Merge branch 'master' into turtle/ELT-16035

Author: Matthias Fuhrmeister

.github/workflows/release.yml

@@ -4,28 +4,48 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+  packages: write
 jobs:
   build:
-
     runs-on: ubuntu-latest
-
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
+
       - name: Generate Docker Tag
         run: |
           echo ${{ github.ref }} | cut -d '/' -f 3 > DOCKER_TAG
-      - name: Build and push container image
-        run: |
-          docker build --file build/Dockerfile.dist --tag ghcr.io/movetokube/postgres-operator:$(cat DOCKER_TAG) --tag movetokube/postgres-operator:$(cat DOCKER_TAG) .
-          docker tag ghcr.io/movetokube/postgres-operator:$(cat DOCKER_TAG) ghcr.io/movetokube/postgres-operator:latest
-          docker tag movetokube/postgres-operator:$(cat DOCKER_TAG) movetokube/postgres-operator:latest
-         
-          docker login ghcr.io --username USERNAME --password ${{ secrets.GITHUB_TOKEN }}
-          docker push ghcr.io/movetokube/postgres-operator:$(cat DOCKER_TAG)
-          docker push ghcr.io/movetokube/postgres-operator:latest
-          
-          docker login --username ${{ secrets.DOCKER_USER }} --password ${{ secrets.DOCKER_TOKEN }}
-          docker push movetokube/postgres-operator:$(cat DOCKER_TAG)
-          docker push movetokube/postgres-operator:latest
+          echo "DOCKER_TAG=$(cat DOCKER_TAG)" >> $GITHUB_ENV
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_TOKEN }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./build/Dockerfile.dist
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/movetokube/postgres-operator:latest
+            ghcr.io/movetokube/postgres-operator:${{ env.DOCKER_TAG }}
+            movetokube/postgres-operator:${{ env.DOCKER_TAG }}
+            movetokube/postgres-operator:latest

README.md

@@ -1,26 +1,5 @@
 # External PostgreSQL server operator for Kubernetes
 
----------------------------------------------------------
-### IMPORTANT UPDATE 
-
-### Restoring pushes to DockerHub repository `movetokube/postgres-operator`
-
-Some history about this:
-
-About 10 days after announcing the decition to sunset free organisations in dockerhub and receiving heavily negative community feedback
-Docker revoked their decision, did a 180-degree turn and did not sunset free legacy organisations.
-
-Thus, new images of this operator will be pushed to both `movetokube/postgres-operator` and `ghcr.io/movetokube/postgres-operator` for your convenience.
-
-Starting with ext-postgres-operator Helm chart version **1.2.3** images will be pulled from ghcr by default, you can change this if you like.
-
-Here's how to install it (please install with care according to your configuration):
-```shell
-helm repo add ext-postgres-operator https://movetokube.github.io/postgres-operator/
-helm upgrade --install -n operators ext-postgres-operator  ext-postgres-operator/ext-postgres-operator --version 1.2.3
-```
-
-----------------------------------------------------------
 ## Sponsors
 
 Please consider sponsoring my work
@@ -39,6 +18,7 @@ None
 * Creates Kubernetes secret with postgres_uri in the same namespace as CR
 * Support for AWS RDS and Azure Database for PostgresSQL
 * Support for managing CRs in dynamically created namespaces
+* Template secret values
 
 ## Cloud specific configuration
 
@@ -71,9 +51,17 @@ These environment variables are embedded in [deploy/operator.yaml](deploy/operat
 * `WATCH_NAMESPACE` - which namespace to watch. Defaults to empty string for all namespaces
 * `OPERATOR_NAME` - name of the operator, defaults to `ext-postgres-operator` 
 * `POSTGRES_INSTANCE` - identity of operator, this matched with `postgres.db.movetokube.com/instance` in CRs. Default is empty
+* `KEEP_SECRET_NAME` - use secret name as provided by user (disabled by default)
 
 `POSTGRES_INSTANCE` is only available since version 1.2.0
 
+> While using `KEEP_SECRET_NAME` could be a convenient way to define secrets with predictable and explicit names, 
+> the default logic reduces risk of operator from entering the endless reconcile loop as secret is very unlikely to exist. 
+>
+> The administrator should ensure that the `SecretName` does not collide with other secrets in the same namespace. 
+> If the secret already exists, the operator will never stop reconciling the CR until either offending secret is deleted 
+> or CR is deleted or updated with another SecretName
+
 ## Installation
 
 This operator requires a Kubernetes Secret to be created in the same namespace as operator itself.
@@ -165,9 +153,11 @@ spec:
   privileges: OWNER     # Can be OWNER/READ/WRITE
   annotations:          # Annotations to be propagated to the secrets metadata section (optional)
     foo: "bar"
+  secretTemplate:       # Output secrets can be customized using standard Go templates
+    PQ_URL: "host={{.Host}} user={{.Role}} password={{.Password}} dbname={{.Database}}"
 ```
 
-This creates a user role `username-<hash>` and grants role `test-db-group`, `test-db-writer` or `test-db-reader` depending on `privileges` property. Its credentials are put in secret `my-secret-my-db-user`.
+This creates a user role `username-<hash>` and grants role `test-db-group`, `test-db-writer` or `test-db-reader` depending on `privileges` property. Its credentials are put in secret `my-secret-my-db-user` (unless `KEEP_SECRET_NAME` is enabled).
 
 `PostgresUser` needs to reference a `Postgres` in the same namespace.
 
@@ -195,6 +185,21 @@ With the help of annotations it is possible to create annotation-based copies of
 
 For more information and an example, see [kubernetes-replicator#pull-based-replication](https://github.com/mittwald/kubernetes-replicator#pull-based-replication)
 
+#### Template Use Case
+
+Users can specify the structure and content of secrets based on their unique requirements using standard 
+[Go templates](https://pkg.go.dev/text/template#hdr-Actions). This flexibility allows for a more tailored approach to
+meeting the specific needs of different applications.
+
+Available context:
+
+| Variable    | Meaning                  |
+|-------------|--------------------------|
+| `.Host`     | Database host            |
+| `.Role`     | Generated user/role name |
+| `.Database` | Referenced database name |
+| `.Password` | Generated role password  |
+
 ### Contribution
 
 You can contribute to this project by opening a PR to merge to `master`, or one of the `vX.X.X` branches.

build/Dockerfile.dist

@@ -1,12 +1,24 @@
-FROM golang:1.18-stretch
+# syntax=docker/dockerfile:1
+FROM --platform=${BUILDPLATFORM} golang:1.18-stretch AS build
 
-COPY . /go/src/github.com/movetokube/postgres-operator
-WORKDIR /go/src/github.com/movetokube/postgres-operator/cmd/manager
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
 
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o /usr/local/bin/postgres-operator
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
 
+COPY . .
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -o /usr/local/bin/postgres-operator cmd/manager/main.go
+
+FROM --platform=${TARGETPLATFORM} registry.access.redhat.com/ubi8/ubi-minimal:latest
 
 ENV OPERATOR=/usr/local/bin/postgres-operator \
     USER_UID=1001 \
@@ -20,5 +32,4 @@ RUN  /usr/local/bin/user_setup
 
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
 
-USER ${USER_UID}
-
+USER ${USER_UID}

charts/ext-postgres-operator/Chart.yaml

@@ -11,10 +11,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.3
+version: 1.2.5
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.2.3"
+appVersion: "1.3.2"

charts/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml

@@ -31,6 +31,10 @@ spec:
           spec:
             description: PostgresUserSpec defines the desired state of PostgresUser
             properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                type: object
               database:
                 type: string
               privileges:
@@ -39,6 +43,10 @@ spec:
                 type: string
               secretName:
                 type: string
+              secretTemplate:
+                additionalProperties:
+                  type: string
+                type: object
             required:
             - database
             - role

charts/ext-postgres-operator/values.yaml

@@ -8,7 +8,7 @@ image:
   repository: ghcr.io/movetokube/postgres-operator
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
+  tag: ""
 
 # Override chart name, defaults to Chart.name
 nameOverride: ""

deploy/crds/db.movetokube.com_postgresusers_crd.yaml

@@ -31,6 +31,10 @@ spec:
           spec:
             description: PostgresUserSpec defines the desired state of PostgresUser
             properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                type: object
               database:
                 type: string
               privileges:
@@ -39,6 +43,10 @@ spec:
                 type: string
               secretName:
                 type: string
+              secretTemplate:
+                additionalProperties:
+                  type: string
+                type: object
             required:
             - database
             - role

deploy/operator.yaml

@@ -25,6 +25,8 @@ spec:
           env:
             - name: WATCH_NAMESPACE
               value: ""
+            - name: KEEP_SECRET_NAME
+              value: "false"
             - name: POD_NAME
               valueFrom:
                 fieldRef:

pkg/apis/db/v1alpha1/postgresuser_types.go

@@ -14,6 +14,8 @@ type PostgresUserSpec struct {
 	Database   string `json:"database"`
 	SecretName string `json:"secretName"`
 	// +optional
+	SecretTemplate map[string]string `json:"secretTemplate,omitempty"` // key-value, where key is secret field, value is go template
+	// +optional
 	Privileges string `json:"privileges"`
 	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`

pkg/apis/db/v1alpha1/zz_generated.deepcopy.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"net/url"
+	"strconv"
 	"sync"
 
 	"github.com/movetokube/postgres-operator/pkg/utils"
@@ -15,6 +16,7 @@ type cfg struct {
 	PostgresDefaultDb string
 	CloudProvider     string
 	AnnotationFilter  string
+	KeepSecretName    bool
 }
 
 var doOnce sync.Once
@@ -30,6 +32,9 @@ func Get() *cfg {
 		config.PostgresDefaultDb = utils.GetEnv("POSTGRES_DEFAULT_DATABASE")
 		config.CloudProvider = utils.GetEnv("POSTGRES_CLOUD_PROVIDER")
 		config.AnnotationFilter = utils.GetEnv("POSTGRES_INSTANCE")
+		if value, err := strconv.ParseBool(utils.GetEnv("KEEP_SECRET_NAME")); err == nil {
+			config.KeepSecretName = value
+		}
 	})
 	return config
 }