Merge pull request #179 from zzzeek/remove_secret_from_db

Remove secret from MariaDBDatabase and use MariaDBAccount instead

api/bases/mariadb.openstack.org_mariadbdatabases.yaml

@@ -47,17 +47,57 @@ spec:
                 description: Name of the database in MariaDB
                 type: string
               secret:
-                description: Name of secret which contains DatabasePassword
+                description: Name of secret which contains DatabasePassword (deprecated)
                 type: string
-            required:
-            - defaultCharacterSet
-            - defaultCollation
             type: object
           status:
             description: MariaDBDatabaseStatus defines the observed state of MariaDBDatabase
             properties:
               completed:
                 type: boolean
+              conditions:
+                description: Deployment Conditions
+                items:
+                  description: Condition defines an observation of a API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase.
+                      type: string
+                    severity:
+                      description: Severity provides a classification of Reason code,
+                        so the current situation is immediately understandable and
+                        could act accordingly. It is meant for situations where Status=False
+                        and it should be indicated if it is just informational, warning
+                        (next reconciliation might fix it) or an error (e.g. DB create
+                        issue and no actions to automatically resolve the issue can/should
+                        be done). For conditions where Status=Unknown or Status=True
+                        the Severity should be SeverityNone.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
               hash:
                 additionalProperties:
                   type: string

api/v1beta1/conditions.go

@@ -77,6 +77,8 @@ const (
 
 	MariaDBServerReadyMessage = "MariaDB / Galera server ready"
 
+	MariaDBServerNotBootstrappedMessage = "MariaDB / Galera server not bootstrapped"
+
 	MariaDBAccountReadyInitMessage = "MariaDBAccount create / drop not started"
 
 	MariaDBAccountReadyMessage = "MariaDBAccount creation complete"

api/v1beta1/mariadbdatabase_funcs.go

@@ -121,6 +121,11 @@ func (d *Database) GetDatabase() *MariaDBDatabase {
 	return d.database
 }
 
+// GetAccount - returns the account
+func (d *Database) GetAccount() *MariaDBAccount {
+	return d.account
+}
+
 // CreateOrPatchDB - create or patch the service DB instance
 // Deprecated. Use CreateOrPatchDBByName instead. If you want to use the
 // default the DB service instance of the deployment then pass "openstack" as
@@ -162,6 +167,22 @@ func (d *Database) CreateOrPatchDBByName(
 		}
 	}
 
+	account := d.account
+	if account == nil {
+		account = &MariaDBAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      d.databaseUser,
+				Namespace: d.namespace,
+				Labels: map[string]string{
+					"mariaDBDatabaseName": d.name,
+				},
+			},
+			Spec: MariaDBAccountSpec{
+				UserName: d.databaseUser,
+				Secret:   d.secret,
+			},
+		}
+	}
 	// set the database hostname on the db instance
 	err := d.setDatabaseHostname(ctx, h, name)
 	if err != nil {
@@ -174,8 +195,6 @@ func (d *Database) CreateOrPatchDBByName(
 			d.labels,
 		)
 
-		db.Spec.Secret = d.secret
-
 		err := controllerutil.SetControllerReference(h.GetBeforeObject(), db, h.GetScheme())
 		if err != nil {
 			return err
@@ -200,6 +219,36 @@ func (d *Database) CreateOrPatchDBByName(
 		return ctrl.Result{RequeueAfter: time.Second * 5}, nil
 	}
 
+	op_acc, err_acc := controllerutil.CreateOrPatch(ctx, h.GetClient(), account, func() error {
+		account.Labels = util.MergeStringMaps(
+			account.GetLabels(),
+			d.labels,
+		)
+
+		err := controllerutil.SetControllerReference(h.GetBeforeObject(), account, h.GetScheme())
+		if err != nil {
+			return err
+		}
+
+		// If the service object doesn't have our finalizer, add it.
+		controllerutil.AddFinalizer(account, h.GetFinalizer())
+
+		return nil
+	})
+
+	if err_acc != nil && !k8s_errors.IsNotFound(err_acc) {
+		return ctrl.Result{}, util.WrapErrorForObject(
+			fmt.Sprintf("Error create or update account object %s", account.Name),
+			account,
+			err_acc,
+		)
+	}
+
+	if op_acc != controllerutil.OperationResultNone {
+		util.LogForObject(h, fmt.Sprintf("Account object %s created or patched", account.Name), account)
+		return ctrl.Result{RequeueAfter: time.Second * 5}, nil
+	}
+
 	err = d.getDBWithName(
 		ctx,
 		h,
@@ -211,7 +260,9 @@ func (d *Database) CreateOrPatchDBByName(
 	return ctrl.Result{}, nil
 }
 
-// WaitForDBCreatedWithTimeout - wait until the MariaDBDatabase is initialized and reports Status.Completed == true
+// WaitForDBCreatedWithTimeout - wait until the MariaDBDatabase and MariaDBAccounts are
+// initialized and reports Status.Conditions.IsTrue(MariaDBDatabaseReadyCondition)
+// and Status.Conditions.IsTrue(MariaDBAccountReadyCondition)
 func (d *Database) WaitForDBCreatedWithTimeout(
 	ctx context.Context,
 	h *helper.Helper,
@@ -226,7 +277,7 @@ func (d *Database) WaitForDBCreatedWithTimeout(
 		return ctrl.Result{}, err
 	}
 
-	if !d.database.Status.Completed || k8s_errors.IsNotFound(err) {
+	if !d.database.Status.Conditions.IsTrue(MariaDBDatabaseReadyCondition) {
 		util.LogForObject(
 			h,
 			fmt.Sprintf("Waiting for service DB %s to be created", d.database.Name),
@@ -236,6 +287,26 @@ func (d *Database) WaitForDBCreatedWithTimeout(
 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
 	}
 
+	if !d.account.Status.Conditions.IsTrue(MariaDBAccountReadyCondition) {
+		util.LogForObject(
+			h,
+			fmt.Sprintf("Waiting for service account %s to be created", d.account.Name),
+			d.account,
+		)
+
+		return ctrl.Result{RequeueAfter: requeueAfter}, nil
+	}
+
+	if k8s_errors.IsNotFound(err) {
+		util.LogForObject(
+			h,
+			fmt.Sprintf("DB or account objects not yet found %s", d.database.Name),
+			d.database,
+		)
+
+		return ctrl.Result{RequeueAfter: requeueAfter}, nil
+	}
+
 	return ctrl.Result{}, nil
 }
 
@@ -262,13 +333,15 @@ func (d *Database) getDBWithName(
 	if namespace == "" {
 		namespace = h.GetBeforeObject().GetNamespace()
 	}
+
 	err := h.GetClient().Get(
 		ctx,
 		types.NamespacedName{
 			Name:      name,
 			Namespace: namespace,
 		},
 		db)
+
 	if err != nil {
 		if k8s_errors.IsNotFound(err) {
 			return util.WrapErrorForObject(
@@ -287,6 +360,35 @@ func (d *Database) getDBWithName(
 
 	d.database = db
 
+	account := &MariaDBAccount{}
+	username := d.databaseUser
+
+	err = h.GetClient().Get(
+		ctx,
+		types.NamespacedName{
+			Name:      username,
+			Namespace: namespace,
+		},
+		account)
+
+	if err != nil {
+		if k8s_errors.IsNotFound(err) {
+			return util.WrapErrorForObject(
+				fmt.Sprintf("Failed to get %s account %s ", username, namespace),
+				h.GetBeforeObject(),
+				err,
+			)
+		}
+
+		return util.WrapErrorForObject(
+			fmt.Sprintf("account error %s %s ", username, namespace),
+			h.GetBeforeObject(),
+			err,
+		)
+	}
+
+	d.account = account
+
 	return nil
 }
 

api/v1beta1/mariadbdatabase_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -30,20 +31,23 @@ const (
 
 // MariaDBDatabaseSpec defines the desired state of MariaDBDatabase
 type MariaDBDatabaseSpec struct {
-	// Name of secret which contains DatabasePassword
-	Secret string `json:"secret,omitempty"`
+	// Name of secret which contains DatabasePassword (deprecated)
+	Secret *string `json:"secret,omitempty"`
 	// Name of the database in MariaDB
 	Name string `json:"name,omitempty"`
 	// +kubebuilder:default=utf8
 	// Default character set for this database
-	DefaultCharacterSet string `json:"defaultCharacterSet"`
+	DefaultCharacterSet string `json:"defaultCharacterSet,omitempty"`
 	// +kubebuilder:default=utf8_general_ci
 	// Default collation for this database
-	DefaultCollation string `json:"defaultCollation"`
+	DefaultCollation string `json:"defaultCollation,omitempty"`
 }
 
 // MariaDBDatabaseStatus defines the observed state of MariaDBDatabase
 type MariaDBDatabaseStatus struct {
+	// Deployment Conditions
+	Conditions condition.Conditions `json:"conditions,omitempty" optional:"true"`
+
 	Completed bool `json:"completed,omitempty"`
 	// Map of hashes to track e.g. job status
 	Hash map[string]string `json:"hash,omitempty"`
@@ -84,6 +88,7 @@ const (
 // Database -
 type Database struct {
 	database         *MariaDBDatabase
+	account          *MariaDBAccount
 	databaseHostname string
 	databaseName     string
 	databaseUser     string