scc-digitalhub/postgrest-operator

PostgREST Operator

A Kubernetes operator to start instances of PostgREST.

Installation

A ready-to-use deployment file is provided. Install the operator and the CRD:

kubectl apply -f deployment.yaml

An example CR is found at config/samples/operator_v1_postgrest.yaml. The CRD included in the deployment file is found at config/crd/bases/operator.postgrest.org_postgrests.yaml.

Apply the sample CR:

kubectl apply -f config/samples/operator_v1_postgrest.yaml

PostgREST custom resource

A PostgREST custom resource's properties are:

  • schema: Required. The schema PostgREST will expose.
  • anonRole: Optional. The role PostgREST will use to authenticate. If specified, it is assumed to already exist and to already have the intended permissions on the tables. If not specified, it will be auto-generated as <CR name>_postgrest_role.
  • tables: Do not set if you already set anonRole, otherwise required. List of tables within the schema to expose.
  • grants: Optional. Ignored if you already set anonRole. Comma-separated string listing actions permitted on tables. Defaults to SELECT if not specified. A "full" string is INSERT, SELECT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER, but you may also use ALL.
  • connection: Required. A structure to indicate the database to connect to. Its sub-properties are:
    • host: Optional. Must be provided if secretName is unspecified or the secret does not contain POSTGRES_URL.
    • port: Optional.
    • database: Optional. Must be provided if secretName is unspecified or the secret does not contain POSTGRES_URL.
    • user: Used with password to initialize PostgREST. Do not provide if secretName is provided.
    • password: Used with user to initialize PostgREST. Do not provide if secretName is provided.
    • extraParams: Optional. String for extra connection parameters, in the format parameter1=value&parameter2=value.
    • secretName: Name of a Kubernetes secret containing connection properties. Do not provide if user and password are provided. More information in a later section.

Note that you must provide either secretName, or both user and password; the two options are mutually exclusive, so whichever one you use, leave the other out.

Note that the user you provide must have permission to create and manage roles in the database, since the operator creates the anonymous role itself when anonRole is not set.

Using a K8S secret to authenticate

Instead of writing user and password as properties, you can provide a connection.secretName property whose value is the name of a Kubernetes secret to use to authenticate.

Here is a sample file you can apply with kubectl apply -f secret-file.yml to create the secret:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: postgrest-operator-system
stringData:
  POSTGRES_URL: postgresql://postgres:postgres@192.168.123.123:5432/postgres?sslmode=disable
  USER: postgres # Only required if POSTGRES_URL is not provided
  PASSWORD: postgres # Only required if POSTGRES_URL is not provided

If you omit POSTGRES_URL, then USER and PASSWORD are required, but if you provide it, they will be ignored.

POSTGRES_URL uses the format:

postgresql://user:password@host:port/database?parameter1=value&parameter2=value

Sample configurations

A valid sample spec configuration is:

...
spec:
  schema: operator
  anonRole: anon
  connection:
    host: 192.168.123.123
    database: postgres
    user: postgres
    password: postgres

Another valid sample (the secret contains POSTGRES_URL):

...
spec:
  schema: operator
  tables:
    - test
  grants: SELECT, UPDATE, INSERT, DELETE
  connection:
    secretName: mysecret

Another valid sample (the secret contains USER and PASSWORD):

...
spec:
  schema: operator
  tables:
    - test
  grants: SELECT, UPDATE, INSERT, DELETE
  connection:
    host: 192.168.123.123
    database: postgres
    secretName: mysecret
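The constraints spread across the "PostgREST custom resource" and "Using a K8S secret to authenticate" sections (secretName versus user/password, anonRole versus tables, the documented grant names, and the POSTGRES_URL / USER / PASSWORD fallback) are easy to get wrong when writing a CR by hand. The Go program below is an added example, not code from the postgrest-operator project: it encodes those rules as a validator, derives the documented postgresql:// URL, and is exercised against the three sample specs above. The type names, the Validate and ConnectionURL functions, and the idea of passing the secret's stringData as a map are assumptions made for the example; the operator's own API types may differ.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Connection and PostgrestSpec mirror the documented CR properties (assumed
// Go shapes for this example; not the operator's own API types).
type Connection struct {
	Host, Port, Database, User, Password, ExtraParams, SecretName string
}

type PostgrestSpec struct {
	Schema, AnonRole, Grants string
	Tables                   []string
	Connection               *Connection
}

// allowedGrants is the documented "full" list plus the ALL shorthand.
var allowedGrants = map[string]bool{
	"INSERT": true, "SELECT": true, "UPDATE": true, "DELETE": true,
	"TRUNCATE": true, "REFERENCES": true, "TRIGGER": true, "ALL": true,
}

// ParseGrants splits the comma-separated grants string and rejects anything
// outside the documented set; an empty string yields the default, SELECT.
func ParseGrants(s string) ([]string, error) {
	if strings.TrimSpace(s) == "" {
		return []string{"SELECT"}, nil
	}
	var out []string
	for _, raw := range strings.Split(s, ",") {
		g := strings.ToUpper(strings.TrimSpace(raw))
		if !allowedGrants[g] {
			return nil, fmt.Errorf("unknown grant %q", g)
		}
		out = append(out, g)
	}
	return out, nil
}

// Validate enforces the README's constraints. secretData stands in for the
// stringData of the secret named by connection.secretName (nil if none).
func Validate(spec PostgrestSpec, secretData map[string]string) error {
	if spec.Schema == "" {
		return fmt.Errorf("schema is required")
	}
	c := spec.Connection
	if c == nil {
		return fmt.Errorf("connection is required")
	}
	if spec.AnonRole != "" && len(spec.Tables) > 0 {
		return fmt.Errorf("tables must not be set when anonRole is set")
	}
	if spec.AnonRole == "" && len(spec.Tables) == 0 {
		return fmt.Errorf("tables is required when anonRole is not set")
	}
	if _, err := ParseGrants(spec.Grants); err != nil {
		return err
	}
	// Exactly one of secretName or user+password.
	if c.SecretName != "" && (c.User != "" || c.Password != "") {
		return fmt.Errorf("user/password must not be set together with secretName")
	}
	if c.SecretName == "" && (c.User == "" || c.Password == "") {
		return fmt.Errorf("either secretName or both user and password are required")
	}
	secretHasURL := c.SecretName != "" && secretData["POSTGRES_URL"] != ""
	if !secretHasURL && (c.Host == "" || c.Database == "") {
		return fmt.Errorf("host and database are required unless the secret provides POSTGRES_URL")
	}
	if c.SecretName != "" && !secretHasURL && (secretData["USER"] == "" || secretData["PASSWORD"] == "") {
		return fmt.Errorf("secret %q must contain POSTGRES_URL or both USER and PASSWORD", c.SecretName)
	}
	return nil
}

// ConnectionURL builds the documented postgresql:// URL. A POSTGRES_URL in the
// secret wins; otherwise credentials come from the secret or the spec and are
// percent-encoded by url.UserPassword, so a password containing '@', '/' or
// '?' cannot rewrite the host or database part of the URL.
func ConnectionURL(c Connection, secretData map[string]string) string {
	if c.SecretName != "" && secretData["POSTGRES_URL"] != "" {
		return secretData["POSTGRES_URL"]
	}
	user, pass := c.User, c.Password
	if c.SecretName != "" {
		user, pass = secretData["USER"], secretData["PASSWORD"]
	}
	host := c.Host
	if c.Port != "" {
		host += ":" + c.Port
	}
	u := url.URL{Scheme: "postgresql", User: url.UserPassword(user, pass),
		Host: host, Path: "/" + c.Database, RawQuery: c.ExtraParams}
	return u.String()
}

func main() {
	// Constructed input: the README's third sample plus a secret holding USER/PASSWORD.
	secret := map[string]string{"USER": "postgres", "PASSWORD": "p@ss"}
	spec := PostgrestSpec{Schema: "operator", Tables: []string{"test"},
		Grants:     "SELECT, UPDATE, INSERT, DELETE",
		Connection: &Connection{Host: "192.168.123.123", Database: "postgres", SecretName: "mysecret"}}
	fmt.Println("valid:", Validate(spec, secret) == nil)
	fmt.Println(ConnectionURL(*spec.Connection, secret))
}
```

Running it prints `valid: true` followed by the assembled URL, with the `@` in the constructed password encoded as `%40`. The same checks are what an admission webhook for this CRD would run before the operator ever connects to the database; keeping grants to the minimum the exposed tables need (the default SELECT rather than ALL) is the least-privilege choice the validator leaves to the author.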