feat: add support of granting membership on roles

PROJECT

@@ -16,4 +16,12 @@ resources:
   kind: PostgresDatabase
   path: github.com/hoppscale/managed-postgres-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: managed-postgres-operator.hoppscale.com
+  kind: PostgresRole
+  path: github.com/hoppscale/managed-postgres-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"

README.md

@@ -37,4 +37,6 @@ spec:
   replication: false # Is the role used for replication?
   bypassRLS: false # Should the role bypass the defined row-level security (RLS) policies?
   passwordSecretName: "my-secret" # Name of the secret from where the role's password should be retrieved under the key `password`
+  memberOfRoles: # List of roles the role should be member of
+    - anotherRole
 ```

api/v1alpha1/postgresrole_types.go

@@ -36,6 +36,8 @@ type PostgresRoleSpec struct {
 	BypassRLS   bool `json:"bypassRLS,omitempty"`
 
 	PasswordSecretName string `json:"passwordSecretName,omitempty"`
+
+	MemberOfRoles []string `json:"memberOfRoles,omitempty"`
 }
 
 // PostgresRoleStatus defines the observed state of PostgresRole.

config/crd/bases/managed-postgres-operator.hoppscale.com_postgresroles.yaml

@@ -49,6 +49,10 @@ spec:
                 type: boolean
               login:
                 type: boolean
+              memberOfRoles:
+                items:
+                  type: string
+                type: array
               name:
                 description: PostgreSQL role name
                 type: string

config/crd/kustomization.yaml

@@ -3,6 +3,7 @@
 # It should be run by config/default
 resources:
 - bases/managed-postgres-operator.hoppscale.com_postgresdatabases.yaml
+- bases/managed-postgres-operator.hoppscale.com_postgresroles.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:

config/rbac/kustomization.yaml

@@ -5,7 +5,6 @@ resources:
 # runtime. Be sure to update RoleBinding and ClusterRoleBinding
 # subjects if changing service account names.
 - service_account.yaml
-- role.yaml
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml

go.mod

@@ -13,6 +13,7 @@ require (
 	github.com/onsi/gomega v1.37.0
 	github.com/pashagolub/pgxmock/v4 v4.7.0
 	go.uber.org/zap v1.27.0
+	k8s.io/api v0.32.4
 	k8s.io/apimachinery v0.32.4
 	k8s.io/client-go v0.32.4
 	sigs.k8s.io/controller-runtime v0.20.4
@@ -96,7 +97,6 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.32.4 // indirect
 	k8s.io/apiextensions-apiserver v0.32.4 // indirect
 	k8s.io/apiserver v0.32.4 // indirect
 	k8s.io/component-base v0.32.4 // indirect

go.sum

@@ -52,8 +52,6 @@ github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
 github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/cel-go v0.22.1 h1:AfVXx3chM2qwoSbM7Da8g8hX8OVSkBFwX+rz2+PcK40=
 github.com/google/cel-go v0.22.1/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8=
-github.com/google/cel-go v0.25.0 h1:jsFw9Fhn+3y2kBbltZR4VEz5xKkcIFRPDnuEzAGv5GY=
-github.com/google/cel-go v0.25.0/go.mod h1:hjEb6r5SuOSlhCHmFoLzu8HGCERvIsDAbxDAyNU/MmI=
 github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
 github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=

internal/controller/postgresrole_controller.go

@@ -144,6 +144,11 @@ func (r *PostgresRoleReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return ctrlFailResult, err
 	}
 
+	err = r.reconcileRoleMembership(desiredRole.Name, resource.Spec.MemberOfRoles)
+	if err != nil {
+		return ctrlFailResult, err
+	}
+
 	if !resource.Status.Succeeded {
 		resource.Status.Succeeded = true
 		if err = r.Client.Status().Update(context.Background(), resource); err != nil {
@@ -225,3 +230,54 @@ func (r *PostgresRoleReconciler) reconcileOnCreation(existingRole, desiredRole *
 
 	return err
 }
+
+func (r *PostgresRoleReconciler) reconcileRoleMembership(role string, desiredMembership []string) (err error) {
+	// Listing current membership
+	existingRoleMembership, err := postgresql.GetRoleMembership(r.PGPools.Default, role)
+	if err != nil {
+		r.logging.Error(err, "failed to retrieve role's membership")
+		return err
+	}
+
+	// Revoking membership
+	for _, existingGroupRole := range existingRoleMembership {
+		found := false
+		for _, desiredGroupRole := range desiredMembership {
+			if desiredGroupRole == existingGroupRole {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			err = postgresql.RevokeRoleMembership(r.PGPools.Default, existingGroupRole, role)
+			if err != nil {
+				r.logging.Error(err, "failed to revoke role membership")
+				return err
+			}
+			r.logging.Info(fmt.Sprintf("Role \"%s\" has been revoked from the group \"%s\"", role, existingGroupRole))
+		}
+	}
+
+	// Granting membership
+	for _, desiredGroupRole := range desiredMembership {
+		found := false
+		for _, existingGroupRole := range existingRoleMembership {
+			if desiredGroupRole == existingGroupRole {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			err = postgresql.GrantRoleMembership(r.PGPools.Default, desiredGroupRole, role)
+			if err != nil {
+				r.logging.Error(err, "failed to grant role membership")
+				return err
+			}
+			r.logging.Info(fmt.Sprintf("Role \"%s\" has been granted to the group \"%s\"", role, desiredGroupRole))
+		}
+	}
+
+	return err
+}

internal/controller/postgresrole_controller_test.go

@@ -155,6 +155,14 @@ var _ = Describe("PostgresRole Controller", func() {
 					)
 				pgpoolsMock["default"].ExpectExec(fmt.Sprintf("^%s$", regexp.QuoteMeta(`CREATE ROLE "foo" WITH NOSUPERUSER NOINHERIT CREATEROLE CREATEDB NOLOGIN NOREPLICATION NOBYPASSRLS`))).
 					WillReturnResult(pgxmock.NewResult("foo", 1))
+				pgpoolsMock["default"].ExpectQuery(fmt.Sprintf("^%s$", regexp.QuoteMeta(postgresql.GetRoleMembershipStatement))).
+					WithArgs("foo").
+					WillReturnRows(
+						pgxmock.NewRows([]string{
+							"group_role",
+						}),
+					)
+
 				_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
 					NamespacedName: typeNamespacedName,
 				})
@@ -219,6 +227,14 @@ var _ = Describe("PostgresRole Controller", func() {
 					)
 				pgpoolsMock["default"].ExpectExec(fmt.Sprintf("^%s$", regexp.QuoteMeta(`CREATE ROLE "foo" WITH NOSUPERUSER NOINHERIT CREATEROLE CREATEDB NOLOGIN NOREPLICATION NOBYPASSRLS`))).
 					WillReturnResult(pgxmock.NewResult("foo", 1))
+				pgpoolsMock["default"].ExpectQuery(fmt.Sprintf("^%s$", regexp.QuoteMeta(postgresql.GetRoleMembershipStatement))).
+					WithArgs("foo").
+					WillReturnRows(
+						pgxmock.NewRows([]string{
+							"group_role",
+						}),
+					)
+
 				_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
 					NamespacedName: typeNamespacedName,
 				})
@@ -263,6 +279,13 @@ var _ = Describe("PostgresRole Controller", func() {
 								false,
 							),
 					)
+				pgpoolsMock["default"].ExpectQuery(fmt.Sprintf("^%s$", regexp.QuoteMeta(postgresql.GetRoleMembershipStatement))).
+					WithArgs("foo").
+					WillReturnRows(
+						pgxmock.NewRows([]string{
+							"group_role",
+						}),
+					)
 
 				_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
 					NamespacedName: typeNamespacedName,
@@ -305,6 +328,13 @@ var _ = Describe("PostgresRole Controller", func() {
 					)
 				pgpoolsMock["default"].ExpectExec(fmt.Sprintf("^%s$", regexp.QuoteMeta(`CREATE ROLE "foo" WITH NOSUPERUSER NOINHERIT CREATEROLE CREATEDB NOLOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'password'`))).
 					WillReturnResult(pgxmock.NewResult("foo", 1))
+				pgpoolsMock["default"].ExpectQuery(fmt.Sprintf("^%s$", regexp.QuoteMeta(postgresql.GetRoleMembershipStatement))).
+					WithArgs("foo").
+					WillReturnRows(
+						pgxmock.NewRows([]string{
+							"group_role",
+						}),
+					)
 
 				_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
 					NamespacedName: typeNamespacedName,

internal/postgresql/role_membership.go

@@ -0,0 +1,49 @@
+package postgresql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/jackc/pgx/v5"
+)
+
+const GetRoleMembershipStatement = "SELECT roleid::regrole::text AS group_role FROM pg_auth_members WHERE member::regrole::text = $1"
+
+func GetRoleMembership(pgpool PGPoolInterface, role string) (membership []string, err error) {
+	rows, err := pgpool.Query(context.Background(), GetRoleMembershipStatement, role)
+	if err != nil {
+		err = fmt.Errorf("pg query failed: %s", err)
+		return
+	}
+	defer rows.Close()
+
+	membership, err = pgx.CollectRows(rows, pgx.RowTo[string])
+	if err != nil {
+		err = fmt.Errorf("failed to collect rows: %s", err)
+		return
+	}
+
+	return
+}
+
+func GrantRoleMembership(pgpool PGPoolInterface, groupRole, role string) (err error) {
+	sanitizedGroupRole := pgx.Identifier{groupRole}.Sanitize()
+	sanitizedRole := pgx.Identifier{role}.Sanitize()
+	_, err = pgpool.Exec(context.Background(), fmt.Sprintf("GRANT %s TO %s", sanitizedGroupRole, sanitizedRole))
+	if err != nil {
+		err = fmt.Errorf("pg exec failed: %s", err)
+		return
+	}
+	return
+}
+
+func RevokeRoleMembership(pgpool PGPoolInterface, groupRole, role string) (err error) {
+	sanitizedGroupRole := pgx.Identifier{groupRole}.Sanitize()
+	sanitizedRole := pgx.Identifier{role}.Sanitize()
+	_, err = pgpool.Exec(context.Background(), fmt.Sprintf("REVOKE %s FROM %s", sanitizedGroupRole, sanitizedRole))
+	if err != nil {
+		err = fmt.Errorf("pg exec failed: %s", err)
+		return
+	}
+	return
+}