Merged
12 changes: 6 additions & 6 deletions docs/cluster-connection.md
Expand Up @@ -12,15 +12,15 @@ Other Custom Resources (like `Database`, `Role`, `Schema`, `Grant`, `DefaultPriv
| `host` | `string` | The hostname of the PostgreSQL instance. | Yes |
| `port` | `integer` | The port of the PostgreSQL instance (1-65535). | Yes |
| `database` | `string` | The database to connect to (usually `postgres` for admin operations). | Yes |
| `adminSecretRef` | `SecretRef` | Reference to the secret containing admin credentials. | Yes |
| `adminSecretRef` | `ResourceRef` | Reference to the Kubernetes Secret containing the admin credentials. | Yes |
| `parameters` | `map[string]string` | Additional connection parameters. | No |

### SecretRef
### ResourceRef (`adminSecretRef`)

| Field | Type | Description | Required |
|-------------|----------|---------------------------------------------------------------------|----------|
| `name` | `string` | Name of the secret. | Yes |
| `namespace` | `string` | Namespace of the secret. If not specified, uses the CR's namespace. | No |
| Field | Type | Description | Required |
|-------------|----------|----------------------------------------------------------------------------------------------------|----------|
| `namespace` | `string` | Namespace of the referenced Kubernetes `Secret`. If not specified, uses the owning CR's namespace. | No |
| `name` | `string` | Name of the referenced Kubernetes `Secret`. | Yes |

The referenced secret must be of type `kubernetes.io/basic-auth` and contain the keys `username` and `password`.
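
Review bot: The new `namespace` row under "ResourceRef (`adminSecretRef`)" documents that the admin Secret may sit outside the owning CR's namespace, but the lines shown do not say what, if anything, limits that. Because this reference resolves to admin credentials, the section should state whether cross-namespace references are always honoured or restricted, so cluster admins know what access the author of a `ClusterConnection` gains. The unchanged sentence below the table still says "referenced secret" while the new rows say "Kubernetes `Secret`"; align the two.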

26 changes: 13 additions & 13 deletions docs/database.md
Expand Up @@ -4,19 +4,19 @@ The `Database` Custom Resource Definition (CRD) is responsible for managing Post

## Spec

| Field | Type | Description | Required | Immutable |
|-----------------|--------------------|------------------------------------------------------------------------------------------------------|----------|-----------|
| `clusterRef` | `ClusterReference` | Reference to the `ClusterConnection` to use. | Yes | No |
| `name` | `string` | The name of the database to create. | Yes | Yes |
| `owner` | `string` | The owner of the database. | No | No |
| `reclaimPolicy` | `string` | The policy for reclaiming the database when the CR is deleted. Values: `Retain` (Default), `Delete`. | No | No |

### ClusterReference

| Field | Type | Description | Required |
|-------------|----------|----------------------------------------------------------------------------------|----------|
| `name` | `string` | Name of the `ClusterConnection`. | Yes |
| `namespace` | `string` | Namespace of the `ClusterConnection`. If not specified, uses the CR's namespace. | No |
| Field | Type | Description | Required | Immutable |
|-----------------|---------------|------------------------------------------------------------------------------------------------------|----------|-----------|
| `clusterRef` | `ResourceRef` | Reference to the `ClusterConnection` to use. | Yes | No |
| `name` | `string` | The name of the database to create. | Yes | Yes |
| `owner` | `string` | The owner of the database. | No | No |
| `reclaimPolicy` | `string` | The policy for reclaiming the database when the CR is deleted. Values: `Retain` (Default), `Delete`. | No | No |

### ResourceRef (`clusterRef`)

| Field | Type | Description | Required |
|-------------|----------|----------------------------------------------------------------------------------------------------|----------|
| `namespace` | `string` | Namespace of the referenced `ClusterConnection`. If not specified, uses the owning CR's namespace. | No |
| `name` | `string` | Name of the referenced `ClusterConnection`. | Yes |

### Reclaim Policy
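
Review bot: Renaming the heading "### ClusterReference" to "### ResourceRef (`clusterRef`)" changes the anchor that Markdown renderers generate for it, so any link to the old `#clusterreference` fragment from other pages would now miss. Search the docs for the old fragment and update it in this PR. Separately, the `clusterRef` row's Type cell could link to the renamed section, since `ResourceRef` on its own no longer tells the reader which kind is being referenced.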

28 changes: 14 additions & 14 deletions docs/default-privilege.md
Expand Up @@ -4,15 +4,15 @@ The `DefaultPrivilege` Custom Resource Definition (CRD) manages default privileg

## Spec

| Field | Type | Description | Required | Immutable |
|--------------|--------------------|---------------------------------------------------------------------------------------------------------|-------------|-----------|
| `clusterRef` | `ClusterReference` | Reference to the `ClusterConnection` to use. | Yes | No |
| `database` | `string` | The database where default privileges apply. | Yes | Yes |
| `role` | `string` | The role to which default privileges are granted. | Yes | Yes |
| `owner` | `string` | The role that owns the objects (the creator). Default privileges apply to objects created by this role. | Yes | Yes |
| `schema` | `string` | The schema where default privileges apply. Required, unless `objectType` is `schema`. | Conditional | Yes |
| `objectType` | `string` | The type of object. | Yes | Yes |
| `privileges` | `array[string]` | List of privileges to grant. | Yes | No |
| Field | Type | Description | Required | Immutable |
|--------------|-----------------|---------------------------------------------------------------------------------------------------------|-------------|-----------|
| `clusterRef` | `ResourceRef` | Reference to the `ClusterConnection` to use. | Yes | No |
| `database` | `string` | The database where default privileges apply. | Yes | Yes |
| `role` | `string` | The role to which default privileges are granted. | Yes | Yes |
| `owner` | `string` | The role that owns the objects (the creator). Default privileges apply to objects created by this role. | Yes | Yes |
| `schema` | `string` | The schema where default privileges apply. Required, unless `objectType` is `schema`. | Conditional | Yes |
| `objectType` | `string` | The type of object. | Yes | Yes |
| `privileges` | `array[string]` | List of privileges to grant. | Yes | No |

### Object Types

Expand All @@ -39,12 +39,12 @@ Supported privileges depend on the `objectType`:
- `update`
- `usage`

### ClusterReference
### ResourceRef (`clusterRef`)

| Field | Type | Description | Required |
|-------------|----------|----------------------------------------------------------------------------------|----------|
| `name` | `string` | Name of the `ClusterConnection`. | Yes |
| `namespace` | `string` | Namespace of the `ClusterConnection`. If not specified, uses the CR's namespace. | No |
| Field | Type | Description | Required |
|-------------|----------|----------------------------------------------------------------------------------------------------|----------|
| `namespace` | `string` | Namespace of the referenced `ClusterConnection`. If not specified, uses the owning CR's namespace. | No |
| `name` | `string` | Name of the referenced `ClusterConnection`. | Yes |

## Example
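
Review bot: The two-row `ResourceRef` table at the end of this hunk is a copy of the one added to `docs/database.md` and `docs/grant.md`, and `docs/role.md` already words the same rows differently ("referenced resource" against "referenced `ClusterConnection`"). Consider documenting `ResourceRef` once and linking to it from each CRD page, stating only the expected kind per field, so the namespace-defaulting rule cannot drift between pages.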

28 changes: 14 additions & 14 deletions docs/grant.md
Expand Up @@ -4,15 +4,15 @@ The `Grant` Custom Resource Definition (CRD) is responsible for managing privile

## Spec

| Field | Type | Description | Required | Immutable |
|--------------|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------|
| `clusterRef` | `ClusterReference` | Reference to the `ClusterConnection` to use. | Yes | No |
| `database` | `string` | The database containing the objects. | Yes | Yes |
| `role` | `string` | The role to which privileges are granted. | Yes | Yes |
| `schema` | `string` | The schema containing the objects. Required, unless `objectType` is `database`. | Conditional | Yes |
| `objectType` | `string` | The type of object. | Yes | Yes |
| `objects` | `array[string]` | List of object names. If empty, all objects of this `objectType` will be granted. Required, unless `objectType` is `database` or `schema`. | Conditional | No |
| `privileges` | `array[string]` | List of privileges to grant. | Yes | No |
| Field | Type | Description | Required | Immutable |
|--------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----------|
| `clusterRef` | `ResourceRef` | Reference to the `ClusterConnection` to use. | Yes | No |
| `database` | `string` | The database containing the objects. | Yes | Yes |
| `role` | `string` | The role to which privileges are granted. | Yes | Yes |
| `schema` | `string` | The schema containing the objects. Required, unless `objectType` is `database`. | Conditional | Yes |
| `objectType` | `string` | The type of object. | Yes | Yes |
| `objects` | `array[string]` | List of object names. If empty, all objects of this `objectType` will be granted. Required, unless `objectType` is `database` or `schema`. | Conditional | No |
| `privileges` | `array[string]` | List of privileges to grant. | Yes | No |

### Object Types

Expand Down Expand Up @@ -40,12 +40,12 @@ Supported privileges depend on the `objectType`:
- `update`
- `usage`

### ClusterReference
### ResourceRef (`clusterRef`)

| Field | Type | Description | Required |
|-------------|----------|----------------------------------------------------------------------------------|----------|
| `name` | `string` | Name of the `ClusterConnection`. | Yes |
| `namespace` | `string` | Namespace of the `ClusterConnection`. If not specified, uses the CR's namespace. | No |
| Field | Type | Description | Required |
|-------------|----------|----------------------------------------------------------------------------------------------------|----------|
| `namespace` | `string` | Namespace of the referenced `ClusterConnection`. If not specified, uses the owning CR's namespace. | No |
| `name` | `string` | Name of the referenced `ClusterConnection`. | Yes |

## Example
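
Review bot: The new "ResourceRef (`clusterRef`)" table lists the optional `namespace` row before the required `name` row, the reverse of the removed `ClusterReference` table. If the order is meant to mirror the type definition, say so in the PR description; otherwise restore `name` first, which matches how the Spec table above leads with its required field and is easier to scan.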

39 changes: 16 additions & 23 deletions docs/role.md
Expand Up @@ -4,20 +4,24 @@ The `Role` Custom Resource Definition (CRD) manages PostgreSQL roles (users).

## Spec

| Field | Type | Description | Required | Immutable |
|---------------------|--------------------|-------------------------------------------------------------------------------------|----------|-----------|
| `clusterRef` | `ClusterReference` | Reference to the `ClusterConnection` to use. | Yes | No |
| `name` | `string` | The name of the role to create in the database. | Yes | Yes |
| `comment` | `string` | A comment to add to the role. | No | No |
| `passwordSecretRef` | `SecretRef` | Reference to a secret containing the password for the role to make it a LOGIN role. | No | No |
| `flags` | `RoleFlags` | Flags and attributes for the role. | No | No |
| Field | Type | Description | Required | Immutable |
|---------------------|---------------|-------------------------------------------------------------------------------------|----------|-----------|
| `clusterRef` | `ResourceRef` | Reference to the `ClusterConnection` to use. | Yes | No |
| `name` | `string` | The name of the role to create in the database. | Yes | Yes |
| `comment` | `string` | A comment to add to the role. | No | No |
| `passwordSecretRef` | `ResourceRef` | Reference to a secret containing the password for the role to make it a LOGIN role. | No | No |
| `flags` | `RoleFlags` | Flags and attributes for the role. | No | No |

### ClusterReference
### ResourceRef (`clusterRef` and `passwordSecretRef`)

| Field | Type | Description | Required |
|-------------|----------|----------------------------------------------------------------------------------|----------|
| `name` | `string` | Name of the `ClusterConnection`. | Yes |
| `namespace` | `string` | Namespace of the `ClusterConnection`. If not specified, uses the CR's namespace. | No |
| Field | Type | Description | Required |
|-------------|----------|-----------------------------------------------------------------------------------------|----------|
| `namespace` | `string` | Namespace of the referenced resource. If not specified, uses the owning CR's namespace. | No |
| `name` | `string` | Name of the referenced Kubernetes resource. | Yes |

**Note**:
When used as `passwordSecretRef`, the referenced Kubernetes Secret must be of type `kubernetes.io/basic-auth`.
The `username` key in the Secret is not strictly required, as the role name is specified by the `name` field in the CRD. Only the `password` key is used.

### RoleFlags
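
Review bot: The merged table under "### ResourceRef (`clusterRef` and `passwordSecretRef`)" describes `name` only as "Name of the referenced Kubernetes resource", so the section itself no longer says which kind each field must point at; that is recoverable only from the Spec table descriptions. The note covers `passwordSecretRef`; add a matching sentence that `clusterRef` must name a `ClusterConnection`. In the Spec table, the `passwordSecretRef` description still reads "a secret" where the note says "Kubernetes Secret".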

Expand All @@ -34,17 +38,6 @@ The `Role` Custom Resource Definition (CRD) manages PostgreSQL roles (users).
| `superuser` | `boolean` | `false` | Superuser status. |
| `validUntil` | `string` | `null` | Date and time until the password is valid (ISO 8601). |

### SecretRef

| Field | Type | Description | Required |
|-------------|----------|---------------------------------------------------------------------|----------|
| `name` | `string` | Name of the secret. | Yes |
| `namespace` | `string` | Namespace of the secret. If not specified, uses the CR's namespace. | No |

The referenced secret must be of type `kubernetes.io/basic-auth`.

**Note**: The `username` key in the secret is not strictly required, as the role name is specified by the `name` field in the CRD. Only the `password` key is used.

### Login vs No-Login Roles

The operator uses the presence of the `passwordSecretRef` field to determine if the role should have the `LOGIN` privilege (User) or not (Group).