Skip to content

feat(postgresql): support WITH INHERIT FALSE on role membership grants (PostgreSQL 16+)#1

Open
matthewgreenwaldagility wants to merge 19 commits into
masterfrom
feat/psql-inheritance
Open

feat(postgresql): support WITH INHERIT FALSE on role membership grants (PostgreSQL 16+)#1
matthewgreenwaldagility wants to merge 19 commits into
masterfrom
feat/psql-inheritance

Conversation

@matthewgreenwaldagility
Copy link
Copy Markdown
Owner

@matthewgreenwaldagility matthewgreenwaldagility commented Apr 24, 2026

Closes crossplane-contrib#359

What this does

Adds a withInherit boolean field to spec.forProvider on the PostgreSQL Grant resource, enabling WITH INHERIT FALSE on role membership grants — a feature introduced in PostgreSQL 16.

apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Grant
spec:
  forProvider:
    withInherit: false   # emits: GRANT admin TO master_user WITH INHERIT FALSE
    roleRef:
      name: master-user
    memberOfRef:
      name: admin-role

When withInherit is omitted, behaviour is unchanged. When combined with withOption: ADMIN, the emitted SQL is WITH ADMIN OPTION, INHERIT FALSE.

The field is only valid on memberOf grants — setting it on a privilege grant (privileges field) returns a validation error.

Motivation

The primary use case is RDS PostgreSQL with IAM database authentication. Without this field, granting a master user membership in an admin role that holds rds_iam creates a transitive chain (master_user → admin → rds_iam), which causes RDS to route all connections for that user through PAM/IAM token verification, breaking password authentication. WITH INHERIT FALSE grants membership (satisfying ALTER DEFAULT PRIVILEGES FOR ROLE admin) without inheriting rds_iam.

Changes

File Change
apis/cluster/postgresql/v1alpha1/grant_types.go Add WithInherit *bool field to GrantParameters
apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go Regenerated
package/crds/postgresql.sql.crossplane.io_grants.yaml Regenerated — CRD schema updated
pkg/controller/cluster/postgresql/grant/reconciler.go New membershipWithClauses helper; selectGrantQuery filters pg_auth_members.inherit_option when set; createGrantQueries uses new helper; validation rejects withInherit on privilege grants
pkg/controller/cluster/postgresql/grant/reconciler_test.go 7 new test cases covering WithInherit nil/true/false for both Observe and Create
examples/cluster/postgresql/grant-with-inherit-false.yaml New example illustrating the RDS IAM pattern
Makefile Bump GOLANGCILINT_VERSION from 2.1.22.10.1 to match CI and support Go 1.26
README.md Fix stale Go version (1.18→1.26.1), add mise recommendation, fix copy-paste "Developing locally" section (was provider-helm content), add Schema to PostgreSQL resource list, fix example paths

Testing

make reviewable passes (generate + lint + all 26 test packages).

The inherit_option column on pg_auth_members was added in PostgreSQL 16. Setting withInherit on an older cluster will result in a SQL error, which is the expected and documented behaviour.

matthewgreenwaldagility and others added 19 commits April 24, 2026 17:39
@matthewgreenwaldagility
feat: adding support for psql inherit
78e6ce2 
Signed-off-by: Matthew Greenwald <matthew.greenwald@agilityrobotics.com>
@matthewgreenwaldagility
fix: GOLANGCILINT_VERSION
d9fc847 
Signed-off-by: Matthew Greenwald <matthew.greenwald@agilityrobotics.com>
@matthewgreenwaldagility
docs: updating docs for other contributors
6b33fed 
Signed-off-by: Matthew Greenwald <matthew.greenwald@agilityrobotics.com>
@dependabot
chore: bump codecov/codecov-action from 5.5.2 to 6.0.0
2637501 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.2 to 6.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@671740a...57e3a13)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
chore: bump docker/login-action from 4.0.0 to 4.1.0
6028015 
Bumps [docker/login-action](https://github.com/docker/login-action) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@b45d80f...4907a6d)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@fernandezcuesta
Merge pull request crossplane-contrib#371 from crossplane-contrib/dep…
9d317d4 
…endabot/github_actions/docker/login-action-4.1.0

chore: bump docker/login-action from 4.0.0 to 4.1.0
@fernandezcuesta
Merge branch 'master' into dependabot/github_actions/codecov/codecov-…
827179f 
…action-6.0.0
@fernandezcuesta
Merge pull request crossplane-contrib#370 from crossplane-contrib/dep…
0c8113b 
…endabot/github_actions/codecov/codecov-action-6.0.0

chore: bump codecov/codecov-action from 5.5.2 to 6.0.0
@dependabot
chore: bump github.com/antchfx/xpath from 1.2.0 to 1.3.6 (crossplane-…
e1a7a6a 
…contrib#349)

Bumps [github.com/antchfx/xpath](https://github.com/antchfx/xpath) from 1.2.0 to 1.3.6.
- [Release notes](https://github.com/antchfx/xpath/releases)
- [Commits](antchfx/xpath@v1.2.0...v1.3.6)

---
updated-dependencies:
- dependency-name: github.com/antchfx/xpath
  dependency-version: 1.3.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: bump actions/cache from 5.0.3 to 5.0.5 (crossplane-contrib#367)
b2d3216 
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.3 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@cdf6c1f...27d5ce7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: bump github.com/microsoft/go-mssqldb from 1.9.8 to 1.10.0 (cro…
551f9ab 
…ssplane-contrib#364)

Bumps [github.com/microsoft/go-mssqldb](https://github.com/microsoft/go-mssqldb) from 1.9.8 to 1.10.0.
- [Release notes](https://github.com/microsoft/go-mssqldb/releases)
- [Changelog](https://github.com/microsoft/go-mssqldb/blob/main/CHANGELOG.md)
- [Commits](microsoft/go-mssqldb@v1.9.8...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/microsoft/go-mssqldb
  dependency-version: 1.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: bump actions/upload-artifact from 7.0.0 to 7.0.1 (crossplane-c…
78d2989 
…ontrib#368)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: bump github/codeql-action from 4.35.1 to 4.35.4 (crossplane-co…
7f5b05b 
…ntrib#369)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.35.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@c10b806...68bde55)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: bump distroless/static in /cluster/images/provider-sql (crossp…
a42cef5 
…lane-contrib#356)

Bumps distroless/static from `f512d81` to `e3f9456`.

---
updated-dependencies:
- dependency-name: distroless/static
  dependency-version: nonroot
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore: bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0 (crossplan…
4eb5d8a 
…e-contrib#360)

Bumps [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) from 1.39.0 to 1.41.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.41.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel
  dependency-version: 1.41.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @chlunde
chore: bump github.com/lib/pq from 1.11.2 to 1.12.3 (crossplane-contr…
e5cd72d 
…ib#365)

* chore: bump github.com/lib/pq from 1.11.2 to 1.12.3

Bumps [github.com/lib/pq](https://github.com/lib/pq) from 1.11.2 to 1.12.3.
- [Release notes](https://github.com/lib/pq/releases)
- [Changelog](https://github.com/lib/pq/blob/master/CHANGELOG.md)
- [Commits](lib/pq@v1.11.2...v1.12.3)

---
updated-dependencies:
- dependency-name: github.com/lib/pq
  dependency-version: 1.12.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: use pqerror package for pq 1.12, pq.ErrorCode type is deprecated

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
@dependabot @chlunde
chore: bump github.com/crossplane/crossplane-runtime/v2 from 2.1.0 to…
ce2184f 
… 2.2.1 (crossplane-contrib#366)

* chore: bump github.com/crossplane/crossplane-runtime/v2

Bumps [github.com/crossplane/crossplane-runtime/v2](https://github.com/crossplane/crossplane-runtime) from 2.1.0 to 2.2.1.
- [Release notes](https://github.com/crossplane/crossplane-runtime/releases)
- [Changelog](https://github.com/crossplane/crossplane-runtime/blob/main/RELEASE.md)
- [Commits](crossplane/crossplane-runtime@v2.1.0...v2.2.1)

---
updated-dependencies:
- dependency-name: github.com/crossplane/crossplane-runtime/v2
  dependency-version: 2.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: regenerate CRDs with controller-gen v0.20.0

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

* chore: golangci: two deprecated function we have to continue using

Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
@alexdor
feat(postgres): Add support for setting STRATEGY during db creation (c…
3aac97c 
…rossplane-contrib#343)

* feat(postgres): Add support for setting STRATEGY during db creation

Add PostgreSQL Database strategy support for template-based database creation and make its lifecycle explicit in the API. The new strategy field is treated as create-time-only, and validated so updates do not silently drift from the real database state.

Fail fast when strategy is requested against PostgreSQL versions older than 15 instead of letting CREATE DATABASE fail with a less clear SQL error.

closes crossplane-contrib#341

Signed-off-by: Alexandros Dorodoulis <aldor94@gmail.com>

* fix: correct kubebuilder validation rules

Signed-off-by: Alexandros Dorodoulis <aldor94@gmail.com>

---------

Signed-off-by: Alexandros Dorodoulis <aldor94@gmail.com>
@matthewgreenwaldagility
Merge branch 'master' into feat/psql-inheritance
0384a85
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(postgresql): support WITH INHERIT FALSE on role membership grants (PostgreSQL 16+)

3 participants

@matthewgreenwaldagility @fernandezcuesta @alexdor