Merge branch 'master' into helm-set-image-tag-to-an-empty-string
hitman99 authored Dec 20, 2023
2 parents 0b84b01 + aaa3af7 commit bd0781d
Showing 11 changed files with 202 additions and 46 deletions.
52 changes: 36 additions & 16 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,28 +4,48 @@ on:
release:
types: [published]

permissions:
contents: read
packages: write
jobs:
build:

runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v1
- uses: actions/checkout@v3

- name: Generate Docker Tag
run: |
echo ${{ github.ref }} | cut -d '/' -f 3 > DOCKER_TAG
- name: Build and push container image
run: |
docker build --file build/Dockerfile.dist --tag ghcr.io/movetokube/postgres-operator:$(cat DOCKER_TAG) --tag movetokube/postgres-operator:$(cat DOCKER_TAG) .
docker tag ghcr.io/movetokube/postgres-operator:$(cat DOCKER_TAG) ghcr.io/movetokube/postgres-operator:latest
docker tag movetokube/postgres-operator:$(cat DOCKER_TAG) movetokube/postgres-operator:latest
docker login ghcr.io --username USERNAME --password ${{ secrets.GITHUB_TOKEN }}
docker push ghcr.io/movetokube/postgres-operator:$(cat DOCKER_TAG)
docker push ghcr.io/movetokube/postgres-operator:latest
docker login --username ${{ secrets.DOCKER_USER }} --password ${{ secrets.DOCKER_TOKEN }}
docker push movetokube/postgres-operator:$(cat DOCKER_TAG)
docker push movetokube/postgres-operator:latest
echo "DOCKER_TAG=$(cat DOCKER_TAG)" >> $GITHUB_ENV
- name: Set up QEMU
uses: docker/setup-qemu-action@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_TOKEN }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push
uses: docker/build-push-action@v4
with:
context: .
file: ./build/Dockerfile.dist
platforms: linux/amd64,linux/arm64
push: true
tags: |
ghcr.io/movetokube/postgres-operator:latest
ghcr.io/movetokube/postgres-operator:${{ env.DOCKER_TAG }}
movetokube/postgres-operator:${{ env.DOCKER_TAG }}
movetokube/postgres-operator:latest
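Review bot: `latest` is re-tagged on every `published` release event, so publishing a pre-release, or a patch release for an older line, overwrites `latest` with that build; gating the two `:latest` entries in `tags:` on `github.event.release.prerelease == false` (or promoting `latest` in a separate step) avoids that. Two supply-chain points in the same hunk: the actions are referenced by floating major tags (`actions/checkout@v3`, `docker/login-action@v2`, `docker/build-push-action@v4`) rather than full commit SHAs, and `echo ${{ github.ref }} | cut -d '/' -f 3` silently truncates a tag that contains `/`; `${GITHUB_REF_NAME}` yields the tag name without the shell pipeline. Replacing `docker login --password ${{ secrets.GITHUB_TOKEN }}` with `docker/login-action` is a clear improvement, since the tokens no longer appear on a command line.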
35 changes: 28 additions & 7 deletions README.md
Expand Up @@ -28,12 +28,7 @@ Please consider sponsoring my work
<a class="github-button" href="https://github.com/sponsors/hitman99" data-icon="octicon-heart" data-size="large" aria-label="Sponsor @hitman99 on GitHub">Sponsor</a>

### Current Sponsors

<p align="center">
<a href="https://github.com/ElementAnalytics">
<img src="https://github.com/ElementAnalytics.png" width="50px" alt="ElementAnalytics" />
</a>
</p>
None

## Features

Expand All @@ -44,6 +39,7 @@ Please consider sponsoring my work
* Creates Kubernetes secret with postgres_uri in the same namespace as CR
* Support for AWS RDS and Azure Database for PostgresSQL
* Support for managing CRs in dynamically created namespaces
* Template secret values

## Cloud specific configuration

Expand Down Expand Up @@ -76,9 +72,17 @@ These environment variables are embedded in [deploy/operator.yaml](deploy/operat
* `WATCH_NAMESPACE` - which namespace to watch. Defaults to empty string for all namespaces
* `OPERATOR_NAME` - name of the operator, defaults to `ext-postgres-operator`
* `POSTGRES_INSTANCE` - identity of operator, this matched with `postgres.db.movetokube.com/instance` in CRs. Default is empty
* `KEEP_SECRET_NAME` - use secret name as provided by user (disabled by default)

`POSTGRES_INSTANCE` is only available since version 1.2.0

> While using `KEEP_SECRET_NAME` could be a convenient way to define secrets with predictable and explicit names,
> the default logic reduces risk of operator from entering the endless reconcile loop as secret is very unlikely to exist.
>
> The administrator should ensure that the `SecretName` does not collide with other secrets in the same namespace.
> If the secret already exists, the operator will never stop reconciling the CR until either offending secret is deleted
> or CR is deleted or updated with another SecretName
## Installation

This operator requires a Kubernetes Secret to be created in the same namespace as operator itself.
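Review bot: the `KEEP_SECRET_NAME` bullet should state the default (`false`, as set in `deploy/operator.yaml`) and the block quote should make the failure mode explicit: with the option enabled, a `PostgresUser` whose `secretName` already exists in the namespace is reconciled forever, which is a resource and log-noise concern for the operator rather than only a naming inconvenience, and the text should say outright whether the operator refuses to overwrite the pre-existing secret (the wording implies it but does not state it). Also add a blank line between the block quote and `## Installation`, and the first quoted sentence reads more clearly as "the default logic reduces the risk of the operator entering an endless reconcile loop, since a secret with the generated name is very unlikely to exist".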
Expand Down Expand Up @@ -170,9 +174,11 @@ spec:
privileges: OWNER # Can be OWNER/READ/WRITE
annotations: # Annotations to be propagated to the secrets metadata section (optional)
foo: "bar"
secretTemplate: # Output secrets can be customized using standard Go templates
PQ_URL: "host={{.Host}} user={{.Role}} password={{.Password}} dbname={{.Database}}"
```

This creates a user role `username-<hash>` and grants role `test-db-group`, `test-db-writer` or `test-db-reader` depending on `privileges` property. Its credentials are put in secret `my-secret-my-db-user`.
This creates a user role `username-<hash>` and grants role `test-db-group`, `test-db-writer` or `test-db-reader` depending on `privileges` property. Its credentials are put in secret `my-secret-my-db-user` (unless `KEEP_SECRET_NAME` is enabled).

`PostgresUser` needs to reference a `Postgres` in the same namespace.

Expand Down Expand Up @@ -200,6 +206,21 @@ With the help of annotations it is possible to create annotation-based copies of

For more information and an example, see [kubernetes-replicator#pull-based-replication](https://github.com/mittwald/kubernetes-replicator#pull-based-replication)

#### Template Use Case

Users can specify the structure and content of secrets based on their unique requirements using standard
[Go templates](https://pkg.go.dev/text/template#hdr-Actions). This flexibility allows for a more tailored approach to
meeting the specific needs of different applications.

Available context:

| Variable | Meaning |
|-------------|--------------------------|
| `.Host` | Database host |
| `.Role` | Generated user/role name |
| `.Database` | Referenced database name |
| `.Password` | Generated role password |

### Contribution

You can contribute to this project by opening a PR to merge to `master`, or one of the `vX.X.X` branches.
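Review bot: the table documents the context but not the error behaviour: say what the operator does when a template fails to parse or execute (is the CR left unreconciled, is the error surfaced as an event or status condition, is the secret still written with the default keys?). It is also worth stating that `text/template` is used, so values are inserted verbatim with no escaping, and that only these four fields are exposed, so users know not to expect other fields such as a port.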
25 changes: 18 additions & 7 deletions build/Dockerfile.dist
@@ -1,12 +1,24 @@
FROM golang:1.18-stretch
# syntax=docker/dockerfile:1
FROM --platform=${BUILDPLATFORM} golang:1.18-stretch AS build

COPY . /go/src/github.com/movetokube/postgres-operator
WORKDIR /go/src/github.com/movetokube/postgres-operator/cmd/manager
ARG TARGETPLATFORM
ARG BUILDPLATFORM
ARG TARGETOS
ARG TARGETARCH

RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /usr/local/bin/postgres-operator
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download

COPY . .

FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
RUN --mount=target=. \
--mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg \
CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
go build -o /usr/local/bin/postgres-operator cmd/manager/main.go

FROM --platform=${TARGETPLATFORM} registry.access.redhat.com/ubi8/ubi-minimal:latest

ENV OPERATOR=/usr/local/bin/postgres-operator \
USER_UID=1001 \
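Review bot: `COPY . .` in the build stage is redundant once the build `RUN` uses `--mount=target=.`, which bind-mounts the build context over `/src` for that step; keeping both puts a second copy of the source into the stage for no benefit, so drop the `COPY`. Two more points in this hunk: `go build -o ... cmd/manager/main.go` compiles a single file rather than the package, so any sibling `.go` file in `cmd/manager` would be silently excluded (`./cmd/manager` is the safer spelling), and the base images are unpinned: `golang:1.18-stretch` is an end-of-life Go on an end-of-life Debian release and `ubi-minimal:latest` is a floating tag, so the build is neither reproducible nor on a patched toolchain; pin both by digest and move to a supported Go release.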
Expand All @@ -20,5 +32,4 @@ RUN /usr/local/bin/user_setup

ENTRYPOINT ["/usr/local/bin/entrypoint"]

USER ${USER_UID}

USER ${USER_UID}
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,10 @@ spec:
spec:
description: PostgresUserSpec defines the desired state of PostgresUser
properties:
annotations:
additionalProperties:
type: string
type: object
database:
type: string
privileges:
Expand All @@ -39,6 +43,10 @@ spec:
type: string
secretName:
type: string
template:
additionalProperties:
type: string
type: object
required:
- database
- role
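Review bot: this CRD adds the property as `template`, while `deploy/crds/db.movetokube.com_postgresusers_crd.yaml` in the same commit and the Go type's json tag use `secretTemplate`; a cluster installed from this schema would prune `spec.secretTemplate` from submitted objects (unless unknown fields are preserved) and the operator would never see the template, while `spec.template` would be stored and ignored. Rename it to `secretTemplate`, and add a `description` so `kubectl explain` documents the field.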
8 changes: 8 additions & 0 deletions deploy/crds/db.movetokube.com_postgresusers_crd.yaml
Expand Up @@ -31,6 +31,10 @@ spec:
spec:
description: PostgresUserSpec defines the desired state of PostgresUser
properties:
annotations:
additionalProperties:
type: string
type: object
database:
type: string
privileges:
Expand All @@ -39,6 +43,10 @@ spec:
type: string
secretName:
type: string
secretTemplate:
additionalProperties:
type: string
type: object
required:
- database
- role
2 changes: 2 additions & 0 deletions deploy/operator.yaml
Expand Up @@ -25,6 +25,8 @@ spec:
env:
- name: WATCH_NAMESPACE
value: ""
- name: KEEP_SECRET_NAME
value: "false"
- name: POD_NAME
valueFrom:
fieldRef:
2 changes: 2 additions & 0 deletions pkg/apis/db/v1alpha1/postgresuser_types.go
Expand Up @@ -14,6 +14,8 @@ type PostgresUserSpec struct {
Database string `json:"database"`
SecretName string `json:"secretName"`
// +optional
SecretTemplate map[string]string `json:"secretTemplate,omitempty"` // key-value, where key is secret field, value is go template
// +optional
Privileges string `json:"privileges"`
// +optional
Annotations map[string]string `json:"annotations,omitempty"`
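Review bot: the explanation of `SecretTemplate` is a trailing comment, but CRD generators such as controller-gen take a field's `description` from the doc comment above it; moving it to a `// SecretTemplate ...` doc comment, and spelling out that each value is a Go `text/template` rendered with `.Host`, `.Role`, `.Database` and `.Password`, gets the same text into the generated schema and `kubectl explain`.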
17 changes: 16 additions & 1 deletion pkg/apis/db/v1alpha1/zz_generated.deepcopy.go
5 changes: 5 additions & 0 deletions pkg/config/config.go
Expand Up @@ -2,6 +2,7 @@ package config

import (
"net/url"
"strconv"
"sync"

"github.com/movetokube/postgres-operator/pkg/utils"
Expand All @@ -15,6 +16,7 @@ type cfg struct {
PostgresDefaultDb string
CloudProvider string
AnnotationFilter string
KeepSecretName bool
}

var doOnce sync.Once
Expand All @@ -30,6 +32,9 @@ func Get() *cfg {
config.PostgresDefaultDb = utils.GetEnv("POSTGRES_DEFAULT_DATABASE")
config.CloudProvider = utils.GetEnv("POSTGRES_CLOUD_PROVIDER")
config.AnnotationFilter = utils.GetEnv("POSTGRES_INSTANCE")
if value, err := strconv.ParseBool(utils.GetEnv("KEEP_SECRET_NAME")); err == nil {
config.KeepSecretName = value
}
})
return config
}
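Review bot: the error from `strconv.ParseBool` is discarded, so a mistyped value such as `KEEP_SECRET_NAME=ture` silently leaves `KeepSecretName` at `false` with nothing in the logs; since the empty string is the normal unset case, map it to `false` explicitly and log (or fail startup on) a non-empty value that does not parse. A one-line comment stating that an empty value means the default would also help the next reader.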

0 comments on commit bd0781d