Align logging with default convention

.github/workflows/test.yml

@@ -16,8 +16,9 @@ jobs:
       - uses: actions/checkout@v5
       - uses: actions/setup-go@v6
         with:
-          go-version: "1.24.2"
+          go-version: "stable"
       - run: |
+          go clean -modcache
           make test
   build:
     runs-on: ubuntu-latest
@@ -26,7 +27,8 @@ jobs:
       - uses: actions/checkout@v5
       - uses: actions/setup-go@v6
         with:
-          go-version: "1.24.2"
+          go-version: "stable"
       - run: |
+          go clean -modcache
           make build
           file bin/manager

.gitignore

@@ -33,3 +33,6 @@ deploy/secret.yaml
 # kuttl/kind
 tests/kind-logs-*/
 kubeconfig
+
+.gomodcache
+.gocache

Makefile

@@ -196,7 +196,7 @@ ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.4.3
-CONTROLLER_TOOLS_VERSION ?= v0.16.1
+CONTROLLER_TOOLS_VERSION ?= v0.19.0
 ENVTEST_VERSION ?= release-0.19
 
 .PHONY: kustomize

api/v1alpha1/postgresuser_types.go

@@ -17,18 +17,27 @@ type PostgresUserSpec struct {
 	// +optional
 	Privileges string `json:"privileges"`
 	// +optional
+	AWS *PostgresUserAWSSpec `json:"aws,omitempty"`
+	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`
 	// +optional
 	Labels map[string]string `json:"labels,omitempty"`
 }
 
+// PostgresUserAWSSpec encapsulates AWS specific configuration toggles.
+type PostgresUserAWSSpec struct {
+	// +optional
+	EnableIamAuth bool `json:"enableIamAuth,omitempty"`
+}
+
 // PostgresUserStatus defines the observed state of PostgresUser
 type PostgresUserStatus struct {
 	Succeeded     bool   `json:"succeeded"`
 	PostgresRole  string `json:"postgresRole"`
 	PostgresLogin string `json:"postgresLogin"`
 	PostgresGroup string `json:"postgresGroup"`
 	DatabaseName  string `json:"databaseName"`
+	EnableIamAuth bool   `json:"enableIamAuth"`
 }
 
 // +kubebuilder:object:root=true

charts/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml

@@ -35,17 +35,29 @@ spec:
                 additionalProperties:
                   type: string
                 type: object
+              aws:
+                description: AWS specific settings for the user
+                properties:
+                  enableIamAuth:
+                    description: Enable IAM authentication for this user (PostgreSQL on AWS RDS only)
+                    default: false
+                    type: boolean
+                type: object
               database:
+                description: Name of the PostgresDatabase this user will be related to
                 type: string
               labels:
                 additionalProperties:
                   type: string
                 type: object
               privileges:
+                description: List of privileges to grant to this user
                 type: string
               role:
+                description: Name of the PostgresRole this user will be associated with
                 type: string
               secretName:
+                description: Name of the secret to create with user credentials
                 type: string
               secretTemplate:
                 additionalProperties:
@@ -59,6 +71,9 @@ spec:
           status:
             description: PostgresUserStatus defines the observed state of PostgresUser
             properties:
+              enableIamAuth:
+                description: Reflects whether IAM authentication is enabled for this user.
+                type: boolean
               databaseName:
                 type: string
               postgresGroup:

config/crd/bases/db.movetokube.com_postgres.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: postgres.db.movetokube.com
 spec:
   group: db.movetokube.com
@@ -20,19 +20,14 @@ spec:
         description: Postgres is the Schema for the postgres API
         properties:
           apiVersion:
-            description: |-
-              APIVersion defines the versioned schema of this representation of an object.
-              Servers should convert recognized schemas to the latest internal value, and
-              may reject unrecognized values.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
             type: string
           kind:
-            description: |-
-              Kind is a string value representing the REST resource this object represents.
-              Servers may infer this from the endpoint the client submits requests to.
-              Cannot be updated.
-              In CamelCase.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
             type: string
           metadata:
             type: object

config/crd/bases/db.movetokube.com_postgresusers.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.1
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: postgresusers.db.movetokube.com
 spec:
   group: db.movetokube.com
@@ -20,19 +20,14 @@ spec:
         description: PostgresUser is the Schema for the postgresusers API
         properties:
           apiVersion:
-            description: |-
-              APIVersion defines the versioned schema of this representation of an object.
-              Servers should convert recognized schemas to the latest internal value, and
-              may reject unrecognized values.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
             type: string
           kind:
-            description: |-
-              Kind is a string value representing the REST resource this object represents.
-              Servers may infer this from the endpoint the client submits requests to.
-              Cannot be updated.
-              In CamelCase.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
             type: string
           metadata:
             type: object
@@ -43,17 +38,29 @@ spec:
                 additionalProperties:
                   type: string
                 type: object
+              aws:
+                description: AWS specific settings for this user.
+                properties:
+                  enableIamAuth:
+                    description: Enable IAM authentication for this user (PostgreSQL on AWS RDS only)
+                    default: false
+                    type: boolean
+                type: object
               database:
+                description: Name of the PostgresDatabase this user will be related to
                 type: string
               labels:
                 additionalProperties:
                   type: string
                 type: object
               privileges:
+                description: List of privileges to grant to this user
                 type: string
               role:
+                description: Name of the PostgresRole this user will be associated with
                 type: string
               secretName:
+                description: Name of the secret to create with user credentials
                 type: string
               secretTemplate:
                 additionalProperties:
@@ -67,6 +74,9 @@ spec:
           status:
             description: PostgresUserStatus defines the observed state of PostgresUser
             properties:
+              enableIamAuth:
+                description: Reflects whether IAM authentication is enabled for this user.
+                type: boolean
               databaseName:
                 type: string
               postgresGroup:

go.mod

@@ -1,6 +1,6 @@
 module github.com/movetokube/postgres-operator
 
-go 1.24.0
+go 1.25.1
 
 require (
 	github.com/go-logr/logr v1.4.3
@@ -56,7 +56,7 @@ require (
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.7 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect

go.sum

@@ -122,8 +122,9 @@ github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWN
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
 github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
+github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
 github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

internal/controller/postgres_controller.go

@@ -256,7 +256,7 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		}
 	}
 
-	reqLogger.Info("reconciler done", "CR.Namespace", instance.Namespace, "CR.Name", instance.Name)
+	reqLogger.Info("Reconciling done")
 	return ctrl.Result{}, nil
 }
 func (r *PostgresReconciler) addFinalizer(reqLogger logr.Logger, m *dbv1alpha1.Postgres) error {

internal/controller/postgresuser_controller.go

@@ -33,6 +33,7 @@ type PostgresUserReconciler struct {
 	pgUriArgs      string
 	instanceFilter string
 	keepSecretName bool // use secret name as defined in PostgresUserSpec
+	cloudProvider  string
 }
 
 // NewPostgresUserReconciler returns a new reconcile.Reconciler
@@ -45,6 +46,7 @@ func NewPostgresUserReconciler(mgr manager.Manager, cfg *config.Cfg, pg postgres
 		pgUriArgs:      cfg.PostgresUriArgs,
 		instanceFilter: cfg.AnnotationFilter,
 		keepSecretName: cfg.KeepSecretName,
+		cloudProvider:  cfg.CloudProvider,
 	}
 }
 
@@ -171,6 +173,36 @@ func (r *PostgresUserReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		login = instance.Status.PostgresLogin
 	}
 
+	awsConfig := instance.Spec.AWS
+	awsIamRequested := awsConfig != nil && awsConfig.EnableIamAuth
+
+	if r.cloudProvider == "AWS" {
+		if awsIamRequested && !instance.Status.EnableIamAuth {
+			if err := r.pg.GrantRole("rds_iam", role); err != nil {
+				reqLogger.WithValues("role", role).Error(err, "failed to grant rds_iam role")
+			} else {
+				instance.Status.EnableIamAuth = true
+				if sErr := r.Status().Update(ctx, instance); sErr != nil {
+					reqLogger.WithValues("role", role).Error(sErr, "failed to update status after IAM grant")
+				}
+			}
+		}
+
+		// Revoke aws_iam role on transition: spec=false, status=true
+		if !awsIamRequested && instance.Status.EnableIamAuth {
+			if err := r.pg.RevokeRole("rds_iam", role); err != nil {
+				reqLogger.WithValues("role", role).Error(err, "failed to revoke rds_iam role")
+			} else {
+				instance.Status.EnableIamAuth = false
+				if sErr := r.Status().Update(ctx, instance); sErr != nil {
+					reqLogger.WithValues("role", role).Error(sErr, "failed to update status after IAM revoke")
+				}
+			}
+		}
+	} else if awsIamRequested {
+		reqLogger.WithValues("role", role).Info("IAM Auth requested while we are not running with AWS cloud provider config")
+	}
+
 	err = r.addFinalizer(ctx, reqLogger, instance)
 	if err != nil {
 		return r.requeue(ctx, instance, err)
@@ -213,7 +245,7 @@ func (r *PostgresUserReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return r.requeue(ctx, instance, err)
 	}
 
-	reqLogger.Info("reconciler done", "CR.Namespace", instance.Namespace, "CR.Name", instance.Name)
+	reqLogger.Info("Reconciling done")
 	return ctrl.Result{}, nil
 }