Skip to content

fix: propagate role removal to postgres cluster when databases are removed from postgres database spec#1816

Open
mploski wants to merge 1 commit intofeature/database-controllersfrom
fix/postgres-controller-roles-removal
Open

fix: propagate role removal to postgres cluster when databases are removed from postgres database spec#1816
mploski wants to merge 1 commit intofeature/database-controllersfrom
fix/postgres-controller-roles-removal

Conversation

@mploski
Copy link
Copy Markdown
Collaborator

@mploski mploski commented Apr 3, 2026

Description

Fixes a bug where removing a database from postgres database CR spec.databases (or deleting the CR with DeletionPolicy: Delete) did not cause the corresponding PostgreSQL roles to be dropped in postgres cluster. postgres cluster only drops a role from cnpg when it receives Exists: false in the cluster spec — previously, removed roles were never marked absent but silently wiped out

Key Changes

  • api/v4/postgrescluster_types.go — removed omitempty from ManagedRole.Exists
  • pkg/postgresql/database/core/database.go:
    • cleanupManagedRoles now sends retained + deleted roles together in one SSA patch
  • internal/controller/postgresdatabase_controller_test.go — added integration test for DB removal while CR stays alive;
    extracted expectManagedRoleExists helper used across both role lifecycle tests

Testing and Verification

Added unit and integration tests. All green

Related Issues

Jira tickets, GitHub issues, Support tickets...

PR Checklist

  • Code changes adhere to the project's coding standards.
  • Relevant unit and integration tests are included.
  • Documentation has been updated accordingly.
  • All tests pass locally.
  • The PR description follows the project's guidelines.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contribution License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment with the exact sentence copied from below.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request

@mploski mploski force-pushed the fix/postgres-controller-roles-removal branch from 5618891 to e725c53 Compare April 3, 2026 14:58
patrykw-splunk
patrykw-splunk reviewed Apr 3, 2026
View reviewed changes
api/v4/postgrescluster_types.go
// +kubebuilder:default=true
// +optional
Exists bool `json:"exists,omitempty"`
Exists bool `json:"exists"`
Copy link
Copy Markdown
Collaborator

@patrykw-splunk patrykw-splunk Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if it's optional it should have omitempty and should be a pointer type

Copy link
Copy Markdown

@M4KIF M4KIF Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

btw. is "exists" tag our custom or added by k8s api?

Copy link
Copy Markdown
Collaborator Author

@mploski mploski Apr 7, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not optional anymore, need to remove optional flag - optionality causing problems with SSA if not set properly. @M4KIF this is our attribute so we know if we should add or remove provided role

M4KIF
M4KIF reviewed Apr 7, 2026
View reviewed changes
internal/controller/postgresdatabase_controller_test.go
updatedCluster := &enterprisev4.PostgresCluster{}
Expect(k8sClient.Get(ctx, types.NamespacedName{Name: clusterName, Namespace: namespace}, updatedCluster)).To(Succeed())

expectManagedRoleExists(updatedCluster, "keepdb_admin", true)
Copy link
Copy Markdown

@M4KIF M4KIF Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here, and at line 530-533 the values could get packed into constants at the top of the file, so they are easy to change and read. Ie. those permisions are quite verbose, but by doing them with constants they can carry more meaning and less manual string pasting.

Copy link
Copy Markdown
Collaborator Author

@mploski mploski Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good point, lets do this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@M4KIF M4KIF M4KIF left review comments

@patrykw-splunk patrykw-splunk patrykw-splunk left review comments

@limak9182 limak9182 limak9182 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mploski @limak9182 @M4KIF @patrykw-splunk