bump version to 1.4.0 + some polishing

charts/postgres-operator-ui/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: postgres-operator-ui
-version: 0.1.0
-appVersion: 1.3.0
+version: 1.4.0
+appVersion: 1.4.0
 home: https://github.com/zalando/postgres-operator
 description: Postgres Operator UI provides a graphical interface for a convenient database-as-a-service user experience
 keywords:

charts/postgres-operator-ui/index.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+entries:
+  postgres-operator-ui:
+  - apiVersion: v1
+    appVersion: 1.4.0
+    created: "2020-02-24T15:32:47.610967635+01:00"
+    description: Postgres Operator UI provides a graphical interface for a convenient
+      database-as-a-service user experience
+    digest: 00e0eff7056d56467cd5c975657fbb76c8d01accd25a4b7aca81bc42aeac961d
+    home: https://github.com/zalando/postgres-operator
+    keywords:
+    - postgres
+    - operator
+    - ui
+    - cloud-native
+    - patroni
+    - spilo
+    maintainers:
+    - email: opensource@zalando.de
+      name: Zalando
+    - email: sk@sik-net.de
+      name: siku4
+    name: postgres-operator-ui
+    sources:
+    - https://github.com/zalando/postgres-operator
+    urls:
+    - postgres-operator-ui-1.4.0.tgz
+    version: 1.4.0
+generated: "2020-02-24T15:32:47.610348278+01:00"

charts/postgres-operator-ui/values.yaml

@@ -8,7 +8,7 @@ replicaCount: 1
 image:
   registry: registry.opensource.zalan.do
   repository: acid/postgres-operator-ui
-  tag: v1.2.0
+  tag: v1.4.0
   pullPolicy: "IfNotPresent"
 
 rbac:

charts/postgres-operator/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: postgres-operator
-version: 1.3.0
-appVersion: 1.3.0
+version: 1.4.0
+appVersion: 1.4.0
 home: https://github.com/zalando/postgres-operator
 description: Postgres Operator creates and manages PostgreSQL clusters running in Kubernetes
 keywords:

charts/postgres-operator/index.yaml

@@ -1,9 +1,31 @@
 apiVersion: v1
 entries:
   postgres-operator:
+  - apiVersion: v1
+    appVersion: 1.4.0
+    created: "2020-02-20T17:39:25.443276193+01:00"
+    description: Postgres Operator creates and manages PostgreSQL clusters running
+      in Kubernetes
+    digest: b93ccde5581deb8ed0857136b8ce74ca3f1b7240438fa4415f705764a1300bed
+    home: https://github.com/zalando/postgres-operator
+    keywords:
+    - postgres
+    - operator
+    - cloud-native
+    - patroni
+    - spilo
+    maintainers:
+    - email: opensource@zalando.de
+      name: Zalando
+    name: postgres-operator
+    sources:
+    - https://github.com/zalando/postgres-operator
+    urls:
+    - postgres-operator-1.4.0.tgz
+    version: 1.4.0
   - apiVersion: v1
     appVersion: 1.3.0
-    created: "2019-12-17T12:58:49.477140129+01:00"
+    created: "2020-02-20T17:39:25.441532163+01:00"
     description: Postgres Operator creates and manages PostgreSQL clusters running
       in Kubernetes
     digest: 7e788fd37daec76a01f6d6f9fe5be5b54f5035e4eba0041e80a760d656537325
@@ -25,7 +47,7 @@ entries:
     version: 1.3.0
   - apiVersion: v1
     appVersion: 1.2.0
-    created: "2019-12-17T12:58:49.475844233+01:00"
+    created: "2020-02-20T17:39:25.440278302+01:00"
     description: Postgres Operator creates and manages PostgreSQL clusters running
       in Kubernetes
     digest: d10710c7cf19f4e266e7704f5d1e98dcfc61bee3919522326c35c22ca7d2f2bf
@@ -47,4 +69,4 @@ entries:
     urls:
     - postgres-operator-1.2.0.tgz
     version: 1.2.0
-generated: "2019-12-17T12:58:49.474719294+01:00"
+generated: "2020-02-20T17:39:25.439168098+01:00"

charts/postgres-operator/templates/clusterrole.yaml

@@ -63,9 +63,9 @@ rules:
   - secrets
   verbs:
   - create
-  - update
   - delete
   - get
+  - update
 # to check nodes for node readiness label
 - apiGroups:
   - ""
@@ -102,9 +102,9 @@ rules:
   - delete
   - get
   - list
-  - watch
-  - update
   - patch
+  - update
+  - watch
 # to resize the filesystem in Spilo pods when increasing volume size
 - apiGroups:
   - ""

charts/postgres-operator/values-crd.yaml

@@ -1,7 +1,7 @@
 image:
   registry: registry.opensource.zalan.do
   repository: acid/postgres-operator
-  tag: v1.3.1
+  tag: v1.4.0
   pullPolicy: "IfNotPresent"
 
 # Optionally specify an array of imagePullSecrets.
@@ -100,8 +100,14 @@ configKubernetes:
   pod_management_policy: "ordered_ready"
   # label assigned to the Postgres pods (and services/endpoints)
   pod_role_label: spilo-role
+  # service account definition as JSON/YAML string to be used by postgres cluster pods
+  # pod_service_account_definition: ""
+
   # name of service account to be used by postgres cluster pods
   pod_service_account_name: "postgres-pod"
+  # role binding definition as JSON/YAML string to be used by pod service account
+  # pod_service_account_role_binding_definition: ""
+
   # Postgres pods are terminated forcefully after this timeout
   pod_terminate_grace_period: 5m
   # template for database user secrets generated by the operator

charts/postgres-operator/values.yaml

@@ -1,7 +1,7 @@
 image:
   registry: registry.opensource.zalan.do
   repository: acid/postgres-operator
-  tag: v1.3.1
+  tag: v1.4.0
   pullPolicy: "IfNotPresent"
 
 # Optionally specify an array of imagePullSecrets.
@@ -93,8 +93,14 @@ configKubernetes:
   pod_management_policy: "ordered_ready"
   # label assigned to the Postgres pods (and services/endpoints)
   pod_role_label: spilo-role
+  # service account definition as JSON/YAML string to be used by postgres cluster pods
+  # pod_service_account_definition: ""
+
   # name of service account to be used by postgres cluster pods
   pod_service_account_name: "postgres-pod"
+  # role binding definition as JSON/YAML string to be used by pod service account
+  # pod_service_account_role_binding_definition: ""
+
   # Postgres pods are terminated forcefully after this timeout
   pod_terminate_grace_period: 5m
   # template for database user secrets generated by the operator

docs/user.md

@@ -359,13 +359,16 @@ stored in secrets which are created by the operator. One solution is to create
 secrets beforehand and paste in the credentials of the source cluster.
 Otherwise, you will see errors in the Postgres logs saying users cannot log in
 and the operator logs will complain about not being able to sync resources.
-This, however, can safely be ignored as it will be sorted out once the cluster
-is detached from the source (and it’s still harmless if you don’t plan to).
 
-You can also edit the secrets afterwards. Find them by:
+When you only run a standby leader, you can safely ignore this, as it will be
+sorted out once the cluster is detached from the source. It is also harmless if
+you don’t plan it. But, when you created a standby replica, too, fix the
+credentials right away. WAL files will pile up on the standby leader if no
+connection can be established between standby replica(s). You can also edit the
+secrets after their creation. Find them by:
 
 ```bash
-kubectl get secrets --all-namespaces | grep <postgres-cluster-name>
+kubectl get secrets --all-namespaces | grep <standby-cluster-name>
 ```
 
 ### Promote the standby

manifests/configmap.yaml

@@ -63,7 +63,9 @@ data:
   pod_label_wait_timeout: 10m
   pod_management_policy: "ordered_ready"
   pod_role_label: spilo-role
+  # pod_service_account_definition: ""
   pod_service_account_name: "postgres-pod"
+  # pod_service_account_role_binding_definition: ""
   pod_terminate_grace_period: 5m
   # postgres_superuser_teams: "postgres_superusers"
   # protected_role_names: "admin"

manifests/operator-service-account-rbac.yaml

@@ -64,9 +64,9 @@ rules:
   - secrets
   verbs:
   - create
-  - update
   - delete
   - get
+  - update
 # to check nodes for node readiness label
 - apiGroups:
   - ""
@@ -103,9 +103,9 @@ rules:
   - delete
   - get
   - list
-  - watch
-  - update
   - patch
+  - update
+  - watch
 # to resize the filesystem in Spilo pods when increasing volume size
 - apiGroups:
   - ""

manifests/postgres-operator.yaml

@@ -15,7 +15,7 @@ spec:
       serviceAccountName: postgres-operator
       containers:
       - name: postgres-operator
-        image: registry.opensource.zalan.do/acid/postgres-operator:v1.3.1
+        image: registry.opensource.zalan.do/acid/postgres-operator:v1.4.0
         imagePullPolicy: IfNotPresent
         resources:
           requests:

pkg/controller/controller.go

@@ -224,7 +224,7 @@ func (c *Controller) initRoleBinding() {
 
 	switch {
 	case err != nil:
-		panic(fmt.Errorf("unable to parse the definition of the role binding for the pod service account definition from the operator configuration: %v", err))
+		panic(fmt.Errorf("unable to parse the role binding definition from the operator configuration: %v", err))
 	case groupVersionKind.Kind != "RoleBinding":
 		panic(fmt.Errorf("role binding definition in the operator configuration defines another type of resource: %v", groupVersionKind.Kind))
 	default:

pkg/controller/postgresql.go

@@ -505,11 +505,11 @@ func (c *Controller) submitRBACCredentials(event ClusterEvent) error {
 	namespace := event.NewSpec.GetNamespace()
 
 	if err := c.createPodServiceAccount(namespace); err != nil {
-		return fmt.Errorf("could not create pod service account %v : %v", c.opConfig.PodServiceAccountName, err)
+		return fmt.Errorf("could not create pod service account %q : %v", c.opConfig.PodServiceAccountName, err)
 	}
 
 	if err := c.createRoleBindings(namespace); err != nil {
-		return fmt.Errorf("could not create role binding %v : %v", c.PodServiceAccountRoleBinding.Name, err)
+		return fmt.Errorf("could not create role binding %q : %v", c.PodServiceAccountRoleBinding.Name, err)
 	}
 	return nil
 }
@@ -520,16 +520,16 @@ func (c *Controller) createPodServiceAccount(namespace string) error {
 	_, err := c.KubeClient.ServiceAccounts(namespace).Get(podServiceAccountName, metav1.GetOptions{})
 	if k8sutil.ResourceNotFound(err) {
 
-		c.logger.Infof(fmt.Sprintf("creating pod service account in the namespace %v", namespace))
+		c.logger.Infof(fmt.Sprintf("creating pod service account %q in the %q namespace", podServiceAccountName, namespace))
 
 		// get a separate copy of service account
 		// to prevent a race condition when setting a namespace for many clusters
 		sa := *c.PodServiceAccount
 		if _, err = c.KubeClient.ServiceAccounts(namespace).Create(&sa); err != nil {
-			return fmt.Errorf("cannot deploy the pod service account %v defined in the config map to the %v namespace: %v", podServiceAccountName, namespace, err)
+			return fmt.Errorf("cannot deploy the pod service account %q defined in the configuration to the %q namespace: %v", podServiceAccountName, namespace, err)
 		}
 
-		c.logger.Infof("successfully deployed the pod service account %v to the %v namespace", podServiceAccountName, namespace)
+		c.logger.Infof("successfully deployed the pod service account %q to the %q namespace", podServiceAccountName, namespace)
 	} else if k8sutil.ResourceAlreadyExists(err) {
 		return nil
 	}
@@ -545,14 +545,14 @@ func (c *Controller) createRoleBindings(namespace string) error {
 	_, err := c.KubeClient.RoleBindings(namespace).Get(podServiceAccountRoleBindingName, metav1.GetOptions{})
 	if k8sutil.ResourceNotFound(err) {
 
-		c.logger.Infof("Creating the role binding %v in the namespace %v", podServiceAccountRoleBindingName, namespace)
+		c.logger.Infof("Creating the role binding %q in the %q namespace", podServiceAccountRoleBindingName, namespace)
 
 		// get a separate copy of role binding
 		// to prevent a race condition when setting a namespace for many clusters
 		rb := *c.PodServiceAccountRoleBinding
 		_, err = c.KubeClient.RoleBindings(namespace).Create(&rb)
 		if err != nil {
-			return fmt.Errorf("cannot bind the pod service account %q defined in the config map to the cluster role in the %q namespace: %v", podServiceAccountName, namespace, err)
+			return fmt.Errorf("cannot bind the pod service account %q defined in the configuration to the cluster role in the %q namespace: %v", podServiceAccountName, namespace, err)
 		}
 
 		c.logger.Infof("successfully deployed the role binding for the pod service account %q to the %q namespace", podServiceAccountName, namespace)

pkg/util/config/config.go

@@ -91,12 +91,11 @@ type Config struct {
 	Scalyr
 	LogicalBackup
 
-	WatchedNamespace string            `name:"watched_namespace"`    // special values: "*" means 'watch all namespaces', the empty string "" means 'watch a namespace where operator is deployed to'
-	EtcdHost         string            `name:"etcd_host" default:""` // special values: the empty string "" means Patroni will use K8s as a DCS
-	DockerImage      string            `name:"docker_image" default:"registry.opensource.zalan.do/acid/spilo-12:1.6-p2"`
-	Sidecars         map[string]string `name:"sidecar_docker_images"`
-	// default name `operator` enables backward compatibility with the older ServiceAccountName field
-	PodServiceAccountName string `name:"pod_service_account_name" default:"postgres-pod"`
+	WatchedNamespace      string            `name:"watched_namespace"`    // special values: "*" means 'watch all namespaces', the empty string "" means 'watch a namespace where operator is deployed to'
+	EtcdHost              string            `name:"etcd_host" default:""` // special values: the empty string "" means Patroni will use K8s as a DCS
+	DockerImage           string            `name:"docker_image" default:"registry.opensource.zalan.do/acid/spilo-12:1.6-p2"`
+	Sidecars              map[string]string `name:"sidecar_docker_images"`
+	PodServiceAccountName string            `name:"pod_service_account_name" default:"postgres-pod"`
 	// value of this string must be valid JSON or YAML; see initPodServiceAccount
 	PodServiceAccountDefinition            string            `name:"pod_service_account_definition" default:""`
 	PodServiceAccountRoleBindingDefinition string            `name:"pod_service_account_role_binding_definition" default:""`