Add an API struct representing a single Secret value

config/crd/bases/postgres-operator.crunchydata.com_pgadmins.yaml

@@ -973,24 +973,27 @@ spec:
                       More info: https://www.pgadmin.org/docs/pgadmin4/latest/external_database.html
                     properties:
                       key:
-                        description: The key of the secret to select from.  Must be
-                          a valid secret key.
+                        description: Name of the data field within the Secret.
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[-._a-zA-Z0-9]+$
                         type: string
+                        x-kubernetes-validations:
+                        - message: cannot be "." or start with ".."
+                          rule: self != "." && !self.startsWith("..")
                       name:
-                        default: ""
-                        description: |-
-                          Name of the referent.
-                          This field is effectively required, but due to backwards compatibility is
-                          allowed to be empty. Instances of this type with an empty value here are
-                          almost certainly wrong.
-                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        description: Name of the Secret.
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?([.][a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                         type: string
                       optional:
-                        description: Specify whether the Secret or its key must be
-                          defined
+                        description: Whether or not the Secret or its data must be
+                          defined. Defaults to false.
                         type: boolean
                     required:
                     - key
+                    - name
                     type: object
                     x-kubernetes-map-type: atomic
                   files:
@@ -1327,24 +1330,27 @@ spec:
                       More info: https://www.pgadmin.org/docs/pgadmin4/latest/ldap.html
                     properties:
                       key:
-                        description: The key of the secret to select from.  Must be
-                          a valid secret key.
+                        description: Name of the data field within the Secret.
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[-._a-zA-Z0-9]+$
                         type: string
+                        x-kubernetes-validations:
+                        - message: cannot be "." or start with ".."
+                          rule: self != "." && !self.startsWith("..")
                       name:
-                        default: ""
-                        description: |-
-                          Name of the referent.
-                          This field is effectively required, but due to backwards compatibility is
-                          allowed to be empty. Instances of this type with an empty value here are
-                          almost certainly wrong.
-                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        description: Name of the Secret.
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?([.][a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                         type: string
                       optional:
-                        description: Specify whether the Secret or its key must be
-                          defined
+                        description: Whether or not the Secret or its data must be
+                          defined. Defaults to false.
                         type: boolean
                     required:
                     - key
+                    - name
                     type: object
                     x-kubernetes-map-type: atomic
                   settings:

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -16895,24 +16895,27 @@ spec:
                               More info: https://www.pgadmin.org/docs/pgadmin4/latest/ldap.html
                             properties:
                               key:
-                                description: The key of the secret to select from.  Must
-                                  be a valid secret key.
+                                description: Name of the data field within the Secret.
+                                maxLength: 253
+                                minLength: 1
+                                pattern: ^[-._a-zA-Z0-9]+$
                                 type: string
+                                x-kubernetes-validations:
+                                - message: cannot be "." or start with ".."
+                                  rule: self != "." && !self.startsWith("..")
                               name:
-                                default: ""
-                                description: |-
-                                  Name of the referent.
-                                  This field is effectively required, but due to backwards compatibility is
-                                  allowed to be empty. Instances of this type with an empty value here are
-                                  almost certainly wrong.
-                                  More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                description: Name of the Secret.
+                                maxLength: 253
+                                minLength: 1
+                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?([.][a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                 type: string
                               optional:
-                                description: Specify whether the Secret or its key
-                                  must be defined
+                                description: Whether or not the Secret or its data
+                                  must be defined. Defaults to false.
                                 type: boolean
                             required:
                             - key
+                            - name
                             type: object
                             x-kubernetes-map-type: atomic
                           settings:

internal/controller/standalone_pgadmin/pod.go

@@ -229,16 +229,9 @@ func podConfigFiles(configmap *corev1.ConfigMap, pgadmin v1beta1.PGAdmin) []core
 
 	if pgadmin.Spec.Config.ConfigDatabaseURI != nil {
 		config = append(config, corev1.VolumeProjection{
-			Secret: &corev1.SecretProjection{
-				LocalObjectReference: pgadmin.Spec.Config.ConfigDatabaseURI.LocalObjectReference,
-				Optional:             pgadmin.Spec.Config.ConfigDatabaseURI.Optional,
-				Items: []corev1.KeyToPath{
-					{
-						Key:  pgadmin.Spec.Config.ConfigDatabaseURI.Key,
-						Path: configDatabaseURIPath,
-					},
-				},
-			},
+			Secret: initialize.Pointer(
+				pgadmin.Spec.Config.ConfigDatabaseURI.AsProjection(configDatabaseURIPath),
+			),
 		})
 	}
 
@@ -252,16 +245,9 @@ func podConfigFiles(configmap *corev1.ConfigMap, pgadmin v1beta1.PGAdmin) []core
 	// - https://www.pgadmin.org/docs/pgadmin4/development/enabling_ldap_authentication.html
 	if pgadmin.Spec.Config.LDAPBindPassword != nil {
 		config = append(config, corev1.VolumeProjection{
-			Secret: &corev1.SecretProjection{
-				LocalObjectReference: pgadmin.Spec.Config.LDAPBindPassword.LocalObjectReference,
-				Optional:             pgadmin.Spec.Config.LDAPBindPassword.Optional,
-				Items: []corev1.KeyToPath{
-					{
-						Key:  pgadmin.Spec.Config.LDAPBindPassword.Key,
-						Path: ldapFilePath,
-					},
-				},
-			},
+			Secret: initialize.Pointer(
+				pgadmin.Spec.Config.LDAPBindPassword.AsProjection(ldapFilePath),
+			),
 		})
 	}
 

internal/pgadmin/config.go

@@ -9,6 +9,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 
+	"github.com/crunchydata/postgres-operator/internal/initialize"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
@@ -94,16 +95,9 @@ func podConfigFiles(configmap *corev1.ConfigMap, spec v1beta1.PGAdminPodSpec) []
 	// - https://www.pgadmin.org/docs/pgadmin4/development/enabling_ldap_authentication.html
 	if spec.Config.LDAPBindPassword != nil {
 		config = append(config, corev1.VolumeProjection{
-			Secret: &corev1.SecretProjection{
-				LocalObjectReference: spec.Config.LDAPBindPassword.LocalObjectReference,
-				Optional:             spec.Config.LDAPBindPassword.Optional,
-				Items: []corev1.KeyToPath{
-					{
-						Key:  spec.Config.LDAPBindPassword.Key,
-						Path: ldapPasswordPath,
-					},
-				},
-			},
+			Secret: initialize.Pointer(
+				spec.Config.LDAPBindPassword.AsProjection(ldapPasswordPath),
+			),
 		})
 	}
 

internal/pgadmin/reconcile_test.go

@@ -316,11 +316,11 @@ volumes:
 				Name: "test",
 			}},
 		}}
-		cluster.Spec.UserInterface.PGAdmin.Config.LDAPBindPassword = &corev1.SecretKeySelector{
-			LocalObjectReference: corev1.LocalObjectReference{
+		cluster.Spec.UserInterface.PGAdmin.Config.LDAPBindPassword = &v1beta1.OptionalSecretKeyRef{
+			SecretKeyRef: v1beta1.SecretKeyRef{
 				Name: "podtest",
+				Key:  "podtestpw",
 			},
-			Key: "podtestpw",
 		}
 
 		call()

pkg/apis/postgres-operator.crunchydata.com/v1beta1/config_types.go

@@ -0,0 +1,52 @@
+// Copyright 2021 - 2025 Crunchy Data Solutions, Inc.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+// +structType=atomic
+type OptionalSecretKeyRef struct {
+	SecretKeyRef `json:",inline"`
+
+	// Whether or not the Secret or its data must be defined. Defaults to false.
+	// +optional
+	Optional *bool `json:"optional,omitempty"`
+}
+
+// AsProjection returns a copy of this as a [corev1.SecretProjection].
+func (in *OptionalSecretKeyRef) AsProjection(path string) corev1.SecretProjection {
+	out := in.SecretKeyRef.AsProjection(path)
+	if in.Optional != nil {
+		v := *in.Optional
+		out.Optional = &v
+	}
+	return out
+}
+
+// +structType=atomic
+type SecretKeyRef struct {
+	// Name of the Secret.
+	// ---
+	// https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/core/validation#ValidateSecretName
+	// +required
+	Name DNS1123Subdomain `json:"name"`
+
+	// Name of the data field within the Secret.
+	// ---
+	// https://releases.k8s.io/v1.32.0/pkg/apis/core/validation/validation.go#L2867
+	// https://pkg.go.dev/k8s.io/apimachinery/pkg/util/validation#IsConfigMapKey
+	// +required
+	Key ConfigDataKey `json:"key"`
+}
+
+// AsProjection returns a copy of this as a [corev1.SecretProjection].
+func (in *SecretKeyRef) AsProjection(path string) corev1.SecretProjection {
+	var out corev1.SecretProjection
+	out.Name = in.Name
+	out.Items = []corev1.KeyToPath{{Key: in.Key, Path: path}}
+	return out
+}

pkg/apis/postgres-operator.crunchydata.com/v1beta1/config_types_test.go

@@ -0,0 +1,80 @@
+// Copyright 2021 - 2025 Crunchy Data Solutions, Inc.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1_test
+
+import (
+	"strings"
+	"testing"
+
+	"gotest.tools/v3/assert"
+	"sigs.k8s.io/yaml"
+
+	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
+)
+
+func TestOptionalSecretKeyRefAsProjection(t *testing.T) {
+	t.Run("Null", func(t *testing.T) {
+		in := v1beta1.OptionalSecretKeyRef{}
+		in.Name, in.Key = "one", "two"
+
+		out := in.AsProjection("three")
+		b, err := yaml.Marshal(out)
+		assert.NilError(t, err)
+		assert.DeepEqual(t, string(b), strings.TrimSpace(`
+items:
+- key: two
+  path: three
+name: one
+		`)+"\n")
+	})
+
+	t.Run("True", func(t *testing.T) {
+		True := true
+		in := v1beta1.OptionalSecretKeyRef{Optional: &True}
+		in.Name, in.Key = "one", "two"
+
+		out := in.AsProjection("three")
+		b, err := yaml.Marshal(out)
+		assert.NilError(t, err)
+		assert.DeepEqual(t, string(b), strings.TrimSpace(`
+items:
+- key: two
+  path: three
+name: one
+optional: true
+		`)+"\n")
+	})
+
+	t.Run("False", func(t *testing.T) {
+		False := false
+		in := v1beta1.OptionalSecretKeyRef{Optional: &False}
+		in.Name, in.Key = "one", "two"
+
+		out := in.AsProjection("three")
+		b, err := yaml.Marshal(out)
+		assert.NilError(t, err)
+		assert.DeepEqual(t, string(b), strings.TrimSpace(`
+items:
+- key: two
+  path: three
+name: one
+optional: false
+		`)+"\n")
+	})
+}
+
+func TestSecretKeyRefAsProjection(t *testing.T) {
+	in := v1beta1.SecretKeyRef{Name: "asdf", Key: "foobar"}
+	out := in.AsProjection("some-path")
+
+	b, err := yaml.Marshal(out)
+	assert.NilError(t, err)
+	assert.DeepEqual(t, string(b), strings.TrimSpace(`
+items:
+- key: foobar
+  path: some-path
+name: asdf
+	`)+"\n")
+}

pkg/apis/postgres-operator.crunchydata.com/v1beta1/pgadmin_types.go

@@ -17,7 +17,7 @@ type PGAdminConfiguration struct {
 	// A Secret containing the value for the LDAP_BIND_PASSWORD setting.
 	// More info: https://www.pgadmin.org/docs/pgadmin4/latest/ldap.html
 	// +optional
-	LDAPBindPassword *corev1.SecretKeySelector `json:"ldapBindPassword,omitempty"`
+	LDAPBindPassword *OptionalSecretKeyRef `json:"ldapBindPassword,omitempty"`
 
 	// Settings for the pgAdmin server process. Keys should be uppercase and
 	// values must be constants.

pkg/apis/postgres-operator.crunchydata.com/v1beta1/shared_types.go

@@ -13,6 +13,25 @@ import (
 	"k8s.io/kube-openapi/pkg/validation/strfmt"
 )
 
+// ---
+// https://pkg.go.dev/k8s.io/apimachinery/pkg/util/validation#IsConfigMapKey
+//
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=253
+// +kubebuilder:validation:Pattern=`^[-._a-zA-Z0-9]+$`
+// +kubebuilder:validation:XValidation:rule=`self != "." && !self.startsWith("..")`,message=`cannot be "." or start with ".."`
+type ConfigDataKey = string
+
+// ---
+// https://docs.k8s.io/concepts/overview/working-with-objects/names/#dns-subdomain-names
+// https://pkg.go.dev/k8s.io/apimachinery/pkg/util/validation#IsDNS1123Subdomain
+// https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Format
+//
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=253
+// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?([.][a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
+type DNS1123Subdomain = string
+
 // ---
 // Duration represents a string accepted by the Kubernetes API in the "duration"
 // [format]. This format extends the "duration" [defined by OpenAPI] by allowing

pkg/apis/postgres-operator.crunchydata.com/v1beta1/standalone_pgadmin_types.go

@@ -19,7 +19,7 @@ type StandalonePGAdminConfiguration struct {
 	// A Secret containing the value for the CONFIG_DATABASE_URI setting.
 	// More info: https://www.pgadmin.org/docs/pgadmin4/latest/external_database.html
 	// +optional
-	ConfigDatabaseURI *corev1.SecretKeySelector `json:"configDatabaseURI,omitempty"`
+	ConfigDatabaseURI *OptionalSecretKeyRef `json:"configDatabaseURI,omitempty"`
 
 	// Settings for the gunicorn server.
 	// More info: https://docs.gunicorn.org/en/latest/settings.html
@@ -32,7 +32,7 @@ type StandalonePGAdminConfiguration struct {
 	// A Secret containing the value for the LDAP_BIND_PASSWORD setting.
 	// More info: https://www.pgadmin.org/docs/pgadmin4/latest/ldap.html
 	// +optional
-	LDAPBindPassword *corev1.SecretKeySelector `json:"ldapBindPassword,omitempty"`
+	LDAPBindPassword *OptionalSecretKeyRef `json:"ldapBindPassword,omitempty"`
 
 	// Settings for the pgAdmin server process. Keys should be uppercase and
 	// values must be constants.