use system MariaDBAccount for the galera server's root pw

This commit ties together the previous ones to create a new
MariaDBAccount when a Galera instance is created, and then to
use the password from that account/secret in the mariadb
bootstrap/maintenance scripts.

Galera gets bootstrapped with this secret, then the mariadbaccount
controller, who is waiting for galera to be available to set up this
new "root" account, wakes up when galera is running, and changes
the root password to itself, establishing the initial job hash
for the mariadbaccount.

Author: zzzeek

api/bases/mariadb.openstack.org_galeras.yaml

@@ -78,8 +78,16 @@ spec:
                 maximum: 3
                 minimum: 0
                 type: integer
+              rootDatabaseAccount:
+                default: mariadbroot
+                description: |-
+                  RootDatabaseAccount - name of MariaDBAccount which will be used to
+                  generate root account / password.
+                type: string
               secret:
-                description: Name of the secret to look for password keys
+                description: |-
+                  Deprecated; no longer used; see the "root" MariaDBAccount
+                  secret
                 type: string
               storageClass:
                 description: Storage class to host the mariadb databases
@@ -118,7 +126,6 @@ spec:
             required:
             - containerImage
             - replicas
-            - secret
             - storageClass
             - storageRequest
             type: object

api/v1beta1/galera_types.go

@@ -17,12 +17,12 @@ limitations under the License.
 package v1beta1
 
 import (
+	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
-	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
-	"k8s.io/apimachinery/pkg/util/validation/field"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
 const (
@@ -50,9 +50,17 @@ type GaleraSpec struct {
 
 // GaleraSpec defines the desired state of Galera
 type GaleraSpecCore struct {
-	// Name of the secret to look for password keys
-	// +kubebuilder:validation:Required
+	// Deprecated; no longer used; see the "root" MariaDBAccount
+	// secret
+	// +kubebuilder:validation:Optional
 	Secret string `json:"secret"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=mariadbroot
+	// RootDatabaseAccount - name of MariaDBAccount which will be used to
+	// generate root account / password.
+	RootDatabaseAccount string `json:"rootDatabaseAccount"`
+
 	// Storage class to host the mariadb databases
 	// +kubebuilder:validation:Required
 	StorageClass string `json:"storageClass"`

api/v1beta1/mariadbaccount_types.go

@@ -28,9 +28,6 @@ const (
 	// AccountDeleteHash hash
 	AccountDeleteHash = "accountdelete"
 
-	// DbRootPassword selector for galera root account
-	DbRootPasswordSelector = "DbRootPassword"
-
 	// DatabasePassword selector for MariaDBAccount->Secret
 	DatabasePasswordSelector = "DatabasePassword"
 )

api/v1beta1/mariadbdatabase_funcs.go

@@ -541,6 +541,47 @@ func DeleteDatabaseAndAccountFinalizers(
 	namespace string,
 ) error {
 
+	err := DeleteAccountFinalizers(
+		ctx,
+		h,
+		accountName,
+		namespace,
+	)
+	if err != nil {
+		return err
+	}
+
+	// also do a delete for "unused" MariaDBAccounts, associated with
+	// this MariaDBDatabase.
+	err = DeleteUnusedMariaDBAccountFinalizers(
+		ctx, h, name, accountName, namespace,
+	)
+	if err != nil && !k8s_errors.IsNotFound(err) {
+		return err
+	}
+
+	mariaDBDatabase, err := GetDatabase(ctx, h, name, namespace)
+	if err != nil && !k8s_errors.IsNotFound(err) {
+		return err
+	} else if err == nil && controllerutil.RemoveFinalizer(mariaDBDatabase, h.GetFinalizer()) {
+		err := h.GetClient().Update(ctx, mariaDBDatabase)
+		if err != nil && !k8s_errors.IsNotFound(err) {
+			return err
+		}
+		util.LogForObject(h, fmt.Sprintf("Removed finalizer %s from MariaDBDatabase %s", h.GetFinalizer(), mariaDBDatabase.Spec.Name), mariaDBDatabase)
+	}
+
+	return nil
+}
+
+// DeleteAccountFinalizers performs just the primary account + secret finalizer
+// removal part of DeleteDatabaseAndAccountFinalizers
+func DeleteAccountFinalizers(
+	ctx context.Context,
+	h *helper.Helper,
+	accountName string,
+	namespace string,
+) error {
 	databaseAccount, err := GetAccount(ctx, h, accountName, namespace)
 	if err != nil && !k8s_errors.IsNotFound(err) {
 		return err
@@ -572,26 +613,6 @@ func DeleteDatabaseAndAccountFinalizers(
 		}
 	}
 
-	// also do a delete for "unused" MariaDBAccounts, associated with
-	// this MariaDBDatabase.
-	err = DeleteUnusedMariaDBAccountFinalizers(
-		ctx, h, name, accountName, namespace,
-	)
-	if err != nil && !k8s_errors.IsNotFound(err) {
-		return err
-	}
-
-	mariaDBDatabase, err := GetDatabase(ctx, h, name, namespace)
-	if err != nil && !k8s_errors.IsNotFound(err) {
-		return err
-	} else if err == nil && controllerutil.RemoveFinalizer(mariaDBDatabase, h.GetFinalizer()) {
-		err := h.GetClient().Update(ctx, mariaDBDatabase)
-		if err != nil && !k8s_errors.IsNotFound(err) {
-			return err
-		}
-		util.LogForObject(h, fmt.Sprintf("Removed finalizer %s from MariaDBDatabase %s", h.GetFinalizer(), mariaDBDatabase.Spec.Name), mariaDBDatabase)
-	}
-
 	return nil
 }
 
@@ -811,6 +832,32 @@ func EnsureMariaDBAccount(ctx context.Context,
 	userNamePrefix string,
 ) (*MariaDBAccount, *corev1.Secret, error) {
 
+	return ensureMariaDBAccount(
+		ctx, helper, accountName, namespace, requireTLS,
+		userNamePrefix, "", map[string]string{})
+
+}
+
+// EnsureMariaDBSystemAccount ensures a MariaDBAccount has been created for a given
+// operator calling the function, and returns the MariaDBAccount and its
+// Secret for use in consumption into a configuration.
+// Unlike EnsureMariaDBAccount, the function accepts an exact username that
+// expected to remain constant, supporting in-place password changes for the
+// account.
+func EnsureMariaDBSystemAccount(ctx context.Context,
+	helper *helper.Helper,
+	accountName string, galeraInstanceName string, namespace string, requireTLS bool,
+	exactUserName string) (*MariaDBAccount, *corev1.Secret, error) {
+	return ensureMariaDBAccount(
+		ctx, helper, accountName, namespace, requireTLS,
+		"", exactUserName, map[string]string{"dbName": galeraInstanceName})
+}
+
+func ensureMariaDBAccount(ctx context.Context,
+	helper *helper.Helper,
+	accountName string, namespace string, requireTLS bool,
+	userNamePrefix string, exactUserName string, labels map[string]string,
+) (*MariaDBAccount, *corev1.Secret, error) {
 	if accountName == "" {
 		return nil, nil, fmt.Errorf("accountName is empty")
 	}
@@ -822,9 +869,20 @@ func EnsureMariaDBAccount(ctx context.Context,
 			return nil, nil, err
 		}
 
-		username, err := generateUniqueUsername(userNamePrefix)
-		if err != nil {
-			return nil, nil, err
+		var username string
+		var accountType AccountType
+
+		if exactUserName == "" {
+			accountType = "User"
+			username, err = generateUniqueUsername(userNamePrefix)
+			if err != nil {
+				return nil, nil, err
+			}
+		} else if userNamePrefix != "" {
+			return nil, nil, fmt.Errorf("userNamePrefix and exactUserName are mutually exclusive")
+		} else {
+			accountType = "System"
+			username = exactUserName
 		}
 
 		account = &MariaDBAccount{
@@ -837,9 +895,10 @@ func EnsureMariaDBAccount(ctx context.Context,
 				// MariaDBAccount once this is filled in
 			},
 			Spec: MariaDBAccountSpec{
-				UserName:   username,
-				Secret:     fmt.Sprintf("%s-db-secret", accountName),
-				RequireTLS: requireTLS,
+				UserName:    username,
+				Secret:      fmt.Sprintf("%s-db-secret", accountName),
+				RequireTLS:  requireTLS,
+				AccountType: accountType,
 			},
 		}
 
@@ -874,7 +933,7 @@ func EnsureMariaDBAccount(ctx context.Context,
 		}
 	}
 
-	_, err = createOrPatchAccountAndSecret(ctx, helper, account, dbSecret, map[string]string{})
+	_, err = createOrPatchAccountAndSecret(ctx, helper, account, dbSecret, labels)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -890,6 +949,7 @@ func EnsureMariaDBAccount(ctx context.Context,
 	)
 
 	return account, dbSecret, nil
+
 }
 
 // generateUniqueUsername creates a MySQL-compliant database username based on

config/crd/bases/mariadb.openstack.org_galeras.yaml

@@ -78,8 +78,16 @@ spec:
                 maximum: 3
                 minimum: 0
                 type: integer
+              rootDatabaseAccount:
+                default: mariadbroot
+                description: |-
+                  RootDatabaseAccount - name of MariaDBAccount which will be used to
+                  generate root account / password.
+                type: string
               secret:
-                description: Name of the secret to look for password keys
+                description: |-
+                  Deprecated; no longer used; see the "root" MariaDBAccount
+                  secret
                 type: string
               storageClass:
                 description: Storage class to host the mariadb databases
@@ -118,7 +126,6 @@ spec:
             required:
             - containerImage
             - replicas
-            - secret
             - storageClass
             - storageRequest
             type: object

controllers/galera_controller.go

@@ -33,7 +33,6 @@ import (
 	helper "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
 	common_rbac "github.com/openstack-k8s-operators/lib-common/modules/common/rbac"
-	secret "github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	commonstatefulset "github.com/openstack-k8s-operators/lib-common/modules/common/statefulset"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
@@ -489,7 +488,7 @@ func (r *GaleraReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 		{
 			APIGroups: []string{"mariadb.openstack.org"},
 			Resources: []string{"mariadbaccounts"},
-			Verbs:     []string{"get"},
+			Verbs:     []string{"get", "list"},
 		},
 		{
 			APIGroups: []string{""},
@@ -567,34 +566,28 @@ func (r *GaleraReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 	clusterPropertiesEnv := make(map[string]env.Setter)
 
 	// Check and hash inputs
-	// NOTE do not hash the db root password, as its change requires
-	// more orchestration than a simple rolling restart
-	_, res, err := secret.VerifySecret(
-		ctx,
-		types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
-		[]string{
-			"DbRootPassword",
-		},
-		helper.GetClient(),
-		time.Duration(5)*time.Second)
+
+	_, _, err = mariadbv1.EnsureMariaDBSystemAccount(
+		ctx, helper, instance.Spec.RootDatabaseAccount,
+		instance.Name, instance.Namespace, false, "root")
+
 	if err != nil {
-		if k8s_errors.IsNotFound(err) {
-			instance.Status.Conditions.Set(condition.FalseCondition(
-				condition.InputReadyCondition,
-				condition.RequestedReason,
-				condition.SeverityInfo,
-				condition.InputReadyWaitingMessage))
-			return res, fmt.Errorf("OpenStack secret %s not found", instance.Spec.Secret)
-		}
 		instance.Status.Conditions.Set(condition.FalseCondition(
-			condition.InputReadyCondition,
+			mariadbv1.MariaDBAccountReadyCondition,
 			condition.ErrorReason,
 			condition.SeverityWarning,
-			condition.InputReadyErrorMessage,
+			mariadbv1.MariaDBAccountNotReadyMessage,
 			err.Error()))
+
 		return ctrl.Result{}, err
 	}
-	instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
+	instance.Status.Conditions.MarkTrue(
+		mariadbv1.MariaDBAccountReadyCondition,
+		mariadbv1.MariaDBAccountReadyMessage)
+
+	instance.Status.Conditions.MarkTrue(
+		condition.InputReadyCondition,
+		condition.InputReadyMessage)
 
 	//
 	// TLS input validation
@@ -1127,6 +1120,13 @@ func (r *GaleraReconciler) reconcileDelete(ctx context.Context, instance *databa
 		return ctrlResult, err
 	}
 
+	// remove finalizer from the system mariadbaccount and associated secret
+	err = mariadbv1.DeleteAccountFinalizers(
+		ctx, helper, instance.Spec.RootDatabaseAccount, instance.Namespace)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
 	// Service is deleted so remove the finalizer.
 	controllerutil.RemoveFinalizer(instance, helper.GetFinalizer())
 	helper.GetLogger().Info("Reconciled Service delete successfully")

controllers/mariadbaccount_controller.go

@@ -327,6 +327,7 @@ func (r *MariaDBAccountReconciler) reconcileDelete(
 	// implemented in the database either, so remove all finalizers and
 	// exit
 	if k8s_errors.IsNotFound(err) {
+		log.Info("Galera instance not found, so we will remove finalizers and exit")
 		if instance.IsUserAccount() {
 			// remove finalizer from the MariaDBDatabase instance
 			if controllerutil.RemoveFinalizer(mariadbDatabase, fmt.Sprintf("%s-%s", helper.GetFinalizer(), instance.Name)) {
@@ -572,7 +573,11 @@ func (r *MariaDBAccountReconciler) getGaleraForCreateOrDelete(
 	dbGalera, err = GetDatabaseObject(ctx, r.Client, dbName, instance.Namespace)
 
 	if err != nil {
-		log.Error(err, "Error retrieving Galera instance")
+		if k8s_errors.IsNotFound(err) {
+			log.Info(fmt.Sprintf("Galera instance '%s' does not exist", dbName))
+		} else {
+			log.Error(err, "Error retrieving Galera instance")
+		}
 
 		instance.Status.Conditions.Set(condition.FalseCondition(
 			databasev1beta1.MariaDBServerReadyCondition,
@@ -687,6 +692,7 @@ func (r *MariaDBAccountReconciler) ensureAccountSecret(
 // as current primary secret
 func (r *MariaDBAccountReconciler) removeAccountAndSecretFinalizer(ctx context.Context,
 	helper *helper.Helper, instance *databasev1beta1.MariaDBAccount) error {
+
 	controllerutil.RemoveFinalizer(instance, helper.GetFinalizer())
 
 	return r.removeSecretFinalizer(