[KO-326] Added support for default-password-file (#289)

* Add 7.1 schema * Add support for default-password-file * Update server version(7.1) in tests and samples
aerospike · May 20, 2024 · 89b72d1 · 89b72d1
1 parent 5c0af06
commit 89b72d1
Show file tree

Hide file tree

Showing 40 changed files with 317 additions and 80 deletions.
diff --git a/api/v1/aerospikecluster_validating_webhook.go b/api/v1/aerospikecluster_validating_webhook.go
@@ -223,7 +223,7 @@ func (c *AerospikeCluster) validate(aslog logr.Logger) error {
 			return err
 		}
 
-		if err := validateRequiredFileStorageForFeatureConf(
+		if err := validateRequiredFileStorageForAerospikeConfig(
 			rack.AerospikeConfig, &rack.Storage,
 		); err != nil {
 			return err
@@ -1797,12 +1797,15 @@ func validateRequiredFileStorageForMetadata(
 	return nil
 }
 
-func validateRequiredFileStorageForFeatureConf(
+func validateRequiredFileStorageForAerospikeConfig(
 	configSpec AerospikeConfigSpec, storage *AerospikeStorageSpec,
 ) error {
-	// TODO Add validation for feature key file.
 	featureKeyFilePaths := getFeatureKeyFilePaths(configSpec)
 	nonCAPaths, caPaths := getTLSFilePaths(configSpec)
+	defaultPassFilePath := GetDefaultPasswordFilePath(&configSpec)
+
+	// TODO: What if default password file is given via Secret Manager?
+	// How operator will access that file? Should we allow that?
 
 	var allPaths []string
 
@@ -1818,16 +1821,34 @@ func validateRequiredFileStorageForFeatureConf(
 		}
 	}
 
+	if defaultPassFilePath != nil {
+		if !isSecretManagerPath(*defaultPassFilePath) {
+			allPaths = append(allPaths, *defaultPassFilePath)
+		} else {
+			return fmt.Errorf("default-password-file path doesn't support Secret Manager, path %s", *defaultPassFilePath)
+		}
+	}
+
 	// CA cert related fields are not supported with Secret Manager, so check their mount volume
 	allPaths = append(allPaths, caPaths...)
 
 	for _, path := range allPaths {
-		if !storage.isVolumePresentForAerospikePath(filepath.Dir(path)) {
+		volume := storage.GetVolumeForAerospikePath(filepath.Dir(path))
+		if volume == nil {
 			return fmt.Errorf(
-				"feature-key-file paths or tls paths are not mounted - create an entry for '%v' in 'storage.volumes'",
+				"feature-key-file paths or tls paths or default-password-file path "+
+					"are not mounted - create an entry for '%s' in 'storage.volumes'",
 				path,
 			)
 		}
+
+		if defaultPassFilePath != nil &&
+			(path == *defaultPassFilePath && volume.Source.Secret == nil) {
+			return fmt.Errorf(
+				"default-password-file path %s volume source should be secret in storage config, volume %v",
+				path, volume,
+			)
+		}
 	}
 
 	return nil

diff --git a/api/v1/storage.go b/api/v1/storage.go
@@ -203,12 +203,6 @@ func (s *AerospikeStorageSpec) getAerospikeStorageList(onlyPV bool) (
 	return blockStorageDeviceList, fileStorageList, nil
 }
 
-// isVolumePresentForAerospikePath checks if configuration has a volume defined for given path for Aerospike server
-// container.
-func (s *AerospikeStorageSpec) isVolumePresentForAerospikePath(path string) bool {
-	return s.GetVolumeForAerospikePath(path) != nil
-}
-
 // GetVolumeForAerospikePath returns volume defined for given path for Aerospike server container.
 func (s *AerospikeStorageSpec) GetVolumeForAerospikePath(path string) *VolumeSpec {
 	var matchedVolume *VolumeSpec

diff --git a/api/v1/utils.go b/api/v1/utils.go
@@ -53,6 +53,10 @@ const (
 	confKeyXdr         = "xdr"
 	confKeyXdrDlogPath = "xdr-digestlog-path"
 
+	// Security keys.
+	confKeySecurity                    = "security"
+	confKeySecurityDefaultPasswordFile = "default-password-file"
+
 	// Service section keys.
 	confKeyService       = "service"
 	confKeyWorkDirectory = "work-directory"
@@ -505,3 +509,30 @@ func getContainerNames(containers []v1.Container) []string {
 func GetBool(boolPtr *bool) bool {
 	return ptr.Deref(boolPtr, false)
 }
+
+// GetDefaultPasswordFilePath returns the default-password-fille path if configured.
+func GetDefaultPasswordFilePath(aerospikeConfigSpec *AerospikeConfigSpec) *string {
+	aerospikeConfig := aerospikeConfigSpec.Value
+
+	// Get security config.
+	securityConfTmp, ok := aerospikeConfig[confKeySecurity]
+	if !ok {
+		return nil
+	}
+
+	securityConf, ok := securityConfTmp.(map[string]interface{})
+	if !ok {
+		// Should never happen.
+		return nil
+	}
+
+	// Get password file.
+	passFileTmp, ok := securityConf[confKeySecurityDefaultPasswordFile]
+	if !ok {
+		return nil
+	}
+
+	passFile := passFileTmp.(string)
+
+	return &passFile
+}
diff --git a/config/samples/all_flash_cluster_cr.yaml b/config/samples/all_flash_cluster_cr.yaml
@@ -12,7 +12,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/dim_nostorage_cluster_cr.yaml b/config/samples/dim_nostorage_cluster_cr.yaml
@@ -5,7 +5,7 @@ metadata:
   namespace: aerospike
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   podSpec:
     multiPodPerHost: true

diff --git a/config/samples/dim_nostorage_cluster_skip_validation_cr.yaml b/config/samples/dim_nostorage_cluster_skip_validation_cr.yaml
@@ -20,7 +20,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
   podSpec:
     multiPodPerHost: true
 

diff --git a/config/samples/hdd_dim_storage_cluster_cr.yaml b/config/samples/hdd_dim_storage_cluster_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/host_network_cluster_cr.yaml b/config/samples/host_network_cluster_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/ldap_cluster_cr.yaml b/config/samples/ldap_cluster_cr.yaml
@@ -14,7 +14,7 @@ metadata:
   namespace: aerospike
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   podSpec:
     multiPodPerHost: true

diff --git a/config/samples/pmem_cluster_cr.yaml b/config/samples/pmem_cluster_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/podspec_cr.yaml b/config/samples/podspec_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/rack_enabled_cluster_cr.yaml b/config/samples/rack_enabled_cluster_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
   rackConfig:
     namespaces:
       - test

diff --git a/config/samples/sc_mode_cluster_cr.yaml b/config/samples/sc_mode_cluster_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 4
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   rosterNodeBlockList:
     - 1A0

diff --git a/config/samples/secrets/password.conf b/config/samples/secrets/password.conf
@@ -0,0 +1 @@
+admin12345
diff --git a/config/samples/shadow_device_cluster_cr.yaml b/config/samples/shadow_device_cluster_cr.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
   # Add fields here
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/shadow_file_cluster_cr.yaml b/config/samples/shadow_file_cluster_cr.yaml
@@ -7,7 +7,7 @@ metadata:
 spec:
   # Add fields here
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/ssd_storage_cluster_cr.yaml b/config/samples/ssd_storage_cluster_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/tls_cluster_cr.yaml b/config/samples/tls_cluster_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 4
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/xdr_dst_cluster_cr.yaml b/config/samples/xdr_dst_cluster_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/config/samples/xdr_src_cluster_cr.yaml b/config/samples/xdr_src_cluster_cr.yaml
@@ -6,7 +6,7 @@ metadata:
 
 spec:
   size: 2
-  image: aerospike/aerospike-server-enterprise:7.0.0.0
+  image: aerospike/aerospike-server-enterprise:7.1.0.0
 
   storage:
     filesystemVolumePolicy:

diff --git a/controllers/access_control.go b/controllers/access_control.go
@@ -75,7 +75,7 @@ func AerospikeAdminCredentials(
 
 	if currentState.AerospikeAccessControl == nil {
 		// We haven't yet set up access control. Use default password.
-		return asdbv1.AdminUsername, asdbv1.DefaultAdminPassword, nil
+		return asdbv1.AdminUsername, passwordProvider.GetDefaultPassword(desiredState), nil
 	}
 
 	adminUserSpec, ok := asdbv1.GetUsersFromSpec(currentState)[asdbv1.AdminUsername]
@@ -396,6 +396,9 @@ type AerospikeUserPasswordProvider interface {
 	Get(username string, userSpec *asdbv1.AerospikeUserSpec) (
 		string, error,
 	)
+
+	// GetDefaultPassword returns the default password for cluster using AerospikeClusterSpec.
+	GetDefaultPassword(spec *asdbv1.AerospikeClusterSpec) string
 }
 
 // aerospikeAccessControlReconcileCmd commands needed to Reconcile a single access control entry,

diff --git a/controllers/client_policy.go b/controllers/client_policy.go
@@ -53,6 +53,55 @@ func (pp fromSecretPasswordProvider) Get(
 	return string(passBytes), nil
 }
 
+// GetDefaultPassword returns the default password for cluster using AerospikeClusterSpec.
+func (pp fromSecretPasswordProvider) GetDefaultPassword(spec *asdbv1.AerospikeClusterSpec) string {
+	defaultPasswordFilePath := asdbv1.GetDefaultPasswordFilePath(spec.AerospikeConfig)
+
+	// No default password file specified. Give default password.
+	if defaultPasswordFilePath == nil {
+		return asdbv1.DefaultAdminPassword
+	}
+
+	// Default password file specified. Get the secret name from the volume
+	volume := spec.Storage.GetVolumeForAerospikePath(*defaultPasswordFilePath)
+	secretName := volume.Source.Secret.SecretName
+
+	// Get the password from the secret.
+	passwordFileName := filepath.Base(*defaultPasswordFilePath)
+
+	password, err := pp.getPasswordFromSecret(secretName, passwordFileName)
+	if err != nil {
+		pkgLog.Error(err, "Failed to get password from secret")
+
+		return asdbv1.DefaultAdminPassword
+	}
+
+	return password
+}
+
+// GetPasswordFromSecret returns the password from the secret.
+func (pp fromSecretPasswordProvider) getPasswordFromSecret(
+	secretName string, passFileName string,
+) (string, error) {
+	secretNamespcedName := types.NamespacedName{Name: secretName, Namespace: pp.namespace}
+	secret := &corev1.Secret{}
+
+	err := (*pp.k8sClient).Get(context.TODO(), secretNamespcedName, secret)
+	if err != nil {
+		return "", fmt.Errorf("failed to get secret %s: %v", secretNamespcedName, err)
+	}
+
+	passBytes, ok := secret.Data[passFileName]
+	if !ok {
+		return "", fmt.Errorf(
+			"failed to get password file in secret %s, fileName %s",
+			secretNamespcedName, passFileName,
+		)
+	}
+
+	return string(passBytes), nil
+}
+
 func (r *SingleClusterReconciler) getPasswordProvider() fromSecretPasswordProvider {
 	return fromSecretPasswordProvider{
 		k8sClient: &r.Client, namespace: r.aeroCluster.Namespace,

diff --git a/helm-charts/aerospike-cluster/README.md b/helm-charts/aerospike-cluster/README.md
@@ -48,7 +48,7 @@ helm install aerospike ./aerospike-cluster/ \
 | ---------- | ----------- | --------- |
 | `replicas` | Aerospike cluster size | `3` |
 | `image.repository` | Aerospike server container image repository | `aerospike/aerospike-server-enterprise` |
-| `image.tag` | Aerospike server container image tag | `7.0.0.0` |
+| `image.tag` | Aerospike server container image tag | `7.1.0.0` |
 | `imagePullSecrets` | Secrets containing credentials to pull Aerospike container image from a private registry | `{}` (nil) |
 | `customLabels` | Custom labels to add on the aerospikecluster resource | `{}` (nil) |
 | `aerospikeAccessControl` | Aerospike access control configuration. Define users and roles to be created on the cluster. | `{}` (nil) |

diff --git a/helm-charts/aerospike-cluster/templates/aerospike-cluster-cr.yaml b/helm-charts/aerospike-cluster/templates/aerospike-cluster-cr.yaml
@@ -16,7 +16,7 @@ spec:
   size: {{ .Values.replicas | default 3 }}
 
   # Aerospike server docker image
-  image: {{ .Values.image.repository | default "aerospike/aerospike-server-enterprise" }}:{{ .Values.image.tag | default "7.0.0.0" }}
+  image: {{ .Values.image.repository | default "aerospike/aerospike-server-enterprise" }}:{{ .Values.image.tag | default "7.1.0.0" }}
 
   # Aerospike access control configuration
   {{- with .Values.aerospikeAccessControl }}

diff --git a/helm-charts/aerospike-cluster/values.yaml b/helm-charts/aerospike-cluster/values.yaml
@@ -8,7 +8,7 @@ replicas: 3
 ## Aerospike server docker image
 image:
   repository: aerospike/aerospike-server-enterprise
-  tag: 7.0.0.0
+  tag: 7.1.0.0
 
 ## In case the above image is pulled from a registry that requires
 ## authentication, a secret containining credentials can be added

diff --git a/pkg/configschema/schemas b/pkg/configschema/schemas
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,7 +6,7 @@ metadata: @@
     spec:
       size: 4
-      image: aerospike/aerospike-server-enterprise:7.0.0.0
+      image: aerospike/aerospike-server-enterprise:7.1.0.0
       rosterNodeBlockList:
         - 1A0
@@ Expand Down @@
+2 −2		json/aerospike/4.0.0.json
+2 −2		json/aerospike/4.1.0.json
+3 −3		json/aerospike/4.2.0.json
+3 −3		json/aerospike/4.3.0.json
+3 −3		json/aerospike/4.3.1.json
+3 −3		json/aerospike/4.4.0.json
+3 −3		json/aerospike/4.5.0.json
+3 −3		json/aerospike/4.5.1.json
+3 −3		json/aerospike/4.5.2.json
+3 −3		json/aerospike/4.5.3.json
+3 −3		json/aerospike/4.6.0.json
+4 −4		json/aerospike/4.7.0.json
+4 −4		json/aerospike/4.8.0.json
+66 −66		json/aerospike/4.9.0.json
+65 −65		json/aerospike/5.0.0.json
+66 −66		json/aerospike/5.1.0.json
+66 −66		json/aerospike/5.2.0.json
+66 −66		json/aerospike/5.3.0.json
+66 −66		json/aerospike/5.4.0.json
+66 −66		json/aerospike/5.5.0.json
+66 −66		json/aerospike/5.6.0.json
+68 −68		json/aerospike/5.7.0.json
+67 −67		json/aerospike/6.0.0.json
+67 −67		json/aerospike/6.1.0.json
+67 −67		json/aerospike/6.2.0.json
+68 −68		json/aerospike/6.3.0.json
+66 −66		json/aerospike/6.4.0.json
+779 −348		json/aerospike/7.0.0.json
+3,575 −0		json/aerospike/7.1.0.json