fix: tests after review

Author: tkcontiant

charts/ext-postgres-operator/Chart.yaml

@@ -9,4 +9,4 @@ description: |
 type: application
 
 version: 2.3.0
-appVersion: "2.2.0"
+appVersion: "2.4.0"

charts/ext-postgres-operator/templates/clusterrole.yaml

@@ -11,6 +11,8 @@ rules:
       - secrets
     verbs:
       - "*"
+  - apiGroups:
+      - apps
     resourceNames:
       - ext-postgres-operator
     resources:

config/rbac/cluster_role.yaml

@@ -9,6 +9,8 @@ rules:
       - secrets
     verbs:
       - "*"
+  - apiGroups:
+      - apps
     resourceNames:
       - ext-postgres-operator
     resources:

internal/controller/postgres_controller_test.go

@@ -73,7 +73,6 @@ var _ = Describe("PostgresReconciler", func() {
 		pg = mockpg.NewMockPG(mockCtrl)
 		pg.EXPECT().AlterDatabaseOwner(gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
 		pg.EXPECT().ReassignDatabaseOwner(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
-		pg.EXPECT().ReassignDatabaseOwner(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
 		cl = k8sClient
 		// Create runtime scheme
 		sc = scheme.Scheme

internal/controller/postgresuser_controller.go

@@ -203,89 +203,7 @@ func (r *PostgresUserReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		}
 	} else if awsIamRequested {
 		reqLogger.WithValues("role", role).Info("IAM Auth requested while we are not running with AWS cloud provider config")
-	// Reconcile logic for changes in group membership
-	// This is only applicable if user role is already created
-	// and privileges are changed in spec
-	if instance.Status.PostgresRole != "" {
-
-		// We need to get the Postgres CR to get the group role name
-		database, err := r.getPostgresCR(ctx, instance)
-		if err != nil {
-			return r.requeue(ctx, instance, errors.NewInternalError(err))
-		}
-
-		// Determine desired group role
-		var desiredGroup string
-		switch instance.Spec.Privileges {
-		case "READ":
-			desiredGroup = database.Status.Roles.Reader
-		case "WRITE":
-			desiredGroup = database.Status.Roles.Writer
-		default:
-			desiredGroup = database.Status.Roles.Owner
-		}
-
-		// Ability user to be reassigned to another group role
-		currentGroup := instance.Status.PostgresGroup
-		if desiredGroup != "" && currentGroup != desiredGroup {
-
-			// Remove the old group membership if present
-			if currentGroup != "" {
-				err = r.pg.RevokeRole(currentGroup, role)
-				if err != nil {
-					return r.requeue(ctx, instance, errors.NewInternalError(err))
-				}
-			}
-
-			// Grant the new group role
-			err = r.pg.GrantRole(desiredGroup, role)
-			if err != nil {
-				return r.requeue(ctx, instance, errors.NewInternalError(err))
-			}
-
-			// Ensure objects created by the user are owned by the new group
-			err = r.pg.AlterDefaultLoginRole(role, desiredGroup)
-			if err != nil {
-				return r.requeue(ctx, instance, errors.NewInternalError(err))
-			}
-
-			instance.Status.PostgresGroup = desiredGroup
-			err = r.Status().Update(ctx, instance)
-			if err != nil {
-				return r.requeue(ctx, instance, err)
-			}
-		}
-	} else {
-		role = instance.Status.PostgresRole
-		login = instance.Status.PostgresLogin
-	awsConfig := instance.Spec.AWS
-	awsIamRequested := awsConfig != nil && awsConfig.EnableIamAuth
-
-	if r.cloudProvider == "AWS" {
-		if awsIamRequested && !instance.Status.EnableIamAuth {
-			if err := r.pg.GrantRole("rds_iam", role); err != nil {
-				reqLogger.WithValues("role", role).Error(err, "failed to grant rds_iam role")
-			} else {
-				instance.Status.EnableIamAuth = true
-				if sErr := r.Status().Update(ctx, instance); sErr != nil {
-					reqLogger.WithValues("role", role).Error(sErr, "failed to update status after IAM grant")
-				}
-			}
-		}
-
-		// Revoke aws_iam role on transition: spec=false, status=true
-		if !awsIamRequested && instance.Status.EnableIamAuth {
-			if err := r.pg.RevokeRole("rds_iam", role); err != nil {
-				reqLogger.WithValues("role", role).Error(err, "failed to revoke rds_iam role")
-			} else {
-				instance.Status.EnableIamAuth = false
-				if sErr := r.Status().Update(ctx, instance); sErr != nil {
-					reqLogger.WithValues("role", role).Error(sErr, "failed to update status after IAM revoke")
-				}
-			}
-		}
-	} else if awsIamRequested {
-		reqLogger.WithValues("role", role).Info("IAM Auth requested while we are not running with AWS cloud provider config")
+	}
 
 	// Reconcile logic for changes in group membership
 	// This is only applicable if user role is already created
@@ -309,32 +227,29 @@ func (r *PostgresUserReconciler) Reconcile(ctx context.Context, req ctrl.Request
 			desiredGroup = database.Status.Roles.Owner
 		}
 
+		// Ability user to be reassigned to another group role
 		currentGroup := instance.Status.PostgresGroup
 		if desiredGroup != "" && currentGroup != desiredGroup {
 
 			// Remove the old group membership if present
 			if currentGroup != "" {
-				err = r.pg.RevokeRole(currentGroup, role)
-				if err != nil {
+				if err := r.pg.RevokeRole(currentGroup, role); err != nil {
 					return r.requeue(ctx, instance, errors.NewInternalError(err))
 				}
 			}
 
 			// Grant the new group role
-			err = r.pg.GrantRole(desiredGroup, role)
-			if err != nil {
+			if err := r.pg.GrantRole(desiredGroup, role); err != nil {
 				return r.requeue(ctx, instance, errors.NewInternalError(err))
 			}
 
 			// Ensure objects created by the user are owned by the new group
-			err = r.pg.AlterDefaultLoginRole(role, desiredGroup)
-			if err != nil {
+			if err := r.pg.AlterDefaultLoginRole(role, desiredGroup); err != nil {
 				return r.requeue(ctx, instance, errors.NewInternalError(err))
 			}
 
 			instance.Status.PostgresGroup = desiredGroup
-			err = r.Status().Update(ctx, instance)
-			if err != nil {
+			if err := r.Status().Update(ctx, instance); err != nil {
 				return r.requeue(ctx, instance, err)
 			}
 		}

pkg/postgres/aws.go

@@ -78,11 +78,3 @@ func (c *awspg) DropRole(role, newOwner, database string, logger logr.Logger) er
 
 	return c.pg.DropRole(role, newOwner, database, logger)
 }
-
-func (c *awspg) AlterDatabaseOwner(dbName, owner string) error {
-	return c.pg.AlterDatabaseOwner(dbName, owner)
-}
-
-func (c *awspg) ReassignDatabaseOwner(dbName, currentOwner, newOwner string, logger logr.Logger) error {
-	return c.pg.ReassignDatabaseOwner(dbName, currentOwner, newOwner, logger)
-}

pkg/postgres/azure.go

@@ -48,11 +48,3 @@ func (azpg *azurepg) DropRole(role, newOwner, database string, logger logr.Logge
 	// Delegate to parent implementation to perform the actual drop
 	return azpg.pg.DropRole(role, newOwner, database, logger)
 }
-
-func (azpg *azurepg) AlterDatabaseOwner(dbName, owner string) error {
-	return azpg.pg.AlterDatabaseOwner(dbName, owner)
-}
-
-func (azpg *azurepg) ReassignDatabaseOwner(dbName, currentOwner, newOwner string, logger logr.Logger) error {
-	return azpg.pg.ReassignDatabaseOwner(dbName, currentOwner, newOwner, logger)
-}

pkg/postgres/gcp.go

@@ -83,11 +83,3 @@ func (c *gcppg) DropRole(role, newOwner, database string, logger logr.Logger) er
 	}
 	return nil
 }
-
-func (c *gcppg) AlterDatabaseOwner(dbName, owner string) error {
-	return c.pg.AlterDatabaseOwner(dbName, owner)
-}
-
-func (c *gcppg) ReassignDatabaseOwner(dbName, currentOwner, newOwner string, logger logr.Logger) error {
-	return c.pg.ReassignDatabaseOwner(dbName, currentOwner, newOwner, logger)
-}