Skip to content

Regenerate user passwords when user reconciles #896

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Regenerate user passwords when user reconciles #896

wants to merge 2 commits into from

Conversation

@Martinif
Copy link

@Martinif Martinif commented Oct 31, 2024

This closes #242

Note to reviewers: remember to look at the commits in this PR and consider if they can be squashed
Note to contributors: remember to re-generate client set if there are any API changes

Summary Of Changes

This Pull Request adds an option to always regenerate a user's user-credentials secret when a reconciliation for the user is triggered. The main use case is to update a user's password when the underlying import secret has changed.

Additional Context

A user's login credential are stored in the user-credentials secrets, which are generated at the user creation from an import secret. The documentation instructs us to add a label to trigger user reconciliation when we want to update a users password: https://github.com/rabbitmq/messaging-topology-operator/blob/main/docs/examples/users/README.md

This does however currently not affect a regeneration of the user-credentials secret: s. issue #242

Therefore I added these changes to allow us to force a regeneration when the user is reconciled (e.g. when a label is added).

@vmwclabot
Copy link

vmwclabot commented Oct 31, 2024

@Martinif, you must sign our contributor license agreement before your changes are merged. Click here to sign the agreement. If you are a VMware employee, read this for further instruction.

@vmwclabot
Copy link

vmwclabot commented Oct 31, 2024

@Martinif, we have received your signed contributor license agreement. The review is usually completed within a week, but may take longer under certain circumstances. Another comment will be added to the pull request to notify you when the merge can proceed.

@Martinif Martinif marked this pull request as ready for review October 31, 2024 09:24
@vmwclabot
Copy link

vmwclabot commented Oct 31, 2024

@Martinif, VMware has approved your signed contributor license agreement.

@Zerpet Zerpet self-requested a review October 31, 2024 16:59
@Zerpet Zerpet self-assigned this Oct 31, 2024
@Zerpet Zerpet added this to the v1.16.0 milestone Oct 31, 2024
Zerpet
Zerpet requested changes Nov 4, 2024
View reviewed changes
Copy link
Member

@Zerpet Zerpet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This approach is not going to work. In 9ce8ed9 we removed the RBAC to update secrets, because the Operator was too privileged: it was able to read/list/create/update any secret in any namespace. We removed its ability to update secrets at cluster level, accepting the limitation that the Operator won't be able to update secrets it had created.

Another blocker to accept this contribution is the lack of tests. I caught the above mentioned problem by doing manual QA, which is not desirable.

The most we are willing accept is updating the password if the underlying "user-credentials" Secret changes, taking into consideration the points I raised here: #242 (comment)

@Zerpet
Copy link
Member

Zerpet commented Jan 3, 2025

This PR hasn't seen any activity since October 31st. I'm closing it as stale. Feel free to re-open if there's still interest in driving this PR.

@Zerpet Zerpet closed this Jan 3, 2025
@ktzsolt ktzsolt mentioned this pull request Feb 28, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Zerpet Zerpet Zerpet requested changes

Assignees

@Zerpet Zerpet

Labels

None yet

Projects

None yet

Milestone

v1.16.0

Development

Successfully merging this pull request may close these issues.

Update user info if targetsecret changes

3 participants

@Martinif @vmwclabot @Zerpet