Merge pull request #137 from reddec/fix/keep-secret-name

allow keeping secret name as defined in user spec

Author: hitman99

README.md

@@ -71,9 +71,17 @@ These environment variables are embedded in [deploy/operator.yaml](deploy/operat
 * `WATCH_NAMESPACE` - which namespace to watch. Defaults to empty string for all namespaces
 * `OPERATOR_NAME` - name of the operator, defaults to `ext-postgres-operator` 
 * `POSTGRES_INSTANCE` - identity of operator, this matched with `postgres.db.movetokube.com/instance` in CRs. Default is empty
+* `KEEP_SECRET_NAME` - use secret name as provided by user (disabled by default)
 
 `POSTGRES_INSTANCE` is only available since version 1.2.0
 
+> While using `KEEP_SECRET_NAME` could be a convenient way to define secrets with predictable and explicit names, 
+> the default logic reduces risk of operator from entering the endless reconcile loop as secret is very unlikely to exist. 
+>
+> The administrator should ensure that the `SecretName` does not collide with other secrets in the same namespace. 
+> If the secret already exists, the operator will never stop reconciling the CR until either offending secret is deleted 
+> or CR is deleted or updated with another SecretName
+
 ## Installation
 
 This operator requires a Kubernetes Secret to be created in the same namespace as operator itself.
@@ -167,7 +175,7 @@ spec:
     foo: "bar"
 ```
 
-This creates a user role `username-<hash>` and grants role `test-db-group`, `test-db-writer` or `test-db-reader` depending on `privileges` property. Its credentials are put in secret `my-secret-my-db-user`.
+This creates a user role `username-<hash>` and grants role `test-db-group`, `test-db-writer` or `test-db-reader` depending on `privileges` property. Its credentials are put in secret `my-secret-my-db-user` (unless `KEEP_SECRET_NAME` is enabled).
 
 `PostgresUser` needs to reference a `Postgres` in the same namespace.
 

deploy/operator.yaml

@@ -25,6 +25,8 @@ spec:
           env:
             - name: WATCH_NAMESPACE
               value: ""
+            - name: KEEP_SECRET_NAME
+              value: "false"
             - name: POD_NAME
               valueFrom:
                 fieldRef:

pkg/config/config.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"net/url"
+	"strconv"
 	"sync"
 
 	"github.com/movetokube/postgres-operator/pkg/utils"
@@ -15,6 +16,7 @@ type cfg struct {
 	PostgresDefaultDb string
 	CloudProvider     string
 	AnnotationFilter  string
+	KeepSecretName    bool
 }
 
 var doOnce sync.Once
@@ -30,6 +32,9 @@ func Get() *cfg {
 		config.PostgresDefaultDb = utils.GetEnv("POSTGRES_DEFAULT_DATABASE")
 		config.CloudProvider = utils.GetEnv("POSTGRES_CLOUD_PROVIDER")
 		config.AnnotationFilter = utils.GetEnv("POSTGRES_INSTANCE")
+		if value, err := strconv.ParseBool(utils.GetEnv("KEEP_SECRET_NAME")); err == nil {
+			config.KeepSecretName = value
+		}
 	})
 	return config
 }

pkg/controller/postgresuser/postgresuser_controller.go

@@ -54,6 +54,7 @@ func newReconciler(mgr manager.Manager) reconcile.Reconciler {
 		pg:             pg,
 		pgHost:         c.PostgresHost,
 		instanceFilter: c.AnnotationFilter,
+		keepSecretName: c.KeepSecretName,
 	}
 }
 
@@ -98,6 +99,7 @@ type ReconcilePostgresUser struct {
 	pg             postgres.PG
 	pgHost         string
 	instanceFilter string
+	keepSecretName bool // use secret name as defined in PostgresUserSpec
 }
 
 // The Controller will requeue the Request to be processed again if the returned error is non-nil or
@@ -276,10 +278,14 @@ func (r *ReconcilePostgresUser) newSecretForCR(cr *dbv1alpha1.PostgresUser, role
 		"app": cr.Name,
 	}
 	annotations := cr.Spec.Annotations
+	name := fmt.Sprintf("%s-%s", cr.Spec.SecretName, cr.Name)
+	if r.keepSecretName {
+		name = cr.Spec.SecretName
+	}
 
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        fmt.Sprintf("%s-%s", cr.Spec.SecretName, cr.Name),
+			Name:        name,
 			Namespace:   cr.Namespace,
 			Labels:      labels,
 			Annotations: annotations,