diff --git a/charts/postgres-operator/crds/operatorconfigurations.yaml b/charts/postgres-operator/crds/operatorconfigurations.yaml index c75eef541..e9d503acb 100644 --- a/charts/postgres-operator/crds/operatorconfigurations.yaml +++ b/charts/postgres-operator/crds/operatorconfigurations.yaml @@ -211,6 +211,9 @@ spec: enable_init_containers: type: boolean default: true + enable_secrets_deletion: + type: boolean + default: true enable_persistent_volume_claim_deletion: type: boolean default: true diff --git a/charts/postgres-operator/values.yaml b/charts/postgres-operator/values.yaml index 477142b40..89c6458ff 100644 --- a/charts/postgres-operator/values.yaml +++ b/charts/postgres-operator/values.yaml @@ -129,6 +129,8 @@ configKubernetes: enable_finalizers: false # enables initContainers to run actions before Spilo is started enable_init_containers: true + # toggles if operator should delete secrets on cluster deletion + enable_secrets_deletion: true # toggles if operator should delete PVCs on cluster deletion enable_persistent_volume_claim_deletion: true # toggles pod anti affinity on the Postgres pods diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md index 41214e730..3eeb289b0 100644 --- a/docs/reference/operator_parameters.md +++ b/docs/reference/operator_parameters.md @@ -360,6 +360,10 @@ configuration they are grouped under the `kubernetes` key. `"retain"` - or `when_scaled` - default is also `"retain"`. The other possible option is `delete`. +* **enable_secrets_deletion** + By default, the operator deletes secrets when removing the Postgres cluster + manifest. To keep secrets, set this option to `false`. The default is `true`. + * **enable_persistent_volume_claim_deletion** By default, the operator deletes PersistentVolumeClaims when removing the Postgres cluster manifest, no matter if `persistent_volume_claim_retention_policy` diff --git a/e2e/tests/test_e2e.py b/e2e/tests/test_e2e.py index 7ffaba126..10eeca7bf 100644 
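Review bot: The values.yaml comment on the new `enable_secrets_deletion` key says only that it toggles deletion, not what is left behind when it is set to false: the secrets the operator created for the cluster (seven in the e2e fixture) stay in the namespace after the Postgres manifest is gone and, as far as I can tell, still carry the generated database credentials. Operators turning this off for data-recovery reasons should know that those credentials remain readable by anyone with secret access in the namespace and need manual cleanup or rotation. I would extend the comment: `# toggles if operator should delete secrets on cluster deletion; when false, the secrets (and the credentials in them) are retained and must be removed manually`. The CRD and docs hunks on this line only add the same default and need no change.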
--- a/e2e/tests/test_e2e.py +++ b/e2e/tests/test_e2e.py @@ -2049,6 +2049,7 @@ def test_zz_cluster_deletion(self): "data": { "delete_annotation_date_key": "delete-date", "delete_annotation_name_key": "delete-clustername", + "enable_secrets_deletion": "false", "enable_persistent_volume_claim_deletion": "false" } } @@ -2109,7 +2110,7 @@ def test_zz_cluster_deletion(self): self.eventuallyEqual(lambda: k8s.count_statefulsets_with_label(cluster_label), 0, "Statefulset not deleted") self.eventuallyEqual(lambda: k8s.count_deployments_with_label(cluster_label), 0, "Deployments not deleted") self.eventuallyEqual(lambda: k8s.count_pdbs_with_label(cluster_label), 0, "Pod disruption budget not deleted") - self.eventuallyEqual(lambda: k8s.count_secrets_with_label(cluster_label), 0, "Secrets not deleted") + self.eventuallyEqual(lambda: k8s.count_secrets_with_label(cluster_label), 7, "Secrets were deleted although disabled in config") self.eventuallyEqual(lambda: k8s.count_pvcs_with_label(cluster_label), 3, "PVCs were deleted although disabled in config") except timeout_decorator.TimeoutError: diff --git a/manifests/configmap.yaml b/manifests/configmap.yaml index 5d36a267e..ae6dfda7e 100644 --- a/manifests/configmap.yaml +++ b/manifests/configmap.yaml @@ -49,6 +49,7 @@ data: enable_master_pooler_load_balancer: "false" enable_password_rotation: "false" enable_patroni_failsafe_mode: "false" + enable_secrets_deletion: "true" enable_persistent_volume_claim_deletion: "true" enable_pgversion_env_var: "true" # enable_pod_antiaffinity: "false" diff --git a/manifests/operatorconfiguration.crd.yaml b/manifests/operatorconfiguration.crd.yaml index 7ef285e92..5a07bdbb8 100644 --- a/manifests/operatorconfiguration.crd.yaml +++ b/manifests/operatorconfiguration.crd.yaml @@ -209,6 +209,9 @@ spec: enable_init_containers: type: boolean default: true + enable_secrets_deletion: + type: boolean + default: true enable_persistent_volume_claim_deletion: type: boolean default: true 
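Review bot: The new assertion in test_zz_cluster_deletion pins the number of surviving secrets to the literal 7, which only holds for the exact user set of the test cluster and will break as soon as a user, the pooler or another feature changes how many secrets the operator creates. The property the test actually wants is that deletion removed nothing: capture `secrets_before = k8s.count_secrets_with_label(cluster_label)` before the cluster manifest is deleted and assert against `secrets_before` instead of 7, which also states the intent better than a magic number. The pre-existing `3` for PVCs has the same weakness but is outside this change. The test function starts and ends outside this hunk.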
diff --git a/manifests/postgresql-operator-default-configuration.yaml b/manifests/postgresql-operator-default-configuration.yaml
index 85a7dd23c..3206da509 100644
--- a/manifests/postgresql-operator-default-configuration.yaml
+++ b/manifests/postgresql-operator-default-configuration.yaml
@@ -59,6 +59,7 @@ configuration:
 # enable_cross_namespace_secret: "false"
 enable_finalizers: false
 enable_init_containers: true
+ enable_secrets_deletion: true
 enable_persistent_volume_claim_deletion: true
 enable_pod_antiaffinity: false
 enable_pod_disruption_budget: true
diff --git a/pkg/apis/acid.zalan.do/v1/crds.go b/pkg/apis/acid.zalan.do/v1/crds.go
index 852993ea0..f22954936 100644
--- a/pkg/apis/acid.zalan.do/v1/crds.go
+++ b/pkg/apis/acid.zalan.do/v1/crds.go
@@ -1320,6 +1320,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 "enable_init_containers": {
 Type: "boolean",
 },
+ "enable_secrets_deletion": {
+ Type: "boolean",
+ },
 "enable_persistent_volume_claim_deletion": {
 Type: "boolean",
 },
diff --git a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
index 42debc7f6..ebc53cc44 100644
--- a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
+++ b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
@@ -102,6 +102,7 @@ type KubernetesMetaConfiguration struct {
 PodAntiAffinityTopologyKey string `json:"pod_antiaffinity_topology_key,omitempty"`
 PodManagementPolicy string `json:"pod_management_policy,omitempty"`
 PersistentVolumeClaimRetentionPolicy map[string]string `json:"persistent_volume_claim_retention_policy,omitempty"`
+ EnableSecretsDeletion *bool `json:"enable_secrets_deletion,omitempty"`
 EnablePersistentVolumeClaimDeletion *bool `json:"enable_persistent_volume_claim_deletion,omitempty"`
 EnableReadinessProbe bool `json:"enable_readiness_probe,omitempty"`
 EnableCrossNamespaceSecret bool `json:"enable_cross_namespace_secret,omitempty"`
diff --git a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go index 3a12387a1..76e155cf5 100644 --- a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go +++ b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go @@ -272,6 +272,11 @@ func (in *KubernetesMetaConfiguration) DeepCopyInto(out *KubernetesMetaConfigura (*out)[key] = val } } + if in.EnableSecretsDeletion != nil { + in, out := &in.EnableSecretsDeletion, &out.EnableSecretsDeletion + *out = new(bool) + **out = **in + } if in.EnablePersistentVolumeClaimDeletion != nil { in, out := &in.EnablePersistentVolumeClaimDeletion, &out.EnablePersistentVolumeClaimDeletion *out = new(bool) diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go index 1b1239f34..1765a0402 100644 --- a/pkg/cluster/cluster.go +++ b/pkg/cluster/cluster.go @@ -1112,10 +1112,14 @@ func (c *Cluster) Delete() error { c.eventRecorder.Eventf(c.GetReference(), v1.EventTypeWarning, "Delete", "could not delete statefulset: %v", err) } - if err := c.deleteSecrets(); err != nil { - anyErrors = true - c.logger.Warningf("could not delete secrets: %v", err) - c.eventRecorder.Eventf(c.GetReference(), v1.EventTypeWarning, "Delete", "could not delete secrets: %v", err) + if c.OpConfig.EnableSecretsDeletion != nil && *c.OpConfig.EnableSecretsDeletion { + if err := c.deleteSecrets(); err != nil { + anyErrors = true + c.logger.Warningf("could not delete secrets: %v", err) + c.eventRecorder.Eventf(c.GetReference(), v1.EventTypeWarning, "Delete", "could not delete secrets: %v", err) + } + } else { + c.logger.Info("not deleting secrets because disabled in configuration") } if err := c.deletePodDisruptionBudget(); err != nil { diff --git a/pkg/controller/operator_config.go b/pkg/controller/operator_config.go index 4c0f0dfbe..d5e1f7fe9 100644 --- a/pkg/controller/operator_config.go +++ b/pkg/controller/operator_config.go 
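Review bot: In the new guard in Delete(), a nil EnableSecretsDeletion falls into the else branch and is logged as "disabled in configuration", so an unset pointer silently flips the long-standing behaviour from delete to retain even though the CRD default, the `default:"true"` config tag and the docs all say the default is true. importConfigurationFromCRD coalesces the value to true and the ConfigMap path carries the tag default, so nil should be rare, but a Config built without either path (tests, future callers) would leave credentials behind with no setting ever having been disabled. I would mirror the documented default, `if c.OpConfig.EnableSecretsDeletion == nil || *c.OpConfig.EnableSecretsDeletion {`, or at least give the nil case its own log message. Independently, when deletion is skipped the retained secrets presumably still hold valid database credentials for a cluster that no longer exists; recording a Normal event that names them (or at least logs the count) would make the leftovers auditable. Delete() starts and ends outside this hunk.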
@@ -122,6 +122,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 result.PodPriorityClassName = fromCRD.Kubernetes.PodPriorityClassName
 result.PodManagementPolicy = util.Coalesce(fromCRD.Kubernetes.PodManagementPolicy, "ordered_ready")
 result.PersistentVolumeClaimRetentionPolicy = fromCRD.Kubernetes.PersistentVolumeClaimRetentionPolicy
+ result.EnableSecretsDeletion = util.CoalesceBool(fromCRD.Kubernetes.EnableSecretsDeletion, util.True())
 result.EnablePersistentVolumeClaimDeletion = util.CoalesceBool(fromCRD.Kubernetes.EnablePersistentVolumeClaimDeletion, util.True())
 result.EnableReadinessProbe = fromCRD.Kubernetes.EnableReadinessProbe
 result.MasterPodMoveTimeout = util.CoalesceDuration(time.Duration(fromCRD.Kubernetes.MasterPodMoveTimeout), "10m")
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index 5834cc92d..dc6f760a3 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -249,6 +249,7 @@ type Config struct {
 PatroniAPICheckInterval time.Duration `name:"patroni_api_check_interval" default:"1s"`
 PatroniAPICheckTimeout time.Duration `name:"patroni_api_check_timeout" default:"5s"`
 EnablePatroniFailsafeMode *bool `name:"enable_patroni_failsafe_mode" default:"false"`
+ EnableSecretsDeletion *bool `name:"enable_secrets_deletion" default:"true"`
 EnablePersistentVolumeClaimDeletion *bool `name:"enable_persistent_volume_claim_deletion" default:"true"`
 PersistentVolumeClaimRetentionPolicy map[string]string `name:"persistent_volume_claim_retention_policy" default:"when_deleted:retain,when_scaled:retain"`
 }