Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(2582): added cluster level delete secrets config #2750

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions charts/postgres-operator/crds/operatorconfigurations.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,8 @@ spec:
enable_secrets_deletion:
type: boolean
default: true
enable_secrets_deletion_key:
type: string
enable_sidecars:
type: boolean
default: true
Expand Down
3 changes: 3 additions & 0 deletions charts/postgres-operator/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,9 @@ configKubernetes:
enable_readiness_probe: false
# toggles if operator should delete secrets on cluster deletion
enable_secrets_deletion: true
# key name for annotation that overrides enable_secrets_deletion on cluster level
# enable_secrets_deletion_key: "enable-secrets-deletion"

# enables sidecar containers to run alongside Spilo in the same pod
enable_sidecars: true

Expand Down
3 changes: 3 additions & 0 deletions docs/reference/operator_parameters.md
Original file line number Diff line number Diff line change
Expand Up @@ -365,6 +365,9 @@ configuration they are grouped under the `kubernetes` key.
By default, the operator deletes secrets when removing the Postgres cluster
manifest. To keep secrets, set this option to `false`. The default is `true`.

* **enable_secrets_deletion_key**
By default, the `enable_secrets_deletion` decides on the deletion of secrets for the entire operator. To overwrite `enable_secrets_deletion` this property can be set and an annotation on cluster level can be added with the values: delete secrets `true` or `false`.

* **enable_persistent_volume_claim_deletion**
By default, the operator deletes PersistentVolumeClaims when removing the
Postgres cluster manifest, no matter if `persistent_volume_claim_retention_policy`
Expand Down
1 change: 1 addition & 0 deletions manifests/configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ data:
enable_replica_load_balancer: "false"
enable_replica_pooler_load_balancer: "false"
enable_secrets_deletion: "true"
# enable_secrets_deletion_key: enable-secrets-deletion
enable_shm_volume: "true"
enable_sidecars: "true"
enable_spilo_wal_path_compat: "true"
Expand Down
2 changes: 2 additions & 0 deletions manifests/operatorconfiguration.crd.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -227,6 +227,8 @@ spec:
enable_secrets_deletion:
type: boolean
default: true
enable_secrets_deletion_key:
type: string
enable_sidecars:
type: boolean
default: true
Expand Down
1 change: 1 addition & 0 deletions manifests/postgresql-operator-default-configuration.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ configuration:
enable_pod_disruption_budget: true
enable_readiness_probe: false
enable_secrets_deletion: true
# enable_secrets_deletion_key: enable-secrets-deletion
enable_sidecars: true
# ignored_annotations:
# - k8s.v1.cni.cncf.io/network-status
Expand Down
3 changes: 3 additions & 0 deletions pkg/apis/acid.zalan.do/v1/crds.go
Original file line number Diff line number Diff line change
Expand Up @@ -1344,6 +1344,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
"enable_secrets_deletion": {
Type: "boolean",
},
"enable_secrets_deletion_key": {
Type: "string",
},
"enable_sidecars": {
Type: "boolean",
},
Expand Down
1 change: 1 addition & 0 deletions pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,7 @@ type KubernetesMetaConfiguration struct {
PodManagementPolicy string `json:"pod_management_policy,omitempty"`
PersistentVolumeClaimRetentionPolicy map[string]string `json:"persistent_volume_claim_retention_policy,omitempty"`
EnableSecretsDeletion *bool `json:"enable_secrets_deletion,omitempty"`
EnableSecretsDeletionKey string `json:"enable_secrets_deletion_key,omitempty"`
EnablePersistentVolumeClaimDeletion *bool `json:"enable_persistent_volume_claim_deletion,omitempty"`
EnableReadinessProbe bool `json:"enable_readiness_probe,omitempty"`
EnableCrossNamespaceSecret bool `json:"enable_cross_namespace_secret,omitempty"`
Expand Down
14 changes: 12 additions & 2 deletions pkg/cluster/cluster.go
Original file line number Diff line number Diff line change
Expand Up @@ -1191,7 +1191,18 @@ func (c *Cluster) Delete() error {
c.eventRecorder.Eventf(c.GetReference(), v1.EventTypeWarning, "Delete", "could not delete statefulset: %v", err)
}

if c.OpConfig.EnableSecretsDeletion != nil && *c.OpConfig.EnableSecretsDeletion {
enable_secrets_deletion_cluster := c.OpConfig.EnableSecretsDeletion != nil && *c.OpConfig.EnableSecretsDeletion
if c.OpConfig.EnableSecretsDeletionKey != "" {
key := c.OpConfig.EnableSecretsDeletionKey
if value, ok := c.Postgresql.Annotations[key]; ok {
if value == "true" {
enable_secrets_deletion_cluster = true
} else if value == "false" {
enable_secrets_deletion_cluster = false
}
}
}
if enable_secrets_deletion_cluster {
if err := c.deleteSecrets(); err != nil {
anyErrors = true
c.logger.Warningf("could not delete secrets: %v", err)
Expand All @@ -1200,7 +1211,6 @@ func (c *Cluster) Delete() error {
} else {
c.logger.Info("not deleting secrets because disabled in configuration")
}

if err := c.deletePodDisruptionBudget(); err != nil {
anyErrors = true
c.logger.Warningf("could not delete pod disruption budget: %v", err)
Expand Down
1 change: 1 addition & 0 deletions pkg/controller/operator_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
result.PodManagementPolicy = util.Coalesce(fromCRD.Kubernetes.PodManagementPolicy, "ordered_ready")
result.PersistentVolumeClaimRetentionPolicy = fromCRD.Kubernetes.PersistentVolumeClaimRetentionPolicy
result.EnableSecretsDeletion = util.CoalesceBool(fromCRD.Kubernetes.EnableSecretsDeletion, util.True())
result.EnableSecretsDeletionKey = fromCRD.Kubernetes.EnableSecretsDeletionKey
result.EnablePersistentVolumeClaimDeletion = util.CoalesceBool(fromCRD.Kubernetes.EnablePersistentVolumeClaimDeletion, util.True())
result.EnableReadinessProbe = fromCRD.Kubernetes.EnableReadinessProbe
result.MasterPodMoveTimeout = util.CoalesceDuration(time.Duration(fromCRD.Kubernetes.MasterPodMoveTimeout), "10m")
Expand Down
1 change: 1 addition & 0 deletions pkg/util/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ type Resources struct {
MaxInstances int32 `name:"max_instances" default:"-1"`
MinInstances int32 `name:"min_instances" default:"-1"`
IgnoreInstanceLimitsAnnotationKey string `name:"ignore_instance_limits_annotation_key"`
EnableSecretsDeletionKey string `name:"enable_secrets_deletion_key"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you rename the to IgnoreSecretDeletionAnnotationKey?

}

type InfrastructureRole struct {
Expand Down
Loading