Skip to content

fix(2582): added cluster level delete secrets config #2750

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions charts/postgres-operator/crds/operatorconfigurations.yaml
Original file line number Diff line number Diff line change
@@ -229,6 +229,8 @@ spec:
enable_secrets_deletion:
type: boolean
default: true
enable_secrets_deletion_key:
type: string
enable_sidecars:
type: boolean
default: true
3 changes: 3 additions & 0 deletions charts/postgres-operator/values.yaml
Original file line number Diff line number Diff line change
@@ -141,6 +141,9 @@ configKubernetes:
enable_readiness_probe: false
# toggles if operator should delete secrets on cluster deletion
enable_secrets_deletion: true
# key name for annotation that overrides enable_secrets_deletion on cluster level
# enable_secrets_deletion_key: "enable-secrets-deletion"

# enables sidecar containers to run alongside Spilo in the same pod
enable_sidecars: true

3 changes: 3 additions & 0 deletions docs/reference/operator_parameters.md
Original file line number Diff line number Diff line change
@@ -365,6 +365,9 @@ configuration they are grouped under the `kubernetes` key.
By default, the operator deletes secrets when removing the Postgres cluster
manifest. To keep secrets, set this option to `false`. The default is `true`.

* **enable_secrets_deletion_key**
By default, the `enable_secrets_deletion` decides on the deletion of secrets for the entire operator. To overwrite `enable_secrets_deletion` this property can be set and an annotation on cluster level can be added with the values: delete secrets `true` or `false`.

* **enable_persistent_volume_claim_deletion**
By default, the operator deletes PersistentVolumeClaims when removing the
Postgres cluster manifest, no matter if `persistent_volume_claim_retention_policy`
1 change: 1 addition & 0 deletions manifests/configmap.yaml
Original file line number Diff line number Diff line change
@@ -61,6 +61,7 @@ data:
enable_replica_load_balancer: "false"
enable_replica_pooler_load_balancer: "false"
enable_secrets_deletion: "true"
# enable_secrets_deletion_key: enable-secrets-deletion
enable_shm_volume: "true"
enable_sidecars: "true"
enable_spilo_wal_path_compat: "true"
2 changes: 2 additions & 0 deletions manifests/operatorconfiguration.crd.yaml
Original file line number Diff line number Diff line change
@@ -227,6 +227,8 @@ spec:
enable_secrets_deletion:
type: boolean
default: true
enable_secrets_deletion_key:
type: string
enable_sidecars:
type: boolean
default: true
1 change: 1 addition & 0 deletions manifests/postgresql-operator-default-configuration.yaml
Original file line number Diff line number Diff line change
@@ -65,6 +65,7 @@ configuration:
enable_pod_disruption_budget: true
enable_readiness_probe: false
enable_secrets_deletion: true
# enable_secrets_deletion_key: enable-secrets-deletion
enable_sidecars: true
# ignored_annotations:
# - k8s.v1.cni.cncf.io/network-status
3 changes: 3 additions & 0 deletions pkg/apis/acid.zalan.do/v1/crds.go
Original file line number Diff line number Diff line change
@@ -1344,6 +1344,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
"enable_secrets_deletion": {
Type: "boolean",
},
"enable_secrets_deletion_key": {
Type: "string",
},
"enable_sidecars": {
Type: "boolean",
},
1 change: 1 addition & 0 deletions pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
Original file line number Diff line number Diff line change
@@ -104,6 +104,7 @@ type KubernetesMetaConfiguration struct {
PodManagementPolicy string `json:"pod_management_policy,omitempty"`
PersistentVolumeClaimRetentionPolicy map[string]string `json:"persistent_volume_claim_retention_policy,omitempty"`
EnableSecretsDeletion *bool `json:"enable_secrets_deletion,omitempty"`
EnableSecretsDeletionKey string `json:"enable_secrets_deletion_key,omitempty"`
EnablePersistentVolumeClaimDeletion *bool `json:"enable_persistent_volume_claim_deletion,omitempty"`
EnableReadinessProbe bool `json:"enable_readiness_probe,omitempty"`
EnableCrossNamespaceSecret bool `json:"enable_cross_namespace_secret,omitempty"`
14 changes: 12 additions & 2 deletions pkg/cluster/cluster.go
Original file line number Diff line number Diff line change
@@ -1191,7 +1191,18 @@ func (c *Cluster) Delete() error {
c.eventRecorder.Eventf(c.GetReference(), v1.EventTypeWarning, "Delete", "could not delete statefulset: %v", err)
}

if c.OpConfig.EnableSecretsDeletion != nil && *c.OpConfig.EnableSecretsDeletion {
enable_secrets_deletion_cluster := c.OpConfig.EnableSecretsDeletion != nil && *c.OpConfig.EnableSecretsDeletion
if c.OpConfig.EnableSecretsDeletionKey != "" {
key := c.OpConfig.EnableSecretsDeletionKey
if value, ok := c.Postgresql.Annotations[key]; ok {
if value == "true" {
enable_secrets_deletion_cluster = true
} else if value == "false" {
enable_secrets_deletion_cluster = false
}
}
}
if enable_secrets_deletion_cluster {
if err := c.deleteSecrets(); err != nil {
anyErrors = true
c.logger.Warningf("could not delete secrets: %v", err)
@@ -1200,7 +1211,6 @@ func (c *Cluster) Delete() error {
} else {
c.logger.Info("not deleting secrets because disabled in configuration")
}

if err := c.deletePodDisruptionBudget(); err != nil {
anyErrors = true
c.logger.Warningf("could not delete pod disruption budget: %v", err)
1 change: 1 addition & 0 deletions pkg/controller/operator_config.go
Original file line number Diff line number Diff line change
@@ -124,6 +124,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
result.PodManagementPolicy = util.Coalesce(fromCRD.Kubernetes.PodManagementPolicy, "ordered_ready")
result.PersistentVolumeClaimRetentionPolicy = fromCRD.Kubernetes.PersistentVolumeClaimRetentionPolicy
result.EnableSecretsDeletion = util.CoalesceBool(fromCRD.Kubernetes.EnableSecretsDeletion, util.True())
result.EnableSecretsDeletionKey = fromCRD.Kubernetes.EnableSecretsDeletionKey
result.EnablePersistentVolumeClaimDeletion = util.CoalesceBool(fromCRD.Kubernetes.EnablePersistentVolumeClaimDeletion, util.True())
result.EnableReadinessProbe = fromCRD.Kubernetes.EnableReadinessProbe
result.MasterPodMoveTimeout = util.CoalesceDuration(time.Duration(fromCRD.Kubernetes.MasterPodMoveTimeout), "10m")
1 change: 1 addition & 0 deletions pkg/util/config/config.go
Original file line number Diff line number Diff line change
@@ -66,6 +66,7 @@ type Resources struct {
MaxInstances int32 `name:"max_instances" default:"-1"`
MinInstances int32 `name:"min_instances" default:"-1"`
IgnoreInstanceLimitsAnnotationKey string `name:"ignore_instance_limits_annotation_key"`
EnableSecretsDeletionKey string `name:"enable_secrets_deletion_key"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you rename the to IgnoreSecretDeletionAnnotationKey?

}

type InfrastructureRole struct {