wip

romg67 · romg67 · commit bd91bdba9b53 · 2024-08-22T14:01:43.000+01:00
diff --git a/charts/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml b/charts/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml
@@ -41,6 +41,9 @@ spec:
                 type: string
               role:
                 type: string
+              iamAuthentication:
+                type: boolean
+                default: false
               secretName:
                 type: string
               secretTemplate:
diff --git a/pkg/apis/db/v1alpha1/postgresuser_types.go b/pkg/apis/db/v1alpha1/postgresuser_types.go
@@ -16,19 +16,21 @@ type PostgresUserSpec struct {
 	// +optional
 	SecretTemplate map[string]string `json:"secretTemplate,omitempty"` // key-value, where key is secret field, value is go template
 	// +optional
-	Privileges string `json:"privileges"`
+	Privileges        string `json:"privileges"`
+	IamAuthentication bool   `json:"iamAuthentication"`
 	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
 
 // PostgresUserStatus defines the observed state of PostgresUser
 // +k8s:openapi-gen=true
 type PostgresUserStatus struct {
-	Succeeded     bool   `json:"succeeded"`
-	PostgresRole  string `json:"postgresRole"`
-	PostgresLogin string `json:"postgresLogin"`
-	PostgresGroup string `json:"postgresGroup"`
-	DatabaseName  string `json:"databaseName"`
+	Succeeded         bool   `json:"succeeded"`
+	PostgresRole      string `json:"postgresRole"`
+	PostgresLogin     string `json:"postgresLogin"`
+	PostgresGroup     string `json:"postgresGroup"`
+	DatabaseName      string `json:"databaseName"`
+	IamAuthentication bool   `json:"iamAuthentication"`
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 	// Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html
diff --git a/pkg/controller/postgresuser/postgresuser_controller.go b/pkg/controller/postgresuser/postgresuser_controller.go
@@ -177,7 +177,7 @@ func (r *ReconcilePostgresUser) Reconcile(request reconcile.Request) (reconcile.
 		// Create user role
 		suffix := utils.GetRandomString(6)
 		role = fmt.Sprintf("%s-%s", instance.Spec.Role, suffix)
-		login, err = r.pg.CreateUserRole(role, password)
+		login, err = r.pg.CreateUserRole(role, password, instance.spec.IamAuthentication)
 		if err != nil {
 			return r.requeue(instance, errors.NewInternalError(err))
 		}
diff --git a/pkg/postgres/aws.go b/pkg/postgres/aws.go
@@ -39,11 +39,17 @@ func (c *awspg) CreateDB(dbname, role string) error {
 	return c.pg.CreateDB(dbname, role)
 }
 
-func (c *awspg) CreateUserRole(role, password string) (string, error) {
-	returnedRole, err := c.pg.CreateUserRole(role, password)
+func (c *awspg) CreateUserRole(role, password string, iamAuthentication *bool) (string, error) {
+	returnedRole, err := c.pg.CreateUserRole(role, password, iamAuthentication)
 	if err != nil {
 		return "", err
 	}
+	if iamAuthentication != nil && *iamAuthentication {
+		err = c.GrantRole("rds_iam", role)
+		if err != nil {
+			return "", err
+		}
+	}
 	// On AWS RDS the postgres user isn't really superuser so he doesn't have permissions
 	// to ALTER DEFAULT PRIVILEGES FOR ROLE unless he belongs to the role
 	err = c.GrantRole(role, c.user)
diff --git a/pkg/postgres/postgres.go b/pkg/postgres/postgres.go
@@ -13,7 +13,7 @@ type PG interface {
 	CreateSchema(db, role, schema string, logger logr.Logger) error
 	CreateExtension(db, extension string, logger logr.Logger) error
 	CreateGroupRole(role string) error
-	CreateUserRole(role, password string) (string, error)
+	CreateUserRole(role, password string, iamAuthentication *bool) (string, error)
 	UpdatePassword(role, password string) error
 	GrantRole(role, grantee string) error
 	SetSchemaPrivileges(schemaPrivileges PostgresSchemaPrivileges, logger logr.Logger) error
diff --git a/pkg/postgres/role.go b/pkg/postgres/role.go
@@ -28,7 +28,7 @@ func (c *pg) CreateGroupRole(role string) error {
 	return nil
 }
 
-func (c *pg) CreateUserRole(role, password string) (string, error) {
+func (c *pg) CreateUserRole(role, password string, iamAuthentication *bool) (string, error) {
 	_, err := c.db.Exec(fmt.Sprintf(CREATE_USER_ROLE, role, password))
 	if err != nil {
 		return "", err

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ func (r *ReconcilePostgresUser) Reconcile(request reconcile.Request) (reconcile.`
`177`	`177`	`// Create user role`
`178`	`178`	`suffix := utils.GetRandomString(6)`
`179`	`179`	`role = fmt.Sprintf("%s-%s", instance.Spec.Role, suffix)`
`180`		`- login, err = r.pg.CreateUserRole(role, password)`
	`180`	`+ login, err = r.pg.CreateUserRole(role, password, instance.spec.IamAuthentication)`
`181`	`181`	`if err != nil {`
`182`	`182`	`return r.requeue(instance, errors.NewInternalError(err))`
`183`	`183`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func (c *pg) CreateGroupRole(role string) error {`
`28`	`28`	`return nil`
`29`	`29`	`}`
`30`	`30`
`31`		`-func (c *pg) CreateUserRole(role, password string) (string, error) {`
	`31`	`+func (c pg) CreateUserRole(role, password string, iamAuthentication bool) (string, error) {`
`32`	`32`	`_, err := c.db.Exec(fmt.Sprintf(CREATE_USER_ROLE, role, password))`
`33`	`33`	`if err != nil {`
`34`	`34`	`return "", err`