diff --git a/apis/apps/v1/componentdefinition_types.go b/apis/apps/v1/componentdefinition_types.go
index d602b67f9c0..b7015ef4771 100644
--- a/apis/apps/v1/componentdefinition_types.go
+++ b/apis/apps/v1/componentdefinition_types.go
@@ -1212,12 +1212,12 @@ type SystemAccount struct {
// +optional
InitAccount bool `json:"initAccount,omitempty"`
- // Defines the statement used to create the account with the necessary privileges.
+ // Defines the statements used to create, delete, and update the account.
//
// This field is immutable once set.
//
// +optional
- Statement string `json:"statement,omitempty"`
+ Statement *SystemAccountStatement `json:"statement,omitempty"`
// Specifies the policy for generating the account's password.
//
@@ -1225,13 +1225,29 @@ type SystemAccount struct {
//
// +optional
PasswordGenerationPolicy PasswordConfig `json:"passwordGenerationPolicy"`
+}
+
+type SystemAccountStatement struct {
+ // The statement to create a new account with the necessary privileges.
+ //
+ // This field is immutable once set.
+ //
+ // +optional
+ Create string `json:"create,omitempty"`
+
+ // The statement to delete a account.
+ //
+ // This field is immutable once set.
+ //
+ // +optional
+ Delete string `json:"delete,omitempty"`
- // Refers to the secret from which data will be copied to create the new account.
+ // The statement to update an existing account.
//
// This field is immutable once set.
//
// +optional
- SecretRef *ProvisionSecretRef `json:"secretRef,omitempty"`
+ Update string `json:"update,omitempty"`
}
type TLS struct {
@@ -1735,9 +1751,9 @@ type ComponentLifecycleActions struct {
//
// The container executing this action has access to following variables:
//
- // - KB_ACCOUNT_NAME: The name of the system account to be created.
- // - KB_ACCOUNT_PASSWORD: The password for the system account. // TODO: how to pass the password securely?
- // - KB_ACCOUNT_STATEMENT: The statement used to create the system account.
+ // - KB_ACCOUNT_NAME: The name of the system account to be manipulated.
+ // - KB_ACCOUNT_PASSWORD: The password for the system account.
+ // - KB_ACCOUNT_STATEMENT: The statement used to manipulate the system account.
//
// Note: This field is immutable once it has been set.
//
diff --git a/apis/apps/v1/types.go b/apis/apps/v1/types.go
index 5cf93cd6f2e..f31372d0376 100644
--- a/apis/apps/v1/types.go
+++ b/apis/apps/v1/types.go
@@ -347,6 +347,12 @@ type ComponentSystemAccount struct {
// +kubebuilder:validation:Required
Name string `json:"name"`
+ // Specifies whether the system account is disabled.
+ //
+ // +kubebuilder:default=false
+ // +optional
+ Disabled *bool `json:"disabled,omitempty"`
+
// Specifies the policy for generating the account's password.
//
// This field is immutable once set.
@@ -429,6 +435,12 @@ type ProvisionSecretRef struct {
//
// +kubebuilder:validation:Required
Namespace string `json:"namespace"`
+
+ // The key in the secret data that contains the password.
+ //
+ // +kubebuilder:default="password"
+ // +optional
+ Password string `json:"password,omitempty"`
}
// ClusterComponentConfig represents a config with its source bound.
diff --git a/apis/apps/v1/zz_generated.deepcopy.go b/apis/apps/v1/zz_generated.deepcopy.go
index 4524d020a5e..977074f8339 100644
--- a/apis/apps/v1/zz_generated.deepcopy.go
+++ b/apis/apps/v1/zz_generated.deepcopy.go
@@ -1553,6 +1553,11 @@ func (in *ComponentStatus) DeepCopy() *ComponentStatus {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ComponentSystemAccount) DeepCopyInto(out *ComponentSystemAccount) {
*out = *in
+ if in.Disabled != nil {
+ in, out := &in.Disabled, &out.Disabled
+ *out = new(bool)
+ **out = **in
+ }
if in.PasswordConfig != nil {
in, out := &in.PasswordConfig, &out.PasswordConfig
*out = new(PasswordConfig)
@@ -3265,12 +3270,12 @@ func (in *SidecarDefinitionStatus) DeepCopy() *SidecarDefinitionStatus {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SystemAccount) DeepCopyInto(out *SystemAccount) {
*out = *in
- out.PasswordGenerationPolicy = in.PasswordGenerationPolicy
- if in.SecretRef != nil {
- in, out := &in.SecretRef, &out.SecretRef
- *out = new(ProvisionSecretRef)
+ if in.Statement != nil {
+ in, out := &in.Statement, &out.Statement
+ *out = new(SystemAccountStatement)
**out = **in
}
+ out.PasswordGenerationPolicy = in.PasswordGenerationPolicy
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SystemAccount.
@@ -3283,6 +3288,21 @@ func (in *SystemAccount) DeepCopy() *SystemAccount {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SystemAccountStatement) DeepCopyInto(out *SystemAccountStatement) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SystemAccountStatement.
+func (in *SystemAccountStatement) DeepCopy() *SystemAccountStatement {
+ if in == nil {
+ return nil
+ }
+ out := new(SystemAccountStatement)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TLS) DeepCopyInto(out *TLS) {
*out = *in
diff --git a/config/crd/bases/apps.kubeblocks.io_clusters.yaml b/config/crd/bases/apps.kubeblocks.io_clusters.yaml
index 8d2fa8aa8c8..9dd64a43b69 100644
--- a/config/crd/bases/apps.kubeblocks.io_clusters.yaml
+++ b/config/crd/bases/apps.kubeblocks.io_clusters.yaml
@@ -5311,6 +5311,10 @@ spec:
ComponentDefinition.
items:
properties:
+ disabled:
+ default: false
+ description: Specifies whether the system account is disabled.
+ type: boolean
name:
description: The name of the system account.
type: string
@@ -5369,6 +5373,11 @@ spec:
namespace:
description: The namespace where the secret is located.
type: string
+ password:
+ default: password
+ description: The key in the secret data that contains
+ the password.
+ type: string
required:
- name
- namespace
@@ -14047,6 +14056,11 @@ spec:
ComponentDefinition.
items:
properties:
+ disabled:
+ default: false
+ description: Specifies whether the system account
+ is disabled.
+ type: boolean
name:
description: The name of the system account.
type: string
@@ -14106,6 +14120,11 @@ spec:
description: The namespace where the secret is
located.
type: string
+ password:
+ default: password
+ description: The key in the secret data that contains
+ the password.
+ type: string
required:
- name
- namespace
diff --git a/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml b/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
index fe6bec4e932..a3568885f25 100644
--- a/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
+++ b/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
@@ -4501,9 +4501,9 @@ spec:
The container executing this action has access to following variables:
- - KB_ACCOUNT_NAME: The name of the system account to be created.
- - KB_ACCOUNT_PASSWORD: The password for the system account. // TODO: how to pass the password securely?
- - KB_ACCOUNT_STATEMENT: The statement used to create the system account.
+ - KB_ACCOUNT_NAME: The name of the system account to be manipulated.
+ - KB_ACCOUNT_PASSWORD: The password for the system account.
+ - KB_ACCOUNT_STATEMENT: The statement used to manipulate the system account.
Note: This field is immutable once it has been set.
@@ -16727,30 +16727,35 @@ spec:
Cannot be updated.
type: string
type: object
- secretRef:
+ statement:
description: |-
- Refers to the secret from which data will be copied to create the new account.
+ Defines the statements used to create, delete, and update the account.
This field is immutable once set.
properties:
- name:
- description: The unique identifier of the secret.
+ create:
+ description: |-
+ The statement to create a new account with the necessary privileges.
+
+
+ This field is immutable once set.
type: string
- namespace:
- description: The namespace where the secret is located.
+ delete:
+ description: |-
+ The statement to delete a account.
+
+
+ This field is immutable once set.
type: string
- required:
- - name
- - namespace
- type: object
- statement:
- description: |-
- Defines the statement used to create the account with the necessary privileges.
+ update:
+ description: |-
+ The statement to update an existing account.
- This field is immutable once set.
- type: string
+ This field is immutable once set.
+ type: string
+ type: object
required:
- name
type: object
diff --git a/config/crd/bases/apps.kubeblocks.io_components.yaml b/config/crd/bases/apps.kubeblocks.io_components.yaml
index 4b2c768c021..7f2a443af93 100644
--- a/config/crd/bases/apps.kubeblocks.io_components.yaml
+++ b/config/crd/bases/apps.kubeblocks.io_components.yaml
@@ -5505,6 +5505,10 @@ spec:
description: Overrides system accounts defined in referenced ComponentDefinition.
items:
properties:
+ disabled:
+ default: false
+ description: Specifies whether the system account is disabled.
+ type: boolean
name:
description: The name of the system account.
type: string
@@ -5563,6 +5567,11 @@ spec:
namespace:
description: The namespace where the secret is located.
type: string
+ password:
+ default: password
+ description: The key in the secret data that contains the
+ password.
+ type: string
required:
- name
- namespace
diff --git a/controllers/apps/component_controller_test.go b/controllers/apps/component_controller_test.go
index b98dda0faed..7ebc97f9b0c 100644
--- a/controllers/apps/component_controller_test.go
+++ b/controllers/apps/component_controller_test.go
@@ -963,98 +963,6 @@ var _ = Describe("Component Controller", func() {
})).Should(Succeed())
}
- testCompSystemAccount := func(compName, compDefName string) {
- createClusterObj(compName, compDefName, nil)
-
- By("check root account")
- rootSecretKey := types.NamespacedName{
- Namespace: compObj.Namespace,
- Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "root"),
- }
- Eventually(testapps.CheckObj(&testCtx, rootSecretKey, func(g Gomega, secret *corev1.Secret) {
- g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("root")))
- g.Expect(secret.Data).Should(HaveKey(constant.AccountPasswdForSecret))
- })).Should(Succeed())
-
- By("check admin account")
- adminSecretKey := types.NamespacedName{
- Namespace: compObj.Namespace,
- Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "admin"),
- }
- Eventually(testapps.CheckObj(&testCtx, adminSecretKey, func(g Gomega, secret *corev1.Secret) {
- g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("admin")))
- g.Expect(secret.Data).Should(HaveKey(constant.AccountPasswdForSecret))
- })).Should(Succeed())
-
- By("mock component as Running")
- mockCompRunning(compName)
-
- By("wait accounts to be provisioned")
- Eventually(testapps.CheckObj(&testCtx, compKey, func(g Gomega, comp *kbappsv1.Component) {
- g.Expect(len(comp.Status.Conditions) > 0).Should(BeTrue())
- var cond *metav1.Condition
- for i, c := range comp.Status.Conditions {
- if c.Type == accountProvisionConditionType {
- cond = &comp.Status.Conditions[i]
- break
- }
- }
- g.Expect(cond).ShouldNot(BeNil())
- g.Expect(cond.Status).Should(BeEquivalentTo(metav1.ConditionTrue))
- g.Expect(cond.Message).ShouldNot(ContainSubstring("root"))
- g.Expect(cond.Message).Should(ContainSubstring("admin"))
- })).Should(Succeed())
- }
-
- testCompSystemAccountOverride := func(compName, compDefName string) {
- passwordConfig := &kbappsv1.PasswordConfig{
- Length: 29,
- }
- secret := corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: testCtx.DefaultNamespace,
- Name: "sysaccount-override",
- },
- StringData: map[string]string{
- constant.AccountPasswdForSecret: "sysaccount-override",
- },
- }
- secretRef := func() *kbappsv1.ProvisionSecretRef {
- Expect(testCtx.CreateObj(testCtx.Ctx, &secret)).Should(Succeed())
- return &kbappsv1.ProvisionSecretRef{
- Name: secret.Name,
- Namespace: testCtx.DefaultNamespace,
- }
- }
-
- createClusterObj(compName, compDefName, func(f *testapps.MockClusterFactory) {
- f.AddSystemAccount("root", passwordConfig, nil).
- AddSystemAccount("admin", nil, secretRef()).
- AddSystemAccount("not-exist", nil, nil)
- })
-
- By("check root account")
- rootSecretKey := types.NamespacedName{
- Namespace: compObj.Namespace,
- Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "root"),
- }
- Eventually(testapps.CheckObj(&testCtx, rootSecretKey, func(g Gomega, secret *corev1.Secret) {
- g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("root")))
- g.Expect(secret.Data).Should(HaveKey(constant.AccountPasswdForSecret))
- g.Expect(secret.Data[constant.AccountPasswdForSecret]).Should(HaveLen(int(passwordConfig.Length)))
- })).Should(Succeed())
-
- By("check admin account")
- adminSecretKey := types.NamespacedName{
- Namespace: compObj.Namespace,
- Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "admin"),
- }
- Eventually(testapps.CheckObj(&testCtx, adminSecretKey, func(g Gomega, secret *corev1.Secret) {
- g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("admin")))
- g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountPasswdForSecret, secret.Data[constant.AccountPasswdForSecret]))
- })).Should(Succeed())
- }
-
testCompVars := func(compName, compDefName string) {
compDefKey := client.ObjectKeyFromObject(compDefObj)
Eventually(testapps.GetAndChangeObj(&testCtx, compDefKey, func(compDef *kbappsv1.ComponentDefinition) {
@@ -1426,6 +1334,293 @@ var _ = Describe("Component Controller", func() {
checkRBACResourcesExistence(saName, true)
}
+ testCompSystemAccount := func(compName, compDefName string) {
+ secret := corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: testCtx.DefaultNamespace,
+ Name: "sysaccount-admin",
+ },
+ StringData: map[string]string{
+ constant.AccountPasswdForSecret: "sysaccount-admin",
+ },
+ }
+ secretRef := func() *kbappsv1.ProvisionSecretRef {
+ Expect(testCtx.CreateObj(testCtx.Ctx, &secret)).Should(Succeed())
+ return &kbappsv1.ProvisionSecretRef{
+ Name: secret.Name,
+ Namespace: testCtx.DefaultNamespace,
+ }
+ }
+
+ createClusterObj(compName, compDefName, func(f *testapps.MockClusterFactory) {
+ f.AddSystemAccount("admin", false, nil, secretRef())
+ })
+
+ By("check root account")
+ var rootHashedPassword string
+ rootSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "root"),
+ }
+ Eventually(testapps.CheckObj(&testCtx, rootSecretKey, func(g Gomega, secret *corev1.Secret) {
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("root")))
+ g.Expect(secret.Data).Should(HaveKey(constant.AccountPasswdForSecret))
+ rootHashedPassword = secret.Annotations[systemAccountHashAnnotation]
+ g.Expect(rootHashedPassword).Should(BeEmpty()) // kb generated password
+ })).Should(Succeed())
+
+ By("check admin account")
+ var adminHashedPassword string
+ adminSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "admin"),
+ }
+ Eventually(testapps.CheckObj(&testCtx, adminSecretKey, func(g Gomega, secret *corev1.Secret) {
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("admin")))
+ g.Expect(secret.Data).Should(HaveKey(constant.AccountPasswdForSecret))
+ adminHashedPassword = secret.Annotations[systemAccountHashAnnotation]
+ g.Expect(adminHashedPassword).ShouldNot(BeEmpty()) // user-provided
+ })).Should(Succeed())
+
+ By("mock component as Running")
+ mockCompRunning(compName)
+
+ By("wait accounts to be provisioned")
+ Eventually(testapps.CheckObj(&testCtx, compKey, func(g Gomega, comp *kbappsv1.Component) {
+ g.Expect(len(comp.Status.Conditions) > 0).Should(BeTrue())
+ var cond *metav1.Condition
+ for i, c := range comp.Status.Conditions {
+ if c.Type == accountProvisionConditionType {
+ cond = &comp.Status.Conditions[i]
+ break
+ }
+ }
+ g.Expect(cond).ShouldNot(BeNil())
+ g.Expect(cond.Status).Should(BeEquivalentTo(metav1.ConditionTrue))
+ g.Expect(cond.Message).Should(ContainSubstring(fmt.Sprintf("%s:%s", "root", rootHashedPassword)))
+ g.Expect(cond.Message).Should(ContainSubstring(fmt.Sprintf("%s:%s", "admin", adminHashedPassword)))
+ })).Should(Succeed())
+ }
+
+ testCompSystemAccountOverride := func(compName, compDefName string) {
+ passwordConfig := &kbappsv1.PasswordConfig{
+ Length: 29,
+ }
+ secret := corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: testCtx.DefaultNamespace,
+ Name: "sysaccount-override",
+ },
+ StringData: map[string]string{
+ constant.AccountPasswdForSecret: "sysaccount-override",
+ },
+ }
+ secretRef := func() *kbappsv1.ProvisionSecretRef {
+ Expect(testCtx.CreateObj(testCtx.Ctx, &secret)).Should(Succeed())
+ return &kbappsv1.ProvisionSecretRef{
+ Name: secret.Name,
+ Namespace: testCtx.DefaultNamespace,
+ }
+ }
+
+ createClusterObj(compName, compDefName, func(f *testapps.MockClusterFactory) {
+ f.AddSystemAccount("root", false, passwordConfig, nil).
+ AddSystemAccount("admin", false, nil, secretRef())
+ })
+
+ By("check root account")
+ rootSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "root"),
+ }
+ Eventually(testapps.CheckObj(&testCtx, rootSecretKey, func(g Gomega, secret *corev1.Secret) {
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("root")))
+ g.Expect(secret.Data).Should(HaveKey(constant.AccountPasswdForSecret))
+ g.Expect(secret.Data[constant.AccountPasswdForSecret]).Should(HaveLen(int(passwordConfig.Length)))
+ })).Should(Succeed())
+
+ By("check admin account")
+ adminSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "admin"),
+ }
+ Eventually(testapps.CheckObj(&testCtx, adminSecretKey, func(g Gomega, secret *corev1.Secret) {
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("admin")))
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountPasswdForSecret, secret.Data[constant.AccountPasswdForSecret]))
+ })).Should(Succeed())
+ }
+
+ testCompSystemAccountDisable := func(compName, compDefName string) {
+ passwordConfig := &kbappsv1.PasswordConfig{
+ Length: 29,
+ }
+
+ createClusterObj(compName, compDefName, func(f *testapps.MockClusterFactory) {
+ f.AddSystemAccount("root", false, passwordConfig, nil).
+ // disable the admin account
+ AddSystemAccount("admin", true, passwordConfig, nil)
+ })
+
+ By("check root account")
+ rootSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "root"),
+ }
+ rootSecret := &corev1.Secret{}
+ Eventually(testapps.CheckObjExists(&testCtx, rootSecretKey, rootSecret, true)).Should(Succeed())
+
+ By("check admin account")
+ adminSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "admin"),
+ }
+ adminSecret := &corev1.Secret{}
+ Consistently(testapps.CheckObjExists(&testCtx, adminSecretKey, adminSecret, false)).Should(Succeed())
+ }
+
+ testCompSystemAccountDisableAfterProvision := func(compName, compDefName string) {
+ passwordConfig := &kbappsv1.PasswordConfig{
+ Length: 29,
+ }
+
+ createClusterObj(compName, compDefName, func(f *testapps.MockClusterFactory) {
+ f.AddSystemAccount("root", false, passwordConfig, nil).
+ AddSystemAccount("admin", false, passwordConfig, nil)
+ })
+
+ By("check the root account")
+ rootSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "root"),
+ }
+ rootSecret := &corev1.Secret{}
+ Eventually(testapps.CheckObjExists(&testCtx, rootSecretKey, rootSecret, true)).Should(Succeed())
+
+ By("check the admin account")
+ adminSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "admin"),
+ }
+ adminSecret := &corev1.Secret{}
+ Eventually(testapps.CheckObjExists(&testCtx, adminSecretKey, adminSecret, true)).Should(Succeed())
+
+ By("disable the admin account")
+ Expect(testapps.GetAndChangeObj(&testCtx, clusterKey, func(cluster *kbappsv1.Cluster) {
+ for i, comp := range cluster.Spec.ComponentSpecs {
+ if comp.Name == compName {
+ for j, account := range cluster.Spec.ComponentSpecs[i].SystemAccounts {
+ if account.Name == "admin" {
+ cluster.Spec.ComponentSpecs[i].SystemAccounts[j].Disabled = ptr.To(true)
+ }
+ }
+ }
+ }
+ })()).Should(Succeed())
+
+ By("check the admin account is disabled")
+ Eventually(testapps.CheckObjExists(&testCtx, adminSecretKey, adminSecret, false)).Should(Succeed())
+ }
+
+ testCompSystemAccountUpdate := func(compName, compDefName string) {
+ passwordConfig := &kbappsv1.PasswordConfig{
+ Length: 29,
+ }
+ secret := corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: testCtx.DefaultNamespace,
+ Name: "sysaccount-update",
+ },
+ StringData: map[string]string{
+ "sysaccount-update": "sysaccount-update",
+ },
+ }
+ secretRef := func() *kbappsv1.ProvisionSecretRef {
+ Expect(testCtx.CreateObj(testCtx.Ctx, &secret)).Should(Succeed())
+ return &kbappsv1.ProvisionSecretRef{
+ Name: secret.Name,
+ Namespace: testCtx.DefaultNamespace,
+ Password: "sysaccount-update",
+ }
+ }
+
+ createClusterObj(compName, compDefName, func(f *testapps.MockClusterFactory) {
+ f.AddSystemAccount("root", false, passwordConfig, nil).
+ AddSystemAccount("admin", false, nil, secretRef())
+ })
+
+ By("check root account")
+ var rootHashedPassword string
+ rootSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "root"),
+ }
+ Eventually(testapps.CheckObj(&testCtx, rootSecretKey, func(g Gomega, secret *corev1.Secret) {
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("root")))
+ g.Expect(secret.Data).Should(HaveKey(constant.AccountPasswdForSecret))
+ g.Expect(secret.Data[constant.AccountPasswdForSecret]).Should(HaveLen(int(passwordConfig.Length)))
+ rootHashedPassword = secret.Annotations[systemAccountHashAnnotation]
+ g.Expect(rootHashedPassword).Should(BeEmpty()) // kb generated password
+ })).Should(Succeed())
+
+ By("check admin account")
+ var adminHashedPassword string
+ adminSecretKey := types.NamespacedName{
+ Namespace: compObj.Namespace,
+ Name: constant.GenerateAccountSecretName(clusterObj.Name, compName, "admin"),
+ }
+ Eventually(testapps.CheckObj(&testCtx, adminSecretKey, func(g Gomega, secret *corev1.Secret) {
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("admin")))
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountPasswdForSecret, []byte("sysaccount-update")))
+ adminHashedPassword = secret.Annotations[systemAccountHashAnnotation]
+ g.Expect(adminHashedPassword).ShouldNot(BeEmpty()) // user-provided
+ })).Should(Succeed())
+
+ By("mock component as Running")
+ mockCompRunning(compName)
+
+ By("update the password of admin account")
+ Expect(testapps.GetAndChangeObj(&testCtx, client.ObjectKeyFromObject(&secret), func(obj *corev1.Secret) {
+ if obj.StringData == nil {
+ obj.StringData = map[string]string{}
+ }
+ obj.StringData["sysaccount-update"] = "sysaccount-update-new"
+ })()).Should(Succeed())
+
+ By("trigger the component to reconcile")
+ Expect(testapps.GetAndChangeObj(&testCtx, compKey, func(comp *kbappsv1.Component) {
+ if comp.Annotations == nil {
+ comp.Annotations = map[string]string{}
+ }
+ comp.Annotations["reconcile"] = time.Now().String()
+ })()).Should(Succeed())
+
+ By("check the admin account updated")
+ var updatedAdminHashedPassword string
+ Eventually(testapps.CheckObj(&testCtx, adminSecretKey, func(g Gomega, secret *corev1.Secret) {
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountNameForSecret, []byte("admin")))
+ g.Expect(secret.Data).Should(HaveKeyWithValue(constant.AccountPasswdForSecret, []byte("sysaccount-update-new")))
+ updatedAdminHashedPassword = secret.Annotations[systemAccountHashAnnotation]
+ g.Expect(updatedAdminHashedPassword).ShouldNot(BeEmpty()) // user-provided
+ g.Expect(updatedAdminHashedPassword).ShouldNot(Equal(adminHashedPassword))
+ })).Should(Succeed())
+
+ By("wait accounts to be updated")
+ Eventually(testapps.CheckObj(&testCtx, compKey, func(g Gomega, comp *kbappsv1.Component) {
+ g.Expect(len(comp.Status.Conditions) > 0).Should(BeTrue())
+ var cond *metav1.Condition
+ for i, c := range comp.Status.Conditions {
+ if c.Type == accountProvisionConditionType {
+ cond = &comp.Status.Conditions[i]
+ break
+ }
+ }
+ g.Expect(cond).ShouldNot(BeNil())
+ g.Expect(cond.Status).Should(BeEquivalentTo(metav1.ConditionTrue))
+ g.Expect(cond.Message).Should(ContainSubstring(fmt.Sprintf("%s:%s", "root", rootHashedPassword)))
+ g.Expect(cond.Message).Should(ContainSubstring(fmt.Sprintf("%s:%s", "admin", updatedAdminHashedPassword)))
+ })).Should(Succeed())
+ }
+
testThreeReplicas := func(compName, compDefName string) {
const replicas = 3
@@ -1621,14 +1816,6 @@ var _ = Describe("Component Controller", func() {
testCompService(defaultCompName, compDefName)
})
- It("with component system accounts", func() {
- testCompSystemAccount(defaultCompName, compDefName)
- })
-
- It("with component system accounts - override", func() {
- testCompSystemAccountOverride(defaultCompName, compDefName)
- })
-
It("with component vars", func() {
testCompVars(defaultCompName, compDefName)
})
@@ -1662,6 +1849,36 @@ var _ = Describe("Component Controller", func() {
})
})
+ Context("system account", func() {
+ BeforeEach(func() {
+ createAllDefinitionObjects()
+ })
+
+ AfterEach(func() {
+ cleanEnv()
+ })
+
+ It("provisioning", func() {
+ testCompSystemAccount(defaultCompName, compDefName)
+ })
+
+ It("override", func() {
+ testCompSystemAccountOverride(defaultCompName, compDefName)
+ })
+
+ It("disable", func() {
+ testCompSystemAccountDisable(defaultCompName, compDefName)
+ })
+
+ It("disable - after provision", func() {
+ testCompSystemAccountDisableAfterProvision(defaultCompName, compDefName)
+ })
+
+ It("update", func() {
+ testCompSystemAccountUpdate(defaultCompName, compDefName)
+ })
+ })
+
Context("h-scaling", func() {
BeforeEach(func() {
createAllDefinitionObjects()
diff --git a/controllers/apps/componentdefinition_controller.go b/controllers/apps/componentdefinition_controller.go
index ed7518649f8..6dc6d24d18d 100644
--- a/controllers/apps/componentdefinition_controller.go
+++ b/controllers/apps/componentdefinition_controller.go
@@ -342,19 +342,23 @@ func (r *ComponentDefinitionReconciler) validateConfigs(cli client.Client, rctx
func (r *ComponentDefinitionReconciler) validateSystemAccounts(cli client.Client, rctx intctrlutil.RequestCtx,
cmpd *appsv1.ComponentDefinition) error {
- for _, v := range cmpd.Spec.SystemAccounts {
- if v.SecretRef == nil && !v.InitAccount && (cmpd.Spec.LifecycleActions == nil || cmpd.Spec.LifecycleActions.AccountProvision == nil) {
- return fmt.Errorf(`the AccountProvision action is needed to provision system account %s`, v.Name)
- }
- }
if !checkUniqueItemWithValue(cmpd.Spec.SystemAccounts, "Name", nil) {
return fmt.Errorf("duplicate system accounts are not allowed")
}
+
+ hasNonInitAccount := false
for _, account := range cmpd.Spec.SystemAccounts {
- if !account.InitAccount && len(account.Statement) == 0 && account.SecretRef == nil {
- return fmt.Errorf("the Statement or SecretRef must be provided to create system account: %s", account.Name)
+ if account.InitAccount {
+ continue
+ }
+ hasNonInitAccount = true
+ if account.Statement == nil || len(account.Statement.Create) == 0 {
+ return fmt.Errorf("the create statement must be provided to provision system account: %s", account.Name)
}
}
+ if hasNonInitAccount && (cmpd.Spec.LifecycleActions == nil || cmpd.Spec.LifecycleActions.AccountProvision == nil) {
+ return fmt.Errorf("the AccountProvision action is needed to provision system accounts")
+ }
return nil
}
diff --git a/controllers/apps/transformer_cluster_component.go b/controllers/apps/transformer_cluster_component.go
index 49db7eedb8e..97365facfbf 100644
--- a/controllers/apps/transformer_cluster_component.go
+++ b/controllers/apps/transformer_cluster_component.go
@@ -196,6 +196,7 @@ func copyAndMergeComponent(oldCompObj, newCompObj *appsv1.Component) *appsv1.Com
compObjCopy.Spec.VolumeClaimTemplates = compProto.Spec.VolumeClaimTemplates
compObjCopy.Spec.Volumes = compProto.Spec.Volumes
compObjCopy.Spec.Services = compProto.Spec.Services
+ compObjCopy.Spec.SystemAccounts = compProto.Spec.SystemAccounts
compObjCopy.Spec.Replicas = compProto.Spec.Replicas
compObjCopy.Spec.Configs = compProto.Spec.Configs
compObjCopy.Spec.ServiceAccountName = compProto.Spec.ServiceAccountName
diff --git a/controllers/apps/transformer_cluster_sharding_account.go b/controllers/apps/transformer_cluster_sharding_account.go
index 3718ed19153..5e87e47fd24 100644
--- a/controllers/apps/transformer_cluster_sharding_account.go
+++ b/controllers/apps/transformer_cluster_sharding_account.go
@@ -118,17 +118,7 @@ func (t *clusterShardingAccountTransformer) newSystemAccountSecret(transCtx *clu
if err != nil {
return nil, err
}
-
- var password []byte
- switch {
- case account.SecretRef != nil:
- var err error
- if password, err = t.getPasswordFromSecret(transCtx, account); err != nil {
- return nil, err
- }
- default:
- password = t.buildPassword(transCtx, account, sharding.Name)
- }
+ password := t.buildPassword(transCtx, account, sharding.Name)
return t.newAccountSecretWithPassword(transCtx, sharding, accountName, password)
}
@@ -152,7 +142,6 @@ func (t *clusterShardingAccountTransformer) definedSystemAccount(transCtx *clust
if compAccount.PasswordConfig != nil {
account.PasswordGenerationPolicy = *compAccount.PasswordConfig
}
- account.SecretRef = compAccount.SecretRef
}
return *account
}
@@ -165,21 +154,6 @@ func (t *clusterShardingAccountTransformer) definedSystemAccount(transCtx *clust
return appsv1.SystemAccount{}, fmt.Errorf("system account %s not found in component definition %s", accountName, compDef.Name)
}
-func (t *clusterShardingAccountTransformer) getPasswordFromSecret(ctx graph.TransformContext, account appsv1.SystemAccount) ([]byte, error) {
- secretKey := types.NamespacedName{
- Namespace: account.SecretRef.Namespace,
- Name: account.SecretRef.Name,
- }
- secret := &corev1.Secret{}
- if err := ctx.GetClient().Get(ctx.GetContext(), secretKey, secret); err != nil {
- return nil, err
- }
- if len(secret.Data) == 0 || len(secret.Data[constant.AccountPasswdForSecret]) == 0 {
- return nil, fmt.Errorf("referenced account secret has no required credential field")
- }
- return secret.Data[constant.AccountPasswdForSecret], nil
-}
-
func (t *clusterShardingAccountTransformer) buildPassword(transCtx *clusterTransformContext, account appsv1.SystemAccount, shardingName string) []byte {
password := []byte(factory.GetRestoreSystemAccountPassword(transCtx.Cluster.Annotations, shardingName, account.Name))
if len(password) == 0 {
@@ -227,20 +201,21 @@ func (t *clusterShardingAccountTransformer) rewriteSystemAccount(transCtx *clust
var (
cluster = transCtx.Cluster
)
- account := appsv1.ComponentSystemAccount{
+ newAccount := appsv1.ComponentSystemAccount{
Name: accountName,
SecretRef: &appsv1.ProvisionSecretRef{
Name: shardingAccountSecretName(cluster.Name, sharding.Name, accountName),
Namespace: cluster.Namespace,
},
}
- for i := range sharding.Template.SystemAccounts {
- if sharding.Template.SystemAccounts[i].Name == accountName {
- sharding.Template.SystemAccounts[i] = account
+ for i, account := range sharding.Template.SystemAccounts {
+ if account.Name == accountName {
+ newAccount.Disabled = account.Disabled
+ sharding.Template.SystemAccounts[i] = newAccount
return
}
}
- sharding.Template.SystemAccounts = []appsv1.ComponentSystemAccount{account}
+ sharding.Template.SystemAccounts = []appsv1.ComponentSystemAccount{newAccount}
}
func shardingAccountSecretName(cluster, sharding, account string) string {
diff --git a/controllers/apps/transformer_component_account.go b/controllers/apps/transformer_component_account.go
index 71412527443..dcb8616f0b7 100644
--- a/controllers/apps/transformer_component_account.go
+++ b/controllers/apps/transformer_component_account.go
@@ -24,9 +24,11 @@ import (
"reflect"
"strings"
+ "golang.org/x/crypto/bcrypt"
+ "golang.org/x/exp/maps"
corev1 "k8s.io/api/core/v1"
- apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
"sigs.k8s.io/controller-runtime/pkg/client"
appsv1 "github.com/apecloud/kubeblocks/apis/apps/v1"
@@ -40,6 +42,11 @@ import (
ctrlutil "github.com/apecloud/kubeblocks/pkg/controllerutil"
)
+const (
+ systemAccountLabel = "apps.kubeblocks.io/system-account"
+ systemAccountHashAnnotation = "apps.kubeblocks.io/system-account-hash"
+)
+
// componentAccountTransformer handles component system accounts.
type componentAccountTransformer struct{}
@@ -55,56 +62,105 @@ func (t *componentAccountTransformer) Transform(ctx graph.TransformContext, dag
return nil
}
- synthesizeComp := transCtx.SynthesizeComponent
+ synthesizedComp := transCtx.SynthesizeComponent
graphCli, _ := transCtx.Client.(model.GraphClient)
- for _, account := range synthesizeComp.SystemAccounts {
- existSecret, err := t.checkAccountSecretExist(ctx, synthesizeComp, account)
- if err != nil {
+ // exist account objects
+ secrets, err := listSystemAccountObjects(ctx, synthesizedComp)
+ if err != nil {
+ return err
+ }
+ runningNameSet := sets.New(maps.Keys(secrets)...)
+
+ // proto accounts
+ accounts, err := synthesizeSystemAccounts(transCtx.CompDef.Spec.SystemAccounts,
+ transCtx.Component.Spec.SystemAccounts, false)
+ if err != nil {
+ return err
+ }
+ protoNameSet := sets.New(maps.Keys(accounts)...)
+
+ createSet, deleteSet, updateSet := setDiff(runningNameSet, protoNameSet)
+
+ for _, name := range sets.List(createSet) {
+ if err := t.createAccount(transCtx, dag, graphCli, accounts[name]); err != nil {
return err
}
- secret, err := t.buildAccountSecret(transCtx, synthesizeComp, account)
- if err != nil {
+ }
+
+ for _, name := range sets.List(deleteSet) {
+ t.deleteAccount(transCtx, dag, graphCli, secrets[name])
+ }
+
+ for _, name := range sets.List(updateSet) {
+ if err := t.updateAccount(transCtx, dag, graphCli, accounts[name], secrets[name]); err != nil {
return err
}
+ }
- if existSecret == nil {
- graphCli.Create(dag, secret, inUniversalContext4G())
- continue
- }
+ return nil
+}
- // just update existed account secret metadata if needed
- existSecretCopy := existSecret.DeepCopy()
- ctrlutil.MergeMetadataMapInplace(secret.Labels, &existSecretCopy.Labels)
- ctrlutil.MergeMetadataMapInplace(secret.Annotations, &existSecretCopy.Annotations)
- if !reflect.DeepEqual(existSecret, existSecretCopy) {
- graphCli.Update(dag, existSecret, existSecretCopy, inUniversalContext4G())
- }
+func (t *componentAccountTransformer) createAccount(transCtx *componentTransformContext,
+ dag *graph.DAG, graphCli model.GraphClient, account synthesizedSystemAccount) error {
+ secret, err := t.buildAccountSecret(transCtx, transCtx.SynthesizeComponent, account)
+ if err != nil {
+ return err
+ }
+ if err = t.buildAccountHash(account, nil, secret); err != nil {
+ return err
}
- // TODO: (good-first-issue) if an account is deleted from the Spec, the secret and account should be deleted
+ graphCli.Create(dag, secret, inUniversalContext4G())
return nil
}
-func (t *componentAccountTransformer) checkAccountSecretExist(ctx graph.TransformContext,
- synthesizeComp *component.SynthesizedComponent, account appsv1.SystemAccount) (*corev1.Secret, error) {
- secretKey := types.NamespacedName{
- Namespace: synthesizeComp.Namespace,
- Name: constant.GenerateAccountSecretName(synthesizeComp.ClusterName, synthesizeComp.Name, account.Name),
+func (t *componentAccountTransformer) deleteAccount(transCtx *componentTransformContext,
+ dag *graph.DAG, graphCli model.GraphClient, secret *corev1.Secret) {
+ graphCli.Delete(dag, secret, inUniversalContext4G())
+}
+
+func (t *componentAccountTransformer) updateAccount(transCtx *componentTransformContext,
+ dag *graph.DAG, graphCli model.GraphClient, account synthesizedSystemAccount, running *corev1.Secret) error {
+ secret, err := t.buildAccountSecret(transCtx, transCtx.SynthesizeComponent, account)
+ if err != nil {
+ return err
}
- secret := &corev1.Secret{}
- err := ctx.GetClient().Get(ctx.GetContext(), secretKey, secret)
- switch {
- case err == nil:
- return secret, nil
- case apierrors.IsNotFound(err):
- return nil, nil
- default:
- return nil, err
+ if err = t.buildAccountHash(account, running, secret); err != nil {
+ return err
+ }
+
+ runningCopy := running.DeepCopy()
+ if account.SecretRef != nil {
+ // sync password from the external secret
+ runningCopy.Data[constant.AccountPasswdForSecret] = secret.Data[constant.AccountPasswdForSecret]
+ }
+ ctrlutil.MergeMetadataMapInplace(secret.Labels, &runningCopy.Labels)
+ ctrlutil.MergeMetadataMapInplace(secret.Annotations, &runningCopy.Annotations)
+ if !reflect.DeepEqual(running, runningCopy) {
+ graphCli.Update(dag, running, runningCopy, inUniversalContext4G())
+ }
+ return nil
+}
+
+func (t *componentAccountTransformer) buildAccountHash(account synthesizedSystemAccount, running, secret *corev1.Secret) error {
+ if account.SecretRef == nil {
+ return nil
+ }
+ if running != nil {
+ hashedPassword := running.Annotations[systemAccountHashAnnotation]
+ if verifySystemAccountPassword(secret, []byte(hashedPassword)) {
+ if secret.Annotations == nil {
+ secret.Annotations = map[string]string{}
+ }
+ secret.Annotations[systemAccountHashAnnotation] = hashedPassword
+ return nil // have the same password
+ }
}
+ return signatureSystemAccountPassword(secret)
}
func (t *componentAccountTransformer) buildAccountSecret(ctx *componentTransformContext,
- synthesizeComp *component.SynthesizedComponent, account appsv1.SystemAccount) (*corev1.Secret, error) {
+ synthesizeComp *component.SynthesizedComponent, account synthesizedSystemAccount) (*corev1.Secret, error) {
var password []byte
switch {
case account.SecretRef != nil:
@@ -118,7 +174,7 @@ func (t *componentAccountTransformer) buildAccountSecret(ctx *componentTransform
return t.buildAccountSecretWithPassword(ctx, synthesizeComp, account, password)
}
-func (t *componentAccountTransformer) getPasswordFromSecret(ctx graph.TransformContext, account appsv1.SystemAccount) ([]byte, error) {
+func (t *componentAccountTransformer) getPasswordFromSecret(ctx graph.TransformContext, account synthesizedSystemAccount) ([]byte, error) {
secretKey := types.NamespacedName{
Namespace: account.SecretRef.Namespace,
Name: account.SecretRef.Name,
@@ -127,13 +183,18 @@ func (t *componentAccountTransformer) getPasswordFromSecret(ctx graph.TransformC
if err := ctx.GetClient().Get(ctx.GetContext(), secretKey, secret); err != nil {
return nil, err
}
- if len(secret.Data) == 0 || len(secret.Data[constant.AccountPasswdForSecret]) == 0 {
- return nil, fmt.Errorf("referenced account secret has no required credential field")
+
+ passwordKey := constant.AccountPasswdForSecret
+ if len(account.SecretRef.Password) > 0 {
+ passwordKey = account.SecretRef.Password
+ }
+ if len(secret.Data) == 0 || len(secret.Data[passwordKey]) == 0 {
+ return nil, fmt.Errorf("referenced account secret has no required credential field: %s", passwordKey)
}
- return secret.Data[constant.AccountPasswdForSecret], nil
+ return secret.Data[passwordKey], nil
}
-func (t *componentAccountTransformer) buildPassword(ctx *componentTransformContext, account appsv1.SystemAccount) []byte {
+func (t *componentAccountTransformer) buildPassword(ctx *componentTransformContext, account synthesizedSystemAccount) []byte {
// get restore password if exists during recovery.
password := factory.GetRestoreSystemAccountPassword(ctx.SynthesizeComponent.Annotations, ctx.SynthesizeComponent.Name, account.Name)
if account.InitAccount && password == "" {
@@ -147,7 +208,7 @@ func (t *componentAccountTransformer) buildPassword(ctx *componentTransformConte
return []byte(password)
}
-func (t *componentAccountTransformer) generatePassword(account appsv1.SystemAccount) []byte {
+func (t *componentAccountTransformer) generatePassword(account synthesizedSystemAccount) []byte {
config := account.PasswordGenerationPolicy
passwd, _ := common.GeneratePassword((int)(config.Length), (int)(config.NumDigits), (int)(config.NumSymbols), false, config.Seed)
switch config.LetterCase {
@@ -160,21 +221,107 @@ func (t *componentAccountTransformer) generatePassword(account appsv1.SystemAcco
}
func (t *componentAccountTransformer) buildAccountSecretWithPassword(ctx *componentTransformContext,
- synthesizeComp *component.SynthesizedComponent, account appsv1.SystemAccount, password []byte) (*corev1.Secret, error) {
+ synthesizeComp *component.SynthesizedComponent, account synthesizedSystemAccount, password []byte) (*corev1.Secret, error) {
secretName := constant.GenerateAccountSecretName(synthesizeComp.ClusterName, synthesizeComp.Name, account.Name)
secret := builder.NewSecretBuilder(synthesizeComp.Namespace, secretName).
// Priority: static < dynamic < built-in
AddLabelsInMap(synthesizeComp.StaticLabels).
AddLabelsInMap(synthesizeComp.DynamicLabels).
AddLabelsInMap(constant.GetCompLabels(synthesizeComp.ClusterName, synthesizeComp.Name)).
+ AddLabels(systemAccountLabel, account.Name).
AddAnnotationsInMap(synthesizeComp.StaticAnnotations).
AddAnnotationsInMap(synthesizeComp.DynamicAnnotations).
PutData(constant.AccountNameForSecret, []byte(account.Name)).
PutData(constant.AccountPasswdForSecret, password).
- SetImmutable(true).
+ // SetImmutable(true).
GetObject()
if err := setCompOwnershipNFinalizer(ctx.Component, secret); err != nil {
return nil, err
}
return secret, nil
}
+
+func listSystemAccountObjects(ctx graph.TransformContext,
+ synthesizedComp *component.SynthesizedComponent) (map[string]*corev1.Secret, error) {
+ opts := []client.ListOption{
+ client.InNamespace(synthesizedComp.Namespace),
+ client.MatchingLabels(constant.GetCompLabels(synthesizedComp.ClusterName, synthesizedComp.Name)),
+ }
+ secretList := &corev1.SecretList{}
+ if err := ctx.GetClient().List(ctx.GetContext(), secretList, opts...); err != nil {
+ return nil, err
+ }
+
+ m := make(map[string]*corev1.Secret)
+ for i, secret := range secretList.Items {
+ if accountName, ok := secret.Labels[systemAccountLabel]; ok {
+ m[accountName] = &secretList.Items[i]
+ }
+ }
+ return m, nil
+}
+
+func signatureSystemAccountPassword(secret *corev1.Secret) error {
+ password := secret.Data[constant.AccountPasswdForSecret]
+ hashedPassword, err := bcrypt.GenerateFromPassword(password, bcrypt.DefaultCost)
+ if err != nil {
+ return err
+ }
+ if secret.Annotations == nil {
+ secret.Annotations = map[string]string{}
+ }
+ secret.Annotations[systemAccountHashAnnotation] = string(hashedPassword)
+ return nil
+}
+
+func verifySystemAccountPassword(secret *corev1.Secret, hashedPassword []byte) bool {
+ password := secret.Data[constant.AccountPasswdForSecret]
+ err := bcrypt.CompareHashAndPassword(hashedPassword, password)
+ return err == nil
+}
+
+type synthesizedSystemAccount struct {
+ appsv1.SystemAccount
+ Disabled *bool
+ SecretRef *appsv1.ProvisionSecretRef
+}
+
+func synthesizeSystemAccounts(compDefAccounts []appsv1.SystemAccount,
+ compAccounts []appsv1.ComponentSystemAccount, keepDisabled bool) (map[string]synthesizedSystemAccount, error) {
+ accounts := make(map[string]synthesizedSystemAccount)
+ for _, account := range compDefAccounts {
+ accounts[account.Name] = synthesizedSystemAccount{
+ SystemAccount: account,
+ }
+ }
+
+ merge := func(account synthesizedSystemAccount, compAccount appsv1.ComponentSystemAccount) synthesizedSystemAccount {
+ if compAccount.PasswordConfig != nil {
+ account.PasswordGenerationPolicy = *compAccount.PasswordConfig
+ }
+ account.Disabled = compAccount.Disabled
+ account.SecretRef = compAccount.SecretRef
+ return account
+ }
+
+ for i := range compAccounts {
+ account, ok := accounts[compAccounts[i].Name]
+ if !ok {
+ return nil, fmt.Errorf("system account %s not defined in component definition", compAccounts[i].Name)
+ }
+ accounts[account.Name] = merge(account, compAccounts[i])
+ }
+
+ if !keepDisabled {
+ for _, name := range maps.Keys(accounts) {
+ account := accounts[name]
+ if account.Disabled != nil && *account.Disabled {
+ if account.InitAccount {
+ return nil, fmt.Errorf("cannot disable init system account: %s", name)
+ }
+ delete(accounts, name)
+ }
+ }
+ }
+ return accounts, nil
+}
diff --git a/controllers/apps/transformer_component_account_provision.go b/controllers/apps/transformer_component_account_provision.go
index 1598da82963..2431b7f7675 100644
--- a/controllers/apps/transformer_component_account_provision.go
+++ b/controllers/apps/transformer_component_account_provision.go
@@ -20,12 +20,15 @@ along with this program. If not, see .
package apps
import (
+ "fmt"
+ "reflect"
"slices"
"strings"
+ "golang.org/x/exp/maps"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/util/sets"
"sigs.k8s.io/controller-runtime/pkg/client"
appsv1 "github.com/apecloud/kubeblocks/apis/apps/v1"
@@ -59,59 +62,161 @@ func (t *componentAccountProvisionTransformer) Transform(ctx graph.TransformCont
return nil
}
- if len(transCtx.SynthesizeComponent.SystemAccounts) == 0 {
+ comp := transCtx.Component
+ compDef := transCtx.CompDef
+
+ // provision accounts only when the component is running
+ if comp.Status.Phase != appsv1.RunningComponentPhase {
return nil
}
- if transCtx.Component.Status.Phase != appsv1.RunningComponentPhase {
+
+ // has no lifecycle actions defined, skip the account provision
+ lifecycleActions := compDef.Spec.LifecycleActions
+ if lifecycleActions == nil || lifecycleActions.AccountProvision == nil {
return nil
}
- // TODO: (good-first-issue) if the component's account is deleted by user, we should re-provision it
- cond, provisioned := t.isProvisioned(transCtx)
- if provisioned {
- return nil
+
+ accounts, _ := synthesizeSystemAccounts(compDef.Spec.SystemAccounts, comp.Spec.SystemAccounts, true)
+
+ secrets, err1 := listSystemAccountObjects(ctx, transCtx.SynthesizeComponent)
+ if err1 != nil {
+ return err1
}
+ protoNameSet := sets.New(maps.Keys(secrets)...)
- lifecycleActions := transCtx.CompDef.Spec.LifecycleActions
- if lifecycleActions == nil || lifecycleActions.AccountProvision == nil {
+ cond := t.provisionCond(transCtx)
+ provisionedNameSet := t.getProvisionedAccounts(cond)
+
+ createSet, deleteSet, updateSet := setDiff(provisionedNameSet, protoNameSet)
+ if len(createSet) == 0 && len(deleteSet) == 0 && len(updateSet) == 0 {
return nil
}
- lfa, err := t.lifecycleAction(transCtx)
- if err != nil {
- return err
- }
- for _, account := range transCtx.SynthesizeComponent.SystemAccounts {
- // The secret of initAccount should be rendered into the config file,
- // or injected into the container through specific account&password environment variables name supported by the engine.
- // When the engine starts up, it will automatically load and create this account.
- if account.InitAccount {
- continue
+ lfa, err2 := t.lifecycleAction(transCtx)
+ if err2 != nil {
+ return err2
+ }
+
+ var err3 error
+ condCopy := cond.DeepCopy()
+ for _, name := range sets.List(createSet) {
+ if err := t.createAccount(transCtx, lfa, &cond, accounts[name], secrets[name]); err != nil {
+ if err3 == nil {
+ err3 = err
+ }
}
- if t.isAccountProvisioned(cond, account) {
- continue
+ }
+
+ for _, name := range sets.List(deleteSet) {
+ if err := t.deleteAccount(transCtx, lfa, &cond, accounts[name]); err != nil {
+ if err3 == nil {
+ err3 = err
+ }
+ }
+ }
+
+ for _, name := range sets.List(updateSet) {
+ if err := t.updateAccount(transCtx, lfa, &cond, accounts[name], secrets[name]); err != nil {
+ if err3 == nil {
+ err3 = err
+ }
}
+ }
+
+ t.provisionCondDone(transCtx, condCopy, &cond, err3)
+
+ return err3
+}
+
+func (t *componentAccountProvisionTransformer) lifecycleAction(transCtx *componentTransformContext) (lifecycle.Lifecycle, error) {
+ synthesizedComp := transCtx.SynthesizeComponent
+ pods, err := component.ListOwnedPods(transCtx.Context, transCtx.Client,
+ synthesizedComp.Namespace, synthesizedComp.ClusterName, synthesizedComp.Name)
+ if err != nil {
+ return nil, err
+ }
+ lfa, err := lifecycle.New(synthesizedComp.Namespace, synthesizedComp.ClusterName, synthesizedComp.Name,
+ synthesizedComp.LifecycleActions, synthesizedComp.TemplateVars, nil, pods...)
+ if err != nil {
+ return nil, err
+ }
+ return lfa, nil
+}
+
+func (t *componentAccountProvisionTransformer) createAccount(transCtx *componentTransformContext,
+ lfa lifecycle.Lifecycle, cond *metav1.Condition, account synthesizedSystemAccount, secret *corev1.Secret) error {
+ var (
+ err error
+ )
+
+ // The secret of an initial account should be injected into the container through
+ // specific account&password environment variables name supported by the engine.
+ // When the engine starts up, it will automatically load and create this account.
+ if !account.InitAccount {
+ // TODO: restore account secret from backup.
if transCtx.SynthesizeComponent.Annotations[constant.RestoreFromBackupAnnotationKey] == "" {
- // TODO: restore account secret from backup.
// provision account when the component is not recovered from backup
- if err = t.provisionAccount(transCtx, cond, lfa, account); err != nil {
- t.markProvisionAsFailed(transCtx, &cond, err)
- return err
- }
+ err = t.provision(transCtx, lfa, account.Statement.Create, secret)
}
- t.markAccountProvisioned(&cond, account)
}
- t.markProvisioned(transCtx, cond)
- return nil
+ if err == nil {
+ // TODO: how about the password restored from backup?
+ t.updateProvisionedAccount(cond, account.Name, secret.Annotations[systemAccountHashAnnotation])
+ }
+ return err
+}
+
+func (t *componentAccountProvisionTransformer) deleteAccount(transCtx *componentTransformContext,
+ lfa lifecycle.Lifecycle, cond *metav1.Condition, account synthesizedSystemAccount) error {
+ if account.Statement == nil || len(account.Statement.Delete) == 0 {
+ return fmt.Errorf("has no delete statement defined for system account: %s", account.Name)
+ }
+
+ err := lfa.AccountProvision(transCtx.Context, transCtx.Client, nil, account.Statement.Delete, account.Name, "")
+ if lifecycle.IgnoreNotDefined(err) == nil {
+ t.removeProvisionedAccount(cond, account.Name)
+ }
+ return lifecycle.IgnoreNotDefined(err)
+}
+
+func (t *componentAccountProvisionTransformer) updateAccount(transCtx *componentTransformContext,
+ lfa lifecycle.Lifecycle, cond *metav1.Condition, account synthesizedSystemAccount, secret *corev1.Secret) error {
+ hashedPassword := t.hashedPasswordFromCond(cond, account.Name)
+ if hashedPassword == "" {
+ return nil // passwords that generated by KB or restored from backup, do not support updating?
+ }
+ if verifySystemAccountPassword(secret, []byte(hashedPassword)) {
+ return nil // the password is not changed
+ }
+
+ if account.Statement == nil || len(account.Statement.Update) == 0 {
+ return fmt.Errorf("has no update statement defined for system account: %s", account.Name)
+ }
+
+ // TODO: how to notify other apps to update the new password?
+
+ err := t.provision(transCtx, lfa, account.Statement.Update, secret)
+ if err == nil {
+ t.updateProvisionedAccount(cond, account.Name, secret.Annotations[systemAccountHashAnnotation])
+ }
+ return err
}
-func (t *componentAccountProvisionTransformer) isProvisioned(transCtx *componentTransformContext) (metav1.Condition, bool) {
+func (t *componentAccountProvisionTransformer) provision(transCtx *componentTransformContext,
+ lfa lifecycle.Lifecycle, statement string, secret *corev1.Secret) error {
+ username, password := secret.Data[constant.AccountNameForSecret], secret.Data[constant.AccountPasswdForSecret]
+ if len(username) == 0 || len(password) == 0 {
+ return nil
+ }
+ err := lfa.AccountProvision(transCtx.Context, transCtx.Client, nil, statement, string(username), string(password))
+ return lifecycle.IgnoreNotDefined(err)
+}
+
+func (t *componentAccountProvisionTransformer) provisionCond(transCtx *componentTransformContext) metav1.Condition {
for _, cond := range transCtx.Component.Status.Conditions {
if cond.Type == accountProvisionConditionType {
- if cond.Status == metav1.ConditionTrue {
- return cond, true
- }
- return cond, false
+ return cond
}
}
return metav1.Condition{
@@ -121,21 +226,23 @@ func (t *componentAccountProvisionTransformer) isProvisioned(transCtx *component
LastTransitionTime: metav1.Now(),
Reason: accountProvisionConditionReasonInProgress,
Message: "",
- }, false
+ }
}
-func (t *componentAccountProvisionTransformer) markProvisionAsFailed(transCtx *componentTransformContext, cond *metav1.Condition, err error) {
- cond.Status = metav1.ConditionFalse
- cond.ObservedGeneration = transCtx.Component.Generation
- cond.LastTransitionTime = metav1.Now()
- // cond.Reason = err.Error() // TODO: error
-}
+func (t *componentAccountProvisionTransformer) provisionCondDone(transCtx *componentTransformContext,
+ condCopy, cond *metav1.Condition, err error) {
+ if err == nil {
+ cond.Status = metav1.ConditionTrue
+ cond.Reason = accountProvisionConditionReasonDone
+ } else {
+ cond.Status = metav1.ConditionFalse
+ // cond.Reason = err.Error() // TODO: error
+ }
-func (t *componentAccountProvisionTransformer) markProvisioned(transCtx *componentTransformContext, cond metav1.Condition) {
- cond.Status = metav1.ConditionTrue
+ if !reflect.DeepEqual(cond, condCopy) {
+ cond.LastTransitionTime = metav1.Now()
+ }
cond.ObservedGeneration = transCtx.Component.Generation
- cond.LastTransitionTime = metav1.Now()
- cond.Reason = accountProvisionConditionReasonDone
conditions := transCtx.Component.Status.Conditions
if conditions == nil {
@@ -145,78 +252,67 @@ func (t *componentAccountProvisionTransformer) markProvisioned(transCtx *compone
for i, c := range conditions {
if c.Type == cond.Type {
existed = true
- conditions[i] = cond
+ conditions[i] = *cond
}
}
if !existed {
- conditions = append(conditions, cond)
+ conditions = append(conditions, *cond)
}
transCtx.Component.Status.Conditions = conditions
}
-func (t *componentAccountProvisionTransformer) isAccountProvisioned(cond metav1.Condition, account appsv1.SystemAccount) bool {
- if len(cond.Message) == 0 {
- return false
+func (t *componentAccountProvisionTransformer) getProvisionedAccounts(cond metav1.Condition) sets.Set[string] {
+ accounts := sets.New[string]()
+ if len(cond.Message) > 0 {
+ for _, e := range strings.Split(cond.Message, ",") {
+ if len(e) > 0 {
+ accounts.Insert(strings.Split(e, ":")[0])
+ }
+ }
}
- accounts := strings.Split(cond.Message, ",")
- return slices.Contains(accounts, account.Name)
+ return accounts
}
-func (t *componentAccountProvisionTransformer) markAccountProvisioned(cond *metav1.Condition, account appsv1.SystemAccount) {
- if len(cond.Message) == 0 {
- cond.Message = account.Name
- return
+func (t *componentAccountProvisionTransformer) updateProvisionedAccount(cond *metav1.Condition, account, hashedPassword string) {
+ accounts := make([]string, 0)
+ if len(cond.Message) > 0 {
+ accounts = strings.Split(cond.Message, ",")
}
- accounts := strings.Split(cond.Message, ",")
- if slices.Contains(accounts, account.Name) {
- return
+ idx := slices.IndexFunc(accounts, func(s string) bool {
+ return strings.HasPrefix(s, fmt.Sprintf("%s:", account))
+ })
+ if idx >= 0 {
+ accounts[idx] = fmt.Sprintf("%s:%s", account, hashedPassword)
+ } else {
+ accounts = append(accounts, fmt.Sprintf("%s:%s", account, hashedPassword))
}
- accounts = append(accounts, account.Name)
cond.Message = strings.Join(accounts, ",")
}
-func (t *componentAccountProvisionTransformer) lifecycleAction(transCtx *componentTransformContext) (lifecycle.Lifecycle, error) {
- synthesizedComp := transCtx.SynthesizeComponent
- pods, err := component.ListOwnedPods(transCtx.Context, transCtx.Client,
- synthesizedComp.Namespace, synthesizedComp.ClusterName, synthesizedComp.Name)
- if err != nil {
- return nil, err
- }
- lfa, err := lifecycle.New(synthesizedComp.Namespace, synthesizedComp.ClusterName, synthesizedComp.Name,
- synthesizedComp.LifecycleActions, synthesizedComp.TemplateVars, nil, pods...)
- if err != nil {
- return nil, err
- }
- return lfa, nil
-}
-
-func (t *componentAccountProvisionTransformer) provisionAccount(transCtx *componentTransformContext,
- _ metav1.Condition, lfa lifecycle.Lifecycle, account appsv1.SystemAccount) error {
-
- synthesizedComp := transCtx.SynthesizeComponent
- secret, err := t.getAccountSecret(transCtx, synthesizedComp, account)
- if err != nil {
- return err
- }
-
- username, password := secret.Data[constant.AccountNameForSecret], secret.Data[constant.AccountPasswdForSecret]
- if len(username) == 0 || len(password) == 0 {
- return nil
+func (t *componentAccountProvisionTransformer) removeProvisionedAccount(cond *metav1.Condition, account string) {
+ accounts := make([]string, 0)
+ if len(cond.Message) > 0 {
+ accounts = strings.Split(cond.Message, ",")
}
-
- err = lfa.AccountProvision(transCtx.Context, transCtx.Client, nil, account.Statement, string(username), string(password))
- return lifecycle.IgnoreNotDefined(err)
+ accounts = slices.DeleteFunc(accounts, func(s string) bool {
+ return strings.HasPrefix(s, fmt.Sprintf("%s:", account))
+ })
+ cond.Message = strings.Join(accounts, ",")
}
-func (t *componentAccountProvisionTransformer) getAccountSecret(ctx graph.TransformContext,
- synthesizeComp *component.SynthesizedComponent, account appsv1.SystemAccount) (*corev1.Secret, error) {
- secretKey := types.NamespacedName{
- Namespace: synthesizeComp.Namespace,
- Name: constant.GenerateAccountSecretName(synthesizeComp.ClusterName, synthesizeComp.Name, account.Name),
+func (t *componentAccountProvisionTransformer) hashedPasswordFromCond(cond *metav1.Condition, account string) string {
+ accounts := make([]string, 0)
+ if len(cond.Message) > 0 {
+ accounts = strings.Split(cond.Message, ",")
}
- secret := &corev1.Secret{}
- if err := ctx.GetClient().Get(ctx.GetContext(), secretKey, secret); err != nil {
- return nil, err
+ idx := slices.IndexFunc(accounts, func(s string) bool {
+ return strings.HasPrefix(s, fmt.Sprintf("%s:", account))
+ })
+ if idx >= 0 {
+ val := strings.Split(accounts[idx], ":")
+ if len(val) == 2 {
+ return val[1]
+ }
}
- return secret, nil
+ return ""
}
diff --git a/deploy/helm/crds/apps.kubeblocks.io_clusters.yaml b/deploy/helm/crds/apps.kubeblocks.io_clusters.yaml
index 8d2fa8aa8c8..9dd64a43b69 100644
--- a/deploy/helm/crds/apps.kubeblocks.io_clusters.yaml
+++ b/deploy/helm/crds/apps.kubeblocks.io_clusters.yaml
@@ -5311,6 +5311,10 @@ spec:
ComponentDefinition.
items:
properties:
+ disabled:
+ default: false
+ description: Specifies whether the system account is disabled.
+ type: boolean
name:
description: The name of the system account.
type: string
@@ -5369,6 +5373,11 @@ spec:
namespace:
description: The namespace where the secret is located.
type: string
+ password:
+ default: password
+ description: The key in the secret data that contains
+ the password.
+ type: string
required:
- name
- namespace
@@ -14047,6 +14056,11 @@ spec:
ComponentDefinition.
items:
properties:
+ disabled:
+ default: false
+ description: Specifies whether the system account
+ is disabled.
+ type: boolean
name:
description: The name of the system account.
type: string
@@ -14106,6 +14120,11 @@ spec:
description: The namespace where the secret is
located.
type: string
+ password:
+ default: password
+ description: The key in the secret data that contains
+ the password.
+ type: string
required:
- name
- namespace
diff --git a/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml b/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml
index fe6bec4e932..a3568885f25 100644
--- a/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml
+++ b/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml
@@ -4501,9 +4501,9 @@ spec:
The container executing this action has access to following variables:
- - KB_ACCOUNT_NAME: The name of the system account to be created.
- - KB_ACCOUNT_PASSWORD: The password for the system account. // TODO: how to pass the password securely?
- - KB_ACCOUNT_STATEMENT: The statement used to create the system account.
+ - KB_ACCOUNT_NAME: The name of the system account to be manipulated.
+ - KB_ACCOUNT_PASSWORD: The password for the system account.
+ - KB_ACCOUNT_STATEMENT: The statement used to manipulate the system account.
Note: This field is immutable once it has been set.
@@ -16727,30 +16727,35 @@ spec:
Cannot be updated.
type: string
type: object
- secretRef:
+ statement:
description: |-
- Refers to the secret from which data will be copied to create the new account.
+ Defines the statements used to create, delete, and update the account.
This field is immutable once set.
properties:
- name:
- description: The unique identifier of the secret.
+ create:
+ description: |-
+ The statement to create a new account with the necessary privileges.
+
+
+ This field is immutable once set.
type: string
- namespace:
- description: The namespace where the secret is located.
+ delete:
+ description: |-
+ The statement to delete a account.
+
+
+ This field is immutable once set.
type: string
- required:
- - name
- - namespace
- type: object
- statement:
- description: |-
- Defines the statement used to create the account with the necessary privileges.
+ update:
+ description: |-
+ The statement to update an existing account.
- This field is immutable once set.
- type: string
+ This field is immutable once set.
+ type: string
+ type: object
required:
- name
type: object
diff --git a/deploy/helm/crds/apps.kubeblocks.io_components.yaml b/deploy/helm/crds/apps.kubeblocks.io_components.yaml
index 4b2c768c021..7f2a443af93 100644
--- a/deploy/helm/crds/apps.kubeblocks.io_components.yaml
+++ b/deploy/helm/crds/apps.kubeblocks.io_components.yaml
@@ -5505,6 +5505,10 @@ spec:
description: Overrides system accounts defined in referenced ComponentDefinition.
items:
properties:
+ disabled:
+ default: false
+ description: Specifies whether the system account is disabled.
+ type: boolean
name:
description: The name of the system account.
type: string
@@ -5563,6 +5567,11 @@ spec:
namespace:
description: The namespace where the secret is located.
type: string
+ password:
+ default: password
+ description: The key in the secret data that contains the
+ password.
+ type: string
required:
- name
- namespace
diff --git a/docs/developer_docs/api-reference/cluster.md b/docs/developer_docs/api-reference/cluster.md
index 450c3fb9003..5f838c556c1 100644
--- a/docs/developer_docs/api-reference/cluster.md
+++ b/docs/developer_docs/api-reference/cluster.md
@@ -5770,8 +5770,9 @@ This action is designed to create system accounts that are utilized for replicat
and other administrative tasks.
The container executing this action has access to following variables:
-- KB_ACCOUNT_NAME: The name of the system account to be created.
-- KB_ACCOUNT_STATEMENT: The statement used to create the system account.
+- KB_ACCOUNT_NAME: The name of the system account to be manipulated.
+- KB_ACCOUNT_PASSWORD: The password for the system account.
+- KB_ACCOUNT_STATEMENT: The statement used to manipulate the system account.
Note: This field is immutable once it has been set.
@@ -6435,6 +6436,18 @@ string
+disabled
+
+bool
+
+ |
+
+(Optional)
+ Specifies whether the system account is disabled.
+ |
+
+
+
passwordConfig
@@ -8719,7 +8732,7 @@ Defaults to 3. Minimum value is 1.
ProvisionSecretRef
-(Appears on:ComponentSystemAccount, SystemAccount)
+(Appears on:ComponentSystemAccount)
ProvisionSecretRef represents the reference to a secret.
@@ -8754,6 +8767,18 @@ string
The namespace where the secret is located.
|
+
+
+password
+
+string
+
+ |
+
+(Optional)
+ The key in the secret data that contains the password.
+ |
+
Range
@@ -11183,12 +11208,14 @@ bool
statement
-string
+
+SystemAccountStatement
+
|
(Optional)
- Defines the statement used to create the account with the necessary privileges.
+Defines the statements used to create, delete, and update the account.
This field is immutable once set.
|
@@ -11207,18 +11234,59 @@ PasswordConfig
This field is immutable once set.
+
+
+SystemAccountStatement
+
+
+(Appears on:SystemAccount)
+
+
+
+
+
+
+| Field |
+Description |
+
+
+
-secretRef
+create
-
-ProvisionSecretRef
-
+string
|
(Optional)
- Refers to the secret from which data will be copied to create the new account.
+The statement to create a new account with the necessary privileges.
+This field is immutable once set.
+ |
+
+
+
+delete
+
+string
+
+ |
+
+(Optional)
+ The statement to delete a account.
+This field is immutable once set.
+ |
+
+
+
+update
+
+string
+
+ |
+
+(Optional)
+ The statement to update an existing account.
This field is immutable once set.
|
diff --git a/pkg/constant/labels.go b/pkg/constant/labels.go
index 05a867e870c..12163c1ca2e 100644
--- a/pkg/constant/labels.go
+++ b/pkg/constant/labels.go
@@ -82,15 +82,6 @@ func GetCompLabelsWithDef(clusterName, compName, compDef string, labels ...map[s
return withShardingNameLabel(m, labels...)
}
-func GetConfigurationLabels(clusterName, compName, cmTplName string) map[string]string {
- return map[string]string{
- AppManagedByLabelKey: AppName,
- AppInstanceLabelKey: clusterName,
- KBAppComponentLabelKey: compName,
- CMTemplateNameLabelKey: cmTplName,
- }
-}
-
func withShardingNameLabel(labels map[string]string, extraLabels ...map[string]string) map[string]string {
for _, m := range extraLabels {
if m != nil {
@@ -102,3 +93,12 @@ func withShardingNameLabel(labels map[string]string, extraLabels ...map[string]s
}
return labels
}
+
+func GetConfigurationLabels(clusterName, compName, cmTplName string) map[string]string {
+ return map[string]string{
+ AppManagedByLabelKey: AppName,
+ AppInstanceLabelKey: clusterName,
+ KBAppComponentLabelKey: compName,
+ CMTemplateNameLabelKey: cmTplName,
+ }
+}
diff --git a/pkg/controller/builder/builder_component_definition.go b/pkg/controller/builder/builder_component_definition.go
index 92497251145..bd439f84dfe 100644
--- a/pkg/controller/builder/builder_component_definition.go
+++ b/pkg/controller/builder/builder_component_definition.go
@@ -192,19 +192,6 @@ func (builder *ComponentDefinitionBuilder) SetReplicasLimit(minReplicas, maxRepl
return builder
}
-func (builder *ComponentDefinitionBuilder) AddSystemAccount(accountName string, initAccount bool, statement string) *ComponentDefinitionBuilder {
- account := appsv1.SystemAccount{
- Name: accountName,
- InitAccount: initAccount,
- Statement: statement,
- }
- if builder.get().Spec.SystemAccounts == nil {
- builder.get().Spec.SystemAccounts = make([]appsv1.SystemAccount, 0)
- }
- builder.get().Spec.SystemAccounts = append(builder.get().Spec.SystemAccounts, account)
- return builder
-}
-
func (builder *ComponentDefinitionBuilder) SetUpdateStrategy(strategy *appsv1.UpdateStrategy) *ComponentDefinitionBuilder {
builder.get().Spec.UpdateStrategy = strategy
return builder
diff --git a/pkg/controller/component/component_version.go b/pkg/controller/component/component_version.go
index d34b6abd16b..16d642d23df 100644
--- a/pkg/controller/component/component_version.go
+++ b/pkg/controller/component/component_version.go
@@ -216,6 +216,9 @@ func actionsToResolveImage(compDef *appsv1.ComponentDefinition) map[string]*apps
if compDef.Spec.LifecycleActions.RoleProbe != nil {
actions[normalize("roleProbe")] = &compDef.Spec.LifecycleActions.RoleProbe.Action
}
+ if compDef.Spec.LifecycleActions.AvailableProbe != nil {
+ actions[normalize("availableProbe")] = &compDef.Spec.LifecycleActions.AvailableProbe.Action
+ }
return actions
}
diff --git a/pkg/controller/component/its_convertor.go b/pkg/controller/component/its_convertor.go
index e1e9653be8f..70fde3c7024 100644
--- a/pkg/controller/component/its_convertor.go
+++ b/pkg/controller/component/its_convertor.go
@@ -72,8 +72,8 @@ func (c *itsCredentialConvertor) convert(args ...any) (any, error) {
return nil, err
}
- credential := func(sysAccount kbappsv1.SystemAccount) *workloads.Credential {
- secretName := constant.GenerateAccountSecretName(synthesizeComp.ClusterName, synthesizeComp.Name, sysAccount.Name)
+ credential := func(sysAccount string) *workloads.Credential {
+ secretName := constant.GenerateAccountSecretName(synthesizeComp.ClusterName, synthesizeComp.Name, sysAccount)
return &workloads.Credential{
Username: workloads.CredentialVar{
ValueFrom: &corev1.EnvVarSource{
@@ -99,9 +99,9 @@ func (c *itsCredentialConvertor) convert(args ...any) (any, error) {
}
// use first init account as the default credential
- for index, sysAccount := range synthesizeComp.SystemAccounts {
+ for _, sysAccount := range synthesizeComp.SystemAccounts {
if sysAccount.InitAccount {
- return credential(synthesizeComp.SystemAccounts[index]), nil
+ return credential(sysAccount.Name), nil
}
}
return nil, nil
diff --git a/pkg/controller/component/synthesize_component.go b/pkg/controller/component/synthesize_component.go
index f3f102ccd8f..91bd46d386d 100644
--- a/pkg/controller/component/synthesize_component.go
+++ b/pkg/controller/component/synthesize_component.go
@@ -95,7 +95,7 @@ func BuildSynthesizedComponent(ctx context.Context, cli client.Reader,
MinReadySeconds: compDefObj.Spec.MinReadySeconds,
PolicyRules: compDefObj.Spec.PolicyRules,
LifecycleActions: compDefObj.Spec.LifecycleActions,
- SystemAccounts: mergeSystemAccounts(compDefObj.Spec.SystemAccounts, comp.Spec.SystemAccounts),
+ SystemAccounts: compDefObj.Spec.SystemAccounts,
Replicas: comp.Spec.Replicas,
Resources: comp.Spec.Resources,
TLSConfig: comp.Spec.TLSConfig,
@@ -210,35 +210,6 @@ func mergeUserDefinedEnv(synthesizedComp *SynthesizedComponent, comp *appsv1.Com
return nil
}
-func mergeSystemAccounts(compDefAccounts []appsv1.SystemAccount,
- compAccounts []appsv1.ComponentSystemAccount) []appsv1.SystemAccount {
- if len(compAccounts) == 0 {
- return compDefAccounts
- }
-
- override := func(compAccount appsv1.ComponentSystemAccount, idx int) {
- if compAccount.PasswordConfig != nil {
- compDefAccounts[idx].PasswordGenerationPolicy = *compAccount.PasswordConfig
- }
- compDefAccounts[idx].SecretRef = compAccount.SecretRef
- }
-
- tbl := make(map[string]int)
- for i, account := range compDefAccounts {
- tbl[account.Name] = i
- }
-
- for _, account := range compAccounts {
- idx, ok := tbl[account.Name]
- if !ok {
- continue // ignore it silently
- }
- override(account, idx)
- }
-
- return compDefAccounts
-}
-
func buildSchedulingPolicy(synthesizedComp *SynthesizedComponent, comp *appsv1.Component) {
if comp.Spec.SchedulingPolicy != nil {
schedulingPolicy := comp.Spec.SchedulingPolicy
diff --git a/pkg/controller/lifecycle/lfa_account.go b/pkg/controller/lifecycle/lfa_account.go
index bdf438c1eb8..a70b9893ca1 100644
--- a/pkg/controller/lifecycle/lfa_account.go
+++ b/pkg/controller/lifecycle/lfa_account.go
@@ -46,9 +46,9 @@ func (a *accountProvision) name() string {
func (a *accountProvision) parameters(ctx context.Context, cli client.Reader) (map[string]string, error) {
// The container executing this action has access to following variables:
//
- // - KB_ACCOUNT_NAME: The name of the system account to be created.
+ // - KB_ACCOUNT_NAME: The name of the system account to be manipulated.
// - KB_ACCOUNT_PASSWORD: The password for the system account.
- // - KB_ACCOUNT_STATEMENT: The statement used to create the system account.
+ // - KB_ACCOUNT_STATEMENT: The statement used to manipulate the system account.
return map[string]string{
accountName: a.user,
accountPassword: a.password,
diff --git a/pkg/testutil/apps/cluster_factory.go b/pkg/testutil/apps/cluster_factory.go
index d9c31b53543..ef5961b25fa 100644
--- a/pkg/testutil/apps/cluster_factory.go
+++ b/pkg/testutil/apps/cluster_factory.go
@@ -21,6 +21,7 @@ package apps
import (
corev1 "k8s.io/api/core/v1"
+ "k8s.io/utils/ptr"
appsv1 "github.com/apecloud/kubeblocks/apis/apps/v1"
)
@@ -206,11 +207,12 @@ func (factory *MockClusterFactory) AddComponentService(serviceName string, servi
})
}
-func (factory *MockClusterFactory) AddSystemAccount(name string, passwordConfig *appsv1.PasswordConfig, secretRef *appsv1.ProvisionSecretRef) *MockClusterFactory {
+func (factory *MockClusterFactory) AddSystemAccount(name string, disabled bool, passwordConfig *appsv1.PasswordConfig, secretRef *appsv1.ProvisionSecretRef) *MockClusterFactory {
return factory.lastComponentRef(func(comp *appsv1.ClusterComponentSpec) {
comp.SystemAccounts = append(comp.SystemAccounts,
appsv1.ComponentSystemAccount{
Name: name,
+ Disabled: ptr.To(disabled),
PasswordConfig: passwordConfig,
SecretRef: secretRef,
})
diff --git a/pkg/testutil/apps/componentdefinition_factory.go b/pkg/testutil/apps/componentdefinition_factory.go
index 8871c693202..72d57b55472 100644
--- a/pkg/testutil/apps/componentdefinition_factory.go
+++ b/pkg/testutil/apps/componentdefinition_factory.go
@@ -267,7 +267,9 @@ func (f *MockComponentDefinitionFactory) AddSystemAccount(accountName string, in
account := kbappsv1.SystemAccount{
Name: accountName,
InitAccount: initAccount,
- Statement: statement,
+ Statement: &kbappsv1.SystemAccountStatement{
+ Create: statement,
+ },
}
if f.Get().Spec.SystemAccounts == nil {
f.Get().Spec.SystemAccounts = make([]kbappsv1.SystemAccount, 0)
diff --git a/pkg/testutil/apps/constant.go b/pkg/testutil/apps/constant.go
index c18fa35603d..825030be311 100644
--- a/pkg/testutil/apps/constant.go
+++ b/pkg/testutil/apps/constant.go
@@ -196,8 +196,12 @@ var (
},
},
{
- Name: "admin",
- Statement: "CREATE USER $(USERNAME) IDENTIFIED BY '$(PASSWORD)'; GRANT ALL PRIVILEGES ON *.* TO $(USERNAME);",
+ Name: "admin",
+ Statement: &appsv1.SystemAccountStatement{
+ Create: "CREATE USER $(USERNAME) IDENTIFIED BY '$(PASSWORD)'; GRANT ALL PRIVILEGES ON *.* TO $(USERNAME);",
+ Delete: "DROP USER '$(USERNAME)'@'%';",
+ Update: "ALTER USER '$(USERNAME)'@'%' IDENTIFIED BY '$(PASSWORD)';",
+ },
PasswordGenerationPolicy: appsv1.PasswordConfig{
Length: 10,
NumDigits: 5,
diff --git a/pkg/testutil/apps/kb_agent_util.go b/pkg/testutil/apps/kb_agent_util.go
index c869bc9cfdf..a813cd20bf6 100644
--- a/pkg/testutil/apps/kb_agent_util.go
+++ b/pkg/testutil/apps/kb_agent_util.go
@@ -85,57 +85,6 @@ func MockKBAgentClient4HScale(testCtx *testutil.TestContext, clusterKey types.Na
})
}
-func MockKBAgentClient4Workload(testCtx *testutil.TestContext, pods []*corev1.Pod) {
- const (
- memberJoinCompletedLabel = "test.kubeblock.io/memberjoin-completed"
- memberLeaveCompletedLabel = "test.kubeblock.io/memberleave-completed"
- )
-
- rsp := kbagentproto.ActionResponse{Message: "mock success"}
- handleMemberLeave := func(podName string) (kbagentproto.ActionResponse, error) {
- for _, pod := range pods {
- if pod.Name != podName {
- continue
- }
- pod.Labels[memberLeaveCompletedLabel] = "true"
- err := testCtx.Cli.Update(testCtx.Ctx, pod)
- if err != nil {
- return kbagentproto.ActionResponse{}, err
- }
- }
- return rsp, nil
- }
-
- handleMemberJoin := func(podName string) (kbagentproto.ActionResponse, error) {
- for _, pod := range pods {
- if pod.Name != podName {
- continue
- }
- pod.Labels[memberJoinCompletedLabel] = "true"
- err := testCtx.Cli.Update(testCtx.Ctx, pod)
- if err != nil {
- return kbagentproto.ActionResponse{}, err
- }
- }
- return rsp, nil
- }
-
- MockKBAgentClient(func(recorder *kbacli.MockClientMockRecorder) {
- recorder.Action(gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, req kbagentproto.ActionRequest) (kbagentproto.ActionResponse, error) {
- switch req.Action {
- case "memberLeave":
- podName := req.Parameters["KB_LEAVE_MEMBER_POD_NAME"]
- return handleMemberLeave(podName)
- case "memberJoin":
- podName := req.Parameters["KB_JOIN_MEMBER_POD_NAME"]
- return handleMemberJoin(podName)
- default:
- return rsp, nil
- }
- }).AnyTimes()
- })
-}
-
func MockKBAgentContainer() corev1.Container {
return corev1.Container{
Name: kbagent.ContainerName,
diff --git a/pkg/testutil/dataprotection/backup_utils.go b/pkg/testutil/dataprotection/backup_utils.go
index 29f3f7e8ca6..aaecfeec62a 100644
--- a/pkg/testutil/dataprotection/backup_utils.go
+++ b/pkg/testutil/dataprotection/backup_utils.go
@@ -187,7 +187,7 @@ func NewFakeCluster(testCtx *testutil.TestContext) *BackupClusterInfo {
cluster := testapps.NewClusterFactory(testCtx.DefaultNamespace, ClusterName, "").
AddLabels(constant.AppInstanceLabelKey, ClusterName).
AddComponent("test-cmp", "test-cmpd").
- AddSystemAccount("test-account", nil, nil).
+ AddSystemAccount("test-account", false, nil, nil).
Create(testCtx).GetObject()
podName := ClusterName + "-" + ComponentName