diff --git a/apis/mariadb/v1/mariadbprovider_types.go b/apis/mariadb/v1/mariadbprovider_types.go
index 52f8965..beba45e 100644
--- a/apis/mariadb/v1/mariadbprovider_types.go
+++ b/apis/mariadb/v1/mariadbprovider_types.go
@@ -22,21 +22,27 @@ import (
 // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+type SecretKeyRef struct {
+ Name string `json:"name"`
+ Key string `json:"key"`
+}
+
 // MariaDBProviderSpec defines the desired state of MariaDBProvider
 type MariaDBProviderSpec struct {
 // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 // Important: Run "make" to regenerate code after modifying this file
 // These are the spec options for providers
- Environment string `json:"environment,omitempty"`
- Hostname string `json:"hostname,omitempty"`
- ReadReplicaHostnames []string `json:"readReplicaHostnames,omitempty"`
- Password string `json:"password,omitempty"`
- Port string `json:"port,omitempty"`
- Username string `json:"user,omitempty"`
- Type string `json:"type,omitempty"`
- Name string `json:"name,omitempty"`
- Namespace string `json:"namespace,omitempty"`
+ Environment string `json:"environment,omitempty"`
+ Hostname string `json:"hostname,omitempty"`
+ ReadReplicaHostnames []string `json:"readReplicaHostnames,omitempty"`
+ Password string `json:"password,omitempty"`
+ PasswordSecretRef *SecretKeyRef `json:"passwordSecretRef,omitempty"`
+ Port string `json:"port,omitempty"`
+ Username string `json:"user,omitempty"`
+ Type string `json:"type,omitempty"`
+ Name string `json:"name,omitempty"`
+ Namespace string `json:"namespace,omitempty"`
 }
 // MariaDBProviderStatus defines the observed state of MariaDBProvider
diff --git a/apis/mariadb/v1/zz_generated.deepcopy.go b/apis/mariadb/v1/zz_generated.deepcopy.go
index cccdb19..53d3d4c 100644
--- a/apis/mariadb/v1/zz_generated.deepcopy.go
+++ b/apis/mariadb/v1/zz_generated.deepcopy.go
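Review bot: `SecretKeyRef` is exported without a doc comment here and in the mongodb types hunk, whereas the postgres copy carries one (and only the postgres CRD therefore gets a `description`); `k8s.io/api/core/v1` already provides `SecretKeySelector` with the same name/key shape, which would avoid three identical copies of the type. Nothing documents how `Password` and `PasswordSecretRef` interact, although all three controllers prefer the reference when set and otherwise fall back to the plaintext field. A comment on the new field such as `// PasswordSecretRef selects a key in a Secret in the provider's namespace; when set it takes precedence over Password.` would pin that contract, and `Password` presumably deserves a note that it is kept for backward compatibility. Neither the types nor the generated CRD enforce that at most one of the two is set; a validation webhook or an explicit precedence comment is the minimum so operators know which credential wins.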
@@ -237,6 +237,11 @@ func (in *MariaDBProviderSpec) DeepCopyInto(out *MariaDBProviderSpec) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.PasswordSecretRef != nil {
+ in, out := &in.PasswordSecretRef, &out.PasswordSecretRef
+ *out = new(SecretKeyRef)
+ **out = **in
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MariaDBProviderSpec.
@@ -263,3 +268,18 @@ func (in *MariaDBProviderStatus) DeepCopy() *MariaDBProviderStatus {
 in.DeepCopyInto(out)
 return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretKeyRef) DeepCopyInto(out *SecretKeyRef) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeyRef.
+func (in *SecretKeyRef) DeepCopy() *SecretKeyRef {
+ if in == nil {
+ return nil
+ }
+ out := new(SecretKeyRef)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/apis/mongodb/v1/mongodbprovider_types.go b/apis/mongodb/v1/mongodbprovider_types.go
index c736f03..e989399 100644
--- a/apis/mongodb/v1/mongodbprovider_types.go
+++ b/apis/mongodb/v1/mongodbprovider_types.go
@@ -22,19 +22,25 @@ import (
 // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+type SecretKeyRef struct {
+ Name string `json:"name"`
+ Key string `json:"key"`
+}
+
 // MongoDBProviderSpec defines the desired state of MongoDBProvider
 type MongoDBProviderSpec struct {
 // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 // Important: Run "make" to regenerate code after modifying this file
 // These are the spec options for providers
- Environment string `json:"environment,omitempty"`
- Hostname string `json:"hostname,omitempty"`
- Password string `json:"password,omitempty"`
- Port string `json:"port,omitempty"`
- Username string `json:"user,omitempty"`
- Auth MongoDBAuth `json:"auth,omitempty"`
- Type string `json:"type,omitempty"`
+ Environment string `json:"environment,omitempty"`
+ Hostname string `json:"hostname,omitempty"`
+ Password string `json:"password,omitempty"`
+ PasswordSecretRef *SecretKeyRef `json:"passwordSecretRef,omitempty"`
+ Port string `json:"port,omitempty"`
+ Username string `json:"user,omitempty"`
+ Auth MongoDBAuth `json:"auth,omitempty"`
+ Type string `json:"type,omitempty"`
 }
 // MongoDBAuth defines the authorisation mechanisms that mongo can use
diff --git a/apis/mongodb/v1/zz_generated.deepcopy.go b/apis/mongodb/v1/zz_generated.deepcopy.go
index 593d991..15543ab 100644
--- a/apis/mongodb/v1/zz_generated.deepcopy.go
+++ b/apis/mongodb/v1/zz_generated.deepcopy.go
@@ -182,7 +182,7 @@ func (in *MongoDBProvider) DeepCopyInto(out *MongoDBProvider) {
 *out = *in
 out.TypeMeta = in.TypeMeta
 in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
- out.Spec = in.Spec
+ in.Spec.DeepCopyInto(&out.Spec)
 out.Status = in.Status
 }
@@ -239,6 +239,11 @@ func (in *MongoDBProviderList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MongoDBProviderSpec) DeepCopyInto(out *MongoDBProviderSpec) {
 *out = *in
+ if in.PasswordSecretRef != nil {
+ in, out := &in.PasswordSecretRef, &out.PasswordSecretRef
+ *out = new(SecretKeyRef)
+ **out = **in
+ }
 out.Auth = in.Auth
 }
@@ -266,3 +271,18 @@ func (in *MongoDBProviderStatus) DeepCopy() *MongoDBProviderStatus {
 in.DeepCopyInto(out)
 return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretKeyRef) DeepCopyInto(out *SecretKeyRef) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeyRef.
+func (in *SecretKeyRef) DeepCopy() *SecretKeyRef {
+ if in == nil {
+ return nil
+ }
+ out := new(SecretKeyRef)
+ in.DeepCopyInto(out)
+ return out
+}
diff --git a/apis/postgres/v1/postgresqlprovider_types.go b/apis/postgres/v1/postgresqlprovider_types.go
index 31d2960..a97e0e8 100644
--- a/apis/postgres/v1/postgresqlprovider_types.go
+++ b/apis/postgres/v1/postgresqlprovider_types.go
@@ -22,20 +22,27 @@ import (
 // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
+// SecretKeyRef references a specific key inside a Kubernetes Secret
+type SecretKeyRef struct {
+ Name string `json:"name"`
+ Key string `json:"key"`
+}
+
 // PostgreSQLProviderSpec defines the desired state of PostgreSQLProvider
 type PostgreSQLProviderSpec struct {
 // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 // Important: Run "make" to regenerate code after modifying this file
 // These are the spec options for providers
- Environment string `json:"environment,omitempty"`
- Hostname string `json:"hostname,omitempty"`
- Password string `json:"password,omitempty"`
- Port string `json:"port,omitempty"`
- Username string `json:"user,omitempty"`
- Name string `json:"name,omitempty"`
- Namespace string `json:"namespace,omitempty"`
- Type string `json:"type,omitempty"`
+ Environment string `json:"environment,omitempty"`
+ Hostname string `json:"hostname,omitempty"`
+ Password string `json:"password,omitempty"`
+ PasswordSecretRef *SecretKeyRef `json:"passwordSecretRef,omitempty"`
+ Port string `json:"port,omitempty"`
+ Username string `json:"user,omitempty"`
+ Name string `json:"name,omitempty"`
+ Namespace string `json:"namespace,omitempty"`
+ Type string `json:"type,omitempty"`
 }
 // PostgreSQLProviderStatus defines the observed state of PostgreSQLProvider
diff --git a/apis/postgres/v1/zz_generated.deepcopy.go b/apis/postgres/v1/zz_generated.deepcopy.go
index dddf5d8..e53eac0 100644
--- a/apis/postgres/v1/zz_generated.deepcopy.go
+++ b/apis/postgres/v1/zz_generated.deepcopy.go
@@ -165,7 +165,7 @@ func (in *PostgreSQLProvider) DeepCopyInto(out *PostgreSQLProvider) {
 *out = *in
 out.TypeMeta = in.TypeMeta
 in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
- out.Spec = in.Spec
+ in.Spec.DeepCopyInto(&out.Spec)
 out.Status = in.Status
 }
@@ -222,6 +222,11 @@ func (in *PostgreSQLProviderList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PostgreSQLProviderSpec) DeepCopyInto(out *PostgreSQLProviderSpec) { *out = *in + if in.PasswordSecretRef != nil { + in, out := &in.PasswordSecretRef, &out.PasswordSecretRef + *out = new(SecretKeyRef) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgreSQLProviderSpec. @@ -248,3 +253,18 @@ func (in *PostgreSQLProviderStatus) DeepCopy() *PostgreSQLProviderStatus { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretKeyRef) DeepCopyInto(out *SecretKeyRef) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeyRef. +func (in *SecretKeyRef) DeepCopy() *SecretKeyRef { + if in == nil { + return nil + } + out := new(SecretKeyRef) + in.DeepCopyInto(out) + return out +} diff --git a/charts/dbaas-operator/templates/clusterrole.yaml b/charts/dbaas-operator/templates/clusterrole.yaml index 2feac9e..76c9d46 100644 --- a/charts/dbaas-operator/templates/clusterrole.yaml +++ b/charts/dbaas-operator/templates/clusterrole.yaml @@ -15,6 +15,14 @@ rules: - patch - update - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch - apiGroups: - mariadb.amazee.io resources: diff --git a/charts/dbaas-operator/templates/role.yaml b/charts/dbaas-operator/templates/role.yaml index 5b4bd9a..460b0ac 100644 --- a/charts/dbaas-operator/templates/role.yaml +++ b/charts/dbaas-operator/templates/role.yaml @@ -31,4 +31,12 @@ rules: resources: - events verbs: - - create \ No newline at end of file + - create +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch \ No newline at end of file 
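Review bot: The new ClusterRole rule grants `get`, `list` and `watch` on every Secret in the cluster, while the three reconcilers only ever `Get` one named Secret in the provider's own namespace. If those reads go through the manager's cached client (the controller-runtime default), `list`/`watch` is what backs the informer and that cache then holds every Secret in the cluster in the operator's memory; that is worth confirming, because if reads were routed through a cache-bypassing reader (`mgr.GetAPIReader()`) the rule could shrink to `get`. Where providers live in a known namespace, the namespaced Role in the next hunk is the better home for this permission and the ClusterRole entry can be dropped. Either way a one-line comment above the rule stating why cluster-wide Secret read is needed would stop the next reviewer from asking the same question.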
diff --git a/charts/mariadbprovider/templates/mariadbprovider.yaml b/charts/mariadbprovider/templates/mariadbprovider.yaml index 5d018ee..10b0d6d 100644 --- a/charts/mariadbprovider/templates/mariadbprovider.yaml +++ b/charts/mariadbprovider/templates/mariadbprovider.yaml @@ -9,7 +9,12 @@ spec: hostname: {{ $providerConfig.hostname | quote }} readReplicaHostnames: {{- toYaml $providerConfig.readReplicaHostnames | nindent 4 }} + passwordSecretRef: + name: {{ $providerConfig.passwordSecretRef.name | quote }} + key: {{ $providerConfig.passwordSecretRef.key | quote }} + {{- else if $providerConfig.password }} password: {{ $providerConfig.password | quote }} + {{- end }} port: {{ $providerConfig.port | quote }} user: {{ $providerConfig.user | quote }} type: {{ $providerConfig.type | quote | default "generic" }} diff --git a/charts/mongodbprovider/templates/mongodbprovider.yaml b/charts/mongodbprovider/templates/mongodbprovider.yaml index db58a73..bc244b5 100644 --- a/charts/mongodbprovider/templates/mongodbprovider.yaml +++ b/charts/mongodbprovider/templates/mongodbprovider.yaml @@ -7,7 +7,12 @@ metadata: spec: environment: {{ $providerConfig.environment | quote }} hostname: {{ $providerConfig.hostname | quote }} + passwordSecretRef: + name: {{ $providerConfig.passwordSecretRef.name | quote }} + key: {{ $providerConfig.passwordSecretRef.key | quote }} + {{- else if $providerConfig.password }} password: {{ $providerConfig.password | quote }} + {{- end }} port: {{ $providerConfig.port | quote }} user: {{ $providerConfig.user | quote }} type: {{ $providerConfig.type | quote | default "generic" }} diff --git a/charts/postgresqlprovider/templates/postgresqlprovider.yaml b/charts/postgresqlprovider/templates/postgresqlprovider.yaml index aa24d43..f5e9f8a 100644 --- a/charts/postgresqlprovider/templates/postgresqlprovider.yaml +++ b/charts/postgresqlprovider/templates/postgresqlprovider.yaml 
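Review bot: The added `{{- else if $providerConfig.password }}` and `{{- end }}` have no matching `{{- if $providerConfig.passwordSecretRef }}` in this hunk; the `passwordSecretRef:` block is emitted unconditionally, so unless an `if` opens before line 9 (outside the hunk) the template fails to parse, and if one does open there, `hostname` and `readReplicaHostnames` would only render when a secret ref is configured. The mongodbprovider.yaml hunk below and the postgresqlprovider.yaml hunk that follows have the same shape. Proposed: insert `{{- if $providerConfig.passwordSecretRef }}` immediately before `passwordSecretRef:` in all three templates. Note also that when neither key is set the rendered spec carries no credential at all, which the controllers then resolve to an empty `Spec.Password`; a `{{- else }}{{ fail "..." }}` branch, or at least a values.yaml comment, would surface that misconfiguration at install time.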
@@ -7,7 +7,12 @@ metadata: spec: environment: {{ $providerConfig.environment | quote }} hostname: {{ $providerConfig.hostname | quote }} + passwordSecretRef: + name: {{ $providerConfig.passwordSecretRef.name | quote }} + key: {{ $providerConfig.passwordSecretRef.key | quote }} + {{- else if $providerConfig.password }} password: {{ $providerConfig.password | quote }} + {{- end }} port: {{ $providerConfig.port | quote }} user: {{ $providerConfig.user | quote }} type: {{ $providerConfig.type | quote | default "generic" }} diff --git a/config/crd/bases/mariadb.amazee.io_mariadbconsumers.yaml b/config/crd/bases/mariadb.amazee.io_mariadbconsumers.yaml index e3ab97d..976ee5f 100644 --- a/config/crd/bases/mariadb.amazee.io_mariadbconsumers.yaml +++ b/config/crd/bases/mariadb.amazee.io_mariadbconsumers.yaml @@ -1,4 +1,3 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -87,9 +86,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/config/crd/bases/mariadb.amazee.io_mariadbproviders.yaml b/config/crd/bases/mariadb.amazee.io_mariadbproviders.yaml index 383f40b..f9ed817 100644 --- a/config/crd/bases/mariadb.amazee.io_mariadbproviders.yaml +++ b/config/crd/bases/mariadb.amazee.io_mariadbproviders.yaml @@ -1,4 +1,3 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -47,6 +46,16 @@ spec: type: string password: type: string + passwordSecretRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object port: type: string readReplicaHostnames: @@ -64,9 +73,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/config/crd/bases/mongodb.amazee.io_mongodbconsumers.yaml b/config/crd/bases/mongodb.amazee.io_mongodbconsumers.yaml index 78ad4b4..6e78722 100644 
--- a/config/crd/bases/mongodb.amazee.io_mongodbconsumers.yaml +++ b/config/crd/bases/mongodb.amazee.io_mongodbconsumers.yaml @@ -1,4 +1,3 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -103,9 +102,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/config/crd/bases/mongodb.amazee.io_mongodbproviders.yaml b/config/crd/bases/mongodb.amazee.io_mongodbproviders.yaml index c934cc3..1a33a3c 100644 --- a/config/crd/bases/mongodb.amazee.io_mongodbproviders.yaml +++ b/config/crd/bases/mongodb.amazee.io_mongodbproviders.yaml @@ -1,4 +1,3 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -56,6 +55,16 @@ spec: type: string password: type: string + passwordSecretRef: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object port: type: string type: @@ -69,9 +78,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/config/crd/bases/postgres.amazee.io_postgresqlconsumers.yaml b/config/crd/bases/postgres.amazee.io_postgresqlconsumers.yaml index 70792b7..c15f48a 100644 --- a/config/crd/bases/postgres.amazee.io_postgresqlconsumers.yaml +++ b/config/crd/bases/postgres.amazee.io_postgresqlconsumers.yaml @@ -1,4 +1,3 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -80,9 +79,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/config/crd/bases/postgres.amazee.io_postgresqlproviders.yaml b/config/crd/bases/postgres.amazee.io_postgresqlproviders.yaml index d5e2810..0edb2d3 100644 --- a/config/crd/bases/postgres.amazee.io_postgresqlproviders.yaml +++ b/config/crd/bases/postgres.amazee.io_postgresqlproviders.yaml 
@@ -1,4 +1,3 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -48,6 +47,18 @@ spec: type: string password: type: string + passwordSecretRef: + description: SecretKeyRef references a specific key inside a Kubernetes + Secret + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object port: type: string type: @@ -61,9 +72,3 @@ spec: type: object served: true storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7185da4..2c123ff 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -1,9 +1,7 @@ - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - apiGroups: @@ -22,25 +20,6 @@ rules: - mariadb.amazee.io resources: - mariadbconsumers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mariadb.amazee.io - resources: - - mariadbconsumers/status - verbs: - - get - - patch - - update -- apiGroups: - - mariadb.amazee.io - resources: - mariadbproviders verbs: - create @@ -53,6 +32,7 @@ rules: - apiGroups: - mariadb.amazee.io resources: + - mariadbconsumers/status - mariadbproviders/status verbs: - get @@ -62,25 +42,6 @@ rules: - mongodb.amazee.io resources: - mongodbconsumers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mongodb.amazee.io - resources: - - mongodbconsumers/status - verbs: - - get - - patch - - update -- apiGroups: - - mongodb.amazee.io - resources: - mongodbproviders verbs: - create @@ -93,6 +54,7 @@ rules: - apiGroups: - mongodb.amazee.io resources: + - mongodbconsumers/status - mongodbproviders/status verbs: - get 
@@ -102,25 +64,6 @@ rules: - postgres.amazee.io resources: - postgresqlconsumers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - postgres.amazee.io - resources: - - postgresqlconsumers/status - verbs: - - get - - patch - - update -- apiGroups: - - postgres.amazee.io - resources: - postgresqlproviders verbs: - create @@ -133,6 +76,7 @@ rules: - apiGroups: - postgres.amazee.io resources: + - postgresqlconsumers/status - postgresqlproviders/status verbs: - get diff --git a/controllers/mariadb/mariadbprovider_controller.go b/controllers/mariadb/mariadbprovider_controller.go index 94779de..e06a63b 100644 --- a/controllers/mariadb/mariadbprovider_controller.go +++ b/controllers/mariadb/mariadbprovider_controller.go @@ -17,16 +17,24 @@ package controllers import ( "context" + "fmt" "github.com/go-logr/logr" apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/client" mariadbv1 "github.com/amazeeio/dbaas-operator/apis/mariadb/v1" + corev1 "k8s.io/api/core/v1" ) +type PasswordSecretRef struct { + Name string + Key string +} + // MariaDBProviderReconciler reconciles a MariaDBProvider object type MariaDBProviderReconciler struct { client.Client @@ -36,6 +44,7 @@ type MariaDBProviderReconciler struct { Hostname string ReadReplicaHostnames []string Password string + PasswordSecretRef *PasswordSecretRef Port string Username string Type string 
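Review bot: config/rbac/role.yaml is regenerated here without any rule for core `secrets`, while charts/dbaas-operator/templates/clusterrole.yaml and role.yaml were hand-edited to grant get/list/watch on them. That matches no `// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch` marker having been added to the reconcilers (the marker block visible in the mongodb controller hunk still covers only mongodbproviders), so a kustomize-deployed operator presumably cannot read the referenced Secret and every `make manifests` will keep the generated role and the chart in disagreement. Adding that marker above each provider `Reconcile` keeps the two in step and documents the permission next to the code that needs it.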
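Review bot: The new `PasswordSecretRef` type and the `PasswordSecretRef *PasswordSecretRef` field on `MariaDBProviderReconciler` duplicate `mariadbv1.SecretKeyRef` and are not used by the Reconcile change that follows (it reads `mariaDBProvider.Spec.PasswordSecretRef`). A reconciler instance is shared by every MariaDBProvider it serves, so a per-object secret reference does not belong on it; drop the type and the field, or if a reconciler-wide default is intended, say so in a comment on the field. The exported type also lacks a doc comment. In the import hunk just above, `corev1 "k8s.io/api/core/v1"` sits in the project-local group; goimports would place it with the other `k8s.io` imports.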
@@ -61,6 +70,28 @@ func (r *MariaDBProviderReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 // LabelAppType: "database-provider",
 // }
+ var password string
+ if mariaDBProvider.Spec.PasswordSecretRef != nil {
+ var secret corev1.Secret
+ secretName := types.NamespacedName{
+ Name: mariaDBProvider.Spec.PasswordSecretRef.Name,
+ Namespace: req.Namespace,
+ }
+ err := r.Get(ctx, secretName, &secret)
+ if err != nil {
+ return ctrl.Result{}, fmt.Errorf("failed to get Secret %s: %w", secretName.Name, err)
+ }
+
+ val, ok := secret.Data[mariaDBProvider.Spec.PasswordSecretRef.Key]
+ if !ok {
+ return ctrl.Result{}, fmt.Errorf("key %s not found in Secret %s", mariaDBProvider.Spec.PasswordSecretRef.Key, secret.Name)
+ }
+ password = string(val)
+ } else {
+ password = mariaDBProvider.Spec.Password
+ }
+ r.Password = password // Optional: make it available on the reconciler
+
 // examine DeletionTimestamp to determine if object is under deletion
 if mariaDBProvider.ObjectMeta.DeletionTimestamp.IsZero() {
 // The object is not being deleted, so if it does not have our finalizer,
diff --git a/controllers/mongodb/mongodbprovider_controller.go b/controllers/mongodb/mongodbprovider_controller.go
index 870c69e..2f7d474 100644
--- a/controllers/mongodb/mongodbprovider_controller.go
+++ b/controllers/mongodb/mongodbprovider_controller.go
@@ -17,13 +17,14 @@ package controllers
 import (
 "context"
+ "fmt"
+ mongodbv1 "github.com/amazeeio/dbaas-operator/apis/mongodb/v1"
 "github.com/go-logr/logr"
+ corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/runtime"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
-
- mongodbv1 "github.com/amazeeio/dbaas-operator/apis/mongodb/v1"
 )
 // MongoDBProviderReconciler reconciles a MongoDBProvider object
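Review bot: `r.Password = password` writes the password resolved for this one MariaDBProvider into the shared reconciler, which serves every provider object and, with concurrent reconciles enabled, runs from several goroutines; each reconcile overwrites it, so any reader of `r.Password` can observe another provider's credential. Apart from that assignment the resolved `password` is not consumed anywhere in this hunk, so the Secret is fetched but nothing uses it; Reconcile continues past the hunk, and whatever builds the connection there should take the local variable rather than the struct field. Drop `r.Password = password // Optional: make it available on the reconciler` and keep `password` local. Returning the lookup error as-is requeues with backoff, which is fine, but wrapping the not-found case with `apierrors.IsNotFound` (already imported in this file) would let a misnamed Secret be reported distinctly from a transient API error, and neither message should ever include the value.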
@@ -37,14 +38,38 @@ type MongoDBProviderReconciler struct {
 // +kubebuilder:rbac:groups=mongodb.amazee.io,resources=mongodbproviders/status,verbs=get;update;patch
 // Reconcile .
-func (r *MongoDBProviderReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
- // ctx := context.Background()
- _ = r.Log.WithValues("mongodbprovider", req.NamespacedName)
+func (r *MongoDBProviderReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+ ctx := context.Background()
 var mongodbProvider mongodbv1.MongoDBProvider
 if err := r.Get(ctx, req.NamespacedName, &mongodbProvider); err != nil {
 return ctrl.Result{}, ignoreNotFound(err)
 }
+
+ var password string
+ if mongodbProvider.Spec.PasswordSecretRef != nil {
+ var secret corev1.Secret
+ secretName := mongodbProvider.Spec.PasswordSecretRef.Name
+ secretKey := mongodbProvider.Spec.PasswordSecretRef.Key
+
+ if err := r.Get(ctx, client.ObjectKey{Namespace: req.Namespace, Name: secretName}, &secret); err != nil {
+ fmt.Printf("failed to get password secret %q: %v\n", secretName, err)
+ return ctrl.Result{}, err
+ }
+
+ pwBytes, found := secret.Data[secretKey]
+ if !found {
+ err := fmt.Errorf("password key %q not found in secret %q", secretKey, secretName)
+ fmt.Printf("error reading secret key: secretName=%q, secretKey=%q, error=%v\n", secretName, secretKey, err)
+ return ctrl.Result{}, err
+ }
+
+ password = string(pwBytes)
+ } else {
+ password = mongodbProvider.Spec.Password
+ }
+ // if there is no password in secret, use password as string
+ _ = password
 // your logic here
 finalizerName := "finalizer.provider.mongodb.amazee.io/v1"
diff --git a/controllers/postgres/postgresqlprovider_controller.go b/controllers/postgres/postgresqlprovider_controller.go
index 2969e34..fb22357 100644
--- a/controllers/postgres/postgresqlprovider_controller.go
+++ b/controllers/postgres/postgresqlprovider_controller.go
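Review bot: The signature is changed to `Reconcile(req ctrl.Request)` with `ctx := context.Background()`, diverging from the mariadb and postgres reconcilers, which keep `Reconcile(ctx context.Context, req ctrl.Request)`; on controller-runtime releases where `reconcile.Reconciler` takes a context this controller no longer satisfies the interface, and the removed `_ = r.Log.WithValues(...)` plus the two `fmt.Printf` calls mean Secret lookup failures go to stdout outside the structured logger. The fetched password ends in `_ = password`, so the Secret is read but never used. Restore the original signature, keep the caller's `ctx`, and report the two failures through `r.Log.Error(err, "reading password secret", "secret", secretName, "key", secretKey)` instead of `fmt.Printf`. Both messages print only the Secret name and key, never the value, which is the right boundary to preserve. The enclosing function continues past the hunk.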
@@ -17,13 +17,14 @@ package controllers
 import (
 "context"
+ "fmt"
+ postgresv1 "github.com/amazeeio/dbaas-operator/apis/postgres/v1"
 "github.com/go-logr/logr"
+ corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/runtime"
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/client"
-
- postgresv1 "github.com/amazeeio/dbaas-operator/apis/postgres/v1"
 )
 // PostgreSQLProviderReconciler reconciles a PostgreSQLProvider object
@@ -46,7 +47,20 @@ func (r *PostgreSQLProviderReconciler) Reconcile(ctx context.Context, req ctrl.R
 }
 // your logic here
 finalizerName := "finalizer.provider.postgres.amazee.io/v1"
-
+ // Resolve password from secret if specified
+ if postgresqlProvider.Spec.PasswordSecretRef != nil {
+ secretRef := postgresqlProvider.Spec.PasswordSecretRef
+ var secret corev1.Secret
+ secretKey := client.ObjectKey{Name: secretRef.Name, Namespace: req.Namespace}
+ if err := r.Get(ctx, secretKey, &secret); err != nil {
+ return ctrl.Result{}, fmt.Errorf("failed to get secret %s: %w", secretRef.Name, err)
+ }
+ password, ok := secret.Data[secretRef.Key]
+ if !ok {
+ return ctrl.Result{}, fmt.Errorf("key %s not found in secret %s", secretRef.Key, secretRef.Name)
+ }
+ postgresqlProvider.Spec.Password = string(password)
+ }
 // examine DeletionTimestamp to determine if object is under deletion
 if postgresqlProvider.ObjectMeta.DeletionTimestamp.IsZero() {
 // The object is not being deleted, so if it does not have our finalizer,
diff --git a/test-resources/mariadb/provider-azure-password-secret.yaml b/test-resources/mariadb/provider-azure-password-secret.yaml
new file mode 100644
index 0000000..bb8f146
--- /dev/null
+++ b/test-resources/mariadb/provider-azure-password-secret.yaml
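Review bot: `postgresqlProvider.Spec.Password = string(password)` copies the resolved secret into the in-memory PostgreSQLProvider object; the finalizer handling that starts at the end of this hunk and continues past it is, in kubebuilder's scaffold, where the object is written back with `r.Update`, and if that is what follows here the plaintext password is persisted into the CR in etcd, which is exactly what the secret reference was meant to avoid. Keep the value in a local instead: `pw, ok := secret.Data[secretRef.Key]` and `password := string(pw)`, and hand that local to whatever later builds the connection. The `[]byte` is currently named `password`, which reads confusingly next to the string field of the same name. The enclosing Reconcile continues outside the hunk.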
@@ -0,0 +1,42 @@ +apiVersion: mariadb.amazee.io/v1 +kind: MariaDBProvider +metadata: + name: mariadbprovider-testing-azure +spec: + environment: azure + type: azure + hostname: azure.mariadb.172.17.0.1.nip.io + readReplicaHostnames: + - azure.mariadb.172.17.0.1.nip.io + passwordSecretRef: + name: mariadb-secret + key: password + port: '33066' + user: root + +--- +apiVersion: mariadb.amazee.io/v1 +kind: MariaDBProvider +metadata: + name: mariadbprovider-testing-azure-longhost +spec: + environment: azure-long + type: azure + hostname: a.very.very.long.hostname.for.azure.mariadb.172.17.0.1.nip.io + readReplicaHostnames: + - a.very.very.long.hostname.for.azure.mariadb.172.17.0.1.nip.io + passwordSecretRef: + name: mariadb-secret + key: password + port: '33066' + user: root + +--- +apiVersion: v1 +kind: Secret +metadata: + name: my-db-secret + namespace: default +type: Opaque +data: + password: cGFzc3dvcmQ= # base64-encoded value of "password" \ No newline at end of file diff --git a/test-resources/mariadb/provider-multi-password-secret.yaml b/test-resources/mariadb/provider-multi-password-secret.yaml new file mode 100644 index 0000000..d96f711 --- /dev/null +++ b/test-resources/mariadb/provider-multi-password-secret.yaml 
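Review bot: Both MariaDBProvider objects set `passwordSecretRef.name: mariadb-secret`, but the Secret defined in the same file is `my-db-secret` in namespace `default`, so applying this fixture makes the controller fail with a Secret-not-found error. Either rename the Secret to `mariadb-secret` or point both references at `my-db-secret`. The provider objects carry no namespace while the Secret does, and the controllers look the Secret up in the provider's namespace, so the lookup only succeeds when the file is applied into `default`; stating that in a header comment would save a puzzled test run.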
@@ -0,0 +1,41 @@ +# Test: This resource intentionally uses the `password` field directly +# and does NOT provide `passwordSecretRef`, to ensure the controller +# correctly uses the plain string password when a secret is not configured. +apiVersion: mariadb.amazee.io/v1 +kind: MariaDBProvider +metadata: + name: mariadbprovider-testing-multi1 +spec: + environment: multi + hostname: multi1.mariadb.172.17.0.1.nip.io + readReplicaHostnames: + - multi1.mariadb.172.17.0.1.nip.io + passwordSecretRef: + name: mariadb-secret + key: password + port: '33066' + user: root +--- +apiVersion: mariadb.amazee.io/v1 +kind: MariaDBProvider +metadata: + name: mariadbprovider-testing-multi2 +spec: + environment: multi + hostname: multi2.mariadb.172.17.0.1.nip.io + readReplicaHostnames: + - multi2.mariadb.172.17.0.1.nip.io + passwordSecretRef: + name: mariadb-secret + key: password + port: '33067' + user: root + +--- +apiVersion: v1 +kind: Secret +metadata: + name: mariadb-secret +type: Opaque +data: + password: cGFzc3dvcmQ= # base64 encoded string of "password" diff --git a/test-resources/mariadb/provider-multi.yaml b/test-resources/mariadb/provider-multi.yaml index 14058d2..2bc72f3 100644 --- a/test-resources/mariadb/provider-multi.yaml +++ b/test-resources/mariadb/provider-multi.yaml @@ -1,3 +1,6 @@ +# Test: This resource intentionally uses the `password` field directly +# and does NOT provide `passwordSecretRef`, to ensure the controller +# correctly uses the plain string password when a secret is not configured. apiVersion: mariadb.amazee.io/v1 kind: MariaDBProvider metadata: diff --git a/test-resources/mariadb/provider-password-secret.yaml b/test-resources/mariadb/provider-password-secret.yaml new file mode 100644 index 0000000..1b72331 --- /dev/null +++ b/test-resources/mariadb/provider-password-secret.yaml 
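Review bot: The header comment says this fixture "intentionally uses the `password` field directly and does NOT provide `passwordSecretRef`", but both MariaDBProvider objects below set `passwordSecretRef` and no `password` at all; the comment describes provider-multi.yaml, where the next hunk also adds it, and is wrong here. Replace it with `# Test: both providers resolve their password from the mariadb-secret Secret via passwordSecretRef.` so the two fixtures document the two code paths they actually exercise.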
@@ -0,0 +1,24 @@ +apiVersion: mariadb.amazee.io/v1 +kind: MariaDBProvider +metadata: + name: mariadbprovider-testing +spec: + environment: test + hostname: mariadb.172.17.0.1.nip.io + readReplicaHostnames: + - mariadb.172.17.0.1.nip.io + passwordSecretRef: + name: my-db-secret + key: password + port: '33066' + user: root + +--- +apiVersion: v1 +kind: Secret +metadata: + name: my-db-secret + namespace: default +type: Opaque +data: + password: cGFzc3dvcmQ= # base64-encoded value of "password" \ No newline at end of file diff --git a/test-resources/mariadb/provider.yaml b/test-resources/mariadb/provider.yaml index e9351fb..ab96345 100644 --- a/test-resources/mariadb/provider.yaml +++ b/test-resources/mariadb/provider.yaml @@ -9,4 +9,4 @@ spec: - mariadb.172.17.0.1.nip.io password: password port: '33066' - user: root \ No newline at end of file + user: root diff --git a/test-resources/mongodb/provider-password-secret.yaml b/test-resources/mongodb/provider-password-secret.yaml new file mode 100644 index 0000000..e8a3378 --- /dev/null +++ b/test-resources/mongodb/provider-password-secret.yaml @@ -0,0 +1,25 @@ +apiVersion: mongodb.amazee.io/v1 +kind: MongoDBProvider +metadata: + name: mongodbprovider-testing +spec: + environment: test + hostname: mongodb.172.17.0.1.nip.io + passwordSecretRef: + name: mariadb-secret + key: password + port: '27017' + user: root + auth: + mechanism: SCRAM-SHA-1 + source: admin + tls: false + +--- +apiVersion: v1 +kind: Secret +metadata: + name: mariadb-secret +type: Opaque +data: + password: cGFzc3dvcmQ= # base64 encoded string of "password" \ No newline at end of file diff --git a/test-resources/mongodb/provider-tls-password-secret.yaml b/test-resources/mongodb/provider-tls-password-secret.yaml new file mode 100644 index 0000000..9294a96 --- /dev/null +++ b/test-resources/mongodb/provider-tls-password-secret.yaml 
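Review bot: The MongoDB fixture names its Secret `mariadb-secret`, as do the mongodb TLS and postgres fixtures later in the diff, and each defines it without a namespace with identical data. Applying several of these files into one namespace therefore makes them all overwrite the same Secret object, and a failing test would be hard to attribute to the right provider; a per-provider name such as `mongodb-secret` (and `postgres-secret`) avoids the collision and matches the Secret to the resource that references it.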
@@ -0,0 +1,25 @@ +apiVersion: mongodb.amazee.io/v1 +kind: MongoDBProvider +metadata: + name: mongodbprovider-tls-testing +spec: + environment: tls-test + hostname: mongodb.172.17.0.1.nip.io + passwordSecretRef: + name: mariadb-secret + key: password + port: '27018' + user: root + auth: + mechanism: SCRAM-SHA-1 + source: admin + tls: true + +--- +apiVersion: v1 +kind: Secret +metadata: + name: mariadb-secret +type: Opaque +data: + password: cGFzc3dvcmQ= # base64 encoded string of "password" diff --git a/test-resources/operator.yaml b/test-resources/operator.yaml index 38560ef..2c08abd 100644 --- a/test-resources/operator.yaml +++ b/test-resources/operator.yaml @@ -10,7 +10,6 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.2.4 - creationTimestamp: null name: mariadbconsumers.mariadb.amazee.io spec: group: mariadb.amazee.io 
@@ -94,42 +93,48 @@ spec: served: true storage: true schema: - openAPIV3Schema: - description: MariaDBProvider is the Schema for the mariadbproviders API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: MariaDBProviderSpec defines the desired state of MariaDBProvider + validation: + openAPIV3Schema: + description: MariaDBProvider is the Schema for the mariadbproviders API properties: - environment: - description: These are the spec options for providers - type: string - mariadb_hostname: - type: string - mariadb_password: - type: string - mariadb_port: + apiVersion: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string - mariadb_readreplica_hostname: + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string - mariadb_user: - type: string - type: object - status: - description: MariaDBProviderStatus defines the observed state of MariaDBProvider - type: object - type: object + metadata: + type: object + spec: + description: MariaDBProviderSpec defines the desired state of MariaDBProvider + properties: + environment: + description: These are the spec options for providers + type: string + mariadb_hostname: + type: string + passwordSecretRef: + type: object + properties: + name: + type: string + key: + type: string + mariadb_port: + type: string + mariadb_readreplica_hostname: + type: string + mariadb_user: + type: string + type: object + status: + description: MariaDBProviderStatus defines the observed state of MariaDBProvider + type: object + type: object status: acceptedNames: kind: "" @@ -173,7 +178,6 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: dbaas-operator-manager-role rules: - apiGroups: diff --git a/test-resources/postgres/provider-password-secret.yaml b/test-resources/postgres/provider-password-secret.yaml new file mode 100644 index 0000000..56c21cf --- /dev/null +++ b/test-resources/postgres/provider-password-secret.yaml @@ -0,0 +1,22 @@ +apiVersion: postgres.amazee.io/v1 +kind: PostgreSQLProvider +metadata: + name: postgreprovider-testing +spec: + environment: test + hostname: postgres.172.17.0.1.nip.io + passwordSecretRef: + name: mariadb-secret + key: password + port: '5432' + user: postgres + + +--- +apiVersion: v1 +kind: Secret +metadata: + name: mariadb-secret +type: Opaque +data: + password: cGFzc3dvcmQ= # base64 encoded string of "password" \ No newline at end of file
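Review bot: In the rewritten schema the `apiVersion` property's `description` now carries the `Kind is a string value representing the REST resource...` text, a copy-paste of the `kind` description; the old side had the correct APIVersion wording and should be restored. The schema also drops `mariadb_password` while adding `passwordSecretRef`, although the Go type keeps `Password`, and the remaining property names (`mariadb_hostname`, `mariadb_port`, `mariadb_user`) do not match the json tags in apis/mariadb/v1 (`hostname`, `port`, `user`); that mismatch predates this commit, but it means a cluster using this fixture CRD would presumably prune the fields the new test resources set. Moving `openAPIV3Schema` under `validation:` is the v1beta1 layout, which is worth confirming against the CRD's `apiVersion` outside this hunk. Regenerating this bundle from config/crd/bases rather than editing it by hand would remove all three drifts.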