ref != nil { | ||
| userSecret = &corev1.Secret{} | ||
| if err := r.Client.Get(ctx, client.ObjectKey{Namespace: cluster.Namespace, Name: ref.Name}, userSecret); err != nil { | ||
| return nil, errors.Wrapf(err, "get PgBouncer users Secret %q", ref.Name) | ||
| } | ||
| } |
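Review bot: a failed Get, NotFound included, becomes a hard reconcile error here, so a typo in `usersSecret.name` stops the whole PgBouncer Secret reconcile rather than just skipping the extra users. Failing closed is defensible, but make it deliberate: either document that behaviour on the field and emit an event naming the missing Secret, or treat NotFound as a requeue with a status condition so the user can see why PgBouncer is not being updated. Keeping the lookup pinned to `cluster.Namespace` is correct and should stay that way; a cross-namespace reference would let one tenant's cluster read another namespace's Secret.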
Comment on lines +214 to +218
| if cluster.Spec.Proxy.PGBouncer.UsersSecret == nil { | ||
| return nil | ||
| } | ||
| return []string{cluster.Spec.Proxy.PGBouncer.UsersSecret.Name} | ||
| } |
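Review bot: the visible lines dereference `cluster.Spec.Proxy.PGBouncer` with no nil guard on `Proxy` or `PGBouncer`, unlike the Percona counterpart of this indexer, which checks both; unless the lines above the hunk already return early, a PostgresCluster without a proxy section will panic inside the indexer. Separately, the index value is only the Secret name, so the watch handler that lists by this field must also scope the list to the Secret's namespace, otherwise a Secret of the same name in another namespace would fan reconciles out to unrelated clusters.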
Comment on lines +1366 to +1373
| func (cr *PerconaPGCluster) PGBouncerUserSecrets() []string { | ||
| if cr.Spec.Proxy == nil || cr.Spec.Proxy.PGBouncer == nil || | ||
| cr.Spec.Proxy.PGBouncer.UsersSecret == nil { | ||
| return nil | ||
| } | ||
|
|
||
| return []string{cr.Spec.Proxy.PGBouncer.UsersSecret.Name} | ||
| } |
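Review bot: the method is named `PGBouncerUserSecrets` (plural) while the field it reads is the single reference `usersSecret`; returning a slice suits the indexer signature, but align the name with the field or add a doc comment saying the method exists for the field indexer, so the two are greppable together. The exported method currently has no doc comment at all, and the nil checks on `Proxy` and `PGBouncer` here are the ones the upstream indexer should mirror.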
commit: cd3d6e2
https://perconadev.atlassian.net/browse/K8SPG-650
DESCRIPTION
This PR adds `.spec.proxy.pgBouncer.usersSecret` to allow adding custom users to pgbouncer. Example of the secret:
The operator reads each key/value from the secret and appends it to the `pgbouncer-users.txt` file. Each secret key is used as a username, and each secret value is used as password.
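The merge the description and the reviewed config.go hunk talk about, written out as an added example; this is not the PR's or the operator's own code. It assumes the PgBouncer auth_file quoting rule (each field in double quotes, an embedded double quote written as two), an operator-managed user named `_crunchypgbouncer` (an assumption used only as sample data), and constructed Secret data in the shape the operator sees after the API server has base64-decoded the values. It rejects CR/LF in a key or value, refuses a Secret key that would replace an operator-managed user, sorts the output, and parses the file back to show the escaping round-trips.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// quoteField quotes one auth-file field the way PgBouncer's auth_file format
// expects: the value surrounded by double quotes, embedded quotes doubled.
func quoteField(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `""`) + `"`
}

// AuthFileContents builds pgbouncer-users.txt from the operator-managed users
// plus the extra users taken from a Secret's Data. CR/LF in a key or value
// would break the line-oriented file, and a key equal to a managed user would
// silently replace that credential, so both are rejected. Lines are sorted by
// username so the generated file is stable across reconciles.
func AuthFileContents(managed map[string]string, secretData map[string][]byte) ([]byte, error) {
	users := make(map[string]string, len(managed)+len(secretData))
	for name, password := range managed {
		users[name] = password
	}
	for name, password := range secretData {
		if strings.ContainsAny(name+string(password), "\r\n") {
			return nil, fmt.Errorf("pgbouncer user %q: name or password contains a newline", name)
		}
		if _, taken := users[name]; taken {
			return nil, fmt.Errorf("pgbouncer user %q: collides with an operator-managed user", name)
		}
		users[name] = string(password)
	}
	names := make([]string, 0, len(users))
	for name := range users {
		names = append(names, name)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, name := range names {
		b.WriteString(quoteField(name) + " " + quoteField(users[name]) + "\n")
	}
	return []byte(b.String()), nil
}

// readQuoted consumes one double-quoted field at the start of s and returns
// the unescaped value plus the remainder of the line after the closing quote.
func readQuoted(s string) (string, string, error) {
	if !strings.HasPrefix(s, `"`) {
		return "", "", errors.New("expected opening quote")
	}
	var out strings.Builder
	for i := 1; i < len(s); i++ {
		if s[i] != '"' {
			out.WriteByte(s[i])
			continue
		}
		// A doubled quote is an escaped quote; a lone quote closes the field.
		if i+1 < len(s) && s[i+1] == '"' {
			out.WriteByte('"')
			i++
			continue
		}
		return out.String(), s[i+1:], nil
	}
	return "", "", errors.New("unterminated quoted field")
}

// ParseAuthFile reads the file back into username -> password using the same
// quoting rules, so a round trip shows the escaping is unambiguous.
func ParseAuthFile(contents []byte) (map[string]string, error) {
	users := map[string]string{}
	for n, line := range strings.Split(strings.TrimRight(string(contents), "\n"), "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		name, rest, err := readQuoted(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		password, _, err := readQuoted(strings.TrimLeft(rest, " \t"))
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		users[name] = password
	}
	return users, nil
}

func main() {
	// Assumed operator-managed user and constructed Secret data, sample values only.
	managed := map[string]string{"_crunchypgbouncer": "operator-generated"}
	secretData := map[string][]byte{
		"app_user": []byte(`s3cr"et`), // the embedded quote is doubled on output
		"reporter": []byte("report-only"),
	}
	if contents, err := AuthFileContents(managed, secretData); err == nil {
		fmt.Print(string(contents))
	}
	_, err := AuthFileContents(managed, map[string][]byte{"_crunchypgbouncer": []byte("x")})
	fmt.Println("collision:", err)
}
```

The collision check is the part the reviewed hunk lacks: a plain map assignment lets a Secret key override whichever user the operator wrote first, and nothing in the reconcile would surface that.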