Support Operator to Add/delete User for PostgreSQL database

[buhongw7583c]

Closes #1056

What this PR does / why we need it:
Support the function to add users with specific roles to Postgresql database.
--Be able to add a user with a predefined roles and delete the user.
-- Able to delete a user under the postgresql database.

Special notes for your reviewer:
The Azure Database for PostgreSQL server is created with the 3 default roles defined.

--azure_pg_admin
--azure_superuser
--your server admin user

The server admin user account can be used to create additional users and grant those users into the azure_pg_admin role.
Also, the server admin account can be used to create less privileged users and roles that have access to individual databases and schemas but this function is not included in this PR.

To verify the PR:
--Use the config/samples/azure_v1alpha1_postgresql_everything.yaml to config pgresql server, database and firewallrule. Ensure at least your local client has the access to azure.
-- Apply the sample file config/samples/azure_v1alpha1_postgresqluser.yaml to add a user with a predefined role.
Use any tool to connect the postgresqlServer (e.g. pgadmin). The default server admin password could be derived from kubectl get secret -o yaml. By default the secret name is the pgresqlserver name.

-- Delete the newly added user by kubect delete postgresqluser <metatdata name> . Note the username is the metadata name applied when adding the pgresql user but not the actual pgresql user name.
From the pgadmin tool, the user has been deleted.

How does this PR make you feel:

If applicable:

• this PR contains documentation
• this PR contains tests

[melonrush13]

Hi Hong! I think we are missing a few files for adding a new operator. Kubebuilder generates these files for us so we don't have to manually create them!

Here is our documentation for creating a new operator with kubebuilder.

Here are the files we need to declare the PostgreSQLUser in from KubeBuilder:

• PROJECT
• Config/crd/kustomization.yaml
• Config/crd/patches/webhook_in_postgresqluser
• Config/rbac/postgresqluser_editor_role.yaml
• Conifg/rbac/postgresqluser_viewer_role.yaml

In step 12 of the documentation I mentioned above, we update the helm chart to include the new operator (PostgreSqlUser). We also need these two files as well

• charts/azure-service-operator-0.1.0.tgz
• charts/index.yaml

[melonrush13]

We also need to add the following inside the controller files:

• new file for postgresql user test (i.e. controller/postgresqluser_controller_test.go)
• declaration of postgresqluser in controllers/suite_test.go (declare like you declared in main.go)

[melonrush13]

Hi Hong!

I tested the Happy Path and it worked! Successfully created a user on top of the database, as well as deleting successfully! I tested this out by commenting out our optional fields of adminsecret, adminsecretkeyvault and username.

I am requesting changes so we can address the missing files from KubeBuilder, add tests in the controller, and address the following edge case I ran into.

If we create a PostgreSqlUser with a improperly connected IP address, we run into the following zapperr in the reconciler. It continues to loop with the following message.

"}, "reason": "FailedReconcile", "message": "Failed to reconcile resource: 1 error occurred:\n\t* pq: no pg_hba.conf entry for host \"73.181.19.189\", user \"yc5jvKen\", database \"postgresqldatabase-sample-m\", SSL on\n\n"}
2020-05-27T16:38:44.958-0600	ERROR	controller-runtime.controller	Reconciler error	{"controller": "postgresqluser", "request": "default/psqluser-sample-meltwo", "error": "1 error occurred:\n\t* pq: no pg_hba.conf entry for host \"73.181.19.189\", user \"yc5jvKen\", database \"postgresqldatabase-sample-m\", SSL on\n\n"}
github.com/go-logr/zapr.(*zapLogger).Error

I tested this out in AzureSqlUser to see if we would have the same behavior, and it does not have this zaperr in the reconcile. Here are the two status messages for comparison:

PostgreSqlUser:
psqluser-sample-meltwo pq: no pg_hba.conf entry for host "73.181.19.189", user "yc5jvKen", database "postgresqldatabase-sample-m", SSL on

AzureSqlUser
sqluser-sample Login error: mssql: Cannot open server 'sqlservermeltest' requested by the login. Client with IP address '73.181.19.189' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.

We should try to handle this err in the reconciler somehow

Let me know if this makes sense or not! Thanks!

[buhongw7583c]

Hi Hong! I think we are missing a few files for adding a new operator. Kubebuilder generates these files for us so we don't have to manually create them!

Here is our documentation for creating a new operator with kubebuilder.

Here are the files we need to declare the PostgreSQLUser in from KubeBuilder:

• PROJECT
• Config/crd/kustomization.yaml
• Config/crd/patches/webhook_in_postgresqluser
• Config/rbac/postgresqluser_editor_role.yaml
• Conifg/rbac/postgresqluser_viewer_role.yaml

In step 12 of the documentation I mentioned above, we update the helm chart to include the new operator (PostgreSqlUser). We also need these two files as well

• charts/azure-service-operator-0.1.0.tgz
• charts/index.yaml

@melonrush13 Mel, thanks so much for the great comments! I do missed several important files and the document mentioned is definitely a great help!

All the comments and suggestions have been addressed and just one left:
for the postgresqluser_editor_role.yaml and postgresqluser_viewer_role.yaml suggested to add under rbac folder, i checked the folder and not all the controllers have corresponding **_editor_role.yaml or **_viewer_role.yaml. Are they generated by commands or manually added? How to decide which verbs to support? Very much appreciate your careful checking on my PR and bring so many valuable comments!

[buhongw7583c]

Hi Hong!

I tested the Happy Path and it worked! Successfully created a user on top of the database, as well as deleting successfully! I tested this out by commenting out our optional fields of adminsecret, adminsecretkeyvault and username.

I am requesting changes so we can address the missing files from KubeBuilder, add tests in the controller, and address the following edge case I ran into.

If we create a PostgreSqlUser with a improperly connected IP address, we run into the following zapperr in the reconciler. It continues to loop with the following message.

"}, "reason": "FailedReconcile", "message": "Failed to reconcile resource: 1 error occurred:\n\t* pq: no pg_hba.conf entry for host \"73.181.19.189\", user \"yc5jvKen\", database \"postgresqldatabase-sample-m\", SSL on\n\n"}
2020-05-27T16:38:44.958-0600	ERROR	controller-runtime.controller	Reconciler error	{"controller": "postgresqluser", "request": "default/psqluser-sample-meltwo", "error": "1 error occurred:\n\t* pq: no pg_hba.conf entry for host \"73.181.19.189\", user \"yc5jvKen\", database \"postgresqldatabase-sample-m\", SSL on\n\n"}
github.com/go-logr/zapr.(*zapLogger).Error

I tested this out in AzureSqlUser to see if we would have the same behavior, and it does not have this zaperr in the reconcile. Here are the two status messages for comparison:

PostgreSqlUser:
psqluser-sample-meltwo pq: no pg_hba.conf entry for host "73.181.19.189", user "yc5jvKen", database "postgresqldatabase-sample-m", SSL on

AzureSqlUser
sqluser-sample Login error: mssql: Cannot open server 'sqlservermeltest' requested by the login. Client with IP address '73.181.19.189' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.

We should try to handle this err in the reconciler somehow

Let me know if this makes sense or not! Thanks!

@melonrush13 Mel, sure it makes sense! I did encounter the similar issue during my test but somehow it slipped from my mind and forgot to add handlings. Now the error could be caught up and wont produce the zapperr. But the error message returned from the sdk was quite confusing and indeed it indicate that your client IP address is not permitted to access, therefore I added more information in the returned message.

[melonrush13]

Hi Hong! I think we are missing a few files for adding a new operator. Kubebuilder generates these files for us so we don't have to manually create them!
Here is our documentation for creating a new operator with kubebuilder.
Here are the files we need to declare the PostgreSQLUser in from KubeBuilder:

• PROJECT
• Config/crd/kustomization.yaml
• Config/crd/patches/webhook_in_postgresqluser
• Config/rbac/postgresqluser_editor_role.yaml
• Conifg/rbac/postgresqluser_viewer_role.yaml

In step 12 of the documentation I mentioned above, we update the helm chart to include the new operator (PostgreSqlUser). We also need these two files as well

• charts/azure-service-operator-0.1.0.tgz
• charts/index.yaml

@melonrush13 Mel, thanks so much for the great comments! I do missed several important files and the document mentioned is definitely a great help!

All the comments and suggestions have been addressed and just one left:
for the postgresqluser_editor_role.yaml and postgresqluser_viewer_role.yaml suggested to add under rbac folder, i checked the folder and not all the controllers have corresponding **_editor_role.yaml or **_viewer_role.yaml. Are they generated by commands or manually added? How to decide which verbs to support? Very much appreciate your careful checking on my PR and bring so many valuable comments!

Hi Hong! So these two rbac files are generated by KubeBuilder when you do the
kubebuilder create api --group azure --version v1alpha1 --kind <AzureNewType> command.

Also, we began discussing this on Teams as Janani also noticed not every controller has these rbac files like you mentioned. We think this might be a difference in kubebuilder versions. Currently if you create a new operator with the latest version of kubebuilder, it will create these rbac files.

When you created the operator with Kubebuilder did it generate these files for you?

[melonrush13]

Awesome! Thanks for all your work on this one, Hong!

• Was able to successfully create the user/delete the user
• Create successfully with keyvault set from adminSecret/adminSecretKeyVault
• Create successfully with keyVaultToStoreSecrets

Looks good to me. :) Passing on to an approved reviewer so we can get merged and another set of eyes!

@frodopwns @jananivMS

[melonrush13]

Also one other thing, @buhongw7583c , we should update the docs here to account for this new operator. Feel free to address this in another PR if you like (same comment for MySql, too!)

[frodopwns]

we should consider putting a conn string in the secret too

[frodopwns]

few things I think we should look at before merge

[frodopwns]

We should remove the concept of custom secret formatting. It probably should not have been included in AzureSQLUser and is in need of some work (some is already done in a PR that is awaiting review)

[buhongw7583c]

I only left this comment to confirm with you since the code change is big. if we remove the custom secret formating, so we would not allow user to use keyVaultSecretPrefix but we still allow customer to use keyvault to store the secret, right?

[frodopwns]

This isn't going to work. The operator should have no concept of what type of secret store is being used. This is a problem in AzureSQL User too and that is why there is a PR out to refactor it.

I think we might be able to remove the prefix idea from this operator.

[buhongw7583c]

same question: we would remove both the keyVaultToStoreSecrets and keyVaultSecretPrefix?

[frodopwns]

I'd like to drop all this secret formatting stuff. There is a PR to refactor it in AzureSQL and I don't want to introduce this feature until its fixed and/or required by a user.

[frodopwns]

lgtm once tests pass we should be able to merge this