DRAFT VERIFY: PG matrix should fail without #135 grant fix #153

Closed
peter-svensson wants to merge 2 commits into main from test/pg-version-matrix-verify

@peter-svensson
Member

Verification PR. Branch is pre-#135 main + non-superuser PG matrix. Expect Integration Tests to fail on PG 16/17/18 with 'must be able to SET ROLE' (42501). Will close once verified — do not merge.

Deploy 5 versioned PostgreSQL instances (postgres-14 through
postgres-18) in the kind cluster and run a focused matrix test
exercising the CREATE USER + GRANT + CREATE DATABASE OWNER path
for each version.

PG 16+ tightened GRANT defaults to NOINHERIT, NOSET, NOADMIN.
A regression in the operator's admin-grant statement that omits
WITH INHERIT TRUE, SET TRUE will now fail loudly on PG 16/17/18
while still passing on PG 14/15. The matrix is light — one
Database CR per version, asserting Ready phase and secret
presence — so it stays cheap (~1 GB RAM, ~30-60s extra CI time)
while pinning behaviour across the supported version range.

Connecting as the built-in 'postgres' superuser bypasses the SET
ROLE check entirely (superusers can become any role unconditionally),
so the original matrix passed even on PG 16/17/18 where the bug
class is supposed to bite.

Bootstrap each PG instance with a non-superuser 'dbuo_admin' role
(LOGIN, CREATEDB, CREATEROLE, NOSUPERUSER, NOINHERIT) via a
ConfigMap-mounted /docker-entrypoint-initdb.d/init.sql. Repoint the
per-version connection-string Secrets at this admin. This mirrors
managed-PG providers (Scaleway managed RDB, self-hosted PG 16+
without RDS-style event triggers) where the admin is not a
superuser, so the operator's GRANT path is actually exercised.

@peter-svensson deleted the test/pg-version-matrix-verify branch May 7, 2026 14:59
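
The CREATE USER + GRANT + CREATE DATABASE OWNER path from the commit messages above, as an added example that is not code from this PR or from the operator. It assumes a scratch PostgreSQL 16+ instance with the default (empty) `createrole_self_grant`, run in psql as a superuser; `app_user`, `app_db` and both passwords are hypothetical placeholders.

```sql
-- Added example; app_user, app_db and the passwords are placeholders.

-- Bootstrap role with the attributes the commit message lists for init.sql.
CREATE ROLE dbuo_admin LOGIN CREATEDB CREATEROLE NOSUPERUSER NOINHERIT
    PASSWORD 'placeholder-admin-password';

-- Act as the non-superuser admin, so the SET ROLE check is not bypassed.
SET SESSION AUTHORIZATION dbuo_admin;

CREATE USER app_user PASSWORD 'placeholder-app-password';

-- On PG 16+ the creator holds only ADMIN OPTION on app_user at this point,
-- so handing ownership to it is refused:
--   ERROR:  must be able to SET ROLE "app_user"   (SQLSTATE 42501)
CREATE DATABASE app_db OWNER app_user;

-- The grant with the options named in the commit message. dbuo_admin may
-- issue it because it has ADMIN OPTION on the role it just created.
-- (This WITH clause is PG 16+ syntax; PG 14/15 reject it.)
GRANT app_user TO dbuo_admin WITH INHERIT TRUE, SET TRUE;

-- Same statement as before, now permitted.
CREATE DATABASE app_db OWNER app_user;

-- Inspect the per-grant options that decide the outcome (columns exist on PG 16+).
SELECT r.rolname AS role,
       m.rolname AS member,
       g.rolname AS grantor,
       a.admin_option,
       a.inherit_option,
       a.set_option
FROM pg_auth_members a
JOIN pg_roles r ON r.oid = a.roleid
JOIN pg_roles m ON m.oid = a.member
JOIN pg_roles g ON g.oid = a.grantor
WHERE r.rolname = 'app_user'
ORDER BY g.rolname;

RESET SESSION AUTHORIZATION;
```

psql continues past the first, failing `CREATE DATABASE` unless `ON_ERROR_STOP` is set, so the script can be run end to end.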