Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Regenerate user passwords when user reconciles #896

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Regenerate user passwords when user reconciles #896

wants to merge 2 commits into from

Conversation

Martinif
Copy link

This closes #242

Note to reviewers: remember to look at the commits in this PR and consider if they can be squashed
Note to contributors: remember to re-generate client set if there are any API changes

Summary Of Changes

This Pull Request adds an option to always regenerate a user's user-credentials secret when a reconciliation for the user is triggered. The main use case is to update a user's password when the underlying import secret has changed.

Additional Context

A user's login credential are stored in the user-credentials secrets, which are generated at the user creation from an import secret. The documentation instructs us to add a label to trigger user reconciliation when we want to update a users password: https://github.com/rabbitmq/messaging-topology-operator/blob/main/docs/examples/users/README.md

This does however currently not affect a regeneration of the user-credentials secret: s. issue #242

Therefore I added these changes to allow us to force a regeneration when the user is reconciled (e.g. when a label is added).

@vmwclabot
Copy link

@Martinif, you must sign our contributor license agreement before your changes are merged. Click here to sign the agreement. If you are a VMware employee, read this for further instruction.

@vmwclabot
Copy link

@Martinif, we have received your signed contributor license agreement. The review is usually completed within a week, but may take longer under certain circumstances. Another comment will be added to the pull request to notify you when the merge can proceed.

@Martinif Martinif marked this pull request as ready for review October 31, 2024 09:24
@vmwclabot
Copy link

@Martinif, VMware has approved your signed contributor license agreement.

@Zerpet Zerpet self-requested a review October 31, 2024 16:59
@Zerpet Zerpet self-assigned this Oct 31, 2024
@Zerpet Zerpet added this to the v1.16.0 milestone Oct 31, 2024
Zerpet
Zerpet requested changes Nov 4, 2024
View reviewed changes
Copy link
Contributor

@Zerpet Zerpet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This approach is not going to work. In 9ce8ed9 we removed the RBAC to update secrets, because the Operator was too privileged: it was able to read/list/create/update any secret in any namespace. We removed its ability to update secrets at cluster level, accepting the limitation that the Operator won't be able to update secrets it had created.

Another blocker to accept this contribution is the lack of tests. I caught the above mentioned problem by doing manual QA, which is not desirable.

The most we are willing accept is updating the password if the underlying "user-credentials" Secret changes, taking into consideration the points I raised here: #242 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Zerpet Zerpet Zerpet requested changes

Assignees

@Zerpet Zerpet

Labels
None yet
Projects
None yet
Milestone
v1.16.0
Development

Successfully merging this pull request may close these issues.

Update user info if targetsecret changes
3 participants
@Martinif @vmwclabot @Zerpet