zalando · FxKu · Oct 28, 2020 · Oct 12, 2020 · Oct 14, 2020 · Oct 15, 2020
@@ -319,6 +319,10 @@ spec:
               properties:
                 enable_admin_role_for_users:
                   type: boolean
+                enable_postgres_team_crd:
+                  type: boolean
+                enable_postgres_team_crd_superusers:
+                  type: boolean
                 enable_team_superuser:
                   type: boolean
                 enable_teams_api:

@@ -0,0 +1,67 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: postgresteams.acid.zalan.do
+  labels:
+    app.kubernetes.io/name: postgres-operator
+  annotations:
+    "helm.sh/hook": crd-install
+spec:
+  group: acid.zalan.do
+  names:
+    kind: PostgresTeam
+    listKind: PostgresTeamList
+    plural: postgresteams
+    singular: postgresteam
+    shortNames:
+    - pgteam
+  scope: Namespaced
+  subresources:
+    status: {}
+  version: v1
+  validation:
+    openAPIV3Schema:
+      type: object
+      required:
+        - kind
+        - apiVersion
+        - spec
+      properties:
+        kind:
+          type: string
+          enum:
+            - PostgresTeam
+        apiVersion:
+          type: string
+          enum:
+            - acid.zalan.do/v1
+        spec:
+          type: object
+          properties:
+            additionalSuperuserTeams:
+              type: object
+              description: "Map for teamId and associated additional superuser teams"
+              additionalProperties:
+                type: array
+                nullable: true
+                description: "List of teams to become Postgres superusers"
+                items:
+                  type: string
+            additionalTeams:
+              type: object
+              description: "Map for teamId and associated additional teams"
+              additionalProperties:
+                type: array
+                nullable: true
+                description: "List of teams whose members will also be added to the Postgres cluster"
+                items:
+                  type: string
+            additionalMembers:
+              type: object
+              description: "Map for teamId and associated additional users"
+              additionalProperties:
+                type: array
+                nullable: true
+                description: "List of users who will also be added to the Postgres cluster"
+                items:
+                  type: string
@@ -25,6 +25,15 @@ rules:
   - patch
   - update
   - watch
+# operator only reads PostgresTeams
+- apiGroups:
+  - acid.zalan.do
+  resources:
+  - postgresteams
+  verbs:
+  - get
+  - list
+  - watch
 # to create or get/update CRDs when starting up
 - apiGroups:
   - apiextensions.k8s.io

@@ -256,6 +256,11 @@ configTeamsApi:
   # team_admin_role will have the rights to grant roles coming from PG manifests
   # enable_admin_role_for_users: true
 
+  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
+  enable_postgres_team_crd: true
+  # toogle to create additional superuser teams from PostgresTeam CRs
+  # enable_postgres_team_crd_superusers: "false"
+
   # toggle to grant superuser to team members created from the Teams API
   enable_team_superuser: false
   # toggles usage of the Teams API by the operator

@@ -1,7 +1,7 @@
 image:
   registry: registry.opensource.zalan.do
   repository: acid/postgres-operator
-  tag: v1.5.0
+  tag: v1.5.0-61-ged2b3239-dirty 
   pullPolicy: "IfNotPresent"
 
 # Optionally specify an array of imagePullSecrets.
@@ -248,6 +248,11 @@ configTeamsApi:
   # team_admin_role will have the rights to grant roles coming from PG manifests
   # enable_admin_role_for_users: "true"
 
+  # operator watches for PostgresTeam CRs to assign additional teams and members to clusters
+  enable_postgres_team_crd: "true"
+  # toogle to create additional superuser teams from PostgresTeam CRs
+  # enable_postgres_team_crd_superusers: "false"
+
   # toggle to grant superuser to team members created from the Teams API
   # enable_team_superuser: "false"
 

@@ -561,9 +561,12 @@ database.
 * **Human users** originate from the [Teams API](user.md#teams-api-roles) that
 returns a list of the team members given a team id. The operator differentiates
 between (a) product teams that own a particular Postgres cluster and are granted
-admin rights to maintain it, and (b) Postgres superuser teams that get the
-superuser access to all Postgres databases running in a K8s cluster for the
-purposes of maintaining and troubleshooting.
+admin rights to maintain it, (b) Postgres superuser teams that get superuser
+access to all Postgres databases running in a K8s cluster for the purposes of
+maintaining and troubleshooting, and (c) additional teams, superuser teams or
+members associated with the owning team. The latter is managed via the
+[PostgresTeam CRD](user.md#additional-teams-and-members-per-cluster).
+
 
 ## Understanding rolling update of Spilo pods
 

@@ -598,8 +598,8 @@ key.
   The default is `"log_statement:all"`
 
 * **enable_team_superuser**
-  whether to grant superuser to team members created from the Teams API.
-  The default is `false`.
+  whether to grant superuser to members of the cluster's owning team created
+  from the Teams API. The default is `false`.
 
 * **team_admin_role**
   role name to grant to team members created from the Teams API. The default is
@@ -632,6 +632,16 @@ key.
   cluster to administer Postgres and maintain infrastructure built around it.
   The default is empty.
 
+* **enable_postgres_team_crd**
+  toggle to make the operator watch for created or updated `PostgresTeam` CRDs
+  and create roles for specified additional teams and members.
+  The default is `true`.
+
+* **enable_postgres_team_crd_superusers**
+  in a `PostgresTeam` CRD additional superuser teams can assigned to teams that
+  own clusters. With this flag set to `false`, it will be ignored.
+  The default is `false`.
+
 ## Logging and REST API
 
 Parameters affecting logging and REST API listener. In the CRD-based

@@ -269,6 +269,67 @@ to choose superusers, group roles, [PAM configuration](https://github.com/CyberD
 etc. An OAuth2 token can be passed to the Teams API via a secret. The name for
 this secret is configurable with the `oauth_token_secret_name` parameter.
 
+### Additional teams and members per cluster
+
+Postgres clusters are associated with one team by providing the `teamID` in
+the manifest. Additional superuser teams can be configured as mentioned in
+the previous paragraph. However, this is a global setting. To assign
+additional teams, superuser teams and single users to clusters of a given
+team, use the [PostgresTeam CRD](../manifests/postgresteam.yaml). It provides
+a simple mapping structure.
+
+
+```yaml
+apiVersion: "acid.zalan.do/v1"
+kind: PostgresTeam
+metadata:
+  name: custom-team-membership
+spec:
+  additionalSuperuserTeams:
+    acid:
+    - "postgres_superusers"
+  additionalTeams:
+    acid: []
+  additionalMembers:
+    acid:
+    - "elephant"
+```
+
+One `PostgresTeam` resource could contain mappings of multiple teams but you
+can choose to create separate CRDs, alternatively. On each CRD creation or
+update the operator will gather all mappings to create additional human users
+in databases the next time they are synced. Additional teams are resolved
+transitively, meaning you will also add users for their `additionalTeams`
+or (not and) `additionalSuperuserTeams`.
+
+For each additional team the Teams API would be queried. Additional members
+will be added either way. There can be "virtual teams" that do not exists in
+your Teams API but users of associated teams as well as members will get
+created. With `PostgresTeams` it's also easy to cover team name changes. Just
+add the mapping between old and new team name and the rest can stay the same.
+
+```yaml
+apiVersion: "acid.zalan.do/v1"
+kind: PostgresTeam
+metadata:
+  name: virtualteam-membership
+spec:
+  additionalSuperuserTeams:
+    acid:
+    - "virtual_superusers"
+    virtual_superusers:
+    - "real_teamA"
+    - "real_teamB"
+    real_teamA:
+    - "real_teamA_renamed"
+  additionalTeams:
+    real_teamA:
+    - "real_teamA_renamed"
+  additionalMembers:
+    virtual_superusers:
+    - "foo"
+```
+
 ## Prepared databases with roles and default privileges
 
 The `users` section in the manifests only allows for creating database roles

@@ -41,6 +41,8 @@ data:
   enable_master_load_balancer: "false"
   # enable_pod_antiaffinity: "false"
   # enable_pod_disruption_budget: "true"
+  # enable_postgres_team_crd: "true"
+  # enable_postgres_team_crd_superusers: "false"
   enable_replica_load_balancer: "false"
   # enable_shm_volume: "true"
   # enable_sidecars: "true"

@@ -0,0 +1,13 @@
+apiVersion: "acid.zalan.do/v1"
+kind: PostgresTeam
+metadata:
+  name: custom-team-membership
+spec:
+  additionalSuperuserTeams:
+    acid:
+    - "postgres_superusers"
+  additionalTeams:
+    acid: []
+  additionalMembers:
+    acid:
+    - "elephant"
@@ -26,6 +26,15 @@ rules:
   - patch
   - update
   - watch
+# operator only reads PostgresTeams
+- apiGroups:
+  - acid.zalan.do
+  resources:
+  - postgresteams
+  verbs:
+  - get
+  - list
+  - watch
 # to create or get/update CRDs when starting up
 - apiGroups:
   - apiextensions.k8s.io

@@ -325,6 +325,10 @@ spec:
               properties:
                 enable_admin_role_for_users:
                   type: boolean
+                enable_postgres_team_crd:
+                  type: boolean
+                enable_postgres_team_crd_superusers:
+                  type: boolean
                 enable_team_superuser:
                   type: boolean
                 enable_teams_api:

@@ -122,6 +122,8 @@ configuration:
     enable_database_access: true
   teams_api:
     # enable_admin_role_for_users: true
+    # enable_postgres_team_crd: true
+    # enable_postgres_team_crd_superusers: false
     enable_team_superuser: false
     enable_teams_api: false
     # pam_configuration: ""

@@ -0,0 +1,63 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: postgresteams.acid.zalan.do
+spec:
+  group: acid.zalan.do
+  names:
+    kind: PostgresTeam
+    listKind: PostgresTeamList
+    plural: postgresteams
+    singular: postgresteam
+    shortNames:
+    - pgteam
+  scope: Namespaced
+  subresources:
+    status: {}
+  version: v1
+  validation:
+    openAPIV3Schema:
+      type: object
+      required:
+        - kind
+        - apiVersion
+        - spec
+      properties:
+        kind:
+          type: string
+          enum:
+            - PostgresTeam
+        apiVersion:
+          type: string
+          enum:
+            - acid.zalan.do/v1
+        spec:
+          type: object
+          properties:
+            additionalSuperuserTeams:
+              type: object
+              description: "Map for teamId and associated additional superuser teams"
+              additionalProperties:
+                type: array
+                nullable: true
+                description: "List of teams to become Postgres superusers"
+                items:
+                  type: string
+            additionalTeams:
+              type: object
+              description: "Map for teamId and associated additional teams"
+              additionalProperties:
+                type: array
+                nullable: true
+                description: "List of teams whose members will also be added to the Postgres cluster"
+                items:
+                  type: string
+            additionalMembers:
+              type: object
+              description: "Map for teamId and associated additional users"
+              additionalProperties:
+                type: array
+                nullable: true
+                description: "List of users who will also be added to the Postgres cluster"
+                items:
+                  type: string
@@ -1235,6 +1235,12 @@ var OperatorConfigCRDResourceValidation = apiextv1beta1.CustomResourceValidation
 							"enable_admin_role_for_users": {
 								Type: "boolean",
 							},
+							"enable_postgres_team_crd": {
+								Type: "boolean",
+							},
+							"enable_postgres_team_crd_superusers": {
+								Type: "boolean",
+							},
 							"enable_team_superuser": {
 								Type: "boolean",
 							},