K8SPSMDB-1164: Allow creating user with $external database #1690

inelpandzic · 2024-10-30T12:24:46Z

CHANGE DESCRIPTION

Problem:
There was no ability to add a user to $external database because setting user.PasswordSecretRef was mandatory and for a user with $external database we don't provide user credentials, since they are handled by the external provider.

Solution:
Add a support to create user with $external database.

Note:
This PR also adds support for generating user pass/secret if it is not set. Task https://perconadev.atlassian.net/browse/K8SPSMDB-1171
Also covers task: https://perconadev.atlassian.net/browse/K8SPSMDB-1162

CHECKLIST

Jira

Is the Jira ticket created and referenced properly?
Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

Is an E2E test/test case added for the new feature/change?
Are unit tests added where appropriate?
Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

Are all needed new/changed options added to default YAML files?
Are all needed new/changed options added to the Helm Chart?
Did we add proper logging messages for operator actions?
Did we ensure compatibility with the previous version or cluster upgrade process?
Does the change support oldest and newest supported MongoDB version?
Does the change support oldest and newest supported Kubernetes version?

hors

@inelpandzic please add test case for https://github.com/percona/percona-server-mongodb-operator/blob/main/e2e-tests/ldap-tls/run test as well. We need to be sure that it works

secret.

inelpandzic · 2024-11-13T08:23:09Z

@inelpandzic please add test case for https://github.com/percona/percona-server-mongodb-operator/blob/main/e2e-tests/ldap-tls/run test as well. We need to be sure that it works

@hors I was thinking about this but now I'm positive we don't need to do it since it will not provide any value. The way that you enable external authentication ability is simply by creating a user with $external database that will set user authentication method to external. We are testing this in custom-users-roles/custom-users-roles-sharded tests and with that we are 100% sure that this works.

If we need to add this test as well to make sure it works, then we would need to cover Kerberos and other external auth providers.

egegunes · 2024-11-15T12:15:18Z

pkg/controller/perconaservermongodb/custom_users.go

+	if err != nil && name != defaultName {
+		return nil, errors.Wrap(err, "failed to get user secret")
+	}


I don't understand why we don't create the secret object if user just wants to customize its name. Was it like this in the spec? @spron-in @eleo007

Not sure what do you mean by "user just wants to customize its name", but how this behaves is like this:

If in the spec the user sets passwordSecretRef.name we will look for that secret. If we don't find it we will fail creating that user.

If the user does not set passwordSecretRef.name, we will create secret {cluster-name}-custom-user-secret, generate a password for the user and set it by the key named after user name.

And yes, I'll add this to the spec as well.

egegunes · 2024-11-18T18:23:05Z

@inelpandzic looks like now you need to fix role order in e2e test 😄

inelpandzic · 2024-11-18T18:29:03Z

@inelpandzic looks like now you need to fix role order in e2e test 😄

Yeah, I know... :)

github-actions · 2024-11-25T18:00:35Z