-
Notifications
You must be signed in to change notification settings - Fork 31
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Loading status checks…
add controller to create and delete individual usernames in mariadb
this is a first draft of a "create /drop account" controller that is separate from the main "create/drop database" controller, for the purpose of producing rotating username/passwords. The background for the change is based on discussions surrounding https://issues.redhat.com/browse/OSPRH-92 where internal control plane services such as Galera , Rabbit, Redis etc. would provide interfaces to add /remove arbitrary usernames, where a "password rotation" would involve adding a new username/password and having services switch there, retiring the old account once all finalizers have been removed.
Showing
12 changed files
with
648 additions
and
57 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.11.1 | ||
creationTimestamp: null | ||
name: mariadbaccounts.mariadb.openstack.org | ||
spec: | ||
group: mariadb.openstack.org | ||
names: | ||
kind: MariaDBAccount | ||
listKind: MariaDBAccountList | ||
plural: mariadbaccounts | ||
singular: mariadbaccount | ||
scope: Namespaced | ||
versions: | ||
- name: v1beta1 | ||
schema: | ||
openAPIV3Schema: | ||
description: MariaDBAccount is the Schema for the mariadbaccounts API | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation | ||
of an object. Servers should convert recognized schemas to the latest | ||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this | ||
object represents. Servers may infer this from the endpoint the client | ||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: MariaDBAccountSpec defines the desired state of MariaDBAccount | ||
properties: | ||
secret: | ||
description: Name of secret which contains DatabasePassword | ||
type: string | ||
userName: | ||
description: UserName for new account | ||
type: string | ||
type: object | ||
status: | ||
description: MariaDBAccountStatus defines the observed state of MariaDBAccount | ||
properties: | ||
completed: | ||
type: boolean | ||
hash: | ||
additionalProperties: | ||
type: string | ||
description: Map of hashes to track e.g. job status | ||
type: object | ||
type: object | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
60 changes: 60 additions & 0 deletions
60
config/crd/bases/mariadb.openstack.org_mariadbaccounts.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
--- | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
controller-gen.kubebuilder.io/version: v0.11.1 | ||
creationTimestamp: null | ||
name: mariadbaccounts.mariadb.openstack.org | ||
spec: | ||
group: mariadb.openstack.org | ||
names: | ||
kind: MariaDBAccount | ||
listKind: MariaDBAccountList | ||
plural: mariadbaccounts | ||
singular: mariadbaccount | ||
scope: Namespaced | ||
versions: | ||
- name: v1beta1 | ||
schema: | ||
openAPIV3Schema: | ||
description: MariaDBAccount is the Schema for the mariadbaccounts API | ||
properties: | ||
apiVersion: | ||
description: 'APIVersion defines the versioned schema of this representation | ||
of an object. Servers should convert recognized schemas to the latest | ||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
type: string | ||
kind: | ||
description: 'Kind is a string value representing the REST resource this | ||
object represents. Servers may infer this from the endpoint the client | ||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
type: string | ||
metadata: | ||
type: object | ||
spec: | ||
description: MariaDBAccountSpec defines the desired state of MariaDBAccount | ||
properties: | ||
secret: | ||
description: Name of secret which contains DatabasePassword | ||
type: string | ||
userName: | ||
description: UserName for new account | ||
type: string | ||
type: object | ||
status: | ||
description: MariaDBAccountStatus defines the observed state of MariaDBAccount | ||
properties: | ||
completed: | ||
type: boolean | ||
hash: | ||
additionalProperties: | ||
type: string | ||
description: Map of hashes to track e.g. job status | ||
type: object | ||
type: object | ||
type: object | ||
served: true | ||
storage: true | ||
subresources: | ||
status: {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,131 @@ | ||
package mariadb | ||
|
||
import ( | ||
"strings" | ||
|
||
util "github.com/openstack-k8s-operators/lib-common/modules/common/util" | ||
databasev1beta1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1" | ||
batchv1 "k8s.io/api/batch/v1" | ||
corev1 "k8s.io/api/core/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
) | ||
|
||
type accountCreateOrDeleteOptions struct { | ||
UserName string | ||
DatabaseName string | ||
DatabaseHostname string | ||
DatabaseAdminUsername string | ||
} | ||
|
||
func CreateDbAccountJob(account *databasev1beta1.MariaDBAccount, databaseName string, databaseHostName string, databaseSecret string, containerImage string, serviceAccountName string) (*batchv1.Job, error) { | ||
|
||
opts := accountCreateOrDeleteOptions{account.Spec.UserName, databaseName, databaseHostName, "root"} | ||
dbCmd, err := util.ExecuteTemplateFile("account.sh", &opts) | ||
if err != nil { | ||
return nil, err | ||
} | ||
labels := map[string]string{ | ||
"owner": "mariadb-operator", "cr": account.Spec.UserName, "app": "mariadbschema", | ||
} | ||
job := &batchv1.Job{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
// provided db name is used as metadata name where underscore is a not allowed | ||
// character. Lets replace all underscores with hypen. Underscores in the db name are | ||
// possible. | ||
Name: strings.Replace(account.Spec.UserName, "_", "-", -1) + "-account-create", | ||
Namespace: account.Namespace, | ||
Labels: labels, | ||
}, | ||
Spec: batchv1.JobSpec{ | ||
Template: corev1.PodTemplateSpec{ | ||
Spec: corev1.PodSpec{ | ||
RestartPolicy: corev1.RestartPolicyOnFailure, | ||
ServiceAccountName: serviceAccountName, | ||
Containers: []corev1.Container{ | ||
{ | ||
Name: "mariadb-account-create", | ||
Image: containerImage, | ||
Command: []string{"/bin/sh", "-c", dbCmd}, | ||
Env: []corev1.EnvVar{ | ||
{ | ||
Name: "MYSQL_PWD", | ||
ValueFrom: &corev1.EnvVarSource{ | ||
SecretKeyRef: &corev1.SecretKeySelector{ | ||
LocalObjectReference: corev1.LocalObjectReference{ | ||
Name: databaseSecret, | ||
}, | ||
Key: "DbRootPassword", | ||
}, | ||
}, | ||
}, | ||
{ | ||
Name: "DatabasePassword", | ||
ValueFrom: &corev1.EnvVarSource{ | ||
SecretKeyRef: &corev1.SecretKeySelector{ | ||
LocalObjectReference: corev1.LocalObjectReference{ | ||
Name: account.Spec.Secret, | ||
}, | ||
Key: "DatabasePassword", | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
return job, nil | ||
} | ||
|
||
func DeleteDbAccountJob(account *databasev1beta1.MariaDBAccount, databaseName string, databaseHostName string, databaseSecret string, containerImage string, serviceAccountName string) (*batchv1.Job, error) { | ||
|
||
opts := accountCreateOrDeleteOptions{account.Spec.UserName, databaseName, databaseHostName, "root"} | ||
|
||
delCmd, err := util.ExecuteTemplateFile("delete_account.sh", &opts) | ||
if err != nil { | ||
return nil, err | ||
} | ||
labels := map[string]string{ | ||
"owner": "mariadb-operator", "cr": account.Spec.UserName, "app": "mariadbschema", | ||
} | ||
job := &batchv1.Job{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: strings.Replace(account.Spec.UserName, "_", "", -1) + "-account-delete", | ||
Namespace: account.Namespace, | ||
Labels: labels, | ||
}, | ||
Spec: batchv1.JobSpec{ | ||
Template: corev1.PodTemplateSpec{ | ||
Spec: corev1.PodSpec{ | ||
RestartPolicy: corev1.RestartPolicyOnFailure, | ||
ServiceAccountName: serviceAccountName, | ||
Containers: []corev1.Container{ | ||
{ | ||
Name: "mariadb-account-delete", | ||
Image: containerImage, | ||
Command: []string{"/bin/sh", "-c", delCmd}, | ||
Env: []corev1.EnvVar{ | ||
{ | ||
Name: "MYSQL_PWD", | ||
ValueFrom: &corev1.EnvVarSource{ | ||
SecretKeyRef: &corev1.SecretKeySelector{ | ||
LocalObjectReference: corev1.LocalObjectReference{ | ||
Name: databaseSecret, | ||
}, | ||
Key: "DbRootPassword", | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
} | ||
|
||
return job, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
#!/bin/bash | ||
export DatabasePassword=${DatabasePassword:?"Please specify a DatabasePassword variable."} | ||
|
||
mysql -h {{.DatabaseHostname}} -u {{.DatabaseAdminUsername}} -P 3306 -e "GRANT ALL PRIVILEGES ON {{.DatabaseName}}.* TO '{{.UserName}}'@'localhost' IDENTIFIED BY '$DatabasePassword';GRANT ALL PRIVILEGES ON {{.DatabaseName}}.* TO '{{.UserName}}'@'%' IDENTIFIED BY '$DatabasePassword';" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
#!/bin/bash | ||
|
||
mysql -h {{.DatabaseHostname}} -u {{.DatabaseAdminUsername}} -P 3306 -e "DROP USER IF EXISTS '{{.UserName}}'@'localhost'; DROP USER IF EXISTS '{{.UserName}}'@'%';" |