Add support of PostgreSQL schemas

PROJECT

@@ -24,4 +24,12 @@ resources:
   kind: PostgresRole
   path: github.com/hoppscale/managed-postgres-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: managed-postgres-operator.hoppscale.com
+  kind: PostgresSchema
+  path: github.com/hoppscale/managed-postgres-operator/api/v1alpha1
+  version: v1alpha1
 version: "3"

api/v1alpha1/postgresschema_types.go

@@ -0,0 +1,76 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// PostgresSchemaPrivilegesSpec defines the desired schema privileges to grant to roles
+type PostgresSchemaPrivilegesSpec struct {
+	Create bool `json:"create,omitempty"`
+	Usage  bool `json:"usage,omitempty"`
+}
+
+// PostgresSchemaSpec defines the desired state of a PostgreSQL schema
+type PostgresSchemaSpec struct {
+	// Database is the PostgreSQL database's name in which the schema exists
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:message="database is immutable",rule="self == oldSelf"
+	Database string `json:"database"`
+
+	// Name is the PostgreSQL schema's name
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:XValidation:message="name is immutable",rule="self == oldSelf"
+	Name string `json:"name"`
+
+	// Owner is the PostgreSQL schema's owner. It must be a valid existing role.
+	Owner string `json:"owner,omitempty"`
+
+	// PrivilegesByRole will grant privileges to roles on this schema
+	PrivilegesByRole map[string]PostgresSchemaPrivilegesSpec `json:"privilegesByRole,omitempty"`
+}
+
+// PostgresSchemaStatus defines the observed state of PostgresSchema.
+type PostgresSchemaStatus struct {
+	Succeeded bool `json:"succeeded"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// PostgresSchema is the Schema for the postgresschemas API.
+type PostgresSchema struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PostgresSchemaSpec   `json:"spec,omitempty"`
+	Status PostgresSchemaStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// PostgresSchemaList contains a list of PostgresSchema.
+type PostgresSchemaList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PostgresSchema `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&PostgresSchema{}, &PostgresSchemaList{})
+}

cmd/main.go

@@ -228,6 +228,15 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "PostgresRole")
 		os.Exit(1)
 	}
+	if err = (&controller.PostgresSchemaReconciler{
+		Client:               mgr.GetClient(),
+		Scheme:               mgr.GetScheme(),
+		PGPools:              pgpools,
+		OperatorInstanceName: operatorInstanceName,
+	}).SetupWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "PostgresSchema")
+		os.Exit(1)
+	}
 	// +kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {

config/crd/bases/managed-postgres-operator.hoppscale.com_postgresschemas.yaml

@@ -0,0 +1,89 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.2
+  name: postgresschemas.managed-postgres-operator.hoppscale.com
+spec:
+  group: managed-postgres-operator.hoppscale.com
+  names:
+    kind: PostgresSchema
+    listKind: PostgresSchemaList
+    plural: postgresschemas
+    singular: postgresschema
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PostgresSchema is the Schema for the postgresschemas API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PostgresSchemaSpec defines the desired state of a PostgreSQL
+              schema
+            properties:
+              database:
+                description: Database is the PostgreSQL database's name in which the
+                  schema exists
+                type: string
+                x-kubernetes-validations:
+                - message: database is immutable
+                  rule: self == oldSelf
+              name:
+                description: Name is the PostgreSQL schema's name
+                type: string
+                x-kubernetes-validations:
+                - message: name is immutable
+                  rule: self == oldSelf
+              owner:
+                description: Owner is the PostgreSQL schema's owner. It must be a
+                  valid existing role.
+                type: string
+              privilegesByRole:
+                additionalProperties:
+                  description: PostgresSchemaPrivilegesSpec defines the desired schema
+                    privileges to grant to roles
+                  properties:
+                    create:
+                      type: boolean
+                    usage:
+                      type: boolean
+                  type: object
+                description: PrivilegesByRole will grant privileges to roles on this
+                  schema
+                type: object
+            required:
+            - database
+            - name
+            type: object
+          status:
+            description: PostgresSchemaStatus defines the observed state of PostgresSchema.
+            properties:
+              succeeded:
+                type: boolean
+            required:
+            - succeeded
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/kustomization.yaml

@@ -4,6 +4,7 @@
 resources:
 - bases/managed-postgres-operator.hoppscale.com_postgresdatabases.yaml
 - bases/managed-postgres-operator.hoppscale.com_postgresroles.yaml
+- bases/managed-postgres-operator.hoppscale.com_postgresschemas.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patches:

config/rbac/kustomization.yaml

@@ -21,6 +21,9 @@ resources:
 # default, aiding admins in cluster management. Those roles are
 # not used by the {{ .ProjectName }} itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
+- postgresschema_admin_role.yaml
+- postgresschema_editor_role.yaml
+- postgresschema_viewer_role.yaml
 - postgresrole_admin_role.yaml
 - postgresrole_editor_role.yaml
 - postgresrole_viewer_role.yaml

config/rbac/postgresschema_admin_role.yaml

@@ -0,0 +1,27 @@
+# This rule is not used by the project managed-postgres-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over managed-postgres-operator.hoppscale.com.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: managed-postgres-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: postgresschema-admin-role
+rules:
+- apiGroups:
+  - managed-postgres-operator.hoppscale.com
+  resources:
+  - postgresschemas
+  verbs:
+  - '*'
+- apiGroups:
+  - managed-postgres-operator.hoppscale.com
+  resources:
+  - postgresschemas/status
+  verbs:
+  - get

config/rbac/postgresschema_editor_role.yaml

@@ -0,0 +1,33 @@
+# This rule is not used by the project managed-postgres-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the managed-postgres-operator.hoppscale.com.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: managed-postgres-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: postgresschema-editor-role
+rules:
+- apiGroups:
+  - managed-postgres-operator.hoppscale.com
+  resources:
+  - postgresschemas
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - managed-postgres-operator.hoppscale.com
+  resources:
+  - postgresschemas/status
+  verbs:
+  - get