K8SPXC-1733 Ability to customize secrets generation

Customize secrets generation:
* keep current secret generation behavior as default
* Ability to customize the special symbols to include in secret
  generation
* Ability to customize min/max secret length

Linked to #2222

Author: fydrah

config/crd/bases/pxc.percona.com_perconaxtradbclusters.yaml

@@ -4414,6 +4414,29 @@ spec:
                   runtimeClassName:
                     type: string
                 type: object
+              passwordGenerationOptions:
+                properties:
+                  maxLength:
+                    default: 20
+                    maximum: 128
+                    minimum: 8
+                    type: integer
+                  minLength:
+                    default: 16
+                    maximum: 128
+                    minimum: 8
+                    type: integer
+                  symbols:
+                    default: '!#$%&()*+,-.<=>?@[]^_{}~'
+                    maxLength: 32
+                    type: string
+                required:
+                - maxLength
+                - minLength
+                - symbols
+                type: object
+                x-kubernetes-validations:
+                - rule: self.maxLength > self.minLength
               pause:
                 type: boolean
               platform:

deploy/bundle.yaml

@@ -5454,6 +5454,29 @@ spec:
                   runtimeClassName:
                     type: string
                 type: object
+              passwordGenerationOptions:
+                properties:
+                  maxLength:
+                    default: 20
+                    maximum: 128
+                    minimum: 8
+                    type: integer
+                  minLength:
+                    default: 16
+                    maximum: 128
+                    minimum: 8
+                    type: integer
+                  symbols:
+                    default: '!#$%&()*+,-.<=>?@[]^_{}~'
+                    maxLength: 32
+                    type: string
+                required:
+                - maxLength
+                - minLength
+                - symbols
+                type: object
+                x-kubernetes-validations:
+                - rule: self.maxLength > self.minLength
               pause:
                 type: boolean
               platform:

deploy/crd.yaml

@@ -5454,6 +5454,29 @@ spec:
                   runtimeClassName:
                     type: string
                 type: object
+              passwordGenerationOptions:
+                properties:
+                  maxLength:
+                    default: 20
+                    maximum: 128
+                    minimum: 8
+                    type: integer
+                  minLength:
+                    default: 16
+                    maximum: 128
+                    minimum: 8
+                    type: integer
+                  symbols:
+                    default: '!#$%&()*+,-.<=>?@[]^_{}~'
+                    maxLength: 32
+                    type: string
+                required:
+                - maxLength
+                - minLength
+                - symbols
+                type: object
+                x-kubernetes-validations:
+                - rule: self.maxLength > self.minLength
               pause:
                 type: boolean
               platform:

deploy/cw-bundle.yaml

@@ -5454,6 +5454,29 @@ spec:
                   runtimeClassName:
                     type: string
                 type: object
+              passwordGenerationOptions:
+                properties:
+                  maxLength:
+                    default: 20
+                    maximum: 128
+                    minimum: 8
+                    type: integer
+                  minLength:
+                    default: 16
+                    maximum: 128
+                    minimum: 8
+                    type: integer
+                  symbols:
+                    default: '!#$%&()*+,-.<=>?@[]^_{}~'
+                    maxLength: 32
+                    type: string
+                required:
+                - maxLength
+                - minLength
+                - symbols
+                type: object
+                x-kubernetes-validations:
+                - rule: self.maxLength > self.minLength
               pause:
                 type: boolean
               platform:

pkg/apis/pxc/v1/pxc_types.go

@@ -29,26 +29,27 @@ import (
 
 // PerconaXtraDBClusterSpec defines the desired state of PerconaXtraDBCluster
 type PerconaXtraDBClusterSpec struct {
-	Platform               version.Platform                     `json:"platform,omitempty"`
-	CRVersion              string                               `json:"crVersion,omitempty"`
-	Pause                  bool                                 `json:"pause,omitempty"`
-	SecretsName            string                               `json:"secretsName,omitempty"`
-	VaultSecretName        string                               `json:"vaultSecretName,omitempty"`
-	SSLSecretName          string                               `json:"sslSecretName,omitempty"`
-	SSLInternalSecretName  string                               `json:"sslInternalSecretName,omitempty"`
-	LogCollectorSecretName string                               `json:"logCollectorSecretName,omitempty"`
-	TLS                    *TLSSpec                             `json:"tls,omitempty"`
-	PXC                    *PXCSpec                             `json:"pxc,omitempty"`
-	ProxySQL               *ProxySQLSpec                        `json:"proxysql,omitempty"`
-	HAProxy                *HAProxySpec                         `json:"haproxy,omitempty"`
-	PMM                    *PMMSpec                             `json:"pmm,omitempty"`
-	LogCollector           *LogCollectorSpec                    `json:"logcollector,omitempty"`
-	Backup                 *PXCScheduledBackup                  `json:"backup,omitempty"`
-	UpdateStrategy         appsv1.StatefulSetUpdateStrategyType `json:"updateStrategy,omitempty"`
-	UpgradeOptions         UpgradeOptions                       `json:"upgradeOptions,omitempty"`
-	AllowUnsafeConfig      bool                                 `json:"allowUnsafeConfigurations,omitempty"`
-	Unsafe                 UnsafeFlags                          `json:"unsafeFlags,omitempty"`
-	VolumeExpansionEnabled bool                                 `json:"enableVolumeExpansion,omitempty"`
+	Platform                  version.Platform                     `json:"platform,omitempty"`
+	CRVersion                 string                               `json:"crVersion,omitempty"`
+	Pause                     bool                                 `json:"pause,omitempty"`
+	SecretsName               string                               `json:"secretsName,omitempty"`
+	PasswordGenerationOptions *PasswordGenerationOptions           `json:"passwordGenerationOptions,omitempty"`
+	VaultSecretName           string                               `json:"vaultSecretName,omitempty"`
+	SSLSecretName             string                               `json:"sslSecretName,omitempty"`
+	SSLInternalSecretName     string                               `json:"sslInternalSecretName,omitempty"`
+	LogCollectorSecretName    string                               `json:"logCollectorSecretName,omitempty"`
+	TLS                       *TLSSpec                             `json:"tls,omitempty"`
+	PXC                       *PXCSpec                             `json:"pxc,omitempty"`
+	ProxySQL                  *ProxySQLSpec                        `json:"proxysql,omitempty"`
+	HAProxy                   *HAProxySpec                         `json:"haproxy,omitempty"`
+	PMM                       *PMMSpec                             `json:"pmm,omitempty"`
+	LogCollector              *LogCollectorSpec                    `json:"logcollector,omitempty"`
+	Backup                    *PXCScheduledBackup                  `json:"backup,omitempty"`
+	UpdateStrategy            appsv1.StatefulSetUpdateStrategyType `json:"updateStrategy,omitempty"`
+	UpgradeOptions            UpgradeOptions                       `json:"upgradeOptions,omitempty"`
+	AllowUnsafeConfig         bool                                 `json:"allowUnsafeConfigurations,omitempty"`
+	Unsafe                    UnsafeFlags                          `json:"unsafeFlags,omitempty"`
+	VolumeExpansionEnabled    bool                                 `json:"enableVolumeExpansion,omitempty"`
 
 	// Deprecated, should be removed in the future. Use InitContainer.Image instead
 	InitImage string `json:"initImage,omitempty"`
@@ -61,6 +62,35 @@ type PerconaXtraDBClusterSpec struct {
 	Users []User `json:"users,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="self.maxLength > self.minLength"
+type PasswordGenerationOptions struct {
+	// When set to true (the default), special symbols such as *!$%^ will be included in password generation
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MaxLength=32
+	// +kubebuilder:default="!#$%&()*+,-.<=>?@[]^_{}~"
+	Symbols string `json:"symbols"`
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Maximum=128
+	// +kubebuilder:validation:Minimum=8
+	// +kubebuilder:default=20
+	MaxLength int `json:"maxLength"`
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Maximum=128
+	// +kubebuilder:validation:Minimum=8
+	// +kubebuilder:default=16
+	MinLength int `json:"minLength"`
+}
+
+func (cr *PerconaXtraDBCluster) setPasswordGenerationOptionsDefaults() {
+	if cr.Spec.PasswordGenerationOptions == nil {
+		cr.Spec.PasswordGenerationOptions = &PasswordGenerationOptions{
+			Symbols:   "!#$%&()*+,-.<=>?@[]^_{}~",
+			MaxLength: 20,
+			MinLength: 16,
+		}
+	}
+}
+
 type SecretKeySelector struct {
 	Name string `json:"name"`
 	Key  string `json:"key,omitempty"`
@@ -1190,6 +1220,7 @@ func (cr *PerconaXtraDBCluster) CheckNSetDefaults(serverVersion *version.ServerV
 
 	cr.setProbesDefaults()
 	cr.setPodSecurityContext()
+	cr.setPasswordGenerationOptionsDefaults()
 
 	if cr.Spec.EnableCRValidationWebhook == nil {
 		falseVal := false

pkg/apis/pxc/v1/zz_generated.deepcopy.go

@@ -39,7 +39,7 @@ func (r *ReconcilePerconaXtraDBCluster) reconcileUsersSecret(ctx context.Context
 		if err := validatePasswords(secretObj); err != nil {
 			return nil, errors.Wrap(err, "validate passwords")
 		}
-		isChanged, err := setUserSecretDefaults(secretObj)
+		isChanged, err := setUserSecretDefaults(secretObj, cr.Spec.PasswordGenerationOptions)
 		if err != nil {
 			return nil, errors.Wrap(err, "set user secret defaults")
 		}
@@ -64,7 +64,7 @@ func (r *ReconcilePerconaXtraDBCluster) reconcileUsersSecret(ctx context.Context
 		Type: corev1.SecretTypeOpaque,
 	}
 
-	if _, err = setUserSecretDefaults(secretObj); err != nil {
+	if _, err = setUserSecretDefaults(secretObj, cr.Spec.PasswordGenerationOptions); err != nil {
 		return nil, errors.Wrap(err, "set user secret defaults")
 	}
 
@@ -77,14 +77,14 @@ func (r *ReconcilePerconaXtraDBCluster) reconcileUsersSecret(ctx context.Context
 	return secretObj, nil
 }
 
-func setUserSecretDefaults(secret *corev1.Secret) (isChanged bool, err error) {
+func setUserSecretDefaults(secret *corev1.Secret, secretsOptions *api.PasswordGenerationOptions) (isChanged bool, err error) {
 	if secret.Data == nil {
 		secret.Data = make(map[string][]byte)
 	}
 	users := []string{users.Root, users.Xtrabackup, users.Monitor, users.ProxyAdmin, users.Operator, users.Replication}
 	for _, user := range users {
 		if pass, ok := secret.Data[user]; !ok || len(pass) == 0 {
-			secret.Data[user], err = generatePass()
+			secret.Data[user], err = generatePass(secretsOptions)
 			if err != nil {
 				return false, errors.Wrapf(err, "create %s users password", user)
 			}
@@ -96,20 +96,18 @@ func setUserSecretDefaults(secret *corev1.Secret) (isChanged bool, err error) {
 }
 
 const (
-	passwordMaxLen = 20
-	passwordMinLen = 16
-	passSymbols    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
+	passBaseSymbols = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
 		"abcdefghijklmnopqrstuvwxyz" +
-		"0123456789" +
-		"!#$%&()*+,-.<=>?@[]^_{}~"
+		"0123456789"
 )
 
-// generatePass generates a random password
-func generatePass() ([]byte, error) {
+// generatePass generates a random password with or without special symbols
+func generatePass(secretsOptions *api.PasswordGenerationOptions) ([]byte, error) {
 	mrand.Seed(time.Now().UnixNano())
-	ln := mrand.Intn(passwordMaxLen-passwordMinLen) + passwordMinLen
+	ln := mrand.Intn(secretsOptions.MaxLength-secretsOptions.MinLength) + secretsOptions.MinLength
 	b := make([]byte, ln)
 	for i := 0; i < ln; i++ {
+		passSymbols := passBaseSymbols + secretsOptions.Symbols
 		randInt, err := rand.Int(rand.Reader, big.NewInt(int64(len(passSymbols))))
 		if err != nil {
 			return nil, errors.Wrap(err, "get rand int")