
DatabaseRole

postgresql.cnpg.io / v1

apiVersion: postgresql.cnpg.io/v1
kind: DatabaseRole
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object required
spec object required
Specification of the desired DatabaseRole. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
bypassrls boolean
Whether a role bypasses every row-level security (RLS) policy. Default is `false`.
clientCertificate object
ClientCertificate configures the operator to generate and renew a TLS client certificate for this role, signed by the cluster's client CA. The certificate is stored in a Secret named `<databaserole-name>-client-cert`. Requires login to be true.
enabled boolean
Enabled turns on client certificate issuance for this role. When true, the role must have login enabled. Defaults to true when the block is present.
cluster object required
The corresponding cluster
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
comment string
Description of the role
connectionLimit integer
If the role can log in, this specifies how many concurrent connections the role can make. `-1` (the default) means no limit.
format: int64
createdb boolean
When set to `true`, the role being defined will be allowed to create new databases. Specifying `false` (default) will deny a role the ability to create databases.
createrole boolean
Whether the role will be permitted to create, alter, drop, comment on, change the security label for, and grant or revoke membership in other roles. Default is `false`.
databaseRoleReclaimPolicy string
The policy for end-of-life maintenance of this role
enum: delete, retain
disablePassword boolean
DisablePassword indicates that a role's password should be set to NULL in Postgres
ensure string
Ensure the role is `present` or `absent` - defaults to "present"
enum: present, absent
inRoles []string
List of one or more existing roles to which this role will be immediately added as a new member. Default empty. Changes to the list are applied to an existing role through `GRANT` and `REVOKE` statements, not only at role creation.
inherit boolean
Whether a role "inherits" the privileges of roles it is a member of. Default is `true`.
login boolean
Whether the role is allowed to log in. A role having the `login` attribute can be thought of as a user. Roles without this attribute are useful for managing database privileges, but are not users in the usual sense of the word. Default is `false`.
name string required
Name of the role
passwordSecret object
Secret containing the password of the role (if present). If null, the password will be ignored unless DisablePassword is set. When set, the secret must follow the `kubernetes.io/basic-auth` format and contain both a `username` and a `password` field.
name string required
Name of the referent.
replication boolean
Whether a role is a replication role. A role must have this attribute (or be a superuser) in order to be able to connect to the server in replication mode (physical or logical replication) and in order to be able to create or drop replication slots. A role having the `replication` attribute is a very highly privileged role, and should only be used on roles actually used for replication. Default is `false`.
superuser boolean
Whether the role is a `superuser` who can override all access restrictions within the database. Superuser status is dangerous and should be used only when really needed. You must yourself be a superuser to create a new superuser. Default is `false`.
validUntil string
Date and time after which the role's password is no longer valid. When omitted, the password will never expire (default).
format: date-time
status object
Most recently observed status of the DatabaseRole. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
applied boolean
Applied is true if the role was reconciled correctly
clientCertificate object
ClientCertificate holds the observed state of the generated TLS client certificate, when client certificate issuance is enabled.
expiration string
Expiration is the expiration time of the generated client certificate, in RFC3339 format.
message string
Message contains a human-readable explanation of the current certificate status, such as why issuance was skipped or why an existing Secret was left untouched.
conditions []object
Conditions for the DatabaseRole object
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
message string
Message is the reconciliation error message
observedGeneration integer
A sequence number representing the latest desired state that was synchronized
format: int64
secretResourceVersion string
SecretResourceVersion is the resource version of the password secret last applied to the role; a change to it triggers reconciliation.
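
The following is an added example, not part of the CloudNativePG documentation or code: a small policy check that reads a DatabaseRole manifest as a Python dict and applies the defaults documented above (`login` false, `connectionLimit` -1, `clientCertificate.enabled` true when the block is present, no expiry when `validUntil` is omitted). The sample manifests, the role, cluster and Secret names, and the choice of what counts as a finding are assumptions made for illustration.

```python
# Added example: audit DatabaseRole specs using the defaults documented on this page.
HIGH_PRIVILEGE = ("superuser", "replication", "bypassrls", "createrole")

def audit_database_role(manifest):
    """Return a sorted list of findings for one DatabaseRole manifest (a dict)."""
    spec = manifest.get("spec", {})
    findings = []
    login = spec.get("login", False)              # documented default: false
    # Attributes that default to false and widen what the role can do.
    for attr in HIGH_PRIVILEGE:
        if spec.get(attr, False):
            findings.append(f"{attr} is enabled")
    # 'enabled' defaults to true when the block is present, and requires login.
    cert = spec.get("clientCertificate")
    cert_on = cert is not None and cert.get("enabled", True)
    if cert_on and not login:
        findings.append("clientCertificate enabled but login is false")
    if login:
        # disablePassword sets the password to NULL, so no password is in use.
        has_password = "passwordSecret" in spec and not spec.get("disablePassword", False)
        if has_password and "validUntil" not in spec:
            findings.append("password never expires (validUntil omitted)")
        if spec.get("connectionLimit", -1) == -1:  # -1 means no limit
            findings.append("no connectionLimit for a login role")
    return sorted(findings)

# Constructed sample manifests (not from the page); all names are placeholders.
APP_ROLE = {
    "apiVersion": "postgresql.cnpg.io/v1", "kind": "DatabaseRole",
    "metadata": {"name": "app-reader"},
    "spec": {"name": "app_reader", "cluster": {"name": "example-cluster"},
             "login": True, "connectionLimit": 20,
             "clientCertificate": {}, "disablePassword": True},
}
RISKY_ROLE = {
    "apiVersion": "postgresql.cnpg.io/v1", "kind": "DatabaseRole",
    "metadata": {"name": "etl"},
    "spec": {"name": "etl", "cluster": {"name": "example-cluster"},
             "login": True, "superuser": True, "bypassrls": True,
             "passwordSecret": {"name": "etl-password"}},
}

if __name__ == "__main__":
    for role in (APP_ROLE, RISKY_ROLE):
        print(role["metadata"]["name"], audit_database_role(role))
```
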