K8SPXC-1733 Ability to customize secrets generation

[fydrah]

Customize secrets generation:

• keep current secret generation behavior as default
• Ability to customize the special symbols to include in secret generation
• Ability to customize min/max secret length

Linked to #2222

CHANGE DESCRIPTION

Problem:
Short explanation of the problem.

By default, the operator generates his secrets for system users (root, xtrabackup, proxyadmin, replication,...etc...).
The current secrets generation is based on constants, prohibiting any customization:

const (
	passwordMaxLen = 20
	passwordMinLen = 16
	passSymbols    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
		"abcdefghijklmnopqrstuvwxyz" +
		"0123456789" +
		"!#$%&()*+,-.<=>?@[]^_{}~"
)

Cause:
Short explanation of the root cause of the issue if applicable.

Solution:
Short explanation of the solution we are providing with this PR.

Proposal would be to have a minimal customization, e.g.:

• Enable/disable special symbols
• Customize min/max password length

Suggested implementation would be a dedicated configuration structure for generated secrets:

[...]
spec:
  generatedSecretsOptions:
    symbols: "-_+$%" # customize symbols you need. Keep the current behavior if omitted. Use empty string to disable symbols.
    minLength: 16
    maxLength: 20
[...]

CHECKLIST

Jira

• Is the Jira ticket created and referenced properly?
• Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
• Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

• Is an E2E test/test case added for the new feature/change?
• Are unit tests added where appropriate?
• Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

• Are all needed new/changed options added to default YAML files?
• Are all needed new/changed options added to the Helm Chart?
• Did we add proper logging messages for operator actions?
• Did we ensure compatibility with the previous version or cluster upgrade process?
• Does the change support oldest and newest supported PXC version?
• Does the change support oldest and newest supported Kubernetes version?

[it-percona-cla]

All committers have signed the CLA.

[gkech]

The changes to the image should be reverted to main across all the similar occurrences.

[gkech]

string(...) is not needed

[gkech]

Given that the configuration we introduce is related to the passwords that are provisioned through secrets and not for the secrets themselves, maybe we could adjust the naming of the new options accordingly. Some options:

• PasswordGenerationOptions - Most accurate and clear
• GeneratedPasswordOptions - Also clear and descriptive
• PasswordOptions - Simpler but still clear

PasswordGenerationOptions is the most suitable one IMO.

[egegunes]

I think PasswordGenerationOptions is good

[gkech]

cc @hors

[hors]

I think it would be better to reuse the naming from the “Password Validation Options” feature in MySQL. What do you think about:

spec:
  secretGenerationOptions:
    lengthMin: 16
    lengthMax: 32
    allowedSymbols: "!@#$%" # Overrides or supplements the default set

or

spec:
  passwordGenerationOptions:
    lengthMin: 16
    lengthMax: 32
    allowedSymbols: "!@#$%" # Overrides or supplements the default set

cc @egegunes @gkech

[gkech]

spec:
passwordGenerationOptions:
lengthMin: 16
lengthMax: 32
allowedSymbols: "!@#$%" # Overrides or supplements the default set

I would go with this ☝🏽

[fydrah]

option name change has been addressed

[gkech]

I believe in this test should we should focus on the following 2 scenarios:

• Default configuration of passwords with nil the new option
• The new option configured and asserting the specified symbols and lengths

[fydrah]

I made changes to the tests with dedicated context for both default behavior and custom password options. Were you thinking on a more detailed checks for the default behavior or is the current one sufficient?

[gkech]

But we are not actually testing that the existing nil configuration option actually does what we want.

We merely do the following in Create cluster with default secret generation behavior

		It("Should generate user secrets", func() {
			userSecrets := &corev1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Name:      cr.Name + "-secrets",
					Namespace: cr.Namespace,
				},
			}
			Expect(k8sClient.Get(ctx, client.ObjectKeyFromObject(userSecrets), userSecrets)).To(Succeed())
		})

Which is only fetching the secret without verifying that the default options are respected.

[fydrah]

I added a similar test for the default behavior

[gkech]

the unit test failures for proxysql password are unrelated to this pr and will be fixed under this pr: #2124

[egegunes]

this comment indicates the field is a boolean but actually is a string now, it needs to be updated

[fydrah]

comment fixed, I also added missing ones for max and min length

[egegunes]

I think max of MaxLength should be 32.

If you are using MySQL Replication, be aware that a password used by a replica as part of CHANGE REPLICATION SOURCE TO is effectively limited to 32 characters in length; if the password is longer, any excess characters are truncated.

https://dev.mysql.com/doc/refman/8.4/en/assigning-passwords.html

Only replication user is used for that but I think we can limit all users to max 32 to be safe in general.

[hors]

@fydrah, also, please add new options to deploy/cr.yaml as a commented by default

[fydrah]

good catch for the maxlength! it has been updated. cr updated too with default values in comment

[JNKPercona]

Test Name	Result	Time
auto-tuning-8-0	passed	00:18:44
backup-storage-tls-8-0	passed	00:22:30
cross-site-8-0	passed	00:34:22
custom-users-8-0	passed	00:12:29
demand-backup-cloud-8-0	passed	00:56:53
demand-backup-encrypted-with-tls-8-0	passed	00:44:31
demand-backup-8-0	passed	00:42:24
demand-backup-flow-control-8-0	passed	00:10:18
demand-backup-parallel-8-0	passed	00:08:40
demand-backup-without-passwords-8-0	passed	00:15:43
haproxy-5-7	passed	00:14:30
haproxy-8-0	passed	00:14:17
init-deploy-5-7	passed	00:16:14
init-deploy-8-0	passed	00:16:24
limits-8-0	passed	00:12:04
monitoring-2-0-8-0	passed	00:22:47
monitoring-pmm3-8-0	passed	00:18:20
one-pod-5-7	passed	00:14:31
one-pod-8-0	passed	00:13:52
pitr-8-0	passed	00:42:37
pitr-gap-errors-8-0	passed	00:53:33
proxy-protocol-8-0	passed	00:09:21
proxysql-sidecar-res-limits-8-0	passed	00:08:15
pvc-resize-5-7	passed	00:14:50
pvc-resize-8-0	passed	00:16:07
recreate-8-0	passed	00:16:41
restore-to-encrypted-cluster-8-0	passed	00:25:28
scaling-proxysql-8-0	passed	00:08:29
scaling-8-0	passed	00:10:30
scheduled-backup-5-7	passed	01:04:58
scheduled-backup-8-0	passed	01:03:12
security-context-8-0	passed	00:25:21
smart-update1-8-0	passed	00:33:20
smart-update2-8-0	passed	00:38:24
storage-8-0	passed	00:10:52
tls-issue-cert-manager-ref-8-0	passed	00:08:41
tls-issue-cert-manager-8-0	passed	00:11:19
tls-issue-self-8-0	passed	00:12:53
upgrade-consistency-8-0	passed	00:11:28
upgrade-haproxy-5-7	passed	00:24:27
upgrade-haproxy-8-0	passed	00:24:49
upgrade-proxysql-5-7	passed	00:15:37
upgrade-proxysql-8-0	passed	00:19:58
users-5-7	passed	00:26:36
users-8-0	passed	00:26:03
validation-hook-8-0	passed	00:01:43

Summary	Value
Tests Run	46/46
Job Duration	02:58:30
Total Test Time	17:15:29

commit: c0f6501
image: perconalab/percona-xtradb-cluster-operator:PR-2227-c0f65019

[hors]

@fydrah thank you for your contribution!