feat: support PG4K namespace-restricted installation (#140)

Signed-off-by: Leonardo Cecchi <[email protected]> Signed-off-by: Jaime Silvela <[email protected]> Signed-off-by: Jonathan Gonzalez V <[email protected]> Co-authored-by: Jaime Silvela <[email protected]> Co-authored-by: Jonathan Gonzalez V <[email protected]>
EnterpriseDB · Apr 9, 2024 · f0c02ad · f0c02ad
1 parent 6dfb29d
commit f0c02ad
Show file tree

Hide file tree

Showing 8 changed files with 475 additions and 334 deletions.
diff --git a/.github/workflows/continuous-delivery.yml b/.github/workflows/continuous-delivery.yml
@@ -102,3 +102,42 @@ jobs:
           kubectl wait --timeout=5m --for=jsonpath='{.status.phase}'="$PHASE" pgdgroups/region-a
           kubectl wait --timeout=5m --for=jsonpath='{.status.phase}'="$PHASE" pgdgroups/region-b
           kubectl wait --timeout=5m --for=jsonpath='{.status.phase}'="$PHASE" pgdgroups/region-c
+
+  deploy-ep4k-single-namespace:
+    runs-on: ubuntu-22.04
+    needs:
+      - change-triage
+    if: needs.change-triage.outputs.ep4k-changed == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/[email protected]
+        with:
+          version: v3.11.3
+
+      - name: Create kind cluster
+        uses: helm/[email protected]
+
+      - name: Deploy in single-namespace mode using helm chart
+        run: |
+          helm upgrade --install edb-pg4k --namespace single-install \
+          --set config.clusterWide=false \
+          --create-namespace charts/edb-postgres-for-kubernetes --wait
+      - name: Install kubectl
+        uses: azure/[email protected]
+
+      - name: Deploy a cluster in the watched namespace
+        run: |
+          kubectl -n single-install apply -f hack/samples/ep4k-cluster.yaml
+          PHASE="Cluster in healthy state"
+          kubectl -n single-install wait --timeout=5m --for=jsonpath='{.status.phase}'="$PHASE" clusters/cluster-example
+
+      - name: Ignore deploying a cluster in another namespace
+        run: |
+          kubectl create ns test-ignore
+          kubectl -n test-ignore apply -f hack/samples/ep4k-cluster.yaml
+          kubectl -n test-ignore get pods 2>&1 >/dev/null | grep 'No resources found'
diff --git a/README.md b/README.md
@@ -42,6 +42,30 @@ edb-pg4k-edb-postgres-for-kubernetes   1/1     1            1           11s
 Once it is ready, you can verify that you can deploy the sample cluster
 suggested by the helm chart.
 
+### Single namespace installation
+
+It is possible to limit the operator's capabilities to solely the namespace in
+which it has been installed. With this restriction, the cluster-level
+permissions required by the operator will be substantially reduced, and
+the security profile of the installation will be enhanced.
+
+You can install the operator in single-namespace mode by setting the
+`config.clusterWide` flag to false, as in the following example:
+
+```console
+helm upgrade --install edb-pg4k \
+  --namespace postgresql-operator-system \
+  --create-namespace \
+  --set config.clusterWide=false \
+  edb/edb-postgres-for-kubernetes
+```
+
+**IMPORTANT**: the single-namespace installation mode can't coexist
+with the cluster-wide operator. Otherwise there would be collisions when
+managing the resources in the namespace watched by the single-namespace
+operator.
+It is up to the user to ensure there is no collision between operators.
+
 ### Deploying EDB Postgres for Kubernetes (PG4K) operator from EDB's private registry
 
 By default, PG4K will be deployed using [images publicly hosted on Quay.io](https://quay.io/repository/enterprisedb/cloud-native-postgresql),

diff --git a/charts/edb-postgres-for-kubernetes/templates/NOTES.txt b/charts/edb-postgres-for-kubernetes/templates/NOTES.txt
@@ -1,18 +1,21 @@
 
 EDB Postgres for Kubernetes Operator should be installed in namespace "{{ .Release.Namespace }}".
-You can now create a PostgreSQL cluster with 3 nodes in the current namespace as follows:
+You can now create a PostgreSQL cluster with 3 nodes as follows:
 
 cat <<EOF | kubectl apply -f -
 # Example of PostgreSQL cluster
 apiVersion: postgresql.k8s.enterprisedb.io/v1
 kind: Cluster
 metadata:
   name: cluster-example
+  {{if not .Values.config.clusterWide  -}}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
 spec:
   instances: 3
   storage:
     size: 1Gi
 EOF
 
-kubectl get cluster
+kubectl get -A cluster