Add support for default-password-file

api/v1/aerospikecluster_validating_webhook.go

@@ -1792,9 +1792,12 @@ func validateRequiredFileStorageForMetadata(
 func validateRequiredFileStorageForFeatureConf(
 	configSpec AerospikeConfigSpec, storage *AerospikeStorageSpec,
 ) error {
-	// TODO Add validation for feature key file.
 	featureKeyFilePaths := getFeatureKeyFilePaths(configSpec)
 	nonCAPaths, caPaths := getTLSFilePaths(configSpec)
+	defaultPassFilePath := GetDefaultPasswordFilePath(&configSpec)
+
+	// TODO: What if default password file is given via Secret Manager?
+	// How operator will access that file? Should we allow that?
 
 	var allPaths []string
 
@@ -1813,10 +1816,14 @@ func validateRequiredFileStorageForFeatureConf(
 	// CA cert related fields are not supported with Secret Manager, so check their mount volume
 	allPaths = append(allPaths, caPaths...)
 
+	if defaultPassFilePath != nil {
+		allPaths = append(allPaths, *defaultPassFilePath)
+	}
+
 	for _, path := range allPaths {
 		if !storage.isVolumePresentForAerospikePath(filepath.Dir(path)) {
 			return fmt.Errorf(
-				"feature-key-file paths or tls paths are not mounted - create an entry for '%v' in 'storage.volumes'",
+				"feature-key-file paths or tls paths or default-password-file path are not mounted - create an entry for '%v' in 'storage.volumes'",
 				path,
 			)
 		}

api/v1/utils.go

@@ -49,6 +49,10 @@ const (
 	confKeyXdr         = "xdr"
 	confKeyXdrDlogPath = "xdr-digestlog-path"
 
+	// Security keys.
+	confKeySecurity                    = "security"
+	confKeySecurityDefaultPasswordFile = "default-password-file"
+
 	// Service section keys.
 	confKeyService       = "service"
 	confKeyWorkDirectory = "work-directory"
@@ -501,3 +505,30 @@ func getContainerNames(containers []v1.Container) []string {
 func GetBool(boolPtr *bool) bool {
 	return ptr.Deref(boolPtr, false)
 }
+
+// GetDefaultPasswordFilePath returns the default-password-fille path if configured.
+func GetDefaultPasswordFilePath(aerospikeConfigSpec *AerospikeConfigSpec) *string {
+	aerospikeConfig := aerospikeConfigSpec.Value
+
+	// Get security config.
+	securityConfTmp, ok := aerospikeConfig[confKeySecurity]
+	if !ok {
+		return nil
+	}
+
+	securityConf, ok := securityConfTmp.(map[string]interface{})
+	if !ok {
+		// Should never happen.
+		return nil
+	}
+
+	// Get password file.
+	passFileTmp, ok := securityConf[confKeySecurityDefaultPasswordFile]
+	if !ok {
+		return nil
+	}
+
+	passFile := passFileTmp.(string)
+
+	return &passFile
+}

config/samples/secrets/password.conf

@@ -0,0 +1 @@
+admin12345

controllers/access_control.go

@@ -75,7 +75,7 @@ func AerospikeAdminCredentials(
 
 	if currentState.AerospikeAccessControl == nil {
 		// We haven't yet set up access control. Use default password.
-		return asdbv1.AdminUsername, asdbv1.DefaultAdminPassword, nil
+		return asdbv1.AdminUsername, passwordProvider.GetDefaultPassword(desiredState), nil
 	}
 
 	adminUserSpec, ok := asdbv1.GetUsersFromSpec(currentState)[asdbv1.AdminUsername]
@@ -396,6 +396,9 @@ type AerospikeUserPasswordProvider interface {
 	Get(username string, userSpec *asdbv1.AerospikeUserSpec) (
 		string, error,
 	)
+
+	// GetDefaultPassword returns the default password for cluster using AerospikeClusterSpec.
+	GetDefaultPassword(spec *asdbv1.AerospikeClusterSpec) string
 }
 
 // aerospikeAccessControlReconcileCmd commands needed to Reconcile a single access control entry,

controllers/client_policy.go

@@ -53,6 +53,55 @@ func (pp fromSecretPasswordProvider) Get(
 	return string(passBytes), nil
 }
 
+// GetDefaultPassword returns the default password for cluster using AerospikeClusterSpec.
+func (pp fromSecretPasswordProvider) GetDefaultPassword(spec *asdbv1.AerospikeClusterSpec) string {
+	defaultPasswordFilePath := asdbv1.GetDefaultPasswordFilePath(spec.AerospikeConfig)
+
+	// No default password file specified. Give default password.
+	if defaultPasswordFilePath == nil {
+		return asdbv1.DefaultAdminPassword
+	}
+
+	// Default password file specified. Get the secret name from the volume
+	volume := spec.Storage.GetVolumeForAerospikePath(*defaultPasswordFilePath)
+	secretName := volume.Source.Secret.SecretName
+
+	// Get the password from the secret.
+	passwordFileName := filepath.Base(*defaultPasswordFilePath)
+
+	password, err := pp.getPasswordFromSecret(secretName, passwordFileName)
+	if err != nil {
+		pkgLog.Error(err, "Failed to get password from secret")
+
+		return asdbv1.DefaultAdminPassword
+	}
+
+	return password
+}
+
+// GetPasswordFromSecret returns the password from the secret.
+func (pp fromSecretPasswordProvider) getPasswordFromSecret(
+	secretName string, passFileName string,
+) (string, error) {
+	secretNamespcedName := types.NamespacedName{Name: secretName, Namespace: pp.namespace}
+	secret := &corev1.Secret{}
+
+	err := (*pp.k8sClient).Get(context.TODO(), secretNamespcedName, secret)
+	if err != nil {
+		return "", fmt.Errorf("failed to get secret %s: %v", secretNamespcedName, err)
+	}
+
+	passBytes, ok := secret.Data[passFileName]
+	if !ok {
+		return "", fmt.Errorf(
+			"failed to get password file in secret %s, fileName %s",
+			secretNamespcedName, passFileName,
+		)
+	}
+
+	return string(passBytes), nil
+}
+
 func (r *SingleClusterReconciler) getPasswordProvider() fromSecretPasswordProvider {
 	return fromSecretPasswordProvider{
 		k8sClient: &r.Client, namespace: r.aeroCluster.Namespace,

test/access_control_test.go

@@ -8,6 +8,7 @@ import (
 	"math/rand"
 	"reflect"
 	"strings"
+	"time"
 
 	"github.com/go-logr/logr"
 	. "github.com/onsi/ginkgo/v2"
@@ -57,6 +58,7 @@ var aerospikeConfigWithSecurityWithQuota = &asdbv1.AerospikeConfigSpec{
 
 var _ = Describe(
 	"AccessControl", func() {
+		ctx := goctx.TODO()
 
 		Context(
 			"AccessControl", func() {
@@ -2144,6 +2146,50 @@ var _ = Describe(
 				)
 			},
 		)
+
+		Context("Using default-password-file", func() {
+			It("Should use default-password-file when configured", func() {
+				By("Creating cluster")
+
+				aeroCluster := createDummyAerospikeCluster(clusterNamespacedName, 4)
+				racks := getDummyRackConf(1, 2)
+				aeroCluster.Spec.RackConfig.Racks = racks
+				aeroCluster.Spec.RackConfig.Namespaces = []string{"test"}
+
+				err := k8sClient.Create(ctx, aeroCluster)
+				Expect(err).ToNot(HaveOccurred())
+
+				By("Cluster is not ready, connect with cluster using default password")
+
+				// Get default password from secret.
+				secretNamespcedName := types.NamespacedName{
+					Name:      aerospikeConfigSecret,
+					Namespace: aeroCluster.Namespace,
+				}
+				passFileName := "password.conf"
+				pass, err := getPasswordFromSecret(k8sClient, secretNamespcedName, passFileName)
+				Expect(err).ToNot(HaveOccurred())
+
+				// Cluster is not yet ready. Therefore, it should be using default password
+				Eventually(func() error {
+					clientPolicy := getClientPolicy(aeroCluster, k8sClient)
+					clientPolicy.Password = pass
+
+					client, cerr := getClientWithPolicy(
+						pkgLog, aeroCluster, k8sClient, clientPolicy)
+					if cerr != nil {
+						return cerr
+					}
+
+					nodes := client.GetNodeNames()
+					Expect(nodes).ToNot(BeNil())
+
+					pkgLog.Info("Connected to cluster", "nodes", nodes)
+
+					return nil
+				}, 2*time.Minute).ShouldNot(HaveOccurred())
+			})
+		})
 	},
 )
 

test/cluster_helper.go

@@ -34,7 +34,7 @@ const (
 	prevServerVersion   = "6.4.0.0"
 	pre6Version         = "5.7.0.17"
 	version6            = "6.0.0.5"
-	latestServerVersion = "7.0.0.0"
+	latestServerVersion = "7.1.0.0"
 	invalidVersion      = "3.0.0.4"
 )
 
@@ -1123,8 +1123,10 @@ func createDummyAerospikeCluster(
 						"proto-fd-max":     defaultProtofdmax,
 						"auto-pin":         "none",
 					},
-					"security": map[string]interface{}{},
-					"network":  getNetworkConfig(),
+					"security": map[string]interface{}{
+						"default-password-file": "/etc/aerospike/secret/password.conf",
+					},
+					"network": getNetworkConfig(),
 					"namespaces": []interface{}{
 						getSCNamespaceConfig("test", "/test/dev/xvdf"),
 					},

test/test_client.go

@@ -60,6 +60,13 @@ func (pp FromSecretPasswordProvider) Get(
 	return string(passbyte), nil
 }
 
+// This function is not used in the test code. This is just a dummy implementation.
+// Tests do not make client call till cluster is up and reconciled.
+// DefaultPassword only comes into play when the cluster is being created.
+func (pp FromSecretPasswordProvider) GetDefaultPassword(_ *asdbv1.AerospikeClusterSpec) string {
+	return asdbv1.DefaultAdminPassword
+}
+
 func getPasswordProvider(
 	aeroCluster *asdbv1.AerospikeCluster, k8sClient client.Client,
 ) FromSecretPasswordProvider {
@@ -71,6 +78,18 @@ func getPasswordProvider(
 func getClient(
 	log logr.Logger, aeroCluster *asdbv1.AerospikeCluster,
 	k8sClient client.Client,
+) (*as.Client, error) {
+	// Create policy using status, status has current connection info
+	policy := getClientPolicy(
+		aeroCluster, k8sClient,
+	)
+
+	return getClientWithPolicy(log, aeroCluster, k8sClient, policy)
+}
+
+func getClientWithPolicy(
+	log logr.Logger, aeroCluster *asdbv1.AerospikeCluster,
+	k8sClient client.Client, policy *as.ClientPolicy,
 ) (*as.Client, error) {
 	conns, err := newAllHostConn(log, aeroCluster, k8sClient)
 	if err != nil {
@@ -87,10 +106,7 @@ func getClient(
 			},
 		)
 	}
-	// Create policy using status, status has current connection info
-	policy := getClientPolicy(
-		aeroCluster, k8sClient,
-	)
+
 	aeroClient, err := as.NewClientWithPolicyAndHost(
 		policy, hosts...,
 	)
@@ -299,13 +315,17 @@ func appendCACertFromFileOrPath(
 			if err != nil {
 				return err
 			}
+
 			if !d.IsDir() {
 				var caData []byte
+
 				if caData, err = os.ReadFile(path); err != nil {
 					return err
 				}
+
 				serverPool.AppendCertsFromPEM(caData)
 			}
+
 			return nil
 		},
 	)

test/utils.go

@@ -2,6 +2,7 @@ package test
 
 import (
 	"bytes"
+	"context"
 	goctx "context"
 	"encoding/json"
 	"fmt"
@@ -795,3 +796,24 @@ func getAerospikeConfigFromNode(log logr.Logger, k8sClient client.Client, ctx go
 
 	return confs[configContext].(lib.Stats), nil
 }
+
+func getPasswordFromSecret(k8sClient client.Client,
+	secretNamespcedName types.NamespacedName, passFileName string,
+) (string, error) {
+	secret := &corev1.Secret{}
+
+	err := k8sClient.Get(context.TODO(), secretNamespcedName, secret)
+	if err != nil {
+		return "", fmt.Errorf("failed to get secret %s: %v", secretNamespcedName, err)
+	}
+
+	passBytes, ok := secret.Data[passFileName]
+	if !ok {
+		return "", fmt.Errorf(
+			"failed to get password file in secret %s, fileName %s",
+			secretNamespcedName, passFileName,
+		)
+	}
+
+	return string(passBytes), nil
+}