feat: External-Postgres-Operator 2.3.3 build

Author: tkcontiant

internal/controller/postgres_controller.go

@@ -168,6 +168,22 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		instance.Status.Roles.Writer = writer
 		instance.Status.Succeeded = true
 	}
+
+	desiredOwner := instance.Spec.MasterRole
+	// handle owner rename if was previously set by instance.Spec.MasterRole then was removed
+	if desiredOwner == "" {
+		desiredOwner = fmt.Sprintf("%s-group", instance.Spec.Database)
+	}
+	// rename owner role if instance.Spec.MasterRole was changed
+	ownerChanged := instance.Status.Roles.Owner != "" && instance.Status.Roles.Owner != desiredOwner
+	if ownerChanged {
+		err = r.pg.RenameGroupRole(instance.Status.Roles.Owner, desiredOwner)
+		if err != nil {
+			return requeue(errors.NewInternalError(err))
+		}
+		instance.Status.Roles.Owner = desiredOwner
+	}
+
 	// create extensions
 	for _, extension := range instance.Spec.Extensions {
 		// Check if extension is already added. Skip if already is added.
@@ -192,7 +208,7 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		writerPrivs         = "SELECT,INSERT,DELETE,UPDATE"
 		writerSequencePrivs = "USAGE,SELECT"
 		writerFunctionPrivs = "EXECUTE"
-		ownerPrivs          = "ALL"
+		ownerPrivs          = "ALL,MAINTAIN"
 		ownerFunctionPrivs  = "ALL"
 		ownerSequencePrivs  = "ALL"
 	)
@@ -208,6 +224,11 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 			reqLogger.Error(err, fmt.Sprintf("Could not create schema %s", schema))
 			continue
 		}
+		instance.Status.Schemas = append(instance.Status.Schemas, schema)
+	}
+
+	// Set privileges on schemas during every reconcile to ensure privileges are correct
+	for _, schema := range instance.Spec.Schemas {
 
 		// Set privileges on schema
 		schemaPrivilegesReader := postgres.PostgresSchemaPrivileges{
@@ -250,9 +271,8 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\", sequence privileges \"%s\", and function privileges \"%s\"", owner, ownerPrivs, ownerSequencePrivs, ownerFunctionPrivs))
 			continue
 		}
-
-		instance.Status.Schemas = append(instance.Status.Schemas, schema)
 	}
+
 	err = r.Status().Patch(ctx, instance, client.MergeFrom(before))
 	if err != nil {
 		return requeue(err)

pkg/postgres/mock/postgres.go

@@ -14,6 +14,7 @@ type PG interface {
 	CreateSchema(db, role, schema string, logger logr.Logger) error
 	CreateExtension(db, extension string, logger logr.Logger) error
 	CreateGroupRole(role string) error
+	RenameGroupRole(currentRole, newRole string) error
 	CreateUserRole(role, password string) (string, error)
 	UpdatePassword(role, password string) error
 	GrantRole(role, grantee string) error

pkg/postgres/postgres.go

@@ -9,6 +9,7 @@ import (
 
 const (
 	CREATE_GROUP_ROLE   = `CREATE ROLE "%s"`
+	RENAME_GROUP_ROLE   = `ALTER ROLE "%s" RENAME TO "%s"`
 	CREATE_USER_ROLE    = `CREATE ROLE "%s" WITH LOGIN PASSWORD '%s'`
 	GRANT_ROLE          = `GRANT "%s" TO "%s"`
 	ALTER_USER_SET_ROLE = `ALTER USER "%s" SET ROLE "%s"`
@@ -28,6 +29,20 @@ func (c *pg) CreateGroupRole(role string) error {
 	return nil
 }
 
+func (c *pg) RenameGroupRole(currentRole, newRole string) error {
+	_, err := c.db.Exec(fmt.Sprintf(RENAME_GROUP_ROLE, currentRole, newRole))
+	if err != nil {
+		if pqErr, ok := err.(*pq.Error); ok {
+			// 42704 => role does not exist; treat as success so caller can recreate
+			if pqErr.Code == "42704" {
+				return nil
+			}
+		}
+		return err
+	}
+	return nil
+}
+
 func (c *pg) CreateUserRole(role, password string) (string, error) {
 	_, err := c.db.Exec(fmt.Sprintf(CREATE_USER_ROLE, role, password))
 	if err != nil {