movetokube · tkcontiant · Aug 29, 2025 · Sep 10, 2025 · Sep 10, 2025 · Sep 10, 2025
diff --git a/.gitignore b/.gitignore
@@ -36,3 +36,7 @@ kubeconfig
 
 .gomodcache
 .gocache
+
+# helm template output temporary files
+/**/out
+out
diff --git a/charts/ext-postgres-operator/Chart.yaml b/charts/ext-postgres-operator/Chart.yaml
@@ -8,5 +8,5 @@ description: |
 
 type: application
 
-version: 2.2.0
-appVersion: "2.0.0"
+version: 2.3.0
+appVersion: "2.4.0"
diff --git a/charts/ext-postgres-operator/templates/operator.yaml b/charts/ext-postgres-operator/templates/operator.yaml
@@ -44,6 +44,10 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: metrics
+              containerPort: 8080
+              protocol: "TCP"
           envFrom:
             - secretRef:
                 {{- if .Values.existingSecret }}

diff --git a/charts/ext-postgres-operator/templates/pod-monitor.yaml b/charts/ext-postgres-operator/templates/pod-monitor.yaml
@@ -0,0 +1,32 @@
+{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") ( .Values.podMonitor.enabled ) }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  annotations:
+    {{- with .Values.podMonitor.additionalAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+    {{- with .Values.podMonitor.additonalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "chart.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  podMetricsEndpoints:
+  - interval: {{ .Values.podMonitor.interval | default "30s" }}
+    scrapeTimeout: {{ .Values.podMonitor.scrapeTimeout | default "10s" }}
+    path: /metrics
+    port: metrics
+    {{- if .Values.podMonitor.relabelings }}
+    relabelings:
+      {{- tpl (toYaml .Values.podMonitor.relabelings) . | nindent 6 }}
+    {{- end }}
+  selector:
+    matchLabels:
+      {{- include "chart.selectorLabels" . | nindent 6 }}
+{{- end -}}
diff --git a/charts/ext-postgres-operator/templates/role.yaml b/charts/ext-postgres-operator/templates/role.yaml
@@ -18,11 +18,31 @@ rules:
     resources:
       - pods
     verbs:
-      - "get"
+      - get
   - apiGroups:
-      - "apps"
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - apps
     resources:
       - replicasets
       - deployments
     verbs:
-      - "get"
+      - get
diff --git a/charts/ext-postgres-operator/values.yaml b/charts/ext-postgres-operator/values.yaml
@@ -79,7 +79,7 @@ watchNamespace: ""
 # Define connection to postgres database server
 postgres:
   # postgres hostname
-  host: "localhost"
+  host: "localhost:5432"
   # postgres admin user and password ( ignored if existingSecret or ExternalSecret is set )
   user: "admin"
   password: "password"
@@ -114,6 +114,20 @@ env: {}
   # POSTGRES_INSTANCE: "XXXXXXXXXX"
   # POSTGRES_CLOUD_PROVIDER: "AWS"
 
+# podMonitor is a custom resource used by the Prometheus-Operator and others
+podMonitor:
+  enabled: false
+  interval: 30s
+  scrapeTimeout: 10s
+  relabeling: []
+    # - targetLabel: app
+    #   replacement: '{{ include "chart.name" . }}'
+  additonalLabels: {}
+    # e.g. release label of the prometheus operator
+    # release: prometheus-operator
+  additionalAnnotations: {}
+    # e.g. {}
+
 nodeSelector: {}
 
 tolerations: []
diff --git a/cmd/main.go b/cmd/main.go
@@ -47,15 +47,15 @@ func main() {
 	var secureMetrics bool
 	var enableHTTP2 bool
 	var tlsOpts []func(*tls.Config)
-	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metrics endpoint binds to. "+
 		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+	flag.BoolVar(&enableLeaderElection, "leader-elect", true,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
-	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+	flag.BoolVar(&secureMetrics, "metrics-secure", false,
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
-	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+	flag.BoolVar(&enableHTTP2, "enable-http2", true,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
 		Development: true,

diff --git a/config/manager/operator.yaml b/config/manager/operator.yaml
@@ -19,6 +19,10 @@ spec:
         - name: ext-postgres-operator
           image: movetokube/postgres-operator:2.0.0
           imagePullPolicy: Always
+          ports:
+            - name: metrics
+              containerPort: 8080
+              protocol: "TCP"
           envFrom:
             - secretRef:
                 name: ext-postgres-operator

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -9,6 +9,7 @@ rules:
       - configmaps
       - secrets
       - services
+      - events
     verbs:
       - "*"
   - apiGroups:
@@ -17,6 +18,18 @@ rules:
       - pods
     verbs:
       - "get"
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
   - apiGroups:
       - "apps"
     resources:

diff --git a/internal/controller/postgres_controller.go b/internal/controller/postgres_controller.go
@@ -168,6 +168,27 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		instance.Status.Roles.Writer = writer
 		instance.Status.Succeeded = true
 	}
+
+	desiredOwner := instance.Spec.MasterRole
+	// If no owner was specified, use default owner name
+	if desiredOwner == "" {
+		desiredOwner = fmt.Sprintf("%s-group", instance.Spec.Database)
+	}
+	// rename owner role if instance.Spec.MasterRole was changed
+	ownerChanged := instance.Status.Roles.Owner != "" && instance.Status.Roles.Owner != desiredOwner
+	if ownerChanged {
+		err = r.pg.RenameGroupRole(instance.Status.Roles.Owner, desiredOwner)
+		if err != nil {
+			return requeue(errors.NewInternalError(err))
+		}
+		// Alter database owner if the owner role was changed
+		err = r.pg.AlterDatabaseOwner(instance.Spec.Database, instance.Status.Roles.Owner)
+		if err != nil {
+			return requeue(errors.NewInternalError(err))
+		}
+		instance.Status.Roles.Owner = desiredOwner
+	}
+
 	// create extensions
 	for _, extension := range instance.Spec.Extensions {
 		// Check if extension is already added. Skip if already is added.
@@ -184,12 +205,17 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 	}
 	// create schemas
 	var (
-		database    = instance.Spec.Database
-		owner       = instance.Status.Roles.Owner
-		reader      = instance.Status.Roles.Reader
-		writer      = instance.Status.Roles.Writer
-		readerPrivs = "SELECT"
-		writerPrivs = "SELECT,INSERT,DELETE,UPDATE"
+		database            = instance.Spec.Database
+		owner               = instance.Status.Roles.Owner
+		reader              = instance.Status.Roles.Reader
+		writer              = instance.Status.Roles.Writer
+		readerPrivs         = "SELECT"
+		writerPrivs         = "SELECT,INSERT,DELETE,UPDATE"
+		writerSequencePrivs = "USAGE,SELECT"
+		writerFunctionPrivs = "EXECUTE"
+		ownerPrivs          = "ALL"
+		ownerFunctionPrivs  = "ALL"
+		ownerSequencePrivs  = "ALL"
 	)
 	for _, schema := range instance.Spec.Schemas {
 		// Schema was previously created
@@ -203,6 +229,11 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 			reqLogger.Error(err, fmt.Sprintf("Could not create schema %s", schema))
 			continue
 		}
+		instance.Status.Schemas = append(instance.Status.Schemas, schema)
+	}
+
+	// Set privileges on schemas during every reconcile to ensure privileges are correct
+	for _, schema := range instance.Spec.Schemas {
 
 		// Set privileges on schema
 		schemaPrivilegesReader := postgres.PostgresSchemaPrivileges{
@@ -218,32 +249,35 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 			continue
 		}
 		schemaPrivilegesWriter := postgres.PostgresSchemaPrivileges{
-			DB:           database,
-			Role:         writer,
-			Schema:       schema,
-			Privs:        writerPrivs,
-			CreateSchema: true,
+			DB:            database,
+			Role:          writer,
+			Schema:        schema,
+			Privs:         writerPrivs,
+			SequencePrivs: writerSequencePrivs,
+			FunctionPrivs: writerFunctionPrivs,
+			CreateSchema:  true,
 		}
 		err = r.pg.SetSchemaPrivileges(schemaPrivilegesWriter, reqLogger)
 		if err != nil {
-			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", writer, writerPrivs))
+			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\", sequence privileges \"%s\", and function privileges \"%s\"", writer, writerPrivs, writerSequencePrivs, writerFunctionPrivs))
 			continue
 		}
 		schemaPrivilegesOwner := postgres.PostgresSchemaPrivileges{
-			DB:           database,
-			Role:         owner,
-			Schema:       schema,
-			Privs:        writerPrivs,
-			CreateSchema: true,
+			DB:            database,
+			Role:          owner,
+			Schema:        schema,
+			Privs:         ownerPrivs,
+			SequencePrivs: ownerSequencePrivs,
+			FunctionPrivs: ownerFunctionPrivs,
+			CreateSchema:  true,
 		}
 		err = r.pg.SetSchemaPrivileges(schemaPrivilegesOwner, reqLogger)
 		if err != nil {
-			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", writer, writerPrivs))
+			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\", sequence privileges \"%s\", and function privileges \"%s\"", owner, ownerPrivs, ownerSequencePrivs, ownerFunctionPrivs))
 			continue
 		}
-
-		instance.Status.Schemas = append(instance.Status.Schemas, schema)
 	}
+
 	err = r.Status().Patch(ctx, instance, client.MergeFrom(before))
 	if err != nil {
 		return requeue(err)

diff --git a/internal/controller/postgres_controller_test.go b/internal/controller/postgres_controller_test.go
@@ -71,6 +71,8 @@ var _ = Describe("PostgresReconciler", func() {
 		// Gomock
 		mockCtrl = gomock.NewController(GinkgoT())
 		pg = mockpg.NewMockPG(mockCtrl)
+		pg.EXPECT().AlterDatabaseOwner(gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
+		pg.EXPECT().ReassignDatabaseOwner(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
 		cl = k8sClient
 		// Create runtime scheme
 		sc = scheme.Scheme
@@ -684,10 +686,10 @@ var _ = Describe("PostgresReconciler", func() {
 					// Expected method calls
 					// customers schema
 					pg.EXPECT().CreateSchema(name, name+"-group", "customers", gomock.Any()).Return(nil).Times(1)
-					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).Times(3)
+					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
 					// stores schema
 					pg.EXPECT().CreateSchema(name, name+"-group", "stores", gomock.Any()).Return(nil).Times(1)
-					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).Times(3)
+					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
 				})
 
 				It("should update status", func() {
@@ -708,10 +710,10 @@ var _ = Describe("PostgresReconciler", func() {
 					// Expected method calls
 					// customers schema errors
 					pg.EXPECT().CreateSchema(name, name+"-group", "customers", gomock.Any()).Return(fmt.Errorf("Could not create schema")).Times(1)
-					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).Times(0)
+					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
 					// stores schema
 					pg.EXPECT().CreateSchema(name, name+"-group", "stores", gomock.Any()).Return(nil).Times(1)
-					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).Times(3)
+					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
 				})
 
 				It("should update status", func() {
@@ -743,10 +745,9 @@ var _ = Describe("PostgresReconciler", func() {
 				It("should not recreate existing schema", func() {
 					// customers schema
 					pg.EXPECT().CreateSchema(name, name+"-group", "customers", gomock.Any()).Return(nil).Times(1)
-					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).Times(3)
+					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
 					// stores schema already exists
 					pg.EXPECT().CreateSchema(name, name+"-group", "stores", gomock.Any()).Times(0)
-					pg.EXPECT().SetSchemaPrivileges(gomock.Any(), gomock.Any()).Return(nil).Times(0)
 					// Call reconcile
 					err := runReconcile(rp, ctx, req)
 					Expect(err).NotTo(HaveOccurred())