Roles
A Role resource represents a PostgreSQL role (user) within a cluster.
Overview
The Role controller:
- Connects to the referenced PostgreSQL cluster
- Creates or updates the role with specified permissions
- Auto-generates a password and creates a credentials Secret
- Manages role membership (GRANT role TO role)
- Cleans up the role on deletion
Example
```yaml
apiVersion: pgop.ruck.io/v1alpha1
kind: Role
metadata:
  name: app-user
  namespace: default
spec:
  clusterRef:
    name: my-cluster
  login: true
  createDB: false
  connectionLimit: 100
  memberOf:
    - app_read_role
```
Spec Reference
| Field | Type | Default | Description |
|---|---|---|---|
| clusterRef.name | string | required | Name of the Cluster resource (same namespace) |
| login | bool | false | Can role log in? |
| superuser | bool | false | Grant superuser privileges |
| createDB | bool | false | Can role create databases? |
| createRole | bool | false | Can role create other roles? |
| inherit | bool | true | Inherit privileges from member roles |
| replication | bool | false | Can role initiate replication? |
| bypassRLS | bool | false | Bypass row-level security? |
| connectionLimit | int | -1 | Max concurrent connections (-1 = unlimited) |
| memberOf | []string | - | Roles this role is a member of |
| passwordSecretRef | SecretKeySelector | - | Use existing password (optional) |
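As an added example (not part of the operator or its documentation), the following least-privilege review runs over parsed Role manifests using the field names and defaults from the table above. The function names, the `ops-admin` manifest and the choice of which fields to flag are assumptions made for illustration.

```python
# Defaults as documented in the Spec Reference table.
DEFAULTS = {
    "login": False, "superuser": False, "createDB": False,
    "createRole": False, "inherit": True, "replication": False,
    "bypassRLS": False, "connectionLimit": -1,
}

# Fields that widen the blast radius of a leaked credential, with the
# reason a reviewer should ask for a justification (illustrative policy).
HIGH_PRIVILEGE = {
    "superuser": "bypasses all permission checks",
    "createRole": "can create and alter other roles",
    "bypassRLS": "ignores row-level security policies",
    "replication": "can stream the full contents of the cluster",
}


def effective_spec(manifest):
    """Apply the documented defaults to the fields the manifest omits."""
    return {**DEFAULTS, **manifest.get("spec", {})}


def review_role(manifest):
    """Return a list of findings for one parsed Role manifest (a dict)."""
    name = manifest["metadata"]["name"]
    spec = effective_spec(manifest)
    findings = [f"{name}: {field}=true ({why})"
                for field, why in HIGH_PRIVILEGE.items() if spec[field]]
    # A login role left at the default of -1 can exhaust server connections.
    if spec["login"] and spec["connectionLimit"] == -1:
        findings.append(f"{name}: login role with unlimited connections")
    return findings


# Constructed sample manifests, shaped as a YAML loader would return them.
APP_USER = {"kind": "Role", "metadata": {"name": "app-user"},
            "spec": {"clusterRef": {"name": "my-cluster"}, "login": True,
                     "createDB": False, "connectionLimit": 100,
                     "memberOf": ["app_read_role"]}}
BROAD_ADMIN = {"kind": "Role", "metadata": {"name": "ops-admin"},
               "spec": {"clusterRef": {"name": "my-cluster"}, "login": True,
                        "superuser": True, "bypassRLS": True}}

if __name__ == "__main__":
    for role in (APP_USER, BROAD_ADMIN):
        for line in review_role(role) or [f"{role['metadata']['name']}: ok"]:
            print(line)
```

The same functions can be pointed at manifests loaded from a repository in CI, so that a Role requesting one of the flagged fields needs an explicit review.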
Status
| Field | Description |
|---|---|
| ready | Whether the role exists in PostgreSQL |
| secretName | Name of the auto-generated credentials secret |
| conditions | Detailed status conditions |
Credentials Secret
The operator creates <role-name>-credentials containing:
Role Types
Application User
Read-Only Role
Admin Role
Using a Custom Password
To provide your own password instead of having one auto-generated: