add the option to iamAuthentication in aws

charts/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml

@@ -41,6 +41,9 @@ spec:
                 type: string
               role:
                 type: string
+              iamAuthentication:
+                type: boolean
+                default: false
               secretName:
                 type: string
               secretTemplate:

pkg/apis/db/v1alpha1/postgresuser_types.go

@@ -16,19 +16,21 @@ type PostgresUserSpec struct {
 	// +optional
 	SecretTemplate map[string]string `json:"secretTemplate,omitempty"` // key-value, where key is secret field, value is go template
 	// +optional
-	Privileges string `json:"privileges"`
+	Privileges        string `json:"privileges"`
+	IamAuthentication bool   `json:"iamAuthentication"`
 	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
 
 // PostgresUserStatus defines the observed state of PostgresUser
 // +k8s:openapi-gen=true
 type PostgresUserStatus struct {
-	Succeeded     bool   `json:"succeeded"`
-	PostgresRole  string `json:"postgresRole"`
-	PostgresLogin string `json:"postgresLogin"`
-	PostgresGroup string `json:"postgresGroup"`
-	DatabaseName  string `json:"databaseName"`
+	Succeeded         bool   `json:"succeeded"`
+	PostgresRole      string `json:"postgresRole"`
+	PostgresLogin     string `json:"postgresLogin"`
+	PostgresGroup     string `json:"postgresGroup"`
+	DatabaseName      string `json:"databaseName"`
+	IamAuthentication bool   `json:"iamAuthentication"`
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "operator-sdk generate k8s" to regenerate code after modifying this file
 	// Add custom validation using kubebuilder tags: https://book.kubebuilder.io/beyond_basics/generating_crd.html

pkg/controller/postgresuser/postgresuser_controller.go

@@ -177,7 +177,7 @@ func (r *ReconcilePostgresUser) Reconcile(request reconcile.Request) (reconcile.
 		// Create user role
 		suffix := utils.GetRandomString(6)
 		role = fmt.Sprintf("%s-%s", instance.Spec.Role, suffix)
-		login, err = r.pg.CreateUserRole(role, password)
+		login, err = r.pg.CreateUserRole(role, password, instance.spec.IamAuthentication)
 		if err != nil {
 			return r.requeue(instance, errors.NewInternalError(err))
 		}

pkg/postgres/aws.go

@@ -39,11 +39,17 @@ func (c *awspg) CreateDB(dbname, role string) error {
 	return c.pg.CreateDB(dbname, role)
 }
 
-func (c *awspg) CreateUserRole(role, password string) (string, error) {
-	returnedRole, err := c.pg.CreateUserRole(role, password)
+func (c *awspg) CreateUserRole(role, password string, iamAuthentication *bool) (string, error) {
+	returnedRole, err := c.pg.CreateUserRole(role, password, iamAuthentication)
 	if err != nil {
 		return "", err
 	}
+	if iamAuthentication != nil && *iamAuthentication {
+		err = c.GrantRole("rds_iam", role)
+		if err != nil {
+			return "", err
+		}
+	}
 	// On AWS RDS the postgres user isn't really superuser so he doesn't have permissions
 	// to ALTER DEFAULT PRIVILEGES FOR ROLE unless he belongs to the role
 	err = c.GrantRole(role, c.user)

pkg/postgres/postgres.go

@@ -13,7 +13,7 @@ type PG interface {
 	CreateSchema(db, role, schema string, logger logr.Logger) error
 	CreateExtension(db, extension string, logger logr.Logger) error
 	CreateGroupRole(role string) error
-	CreateUserRole(role, password string) (string, error)
+	CreateUserRole(role, password string, iamAuthentication *bool) (string, error)
 	UpdatePassword(role, password string) error
 	GrantRole(role, grantee string) error
 	SetSchemaPrivileges(schemaPrivileges PostgresSchemaPrivileges, logger logr.Logger) error

pkg/postgres/role.go

@@ -28,7 +28,7 @@ func (c *pg) CreateGroupRole(role string) error {
 	return nil
 }
 
-func (c *pg) CreateUserRole(role, password string) (string, error) {
+func (c *pg) CreateUserRole(role, password string, iamAuthentication *bool) (string, error) {
 	_, err := c.db.Exec(fmt.Sprintf(CREATE_USER_ROLE, role, password))
 	if err != nil {
 		return "", err