Labels and Annotations for Individual Services

This update adds support for labeling and annotating the Postgres,
pgAdmin and pgBouncer services individually. This allows these
services reconciled by PGO to have certain labels and/or annotations
configured that are not set on any other PGO objects.

Issue: [sc-14916]
resolves: #3265

Author: tjmoore4

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -10426,6 +10426,19 @@ spec:
                       service:
                         description: Specification of the service that exposes PgBouncer.
                         properties:
+                          metadata:
+                            description: Metadata contains metadata for PostgresCluster
+                              resources
+                            properties:
+                              annotations:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              labels:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                            type: object
                           nodePort:
                             description: The port on which this service is exposed
                               when type is NodePort or LoadBalancer. Value must be
@@ -10435,14 +10448,13 @@ spec:
                             format: int32
                             type: integer
                           type:
+                            default: ClusterIP
                             description: 'More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types'
                             enum:
                             - ClusterIP
                             - NodePort
                             - LoadBalancer
                             type: string
-                        required:
-                        - type
                         type: object
                       sidecars:
                         description: Configuration for pgBouncer sidecar containers
@@ -10641,6 +10653,18 @@ spec:
                 description: Specification of the service that exposes the PostgreSQL
                   primary instance.
                 properties:
+                  metadata:
+                    description: Metadata contains metadata for PostgresCluster resources
+                    properties:
+                      annotations:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    type: object
                   nodePort:
                     description: The port on which this service is exposed when type
                       is NodePort or LoadBalancer. Value must be in-range and not
@@ -10649,14 +10673,13 @@ spec:
                     format: int32
                     type: integer
                   type:
+                    default: ClusterIP
                     description: 'More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types'
                     enum:
                     - ClusterIP
                     - NodePort
                     - LoadBalancer
                     type: string
-                required:
-                - type
                 type: object
               shutdown:
                 description: Whether or not the PostgreSQL cluster should be stopped.
@@ -11810,6 +11833,19 @@ spec:
                       service:
                         description: Specification of the service that exposes pgAdmin.
                         properties:
+                          metadata:
+                            description: Metadata contains metadata for PostgresCluster
+                              resources
+                            properties:
+                              annotations:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              labels:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                            type: object
                           nodePort:
                             description: The port on which this service is exposed
                               when type is NodePort or LoadBalancer. Value must be
@@ -11819,14 +11855,13 @@ spec:
                             format: int32
                             type: integer
                           type:
+                            default: ClusterIP
                             description: 'More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types'
                             enum:
                             - ClusterIP
                             - NodePort
                             - LoadBalancer
                             type: string
-                        required:
-                        - type
                         type: object
                       tolerations:
                         description: 'Tolerations of a pgAdmin pod. Changing this

docs/content/references/crd.md

@@ -40,7 +40,7 @@ When your Postgres cluster is initialized, PGO will bootstrap a database and Pos
 
 All connections are over TLS. PGO provides its own certificate authority (CA) to allow you to securely connect your applications to your Postgres clusters. This allows you to use the [`verify-full` "SSL mode"](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) of Postgres, which provides eavesdropping protection and prevents MITM attacks. You can also choose to bring your own CA, which is described later in this tutorial in the [Customize Cluster]({{< relref "./customize-cluster.md" >}}) section.
 
-### Modifying Service Type
+### Modifying Service Type, NodePort Value and Metadata
 
 By default, PGO deploys Services with the `ClusterIP` Service type. Based on how you want to expose your database,
 you may want to modify the Services to use a different
@@ -53,17 +53,23 @@ You can modify the Services that PGO manages from the following attributes:
 - `spec.proxy.pgBouncer.service` - this manages the Service for connecting to the PgBouncer connection pooler.
 - `spec.userInterface.pgAdmin.service` - this manages the Service for connecting to the pgAdmin management tool.
 
-For example, to set the Postgres primary to use a `NodePort` service and specific `nodePort` value, you would add the
-following to your manifest:
+For example, say you want to set the Postgres primary to use a `NodePort` service, a specific `nodePort` value, and set
+a specific annotation and label, you would add the following to your manifest:
 
 ```yaml
 spec:
   service:
+    metadata:
+      annotations:
+        my-annotation: value1
+      labels:
+        my-label: value2
     type: NodePort
     nodePort: 32000
 ```
 
-For our `hippo` cluster, you would see the Service type and nodePort modification. For example:
+For our `hippo` cluster, you would see the Service type and nodePort modification as well as the annotation and label.
+For example:
 
 ```
 kubectl -n postgres-operator get svc --selector=postgres-operator.crunchydata.com/cluster=hippo
@@ -80,8 +86,28 @@ hippo-primary     ClusterIP   None            <none>        5432/TCP         48s
 hippo-replicas    ClusterIP   10.106.18.99    <none>        5432/TCP         48s
 ```
 
-Note that setting the `nodePort` value is not allowed when using the `ClusterIP` type, and it must be in-range and
-not otherwise in use or the operation will fail. Also, if you are exposing your Services externally and are relying on TLS
+and the top of the output from running
+
+```
+kubectl -n postgres-operator describe svc hippo-ha
+```
+
+will show our custom annotation and label have been added:
+
+```
+Name:              hippo-ha
+Namespace:         postgres-operator
+Labels:            my-label=value2
+                   postgres-operator.crunchydata.com/cluster=hippo
+                   postgres-operator.crunchydata.com/patroni=hippo-ha
+Annotations:       my-annotation: value1
+```
+
+Note that setting the `nodePort` value is not allowed when using the (default) `ClusterIP` type, and it must be in-range
+and not otherwise in use or the operation will fail. Additionally, be aware that any annotations or labels provided here
+will win in case of conflicts with any annotations or labels a user configures elsewhere.
+
+Finally, if you are exposing your Services externally and are relying on TLS
 verification, you will need to use the [custom TLS]({{< relref "tutorial/customize-cluster.md" >}}#customize-tls)
 features of PGO).
 

docs/content/tutorial/connect-cluster.md

@@ -237,7 +237,17 @@ func (r *Reconciler) generatePatroniLeaderLeaseService(
 	service.Annotations = naming.Merge(
 		cluster.Spec.Metadata.GetAnnotationsOrNil())
 	service.Labels = naming.Merge(
-		cluster.Spec.Metadata.GetLabelsOrNil(),
+		cluster.Spec.Metadata.GetLabelsOrNil())
+
+	if spec := cluster.Spec.Service; spec != nil {
+		service.Annotations = naming.Merge(service.Annotations,
+			spec.Metadata.GetAnnotationsOrNil())
+		service.Labels = naming.Merge(service.Labels,
+			spec.Metadata.GetLabelsOrNil())
+	}
+
+	// add our labels last so they aren't overwritten
+	service.Labels = naming.Merge(service.Labels,
 		map[string]string{
 			naming.LabelCluster: cluster.Name,
 			naming.LabelPatroni: naming.PatroniScope(cluster),