Need a way to create a users inside RDS #2078

Open
gecube opened this issue May 28, 2024 · 2 comments
Labels
kind/support Categorizes issue or PR as a support question. service/rds Indicates issues or PRs that are related to rds-controller.

gecube commented May 28, 2024

Good day!

We are very excited about the RDS controller and its features, and we very much want to utilise it to fulfil the whole lifecycle of an RDS database. We checked, and many features, like restoration from snapshots, work like a charm. But we are missing one feature. We use the Teleport solution extensively for proper access to different services, and it supports RDS as well. Unfortunately, we need to go to the DB and create a user:

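```sql
-- PostgreSQL: create the user and allow IAM authentication
CREATE USER alice;
GRANT rds_iam TO alice;
```

or

```sql
-- MySQL: create the user with the AWS IAM authentication plugin
CREATE USER alice IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
GRANT ALL ON `%`.* TO 'alice'@'%';
FLUSH PRIVILEGES;
```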

https://goteleport.com/docs/database-access/guides/rds/

It cannot be done right now with the RDS controller. So I need to work around it with a dirty hack: create a separate Kubernetes job which would be run right after the creation of RDS itself, and the job will create these users by direct SQL queries.

I'd like to ask you to propose a good way to create such an RDS with a set of users right from the RDS controller in one go.

a-hilaly added the service/rds and kind/support labels May 29, 2024

a-hilaly (Member) commented

Good day @gecube !

Currently ACK controllers try to focus only on interacting with the AWS API (the control plane) and purposefully avoid interacting with resources such as tables/databases (the data plane). Interacting with such layers is super tricky and exponentially increases the complexity of the controllers. Plus, I believe we would have to do some sort of database/controller connection, which will probably raise security concerns...

My 2 cents is that, if we really want this feature implemented, it should live in a separate "controller" that can configure the databases... Thinking a sql-controller?


gecube commented May 29, 2024

@a-hilaly Hi! Maybe. I want to make ACK competitive. Look. If I am using https://github.com/flux-iac/tofu-controller or https://github.com/pulumi/pulumi-kubernetes-operator I don't have such issues, as TF and Pulumi have nice providers for DBs. So it means that ACK is not self-sufficient. Your argument that ACK is focused only on working with the Amazon API is fair enough. But it does not solve the issue. As I said, I want to get everything running in one go. Otherwise I need to glue together different solutions...

Another option is to provide good examples of how to achieve it with FluxCD + k8s jobs with less pain...
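The Kubernetes-job workaround discussed in this thread needs SQL that is safe to re-run (jobs get retried) and safe against hostile user names, since identifiers cannot be passed as bound parameters. The sketch below is an added example, not code from the ACK project, Teleport, or either commenter; the function names and the name allow-list are assumptions. It covers user creation only and leaves grants out.

```python
import re

# Assumed allow-list for role names. The job's user list is external input
# (for example a ConfigMap), so anything outside this pattern is rejected.
_NAME = re.compile(r"[a-z_][a-z0-9_]*")


def _check(name, max_len):
    if not _NAME.fullmatch(name) or len(name) > max_len:
        raise ValueError(f"refusing unsafe user name: {name!r}")
    return name


def postgres_statements(users):
    """Re-runnable form of `CREATE USER alice; GRANT rds_iam TO alice;`."""
    out = []
    for u in (_check(n, 63) for n in users):  # PostgreSQL identifier limit
        # PostgreSQL has no CREATE USER IF NOT EXISTS, so guard with a DO block.
        out.append(
            "DO $$ BEGIN "
            f"IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '{u}') "
            f'THEN CREATE USER "{u}"; END IF; END $$;'
        )
        # Granting a membership the role already holds only raises a notice.
        out.append(f'GRANT rds_iam TO "{u}";')
    return out


def mysql_statements(users, host="%"):
    """Re-runnable form of the AWSAuthenticationPlugin statement above."""
    if not re.fullmatch(r"[A-Za-z0-9_.%-]{1,255}", host):
        raise ValueError(f"refusing unsafe host pattern: {host!r}")
    return [
        f"CREATE USER IF NOT EXISTS '{u}'@'{host}' "
        "IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';"
        for u in (_check(n, 32) for n in users)  # MySQL user name limit
    ]


if __name__ == "__main__":
    sample_users = ["alice", "report_reader"]  # constructed sample input
    for stmt in postgres_statements(sample_users) + mysql_statements(sample_users):
        print(stmt)
```

The job would feed these statements to its database client using a master credential mounted from a Secret; that wiring is outside this sketch.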
