use system MariaDBAccount for the galera server's root pw

This commit ties together the previous ones to create a new
MariaDBAccount when a Galera instance is created, and then to
use the password from that account/secret in the mariadb
bootstrap/maintenance scripts.

Galera gets bootstrapped with this secret, then the mariadbaccount
controller, who is waiting for galera to be available to set up this
new "root" account, wakes up when galera is running, and changes
the root password to itself, establishing the initial job hash
for the mariadbaccount.

Author: zzzeek

api/bases/mariadb.openstack.org_galeras.yaml

@@ -78,8 +78,18 @@ spec:
                 maximum: 3
                 minimum: 0
                 type: integer
+              rootDatabaseAccount:
+                description: |-
+                  RootDatabaseAccount - name of MariaDBAccount which will be used to
+                  generate root account / password.
+                  this account is generated if not exists, and a name is chosen based
+                  on a naming convention if not present
+                type: string
               secret:
-                description: Name of the secret to look for password keys
+                description: |-
+                  Name of the legacy secret to locate the initial galera root
+                  password
+                  this field will be removed once scripts can adjust to using root_auth.sh
                 type: string
               storageClass:
                 description: Storage class to host the mariadb databases
@@ -118,7 +128,6 @@ spec:
             required:
             - containerImage
             - replicas
-            - secret
             - storageClass
             - storageRequest
             type: object
@@ -237,6 +246,9 @@ spec:
                   the opentack-operator in the top-level CR (e.g. the ContainerImage)
                 format: int64
                 type: integer
+              rootDatabaseSecret:
+                description: name of the Secret that is being used for the root password
+                type: string
               safeToBootstrap:
                 description: Name of the node that can safely bootstrap a cluster
                 type: string

api/v1beta1/conditions.go

@@ -84,6 +84,8 @@ const (
 
 	MariaDBAccountReadyInitMessage = "MariaDBAccount create / drop not started"
 
+	MariaDBSystemAccountReadyMessage = "MariaDBAccount System account '%s' creation complete"
+
 	MariaDBAccountReadyMessage = "MariaDBAccount creation complete"
 
 	MariaDBAccountNotReadyMessage = "MariaDBAccount is not present: %s"

api/v1beta1/galera_types.go

@@ -17,12 +17,12 @@ limitations under the License.
 package v1beta1
 
 import (
+	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
-	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
-	"k8s.io/apimachinery/pkg/util/validation/field"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
 const (
@@ -50,9 +50,19 @@ type GaleraSpec struct {
 
 // GaleraSpec defines the desired state of Galera
 type GaleraSpecCore struct {
-	// Name of the secret to look for password keys
-	// +kubebuilder:validation:Required
+	// Name of the legacy secret to locate the initial galera root
+	// password
+	// this field will be removed once scripts can adjust to using root_auth.sh
+	// +kubebuilder:validation:Optional
 	Secret string `json:"secret"`
+
+	// RootDatabaseAccount - name of MariaDBAccount which will be used to
+	// generate root account / password.
+	// this account is generated if not exists, and a name is chosen based
+	// on a naming convention if not present
+	// +kubebuilder:validation:Optional
+	RootDatabaseAccount string `json:"rootDatabaseAccount"`
+
 	// Storage class to host the mariadb databases
 	// +kubebuilder:validation:Required
 	StorageClass string `json:"storageClass"`
@@ -109,6 +119,9 @@ type GaleraAttributes struct {
 type GaleraStatus struct {
 	// A map of database node attributes for each pod
 	Attributes map[string]GaleraAttributes `json:"attributes,omitempty"`
+	// name of the Secret that is being used for the root password
+	// +kubebuilder:validation:Optional
+	RootDatabaseSecret string `json:"rootDatabaseSecret"`
 	// Name of the node that can safely bootstrap a cluster
 	SafeToBootstrap string `json:"safeToBootstrap,omitempty"`
 	// Is the galera cluster currently running

api/v1beta1/mariadbaccount_types.go

@@ -28,9 +28,6 @@ const (
 	// AccountDeleteHash hash
 	AccountDeleteHash = "accountdelete"
 
-	// DbRootPassword selector for galera root account
-	DbRootPasswordSelector = "DbRootPassword"
-
 	// DatabasePassword selector for MariaDBAccount->Secret
 	DatabasePasswordSelector = "DatabasePassword"
 )

api/v1beta1/mariadbdatabase_funcs.go

@@ -541,6 +541,50 @@ func DeleteDatabaseAndAccountFinalizers(
 	namespace string,
 ) error {
 
+	err := DeleteAccountFinalizers(
+		ctx,
+		h,
+		accountName,
+		namespace,
+	)
+	if err != nil {
+		return err
+	}
+
+	// also do a delete for "unused" MariaDBAccounts, associated with
+	// this MariaDBDatabase.
+	err = DeleteUnusedMariaDBAccountFinalizers(
+		ctx, h, name, accountName, namespace,
+	)
+	if err != nil && !k8s_errors.IsNotFound(err) {
+		return err
+	}
+
+	mariaDBDatabase, err := GetDatabase(ctx, h, name, namespace)
+	if err != nil && !k8s_errors.IsNotFound(err) {
+		return err
+	} else if err == nil && controllerutil.RemoveFinalizer(mariaDBDatabase, h.GetFinalizer()) {
+		err := h.GetClient().Update(ctx, mariaDBDatabase)
+		if err != nil && !k8s_errors.IsNotFound(err) {
+			return err
+		}
+		util.LogForObject(h, fmt.Sprintf("Removed finalizer %s from MariaDBDatabase %s", h.GetFinalizer(), mariaDBDatabase.Spec.Name), mariaDBDatabase)
+	}
+
+	return nil
+}
+
+// DeleteAccountFinalizers performs just the primary account + secret finalizer
+// removal part of DeleteDatabaseAndAccountFinalizers
+func DeleteAccountFinalizers(
+	ctx context.Context,
+	h *helper.Helper,
+	accountName string,
+	namespace string,
+) error {
+	if accountName == "" {
+		return fmt.Errorf("Account name is blank")
+	}
 	databaseAccount, err := GetAccount(ctx, h, accountName, namespace)
 	if err != nil && !k8s_errors.IsNotFound(err) {
 		return err
@@ -572,26 +616,6 @@ func DeleteDatabaseAndAccountFinalizers(
 		}
 	}
 
-	// also do a delete for "unused" MariaDBAccounts, associated with
-	// this MariaDBDatabase.
-	err = DeleteUnusedMariaDBAccountFinalizers(
-		ctx, h, name, accountName, namespace,
-	)
-	if err != nil && !k8s_errors.IsNotFound(err) {
-		return err
-	}
-
-	mariaDBDatabase, err := GetDatabase(ctx, h, name, namespace)
-	if err != nil && !k8s_errors.IsNotFound(err) {
-		return err
-	} else if err == nil && controllerutil.RemoveFinalizer(mariaDBDatabase, h.GetFinalizer()) {
-		err := h.GetClient().Update(ctx, mariaDBDatabase)
-		if err != nil && !k8s_errors.IsNotFound(err) {
-			return err
-		}
-		util.LogForObject(h, fmt.Sprintf("Removed finalizer %s from MariaDBDatabase %s", h.GetFinalizer(), mariaDBDatabase.Spec.Name), mariaDBDatabase)
-	}
-
 	return nil
 }
 
@@ -811,6 +835,32 @@ func EnsureMariaDBAccount(ctx context.Context,
 	userNamePrefix string,
 ) (*MariaDBAccount, *corev1.Secret, error) {
 
+	return ensureMariaDBAccount(
+		ctx, helper, accountName, namespace, requireTLS,
+		userNamePrefix, "", "", map[string]string{})
+
+}
+
+// EnsureMariaDBSystemAccount ensures a MariaDBAccount has been created for a given
+// operator calling the function, and returns the MariaDBAccount and its
+// Secret for use in consumption into a configuration.
+// Unlike EnsureMariaDBAccount, the function accepts an exact username that
+// expected to remain constant, supporting in-place password changes for the
+// account.
+func EnsureMariaDBSystemAccount(ctx context.Context,
+	helper *helper.Helper,
+	accountName string, galeraInstanceName string, namespace string, requireTLS bool,
+	exactUserName string, exactPassword string) (*MariaDBAccount, *corev1.Secret, error) {
+	return ensureMariaDBAccount(
+		ctx, helper, accountName, namespace, requireTLS,
+		"", exactUserName, exactPassword, map[string]string{"dbName": galeraInstanceName})
+}
+
+func ensureMariaDBAccount(ctx context.Context,
+	helper *helper.Helper,
+	accountName string, namespace string, requireTLS bool,
+	userNamePrefix string, exactUserName string, exactPassword string, labels map[string]string,
+) (*MariaDBAccount, *corev1.Secret, error) {
 	if accountName == "" {
 		return nil, nil, fmt.Errorf("accountName is empty")
 	}
@@ -822,9 +872,20 @@ func EnsureMariaDBAccount(ctx context.Context,
 			return nil, nil, err
 		}
 
-		username, err := generateUniqueUsername(userNamePrefix)
-		if err != nil {
-			return nil, nil, err
+		var username string
+		var accountType AccountType
+
+		if exactUserName == "" {
+			accountType = "User"
+			username, err = generateUniqueUsername(userNamePrefix)
+			if err != nil {
+				return nil, nil, err
+			}
+		} else if userNamePrefix != "" {
+			return nil, nil, fmt.Errorf("userNamePrefix and exactUserName are mutually exclusive")
+		} else {
+			accountType = "System"
+			username = exactUserName
 		}
 
 		account = &MariaDBAccount{
@@ -837,9 +898,10 @@ func EnsureMariaDBAccount(ctx context.Context,
 				// MariaDBAccount once this is filled in
 			},
 			Spec: MariaDBAccountSpec{
-				UserName:   username,
-				Secret:     fmt.Sprintf("%s-db-secret", accountName),
-				RequireTLS: requireTLS,
+				UserName:    username,
+				Secret:      fmt.Sprintf("%s-db-secret", accountName),
+				RequireTLS:  requireTLS,
+				AccountType: accountType,
 			},
 		}
 
@@ -849,6 +911,7 @@ func EnsureMariaDBAccount(ctx context.Context,
 		if account.Spec.Secret == "" {
 			account.Spec.Secret = fmt.Sprintf("%s-db-secret", accountName)
 		}
+
 	}
 
 	dbSecret, _, err := secret.GetSecret(ctx, helper, account.Spec.Secret, namespace)
@@ -858,9 +921,14 @@ func EnsureMariaDBAccount(ctx context.Context,
 			return nil, nil, err
 		}
 
-		dbPassword, err := generateDBPassword()
-		if err != nil {
-			return nil, nil, err
+		var dbPassword string
+		if exactPassword == "" {
+			dbPassword, err = generateDBPassword()
+			if err != nil {
+				return nil, nil, err
+			}
+		} else {
+			dbPassword = exactPassword
 		}
 
 		dbSecret = &corev1.Secret{
@@ -874,7 +942,7 @@ func EnsureMariaDBAccount(ctx context.Context,
 		}
 	}
 
-	_, err = createOrPatchAccountAndSecret(ctx, helper, account, dbSecret, map[string]string{})
+	_, err = createOrPatchAccountAndSecret(ctx, helper, account, dbSecret, labels)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -890,6 +958,7 @@ func EnsureMariaDBAccount(ctx context.Context,
 	)
 
 	return account, dbSecret, nil
+
 }
 
 // generateUniqueUsername creates a MySQL-compliant database username based on

config/crd/bases/mariadb.openstack.org_galeras.yaml

@@ -78,8 +78,18 @@ spec:
                 maximum: 3
                 minimum: 0
                 type: integer
+              rootDatabaseAccount:
+                description: |-
+                  RootDatabaseAccount - name of MariaDBAccount which will be used to
+                  generate root account / password.
+                  this account is generated if not exists, and a name is chosen based
+                  on a naming convention if not present
+                type: string
               secret:
-                description: Name of the secret to look for password keys
+                description: |-
+                  Name of the legacy secret to locate the initial galera root
+                  password
+                  this field will be removed once scripts can adjust to using root_auth.sh
                 type: string
               storageClass:
                 description: Storage class to host the mariadb databases
@@ -118,7 +128,6 @@ spec:
             required:
             - containerImage
             - replicas
-            - secret
             - storageClass
             - storageRequest
             type: object
@@ -237,6 +246,9 @@ spec:
                   the opentack-operator in the top-level CR (e.g. the ContainerImage)
                 format: int64
                 type: integer
+              rootDatabaseSecret:
+                description: name of the Secret that is being used for the root password
+                type: string
               safeToBootstrap:
                 description: Name of the node that can safely bootstrap a cluster
                 type: string