
Commit 92de57c

committed
resolve conflicts after rebase
1 parent 9cdc19a commit 92de57c


1 file changed

+54
-1
lines changed


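--- a/internal/controller/postgresuser_controller.go
+++ b/internal/controller/postgresuser_controller.go
@@ -116,7 +116,9 @@ func (r *PostgresUserReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	}
 
 	// Creation logic
-	var role, login string
+	var (
+		role, login string
+	)
 	password, err := utils.GetSecureRandomString(15)
 
 	if err != nil {
@@ -201,6 +203,57 @@ func (r *PostgresUserReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		}
 	} else if awsIamRequested {
 		reqLogger.WithValues("role", role).Info("IAM Auth requested while we are not running with AWS cloud provider config")
+		// Reconcile logic for changes in group membership
+		// This is only applicable if user role is already created
+		// and privileges are changed in spec
+		if instance.Status.PostgresRole != "" {
+
+			// We need to get the Postgres CR to get the group role name
+			database, err := r.getPostgresCR(ctx, instance)
+			if err != nil {
+				return r.requeue(ctx, instance, errors.NewInternalError(err))
+			}
+
+			// Determine desired group role
+			var desiredGroup string
+			switch instance.Spec.Privileges {
+			case "READ":
+				desiredGroup = database.Status.Roles.Reader
+			case "WRITE":
+				desiredGroup = database.Status.Roles.Writer
+			default:
+				desiredGroup = database.Status.Roles.Owner
+			}
+
+			currentGroup := instance.Status.PostgresGroup
+			if desiredGroup != "" && currentGroup != desiredGroup {
+
+				// Remove the old group membership if present
+				if currentGroup != "" {
+					err = r.pg.RevokeRole(currentGroup, role)
+					if err != nil {
+						return r.requeue(ctx, instance, errors.NewInternalError(err))
+					}
+				}
+
+				// Grant the new group role
+				err = r.pg.GrantRole(desiredGroup, role)
+				if err != nil {
+					return r.requeue(ctx, instance, errors.NewInternalError(err))
+				}
+
+				// Ensure objects created by the user are owned by the new group
+				err = r.pg.AlterDefaultLoginRole(role, desiredGroup)
+				if err != nil {
+					return r.requeue(ctx, instance, errors.NewInternalError(err))
+				}
+
+				instance.Status.PostgresGroup = desiredGroup
+				err = r.Status().Update(ctx, instance)
+				if err != nil {
+					return r.requeue(ctx, instance, err)
+				}
+			}
+		}
 	}
 
 	err = r.addFinalizer(ctx, reqLogger, instance)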
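Review bot: The new group-membership reconciliation (new lines 206–256) is inserted between the `reqLogger.WithValues("role", role).Info(...)` call and the closing brace of `} else if awsIamRequested {`, so as positioned it only runs when IAM auth was requested and the operator is not using the AWS provider; on every other reconcile a changed `Spec.Privileges` is never applied to the existing role. Unless the brace at new line 257 closes something the rendering hides, the whole `if instance.Status.PostgresRole != "" { ... }` block should move below that brace so it executes after the creation and IAM branches regardless of which one ran. Separately, the `default:` arm of `switch instance.Spec.Privileges` maps any unrecognised value to `database.Status.Roles.Owner`, the most privileged group, so a typo in the CR silently escalates the user; prefer an explicit case for the owner value and have `default:` requeue with an error instead of falling through. The enclosing Reconcile function starts and ends outside this hunk.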
