Merge pull request #1 from hoppscale/add-support-role

feat: add support of role

Author: cryptobioz

README.md

@@ -19,3 +19,22 @@ spec:
   keepDatabaseOnDelete: true # Should the database be kept if the Kubernetes resource is deleted?
   preserveConnectionsOnDelete: false # Should the operator wait until the open connections are closed before deleting the database?
 ```
+
+### PostgresRole
+
+```yaml
+apiVersion: managed-postgres-operator.hoppscale.com/v1alpha1
+kind: PostgresRole
+metadata:
+  name: myrole
+spec:
+  name: myrole # Role's name
+  superUser: false # Should the role be a superuser?
+  createDB: false # Should the role be able to create databases?
+  createRole: false # Should the role be able to create roles?
+  inherit: false # Should the role inherit the permissions of the role of which it is a member?
+  login: false # Should the role be able to log in?
+  replication: false # Is the role used for replication?
+  bypassRLS: false # Should the role bypass the defined row-level security (RLS) policies?
+  passwordSecretName: "my-secret" # Name of the secret from where the role's password should be retrieved under the key `password`
+```

api/v1alpha1/postgresrole_types.go

@@ -0,0 +1,69 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// PostgresRoleSpec defines the desired state of PostgresRole.
+type PostgresRoleSpec struct {
+	// PostgreSQL role name
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:message="name is immutable",rule="self == oldSelf"
+	Name string `json:"name,omitempty"`
+
+	SuperUser   bool `json:"superUser,omitempty"`
+	CreateDB    bool `json:"createDB,omitempty"`
+	CreateRole  bool `json:"createRole,omitempty"`
+	Inherit     bool `json:"inherit,omitempty"`
+	Login       bool `json:"login,omitempty"`
+	Replication bool `json:"replication,omitempty"`
+	BypassRLS   bool `json:"bypassRLS,omitempty"`
+
+	PasswordSecretName string `json:"passwordSecretName,omitempty"`
+}
+
+// PostgresRoleStatus defines the observed state of PostgresRole.
+type PostgresRoleStatus struct {
+	Succeeded bool `json:"succeeded"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// PostgresRole is the Schema for the postgresroles API.
+type PostgresRole struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PostgresRoleSpec   `json:"spec,omitempty"`
+	Status PostgresRoleStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PostgresRoleList contains a list of PostgresRole.
+type PostgresRoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PostgresRole `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&PostgresRole{}, &PostgresRoleList{})
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -106,6 +106,8 @@ func main() {
 		},
 	}
 
+	cacheRolePasswords := make(map[string]string)
+
 	// Create watchers for metrics and webhooks certificates
 	var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher
 
@@ -213,6 +215,15 @@ func main() {
 
 		os.Exit(1)
 	}
+	if err = (&controller.PostgresRoleReconciler{
+		Client:             mgr.GetClient(),
+		Scheme:             mgr.GetScheme(),
+		PGPools:            pgpools,
+		CacheRolePasswords: cacheRolePasswords,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "PostgresRole")
+		os.Exit(1)
+	}
 	// +kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {

cmd/main.go

@@ -0,0 +1,79 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.2
+  name: postgresroles.managed-postgres-operator.hoppscale.com
+spec:
+  group: managed-postgres-operator.hoppscale.com
+  names:
+    kind: PostgresRole
+    listKind: PostgresRoleList
+    plural: postgresroles
+    singular: postgresrole
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PostgresRole is the Schema for the postgresroles API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PostgresRoleSpec defines the desired state of PostgresRole.
+            properties:
+              bypassRLS:
+                type: boolean
+              createDB:
+                type: boolean
+              createRole:
+                type: boolean
+              inherit:
+                type: boolean
+              login:
+                type: boolean
+              name:
+                description: PostgreSQL role name
+                type: string
+                x-kubernetes-validations:
+                - message: name is immutable
+                  rule: self == oldSelf
+              passwordSecretName:
+                type: string
+              replication:
+                type: boolean
+              superUser:
+                type: boolean
+            required:
+            - name
+            type: object
+          status:
+            description: PostgresRoleStatus defines the observed state of PostgresRole.
+            properties:
+              succeeded:
+                type: boolean
+            required:
+            - succeeded
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/bases/managed-postgres-operator.hoppscale.com_postgresroles.yaml

@@ -0,0 +1,9 @@
+apiVersion: managed-postgres-operator.hoppscale.com/v1alpha1
+kind: PostgresRole
+metadata:
+  labels:
+    app.kubernetes.io/name: managed-postgres-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: postgresrole-sample
+spec:
+  # TODO(user): Add fields here