From 6fdf2c92fa71e1bf3d99deff35401fd93d736086 Mon Sep 17 00:00:00 2001
From: Yingrjimsch <nobel98@bluewin.ch>
Date: Thu, 5 Sep 2024 14:45:23 +0200
Subject: [PATCH] fix(2582): added cluster level delete secrets config

chore: removed log messages

chore: removed test yaml

Revert "chore: removed test yaml"

This reverts commit f19110c86406579133f79637c3a053053857e072.

chore: removed test yaml

chore: added docs

chore: remove accident file
---
 .../crds/operatorconfigurations.yaml               |  2 ++
 charts/postgres-operator/values.yaml               |  3 +++
 docs/reference/operator_parameters.md              |  3 +++
 manifests/configmap.yaml                           |  1 +
 manifests/operatorconfiguration.crd.yaml           |  2 ++
 .../postgresql-operator-default-configuration.yaml |  1 +
 pkg/apis/acid.zalan.do/v1/crds.go                  |  3 +++
 .../v1/operator_configuration_type.go              |  1 +
 pkg/cluster/cluster.go                             | 14 ++++++++++++--
 pkg/controller/operator_config.go                  |  1 +
 pkg/util/config/config.go                          |  1 +
 11 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/charts/postgres-operator/crds/operatorconfigurations.yaml b/charts/postgres-operator/crds/operatorconfigurations.yaml
index 5edb7044f..0c623ae8b 100644
--- a/charts/postgres-operator/crds/operatorconfigurations.yaml
+++ b/charts/postgres-operator/crds/operatorconfigurations.yaml
@@ -229,6 +229,8 @@ spec:
                   enable_secrets_deletion:
                     type: boolean
                     default: true
+                  enable_secrets_deletion_key:
+                    type: string
                   enable_sidecars:
                     type: boolean
                     default: true
diff --git a/charts/postgres-operator/values.yaml b/charts/postgres-operator/values.yaml
index 472be7443..a04cb27be 100644
--- a/charts/postgres-operator/values.yaml
+++ b/charts/postgres-operator/values.yaml
@@ -141,6 +141,9 @@ configKubernetes:
   enable_readiness_probe: false
   # toggles if operator should delete secrets on cluster deletion
   enable_secrets_deletion: true
+  # key name for annotation that overrides enable_secrets_deletion on cluster level
+  # enable_secrets_deletion_key: "enable-secrets-deletion"
+
   # enables sidecar containers to run alongside Spilo in the same pod
   enable_sidecars: true
 
diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md
index 5b1eb64c9..6562a5f7a 100644
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
@@ -365,6 +365,9 @@ configuration they are grouped under the `kubernetes` key.
   By default, the operator deletes secrets when removing the Postgres cluster
   manifest. To keep secrets, set this option to `false`. The default is `true`.
 
+* **enable_secrets_deletion_key**
+  By default, the `enable_secrets_deletion` decides on the deletion of secrets for the entire operator. To overwrite `enable_secrets_deletion` this property can be set and an annotation on cluster level can be added with the values: delete secrets `true` or `false`.
+
 * **enable_persistent_volume_claim_deletion**
   By default, the operator deletes PersistentVolumeClaims when removing the
   Postgres cluster manifest, no matter if `persistent_volume_claim_retention_policy`
diff --git a/manifests/configmap.yaml b/manifests/configmap.yaml
index 1c8c8fdfd..fabbd4a89 100644
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@@ -61,6 +61,7 @@ data:
   enable_replica_load_balancer: "false"
   enable_replica_pooler_load_balancer: "false"
   enable_secrets_deletion: "true"
+  # enable_secrets_deletion_key: enable-secrets-deletion
   enable_shm_volume: "true"
   enable_sidecars: "true"
   enable_spilo_wal_path_compat: "true"
diff --git a/manifests/operatorconfiguration.crd.yaml b/manifests/operatorconfiguration.crd.yaml
index c2b0cf398..de9c9890c 100644
--- a/manifests/operatorconfiguration.crd.yaml
+++ b/manifests/operatorconfiguration.crd.yaml
@@ -227,6 +227,8 @@ spec:
                   enable_secrets_deletion:
                     type: boolean
                     default: true
+                  enable_secrets_deletion_key:
+                    type: string
                   enable_sidecars:
                     type: boolean
                     default: true
diff --git a/manifests/postgresql-operator-default-configuration.yaml b/manifests/postgresql-operator-default-configuration.yaml
index ecb7a03de..1af10af57 100644
--- a/manifests/postgresql-operator-default-configuration.yaml
+++ b/manifests/postgresql-operator-default-configuration.yaml
@@ -65,6 +65,7 @@ configuration:
     enable_pod_disruption_budget: true
     enable_readiness_probe: false
     enable_secrets_deletion: true
+    # enable_secrets_deletion_key: enable-secrets-deletion
     enable_sidecars: true
     # ignored_annotations:
     # - k8s.v1.cni.cncf.io/network-status
diff --git a/pkg/apis/acid.zalan.do/v1/crds.go b/pkg/apis/acid.zalan.do/v1/crds.go
index da88b0855..e45901aa7 100644
--- a/pkg/apis/acid.zalan.do/v1/crds.go
+++ b/pkg/apis/acid.zalan.do/v1/crds.go
@@ -1344,6 +1344,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 							"enable_secrets_deletion": {
 								Type: "boolean",
 							},
+							"enable_secrets_deletion_key": {
+								Type: "string",
+							},
 							"enable_sidecars": {
 								Type: "boolean",
 							},
diff --git a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
index eb01d450c..d17bb6311 100644
--- a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
+++ b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
@@ -104,6 +104,7 @@ type KubernetesMetaConfiguration struct {
 	PodManagementPolicy                      string              `json:"pod_management_policy,omitempty"`
 	PersistentVolumeClaimRetentionPolicy     map[string]string   `json:"persistent_volume_claim_retention_policy,omitempty"`
 	EnableSecretsDeletion                    *bool               `json:"enable_secrets_deletion,omitempty"`
+	EnableSecretsDeletionKey                 string              `json:"enable_secrets_deletion_key,omitempty"`
 	EnablePersistentVolumeClaimDeletion      *bool               `json:"enable_persistent_volume_claim_deletion,omitempty"`
 	EnableReadinessProbe                     bool                `json:"enable_readiness_probe,omitempty"`
 	EnableCrossNamespaceSecret               bool                `json:"enable_cross_namespace_secret,omitempty"`
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index b510613bf..78ccdd0a7 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -1191,7 +1191,18 @@ func (c *Cluster) Delete() error {
 		c.eventRecorder.Eventf(c.GetReference(), v1.EventTypeWarning, "Delete", "could not delete statefulset: %v", err)
 	}
 
-	if c.OpConfig.EnableSecretsDeletion != nil && *c.OpConfig.EnableSecretsDeletion {
+	enable_secrets_deletion_cluster := c.OpConfig.EnableSecretsDeletion != nil && *c.OpConfig.EnableSecretsDeletion
+	if c.OpConfig.EnableSecretsDeletionKey != "" {
+		key := c.OpConfig.EnableSecretsDeletionKey
+		if value, ok := c.Postgresql.Annotations[key]; ok {
+			if value == "true" {
+				enable_secrets_deletion_cluster = true
+			} else if value == "false" {
+				enable_secrets_deletion_cluster = false
+			}
+		}
+	}
+	if enable_secrets_deletion_cluster {
 		if err := c.deleteSecrets(); err != nil {
 			anyErrors = true
 			c.logger.Warningf("could not delete secrets: %v", err)
@@ -1200,7 +1211,6 @@ func (c *Cluster) Delete() error {
 	} else {
 		c.logger.Info("not deleting secrets because disabled in configuration")
 	}
-
 	if err := c.deletePodDisruptionBudget(); err != nil {
 		anyErrors = true
 		c.logger.Warningf("could not delete pod disruption budget: %v", err)
diff --git a/pkg/controller/operator_config.go b/pkg/controller/operator_config.go
index 78e752f1d..86e35b372 100644
--- a/pkg/controller/operator_config.go
+++ b/pkg/controller/operator_config.go
@@ -124,6 +124,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result.PodManagementPolicy = util.Coalesce(fromCRD.Kubernetes.PodManagementPolicy, "ordered_ready")
 	result.PersistentVolumeClaimRetentionPolicy = fromCRD.Kubernetes.PersistentVolumeClaimRetentionPolicy
 	result.EnableSecretsDeletion = util.CoalesceBool(fromCRD.Kubernetes.EnableSecretsDeletion, util.True())
+	result.EnableSecretsDeletionKey = fromCRD.Kubernetes.EnableSecretsDeletionKey
 	result.EnablePersistentVolumeClaimDeletion = util.CoalesceBool(fromCRD.Kubernetes.EnablePersistentVolumeClaimDeletion, util.True())
 	result.EnableReadinessProbe = fromCRD.Kubernetes.EnableReadinessProbe
 	result.MasterPodMoveTimeout = util.CoalesceDuration(time.Duration(fromCRD.Kubernetes.MasterPodMoveTimeout), "10m")
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 4c7b8db10..26ca024c5 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -66,6 +66,7 @@ type Resources struct {
 	MaxInstances                      int32  `name:"max_instances" default:"-1"`
 	MinInstances                      int32  `name:"min_instances" default:"-1"`
 	IgnoreInstanceLimitsAnnotationKey string `name:"ignore_instance_limits_annotation_key"`
+	EnableSecretsDeletionKey          string `name:"enable_secrets_deletion_key"`
 }
 
 type InfrastructureRole struct {