Ensure Kubernetes Secrets associated with backups are deleted when specified.

Jonathan S. Katz · jkatz · commit 655cf2bbcc87 · 2019-11-11T13:08:46.000-05:00
During a PostgreSQL delete operation where the user explicitly specifies to
delete the backups `e.g. pgo delete cluster clustername --delete-backups`, the
`&lt;clustername&gt;-pgbackrest-repo-config` secret was not being deleted. Given all
the backups for that cluster are destroyed, the secret is effectively moot and
should be removed.

This ensures that the `&lt;clustername&gt;-pgbackrest-repo-config` secret is removed
when `--delete-backups` is specified. However, if only `--delete-data` is
specified but not `--delete-backups`, the aforementioned secret remains.

Issue: [ch6254]
diff --git a/pgo-rmdata/rmdata/process.go b/pgo-rmdata/rmdata/process.go
@@ -17,6 +17,8 @@ limitations under the License.
 
 import (
 	"errors"
+	"fmt"
+
 	crv1 "github.com/crunchydata/postgres-operator/apis/cr/v1"
 	"github.com/crunchydata/postgres-operator/config"
 	"github.com/crunchydata/postgres-operator/kubeapi"
@@ -99,6 +101,7 @@ func Delete(request Request) {
 		removeBackrestRepo(request)
 		removeBackupJobs(request)
 		removeBackups(request)
+		removeBackupSecrets(request)
 	}
 
 	//handle the case of 'pgo delete cluster mycluster'
@@ -157,6 +160,31 @@ func removeBackups(request Request) {
 
 }
 
+// removeBackupSecrets removes any secrets that are associated with backups
+// for this cluster, in particular, the secret that is used by the pgBackRest
+// repository that is available for this cluster.
+func removeBackupSecrets(request Request) {
+	// first, derive the secrename of the pgBackRest repo, which is the
+	// "`clusterName`-`LABEL_BACKREST_REPO_SECRET`"
+	secretName := fmt.Sprintf("%s-%s",
+		request.ClusterName, config.LABEL_BACKREST_REPO_SECRET)
+	log.Debugf("removeBackupSecrets: %s", secretName)
+
+	// we can attempt to delete the secret directly without making any further
+	// API calls. Even if we did a "get", there could still be a race with some
+	// independent process (e.g. an external user) deleting the secret before we
+	// get to it. The main goal is to have the secret deleted
+	//
+	// we'll also check to see if there was an error, but if there is we'll only
+	// log the fact there was an error; this function is just a pass through
+	if err := kubeapi.DeleteSecret(request.Clientset, secretName, request.Namespace); err != nil {
+		log.Error(err)
+	}
+
+	// and done!
+	return
+}
+
 func removeData(request Request) {
 	//get the replicas
 	selector := config.LABEL_PG_CLUSTER + "=" + request.ClusterName + "," + config.LABEL_SERVICE_NAME + "=" + request.ClusterName + "-replica"
