
Allow creation & deletion of users with the operator #29

Merged (7 commits) Mar 8, 2021

Conversation

@coro (Contributor) commented Mar 4, 2021

This PR allows for the creation & deletion of users. Update of users & their credentials is not currently supported.

TODOs:

- Generate a Secret containing the credentials for the user
- We can make the user controller own the generated Secret, so that any updates to it will trigger the User controller to reconcile again
- Add a Status to the User object, with a .status.credentials key pointing to a credentials Secret
- Allow the provision of the user with a pre-defined password through a Secret supplied in the object Spec
- Allow a User to be updated, either by:
  - Updating the User Spec in the User object
  - Updating the credential Secret generated when the User is first created

This closes #3

Note to reviewers: remember to look at the commits in this PR and consider if they can be squashed

@MirahImage (Member)

I'm wondering about the secret structure and how it's likely to be used, including potentially conforming to provisioned service secret specification to allow for ducktyping. In particular, I suspect that we would like to have the secret contain both username and password fields (potentially decoupling the resource name from the username).

coro added 2 commits March 5, 2021 10:17
This Secret is owned by the User controller, and so is deleted when the
User object is deleted. The reference to the Secret is presented in the
Status of the User.
internal/user_settings.go (review comment, outdated, resolved)

@ChunyiLyu (Contributor) left a comment

See comments. Overall looks good

@ChunyiLyu (Contributor)

Question: what would happen if the created credential secret was modified (.data or annotations/labels)? Does that trigger a reconcile() since the controller is watching the object? Would you end up having a newly generated user secret as a result of that?

@coro (Contributor, Author)

coro commented Mar 8, 2021

> Question: what would happen if the created credential secret was modified (.data or annotations/labels)? Does that trigger a reconcile() since the controller is watching the object? Would you end up having a newly generated user secret as a result of that?

What I'd like to happen is it triggers the reconcile, and is treated as the ultimate source of truth. So a new secret is not created, and the password hash of the user is regenerated and updated if the secret data was changed.

Having said that, what happens if the data for the username is changed? You then would be left with a User object that is tied to a Secret containing credentials for a different user. Not quite sure how to deal with that just yet.

coro added 4 commits March 8, 2021 11:12
The corev1 Secret interface takes the raw fields and stores them as
base64-encoded values - there is no need to pre-encode them oneself.
This brings it in line with the cluster operator, rather than using
standard encoding.
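The three mechanics discussed in this thread, as an added example that is not code from this PR or from the operator: a credential Secret keyed by `username` and `password` (MirahImage's suggestion) that is owned by the User so it is garbage-collected with it, the wire-level base64 behaviour behind the last commit message (a pre-encoded value gets encoded a second time), and the username-drift check coro wonders about (a Secret whose `username` no longer matches its User). To stay dependency-free it uses trimmed stand-in structs (`Secret`, `ObjectMeta`, `OwnerReference`) that copy the JSON shape of the corev1/metav1 types rather than importing them; the API group `example.com/v1alpha1`, the Secret naming scheme and the helper names are assumptions, not the project's.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// OwnerReference and ObjectMeta are trimmed stand-ins (assumption) for the
// metav1 types, keeping only the fields this example needs, with the same
// JSON tags so the marshalled output has the real wire shape.
type OwnerReference struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Name       string `json:"name"`
	UID        string `json:"uid"`
	Controller *bool  `json:"controller,omitempty"`
}

type ObjectMeta struct {
	Name            string           `json:"name"`
	Namespace       string           `json:"namespace"`
	OwnerReferences []OwnerReference `json:"ownerReferences,omitempty"`
}

// Secret mirrors corev1.Secret: Data is map[string][]byte, and encoding/json
// base64-encodes every []byte on the wire. That is why callers hand it raw
// bytes; pre-encoding yields a double-encoded value.
type Secret struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	ObjectMeta ObjectMeta        `json:"metadata"`
	Type       string            `json:"type,omitempty"`
	Data       map[string][]byte `json:"data,omitempty"`
}

// NewCredentialSecret builds the Secret a User controller would generate:
// "username" and "password" keys (so the username is decoupled from the
// resource name) and a controller owner reference back to the User, so the
// Secret is deleted with it and edits to it re-queue the User for reconcile.
func NewCredentialSecret(userName, namespace, userUID, username, password string) *Secret {
	controller := true
	return &Secret{
		APIVersion: "v1",
		Kind:       "Secret",
		ObjectMeta: ObjectMeta{
			Name:      userName + "-user-credentials", // naming scheme is an assumption
			Namespace: namespace,
			OwnerReferences: []OwnerReference{{
				APIVersion: "example.com/v1alpha1", // placeholder group/version
				Kind:       "User",
				Name:       userName,
				UID:        userUID,
				Controller: &controller,
			}},
		},
		Type: "Opaque",
		Data: map[string][]byte{
			"username": []byte(username),
			"password": []byte(password), // raw bytes, not pre-encoded
		},
	}
}

// WireData marshals the Secret and returns the string stored under data.<key>,
// i.e. what the API server would persist for that key.
func WireData(s *Secret, key string) (string, error) {
	raw, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	var wire struct {
		Data map[string]string `json:"data"`
	}
	if err := json.Unmarshal(raw, &wire); err != nil {
		return "", err
	}
	v, ok := wire.Data[key]
	if !ok {
		return "", fmt.Errorf("key %q not present in data", key)
	}
	return v, nil
}

// DecodeOnce strips the single base64 layer the wire format adds. If the
// caller pre-encoded the value, the result is still base64 text rather than
// the plaintext: the double-encoding the last commit removes.
func DecodeOnce(wire string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(wire)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// UsernameMatches is the reconcile-time guard for the case coro raises: a
// Secret whose "username" was edited no longer belongs to this User, and the
// controller should surface that rather than act on it.
func UsernameMatches(s *Secret, expected string) error {
	got, ok := s.Data["username"]
	if !ok {
		return errors.New("credential secret has no username key")
	}
	if !bytes.Equal(got, []byte(expected)) {
		return fmt.Errorf("credential secret username %q does not match user %q", got, expected)
	}
	return nil
}

func main() {
	s := NewCredentialSecret("alice", "default", "uid-1234", "alice", "s3cr3t") // constructed values
	w, _ := WireData(s, "password")
	fmt.Println("on the wire:", w)
	fmt.Println("username check:", UsernameMatches(s, "alice"))
}
```

Running `main` shows the password stored once-encoded on the wire; swap in a pre-encoded value and `DecodeOnce` hands back base64 text instead of the plaintext, which is the symptom the commit message describes.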
@coro coro marked this pull request as ready for review March 8, 2021 11:55
@coro coro changed the title WIP: Allow creation & deletion of users with the operator Allow creation & deletion of users with the operator Mar 8, 2021
@coro coro merged commit 6b045e6 into main Mar 8, 2021
@MirahImage MirahImage deleted the user-controller branch March 9, 2021 11:36
Linked issue: Use the operator to create users