Delete User and Grant after Database Deletion #120

Open
uluzox opened this issue Nov 15, 2022 · 1 comment
Labels
enhancement New feature or request

uluzox commented Nov 15, 2022

What problem are you facing?

I am using FluxCD to reconcile my Crossplane resources in my k8s cluster.
I provision a database on AWS RDS with:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: db-deletion-test
---
apiVersion: mysql.sql.crossplane.io/v1alpha1
kind: Database
metadata:
  name: db-deletion-test-db
spec:
  providerConfigRef:
    name: default
  deletionPolicy: Delete
---
apiVersion: mysql.sql.crossplane.io/v1alpha1
kind: User
metadata:
  name: db-deletion-test-user
spec:
  deletionPolicy: Delete
  providerConfigRef:
    name: default
  forProvider: {}
  writeConnectionSecretToRef:
    name: db-deletion-test-db-conn
    namespace: db-deletion-test
---
apiVersion: mysql.sql.crossplane.io/v1alpha1
kind: Grant
metadata:
  name: db-deletion-test-db
spec:
  deletionPolicy: Delete
  providerConfigRef:
    name: default
  forProvider:
    privileges:
      - ALL
    userRef:
      name: db-deletion-test-user
    databaseRef:
      name: db-deletion-test
```

If I delete the Kustomization that includes the resources above, Flux tries to remove the namespace, user, grant and database all at once.
My observation is that while the namespace, user and grant are deleted, the database remains as a k8s resource in the cluster and in RDS.
However, this only happens if the database is not empty. Therefore I assume that if the database is somewhat filled, the user, grant and namespace (and with that the connection secret) are deleted before the database is successfully dropped.

How could Crossplane help solve your problem?

Implement a deletion order via finalizers?
Can I somehow mark the namespace to wait for those cluster scoped resources (user, grant, database) before it deletes the connection secret?

uluzox added the enhancement label Nov 15, 2022

acelinkio commented Dec 16, 2022

One solution is for the database to have an ownerRef field. This would create a link between the role/user and dictate the order of operations: Role/User -> Database -> Grant. That does not exist currently. https://doc.crds.dev/github.com/crossplane-contrib/provider-sql/postgresql.sql.crossplane.io/Database/[email protected]

Example of what the desired configuration would be:

```yaml
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Role
metadata:
  name: testdb-owner
spec:
  forProvider: {}
  providerConfigRef:
    name: dbms00-superuser
---
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Database
metadata:
  name: testdb
spec:
  forProvider:
    ownerRef: testdb-owner
  providerConfigRef:
    name: dbms00-superuser
```
