crossplane-contrib · fernandezcuesta · May 18, 2026 · May 18, 2026
diff --git a/apis/cluster/postgresql/v1alpha1/database_types.go b/apis/cluster/postgresql/v1alpha1/database_types.go
@@ -39,8 +39,20 @@ type DatabaseParameters struct {
 	// use the default (namely, the user executing the command). To create a
 	// database owned by another role, you must be a direct or indirect member
 	// of that role, or be a superuser.
+	// +optional
+	// +crossplane:generate:reference:type=Role
 	Owner *string `json:"owner,omitempty"`
 
+	// OwnerRef references the role object that will own this database.
+	// +immutable
+	// +optional
+	OwnerRef *xpv1.Reference `json:"ownerRef,omitempty"`
+
+	// OwnerSelector selects a reference to a Role that will own this database.
+	// +immutable
+	// +optional
+	OwnerSelector *xpv1.Selector `json:"ownerSelector,omitempty"`
+
 	// The name of the template from which to create the new database, or
 	// DEFAULT to use the default template (template1).
 	Template *string `json:"template,omitempty"`

diff --git a/apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go b/apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/cluster/postgresql/v1alpha1/zz_generated.resolvers.go b/apis/cluster/postgresql/v1alpha1/zz_generated.resolvers.go
diff --git a/apis/namespaced/postgresql/v1alpha1/database_types.go b/apis/namespaced/postgresql/v1alpha1/database_types.go
@@ -40,8 +40,20 @@ type DatabaseParameters struct {
 	// use the default (namely, the user executing the command). To create a
 	// database owned by another role, you must be a direct or indirect member
 	// of that role, or be a superuser.
+	// +optional
+	// +crossplane:generate:reference:type=Role
 	Owner *string `json:"owner,omitempty"`
 
+	// OwnerRef references the role object that will own this database.
+	// +immutable
+	// +optional
+	OwnerRef *xpv1.NamespacedReference `json:"ownerRef,omitempty"`
+
+	// OwnerSelector selects a reference to a Role that will own this database.
+	// +immutable
+	// +optional
+	OwnerSelector *xpv1.NamespacedSelector `json:"ownerSelector,omitempty"`
+
 	// The name of the template from which to create the new database, or
 	// DEFAULT to use the default template (template1).
 	Template *string `json:"template,omitempty"`

diff --git a/apis/namespaced/postgresql/v1alpha1/zz_generated.deepcopy.go b/apis/namespaced/postgresql/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/namespaced/postgresql/v1alpha1/zz_generated.resolvers.go b/apis/namespaced/postgresql/v1alpha1/zz_generated.resolvers.go
diff --git a/cluster/local/postgresdb_functions.sh b/cluster/local/postgresdb_functions.sh
@@ -110,6 +110,23 @@ setup_postgresdb_tests(){
   echo_step_completed
 }
 
+check_database_owner_ref() {
+  echo_step "check if database created with ownerRef has correct owner"
+
+  local owner
+  owner=$(PGPASSWORD="${postgres_root_pw}" psql -h localhost -p 5432 -U postgres -d postgres -wtAc \
+    "SELECT pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d WHERE d.datname = 'db-owner-ref';")
+  owner=$(echo "${owner}" | xargs)
+
+  if [ "${owner}" = "ownerrole" ]; then
+    echo_info "ownerRef resolved correctly: owner=${owner}"
+  else
+    echo_error "ERROR: expected owner 'ownerrole' but got '${owner}'"
+  fi
+
+  echo_step_completed
+}
+
 check_all_roles_privileges() {
   # check if granting mechanism is working properly
   echo_step "check if grant mechanism is working"
@@ -431,6 +448,7 @@ integration_tests_postgres() {
   setup_observe_only_database
   setup_postgresdb_tests
   check_observe_only_database
+  check_database_owner_ref
   check_all_roles_privileges
   check_all_schema_privileges
   check_custom_object_privileges

diff --git a/examples/cluster/postgresql/database.yaml b/examples/cluster/postgresql/database.yaml
@@ -17,6 +17,16 @@ spec:
 ---
 apiVersion: postgresql.sql.crossplane.io/v1alpha1
 kind: Database
+metadata:
+  name: db-owner-ref
+spec:
+  forProvider:
+    ownerSelector:
+      matchLabels:
+        role: owner
+---
+apiVersion: postgresql.sql.crossplane.io/v1alpha1
+kind: Database
 metadata:
   name: db-observe
 spec:

diff --git a/examples/cluster/postgresql/role.yaml b/examples/cluster/postgresql/role.yaml
@@ -32,6 +32,8 @@ apiVersion: postgresql.sql.crossplane.io/v1alpha1
 kind: Role
 metadata:
   name: ownerrole
+  labels:
+    role: owner
 spec:
   deletionPolicy:  Orphan
   writeConnectionSecretToRef:

diff --git a/examples/namespaced/postgresql/database.yaml b/examples/namespaced/postgresql/database.yaml
@@ -24,6 +24,20 @@ spec:
 ---
 apiVersion: postgresql.sql.m.crossplane.io/v1alpha1
 kind: Database
+metadata:
+  name: db-owner-ref
+  namespace: default
+spec:
+  forProvider:
+    ownerSelector:
+      matchLabels:
+        role: owner
+  providerConfigRef:
+    kind: ProviderConfig
+    name: default
+---
+apiVersion: postgresql.sql.m.crossplane.io/v1alpha1
+kind: Database
 metadata:
   name: db-observe
   namespace: default

diff --git a/examples/namespaced/postgresql/role.yaml b/examples/namespaced/postgresql/role.yaml
@@ -39,6 +39,8 @@ kind: Role
 metadata:
   name: ownerrole
   namespace: default
+  labels:
+    role: owner
 spec:
   writeConnectionSecretToRef:
     name: ownerrole-secret

diff --git a/package/crds/postgresql.sql.crossplane.io_databases.yaml b/package/crds/postgresql.sql.crossplane.io_databases.yaml
@@ -117,6 +117,82 @@ spec:
                       database owned by another role, you must be a direct or indirect member
                       of that role, or be a superuser.
                     type: string
+                  ownerRef:
+                    description: OwnerRef references the role object that will own
+                      this database.
+                    properties:
+                      name:
+                        description: Name of the referenced object.
+                        type: string
+                      policy:
+                        description: Policies for referencing.
+                        properties:
+                          resolution:
+                            default: Required
+                            description: |-
+                              Resolution specifies whether resolution of this reference is required.
+                              The default is 'Required', which means the reconcile will fail if the
+                              reference cannot be resolved. 'Optional' means this reference will be
+                              a no-op if it cannot be resolved.
+                            enum:
+                            - Required
+                            - Optional
+                            type: string
+                          resolve:
+                            description: |-
+                              Resolve specifies when this reference should be resolved. The default
+                              is 'IfNotPresent', which will attempt to resolve the reference only when
+                              the corresponding field is not present. Use 'Always' to resolve the
+                              reference on every reconcile.
+                            enum:
+                            - Always
+                            - IfNotPresent
+                            type: string
+                        type: object
+                    required:
+                    - name
+                    type: object
+                  ownerSelector:
+                    description: OwnerSelector selects a reference to a Role that
+                      will own this database.
+                    properties:
+                      matchControllerRef:
+                        description: |-
+                          MatchControllerRef ensures an object with the same controller reference
+                          as the selecting object is selected.
+                        type: boolean
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: MatchLabels ensures an object with matching labels
+                          is selected.
+                        type: object
+                      policy:
+                        description: Policies for selection.
+                        properties:
+                          resolution:
+                            default: Required
+                            description: |-
+                              Resolution specifies whether resolution of this reference is required.
+                              The default is 'Required', which means the reconcile will fail if the
+                              reference cannot be resolved. 'Optional' means this reference will be
+                              a no-op if it cannot be resolved.
+                            enum:
+                            - Required
+                            - Optional
+                            type: string
+                          resolve:
+                            description: |-
+                              Resolve specifies when this reference should be resolved. The default
+                              is 'IfNotPresent', which will attempt to resolve the reference only when
+                              the corresponding field is not present. Use 'Always' to resolve the
+                              reference on every reconcile.
+                            enum:
+                            - Always
+                            - IfNotPresent
+                            type: string
+                        type: object
+                    type: object
                   strategy:
                     description: |-
                       Strategy sets the method used to create the database from the template.