fix bug where secrets where getting deleted if --delete-data was not specified, this prevented a new cluster with the same name from being able to auth into the original pg

Jeff McCormick · Jeff McCormick · commit c5be519e610e · 2018-08-31T14:38:03.000-05:00
diff --git a/apiserver/clusterservice/clusterimpl.go b/apiserver/clusterservice/clusterimpl.go
@@ -73,6 +73,7 @@ func DeleteCluster(name, selector string, deleteData, deleteBackups bool) msgs.D
 	for _, cluster := range clusterList.Items {
 
 		if deleteData {
+			deleteDatabaseSecrets(cluster.Spec.Name)
 			createDeleteDataTasks(cluster.Spec.Name, cluster.Spec.PrimaryStorage, deleteBackups)
 		}
 
@@ -1014,3 +1015,17 @@ func validateBackrestConfig(labels map[string]string) error {
 	return err
 
 }
+
+// deleteDatabaseSecrets delete secrets that match pg-database=somecluster
+func deleteDatabaseSecrets(db string) {
+	//get all that match pg-database=db
+	selector := util.LABEL_PG_DATABASE + "=" + db
+	secrets, err := kubeapi.GetSecrets(apiserver.Clientset, selector, apiserver.Namespace)
+	if err != nil {
+		return
+	}
+
+	for _, s := range secrets.Items {
+		kubeapi.DeleteSecret(apiserver.Clientset, s.ObjectMeta.Name, apiserver.Namespace)
+	}
+}
diff --git a/apiserver/userservice/userimpl.go b/apiserver/userservice/userimpl.go
@@ -26,6 +26,7 @@ import (
 	"github.com/crunchydata/postgres-operator/kubeapi"
 	"github.com/crunchydata/postgres-operator/util"
 	_ "github.com/lib/pq"
+	"k8s.io/client-go/kubernetes"
 	"strconv"
 	"time"
 )
@@ -414,7 +415,9 @@ func deleteUser(namespace, clusterName string, info connInfo, user string, manag
 	}()
 
 	if managed {
-		err = util.DeleteUserSecret(apiserver.Clientset, clusterName, user, namespace)
+		//delete current secret
+		secretName := clusterName + "-" + user + "-secret"
+		err := kubeapi.DeleteSecret(apiserver.Clientset, secretName, namespace)
 		if err != nil {
 			log.Error(err.Error())
 			return err
@@ -597,3 +600,11 @@ func ShowUser(name, selector string) msgs.ShowUserResponse {
 	return response
 
 }
+
+func deleteUserSecret(clientset *kubernetes.Clientset, clustername, username, namespace string) error {
+	//delete current secret
+	secretName := clustername + "-" + username + "-secret"
+
+	err := kubeapi.DeleteSecret(clientset, secretName, namespace)
+	return err
+}
diff --git a/operator/cluster/cluster.go b/operator/cluster/cluster.go
@@ -178,7 +178,7 @@ func AddClusterBase(clientset *kubernetes.Clientset, client *rest.RESTClient, cl
 	}
 
 	var testPassword string
-	_, _, testPassword, err = util.CreateDatabaseSecrets(clientset, client, cl, namespace)
+	_, _, testPassword, err = createDatabaseSecrets(clientset, client, cl, namespace)
 	if err != nil {
 		log.Error("error in create secrets " + err.Error())
 		return
@@ -198,9 +198,9 @@ func AddClusterBase(clientset *kubernetes.Clientset, client *rest.RESTClient, cl
 	}
 
 	//add pgpool deployment if requested
-	if cl.Spec.UserLabels["crunchy-pgpool"] == "true" {
+	if cl.Spec.UserLabels[util.LABEL_PGPOOL_SECRET] == "true" {
 		//generate a secret for pgpool using the testuser credential
-		secretName := cl.Spec.Name + "-pgpool-secret"
+		secretName := cl.Spec.Name + "-" + util.LABEL_PGPOOL_SECRET
 		primaryName := cl.Spec.Name
 		replicaName := cl.Spec.Name + "-replica"
 		err = CreatePgpoolSecret(clientset, primaryName, replicaName, primaryName, secretName, "testuser", testPassword, namespace)
@@ -248,8 +248,6 @@ func DeleteClusterBase(clientset *kubernetes.Clientset, client *rest.RESTClient,
 		return
 	}
 
-	util.DeleteDatabaseSecrets(clientset, cl.Spec.Name, namespace)
-
 	strategy.DeleteCluster(clientset, client, cl, namespace)
 
 	err := kubeapi.Deletepgupgrade(client, cl.Spec.Name, namespace)
@@ -423,3 +421,93 @@ func ScaleDownBase(clientset *kubernetes.Clientset, client *rest.RESTClient, rep
 	strategy.DeleteReplica(clientset, replica, namespace)
 
 }
+
+/**
+import (
+	log "github.com/Sirupsen/logrus"
+	crv1 "github.com/crunchydata/postgres-operator/apis/cr/v1"
+	msgs "github.com/crunchydata/postgres-operator/apiservermsgs"
+	"github.com/crunchydata/postgres-operator/kubeapi"
+	"k8s.io/api/core/v1"
+	"k8s.io/client-go/kubernetes"
+	//"k8s.io/client-go/rest"
+	"math/rand"
+	"strings"
+	"time"
+)
+
+*/
+// createDatabaseSecrets create pgroot, pgprimary, and pguser secrets
+func createDatabaseSecrets(clientset *kubernetes.Clientset, restclient *rest.RESTClient, cl *crv1.Pgcluster, namespace string) (string, string, string, error) {
+
+	//pgroot
+	username := "postgres"
+	suffix := crv1.RootSecretSuffix
+
+	var secretName string
+	var err error
+
+	secretName = cl.Spec.Name + suffix
+	pgPassword := util.GeneratePassword(10)
+	if cl.Spec.RootPassword != "" {
+		log.Debug("using user specified password for secret " + secretName)
+		pgPassword = cl.Spec.RootPassword
+	}
+
+	err = util.CreateSecret(clientset, cl.Spec.Name, secretName, username, pgPassword, namespace)
+	if err != nil {
+		log.Error("error creating secret" + err.Error())
+	}
+
+	cl.Spec.RootSecretName = secretName
+	err = util.Patch(restclient, "/spec/rootsecretname", secretName, crv1.PgclusterResourcePlural, cl.Spec.Name, namespace)
+	if err != nil {
+		log.Error("error patching cluster" + err.Error())
+	}
+
+	///primary
+	username = "primaryuser"
+	suffix = crv1.PrimarySecretSuffix
+
+	secretName = cl.Spec.Name + suffix
+	primaryPassword := util.GeneratePassword(10)
+	if cl.Spec.PrimaryPassword != "" {
+		log.Debug("using user specified password for secret " + secretName)
+		primaryPassword = cl.Spec.PrimaryPassword
+	}
+
+	err = util.CreateSecret(clientset, cl.Spec.Name, secretName, username, primaryPassword, namespace)
+	if err != nil {
+		log.Error("error creating secret2" + err.Error())
+	}
+
+	cl.Spec.PrimarySecretName = secretName
+	err = util.Patch(restclient, "/spec/primarysecretname", secretName, crv1.PgclusterResourcePlural, cl.Spec.Name, namespace)
+	if err != nil {
+		log.Error("error patching cluster " + err.Error())
+	}
+
+	///pguser
+	username = "testuser"
+	suffix = crv1.UserSecretSuffix
+
+	secretName = cl.Spec.Name + suffix
+	testPassword := util.GeneratePassword(10)
+	if cl.Spec.Password != "" {
+		log.Debug("using user specified password for secret " + secretName)
+		testPassword = cl.Spec.Password
+	}
+
+	err = util.CreateSecret(clientset, cl.Spec.Name, secretName, username, testPassword, namespace)
+	if err != nil {
+		log.Error("error creating secret " + err.Error())
+	}
+
+	cl.Spec.UserSecretName = secretName
+	err = util.Patch(restclient, "/spec/usersecretname", secretName, crv1.PgclusterResourcePlural, cl.Spec.Name, namespace)
+	if err != nil {
+		log.Error("error patching cluster " + err.Error())
+	}
+
+	return pgPassword, primaryPassword, testPassword, err
+}
diff --git a/util/failover.go b/util/failover.go
@@ -154,7 +154,7 @@ func GetRepStatus(restclient *rest.RESTClient, clientset *kubernetes.Clientset,
 
 	//get the postgres secret for this dep
 	var secretInfo []msgs.ShowUserSecret
-	secretInfo, err = GetSecrets(clientset, &cluster, namespace)
+	secretInfo, err = getSecrets(clientset, &cluster, namespace)
 	var pgSecret msgs.ShowUserSecret
 	var found bool
 	for _, si := range secretInfo {
@@ -260,3 +260,26 @@ func GetReplicationInfo(target string) (*ReplicationInfo, error) {
 
 	return &ReplicationInfo{recvLocation, replayLocation}, nil
 }
+
+func getSecrets(clientset *kubernetes.Clientset, cluster *crv1.Pgcluster, namespace string) ([]msgs.ShowUserSecret, error) {
+
+	output := make([]msgs.ShowUserSecret, 0)
+	selector := "pgpool!=true," + LABEL_PG_DATABASE + "=" + cluster.Spec.Name
+
+	secrets, err := kubeapi.GetSecrets(clientset, selector, namespace)
+	if err != nil {
+		return output, err
+	}
+
+	log.Debugf("got %d secrets for %s\n", len(secrets.Items), cluster.Spec.Name)
+	for _, s := range secrets.Items {
+		d := msgs.ShowUserSecret{}
+		d.Name = s.Name
+		d.Username = string(s.Data["username"][:])
+		d.Password = string(s.Data["password"][:])
+		output = append(output, d)
+
+	}
+
+	return output, err
+}
diff --git a/util/secrets.go b/util/secrets.go
@@ -17,12 +17,12 @@ package util
 
 import (
 	log "github.com/Sirupsen/logrus"
-	crv1 "github.com/crunchydata/postgres-operator/apis/cr/v1"
-	msgs "github.com/crunchydata/postgres-operator/apiservermsgs"
+	//crv1 "github.com/crunchydata/postgres-operator/apis/cr/v1"
+	//msgs "github.com/crunchydata/postgres-operator/apiservermsgs"
 	"github.com/crunchydata/postgres-operator/kubeapi"
 	"k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
+	//"k8s.io/client-go/rest"
 	"math/rand"
 	"strings"
 	"time"
@@ -36,81 +36,6 @@ const charset = "abcdefghijklmnopqrstuvwxyz" +
 var seededRand = rand.New(
 	rand.NewSource(time.Now().UnixNano()))
 
-// CreateDatabaseSecrets create pgroot, pgprimary, and pguser secrets
-func CreateDatabaseSecrets(clientset *kubernetes.Clientset, restclient *rest.RESTClient, cl *crv1.Pgcluster, namespace string) (string, string, string, error) {
-
-	//pgroot
-	username := "postgres"
-	suffix := crv1.RootSecretSuffix
-
-	var secretName string
-	var err error
-
-	secretName = cl.Spec.Name + suffix
-	pgPassword := GeneratePassword(10)
-	if cl.Spec.RootPassword != "" {
-		log.Debug("using user specified password for secret " + secretName)
-		pgPassword = cl.Spec.RootPassword
-	}
-
-	err = CreateSecret(clientset, cl.Spec.Name, secretName, username, pgPassword, namespace)
-	if err != nil {
-		log.Error("error creating secret" + err.Error())
-	}
-
-	cl.Spec.RootSecretName = secretName
-	err = Patch(restclient, "/spec/rootsecretname", secretName, crv1.PgclusterResourcePlural, cl.Spec.Name, namespace)
-	if err != nil {
-		log.Error("error patching cluster" + err.Error())
-	}
-
-	///primary
-	username = "primaryuser"
-	suffix = crv1.PrimarySecretSuffix
-
-	secretName = cl.Spec.Name + suffix
-	primaryPassword := GeneratePassword(10)
-	if cl.Spec.PrimaryPassword != "" {
-		log.Debug("using user specified password for secret " + secretName)
-		primaryPassword = cl.Spec.PrimaryPassword
-	}
-
-	err = CreateSecret(clientset, cl.Spec.Name, secretName, username, primaryPassword, namespace)
-	if err != nil {
-		log.Error("error creating secret2" + err.Error())
-	}
-
-	cl.Spec.PrimarySecretName = secretName
-	err = Patch(restclient, "/spec/primarysecretname", secretName, crv1.PgclusterResourcePlural, cl.Spec.Name, namespace)
-	if err != nil {
-		log.Error("error patching cluster " + err.Error())
-	}
-
-	///pguser
-	username = "testuser"
-	suffix = crv1.UserSecretSuffix
-
-	secretName = cl.Spec.Name + suffix
-	testPassword := GeneratePassword(10)
-	if cl.Spec.Password != "" {
-		log.Debug("using user specified password for secret " + secretName)
-		testPassword = cl.Spec.Password
-	}
-
-	err = CreateSecret(clientset, cl.Spec.Name, secretName, username, testPassword, namespace)
-	if err != nil {
-		log.Error("error creating secret " + err.Error())
-	}
-
-	cl.Spec.UserSecretName = secretName
-	err = Patch(restclient, "/spec/usersecretname", secretName, crv1.PgclusterResourcePlural, cl.Spec.Name, namespace)
-	if err != nil {
-		log.Error("error patching cluster " + err.Error())
-	}
-
-	return pgPassword, primaryPassword, testPassword, err
-}
-
 // CreateSecret create the secret, user, and primary secrets
 func CreateSecret(clientset *kubernetes.Clientset, db, secretName, username, password, namespace string) error {
 
@@ -150,20 +75,6 @@ func GenerateRandString(length int) string {
 	return stringWithCharset(length, lowercharset)
 }
 
-// DeleteDatabaseSecrets delete secrets that match pg-database=somecluster
-func DeleteDatabaseSecrets(clientset *kubernetes.Clientset, db, namespace string) {
-	//get all that match pg-database=db
-	selector := "pg-database=" + db
-	secrets, err := kubeapi.GetSecrets(clientset, selector, namespace)
-	if err != nil {
-		return
-	}
-
-	for _, s := range secrets.Items {
-		kubeapi.DeleteSecret(clientset, s.ObjectMeta.Name, namespace)
-	}
-}
-
 // GetPasswordFromSecret will fetch the username, password from a user secret
 func GetPasswordFromSecret(clientset *kubernetes.Clientset, namespace string, secretName string) (string, string, error) {
 
@@ -251,15 +162,7 @@ func UpdateUserSecret(clientset *kubernetes.Clientset, clustername, username, pa
 	return err
 }
 
-// DeleteUserSecret will delete a user secret
-func DeleteUserSecret(clientset *kubernetes.Clientset, clustername, username, namespace string) error {
-	//delete current secret
-	secretName := clustername + "-" + username + "-secret"
-
-	err := kubeapi.DeleteSecret(clientset, secretName, namespace)
-	return err
-}
-
+/**
 func GetSecrets(clientset *kubernetes.Clientset, cluster *crv1.Pgcluster, namespace string) ([]msgs.ShowUserSecret, error) {
 
 	output := make([]msgs.ShowUserSecret, 0)
@@ -282,3 +185,4 @@ func GetSecrets(clientset *kubernetes.Clientset, cluster *crv1.Pgcluster, namesp
 
 	return output, err
 }
+*/
