feat: add support of granting membership on roles

Author: cryptobioz

PROJECT

@@ -16,4 +16,12 @@ resources:
   kind: PostgresDatabase
   path: github.com/hoppscale/managed-postgres-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: managed-postgres-operator.hoppscale.com
+  kind: PostgresRole
+  path: github.com/hoppscale/managed-postgres-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"

README.md

@@ -37,4 +37,6 @@ spec:
   replication: false # Is the role used for replication?
   bypassRLS: false # Should the role bypass the defined row-level security (RLS) policies?
   passwordSecretName: "my-secret" # Name of the secret from where the role's password should be retrieved under the key `password`
+  memberOfRoles: # List of roles the role should be member of
+    - anotherRole
 ```

api/v1alpha1/postgresrole_types.go

@@ -36,6 +36,8 @@ type PostgresRoleSpec struct {
 	BypassRLS   bool `json:"bypassRLS,omitempty"`
 
 	PasswordSecretName string `json:"passwordSecretName,omitempty"`
+
+	MemberOfRoles []string `json:"memberOfRoles,omitempty"`
 }
 
 // PostgresRoleStatus defines the observed state of PostgresRole.

api/v1alpha1/zz_generated.deepcopy.go

@@ -49,6 +49,10 @@ spec:
                 type: boolean
               login:
                 type: boolean
+              memberOfRoles:
+                items:
+                  type: string
+                type: array
               name:
                 description: PostgreSQL role name
                 type: string

config/crd/bases/managed-postgres-operator.hoppscale.com_postgresroles.yaml

@@ -3,6 +3,7 @@
 # It should be run by config/default
 resources:
 - bases/managed-postgres-operator.hoppscale.com_postgresdatabases.yaml
+- bases/managed-postgres-operator.hoppscale.com_postgresroles.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:

config/crd/kustomization.yaml

@@ -5,7 +5,6 @@ resources:
 # runtime. Be sure to update RoleBinding and ClusterRoleBinding
 # subjects if changing service account names.
 - service_account.yaml
-- role.yaml
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml

config/rbac/kustomization.yaml

@@ -13,6 +13,7 @@ require (
 	github.com/onsi/gomega v1.37.0
 	github.com/pashagolub/pgxmock/v4 v4.7.0
 	go.uber.org/zap v1.27.0
+	k8s.io/api v0.32.4
 	k8s.io/apimachinery v0.32.4
 	k8s.io/client-go v0.32.4
 	sigs.k8s.io/controller-runtime v0.20.4
@@ -96,7 +97,6 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.32.4 // indirect
 	k8s.io/apiextensions-apiserver v0.32.4 // indirect
 	k8s.io/apiserver v0.32.4 // indirect
 	k8s.io/component-base v0.32.4 // indirect

config/rbac/role.yaml

@@ -52,8 +52,6 @@ github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/cel-go v0.22.1 h1:AfVXx3chM2qwoSbM7Da8g8hX8OVSkBFwX+rz2+PcK40=
 github.com/google/cel-go v0.22.1/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8=
-github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY=
-github.com/google/cel-go v0.25.0/go.mod h1:hjEb6r5SuOSlhCHmFoLzu8HGCERvIsDAbxDAyNU/MmI=
 github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
 github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=