refactor(operator): use Secret for database passwords

jsenko · jsenko · commit 4b994b003ee4 · 2025-04-23T19:15:40.000+02:00
diff --git a/operator/controller/src/main/deploy/rbac/cluster/cluster-role.yaml b/operator/controller/src/main/deploy/rbac/cluster/cluster-role.yaml
@@ -57,3 +57,12 @@ rules:
       - poddisruptionbudgets
     verbs:
       - '*'
+
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - list
+      - get
+      - create
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/ApicurioRegistry3Reconciler.java b/operator/controller/src/main/java/io/apicurio/registry/operator/ApicurioRegistry3Reconciler.java
@@ -1,20 +1,49 @@
 package io.apicurio.registry.operator;
 
 import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
-import io.apicurio.registry.operator.resource.app.*;
-import io.apicurio.registry.operator.resource.ui.*;
+import io.apicurio.registry.operator.resource.app.AppDeploymentResource;
+import io.apicurio.registry.operator.resource.app.AppIngressResource;
+import io.apicurio.registry.operator.resource.app.AppNetworkPolicyResource;
+import io.apicurio.registry.operator.resource.app.AppPodDisruptionBudgetResource;
+import io.apicurio.registry.operator.resource.app.AppServiceResource;
+import io.apicurio.registry.operator.resource.ui.UIDeploymentResource;
+import io.apicurio.registry.operator.resource.ui.UIIngressResource;
+import io.apicurio.registry.operator.resource.ui.UINetworkPolicyResource;
+import io.apicurio.registry.operator.resource.ui.UIPodDisruptionBudgetResource;
+import io.apicurio.registry.operator.resource.ui.UIServiceResource;
 import io.apicurio.registry.operator.status.OperatorErrorConditionManager;
 import io.apicurio.registry.operator.status.StatusManager;
 import io.apicurio.registry.operator.updater.IngressCRUpdater;
 import io.apicurio.registry.operator.updater.KafkaSqlCRUpdater;
 import io.apicurio.registry.operator.updater.SqlCRUpdater;
-import io.javaoperatorsdk.operator.api.reconciler.*;
+import io.javaoperatorsdk.operator.api.reconciler.Cleaner;
+import io.javaoperatorsdk.operator.api.reconciler.Context;
+import io.javaoperatorsdk.operator.api.reconciler.ControllerConfiguration;
+import io.javaoperatorsdk.operator.api.reconciler.DeleteControl;
+import io.javaoperatorsdk.operator.api.reconciler.ErrorStatusHandler;
+import io.javaoperatorsdk.operator.api.reconciler.ErrorStatusUpdateControl;
+import io.javaoperatorsdk.operator.api.reconciler.Reconciler;
+import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
 import io.javaoperatorsdk.operator.api.reconciler.dependent.Dependent;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import static io.apicurio.registry.operator.resource.ActivationConditions.*;
-import static io.apicurio.registry.operator.resource.ResourceKey.*;
+import static io.apicurio.registry.operator.resource.ActivationConditions.AppIngressActivationCondition;
+import static io.apicurio.registry.operator.resource.ActivationConditions.AppNetworkPolicyActivationCondition;
+import static io.apicurio.registry.operator.resource.ActivationConditions.AppPodDisruptionBudgetActivationCondition;
+import static io.apicurio.registry.operator.resource.ActivationConditions.UIIngressActivationCondition;
+import static io.apicurio.registry.operator.resource.ActivationConditions.UINetworkPolicyActivationCondition;
+import static io.apicurio.registry.operator.resource.ActivationConditions.UIPodDisruptionBudgetActivationCondition;
+import static io.apicurio.registry.operator.resource.ResourceKey.APP_DEPLOYMENT_ID;
+import static io.apicurio.registry.operator.resource.ResourceKey.APP_INGRESS_ID;
+import static io.apicurio.registry.operator.resource.ResourceKey.APP_NETWORK_POLICY_ID;
+import static io.apicurio.registry.operator.resource.ResourceKey.APP_POD_DISRUPTION_BUDGET_ID;
+import static io.apicurio.registry.operator.resource.ResourceKey.APP_SERVICE_ID;
+import static io.apicurio.registry.operator.resource.ResourceKey.UI_DEPLOYMENT_ID;
+import static io.apicurio.registry.operator.resource.ResourceKey.UI_INGRESS_ID;
+import static io.apicurio.registry.operator.resource.ResourceKey.UI_NETWORK_POLICY_ID;
+import static io.apicurio.registry.operator.resource.ResourceKey.UI_POD_DISRUPTION_BUDGET_ID;
+import static io.apicurio.registry.operator.resource.ResourceKey.UI_SERVICE_ID;
 
 @ControllerConfiguration(
         dependents = {
@@ -91,7 +120,7 @@ public UpdateControl<ApicurioRegistry3> reconcile(ApicurioRegistry3 primary,
         // Operator will attempt to update the CR to use the newer fields if possible.
         // This has to be done first, so subsequent functionality can deal with new fields only.
         var update = IngressCRUpdater.update(primary);
-        update = SqlCRUpdater.update(primary) || update;
+        update = SqlCRUpdater.update(primary, context) || update;
         update = KafkaSqlCRUpdater.update(primary) || update;
         if (update) {
             return UpdateControl.updateResource(primary);
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/PostgresSql.java b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/PostgresSql.java
@@ -5,6 +5,7 @@
 import io.apicurio.registry.operator.api.v1.spec.AppSpec;
 import io.apicurio.registry.operator.api.v1.spec.SqlSpec;
 import io.apicurio.registry.operator.api.v1.spec.StorageSpec;
+import io.apicurio.registry.operator.utils.SecretKeyRefTool;
 import io.fabric8.kubernetes.api.model.EnvVar;
 import io.fabric8.kubernetes.api.model.EnvVarBuilder;
 
@@ -35,8 +36,11 @@ public static void configureDatasource(ApicurioRegistry3 primary, Map<String, En
                             .withValue(dataSource.getUrl()).build());
                     addEnvVar(env, new EnvVarBuilder().withName(ENV_APICURIO_DATASOURCE_USERNAME)
                             .withValue(dataSource.getUsername()).build());
-                    addEnvVar(env, new EnvVarBuilder().withName(ENV_APICURIO_DATASOURCE_PASSWORD)
-                            .withValue(dataSource.getPassword()).build());
+
+                    var password = new SecretKeyRefTool(dataSource.getPassword(), "password");
+                    if (password.isValid()) {
+                        password.applySecretEnvVar(env, ENV_APICURIO_DATASOURCE_PASSWORD);
+                    }
                 });
     }
 }
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/updater/SqlCRUpdater.java b/operator/controller/src/main/java/io/apicurio/registry/operator/updater/SqlCRUpdater.java
@@ -2,10 +2,21 @@
 
 import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
 import io.apicurio.registry.operator.api.v1.ApicurioRegistry3Spec;
-import io.apicurio.registry.operator.api.v1.spec.*;
+import io.apicurio.registry.operator.api.v1.spec.AppSpec;
+import io.apicurio.registry.operator.api.v1.spec.DataSourceSpec;
+import io.apicurio.registry.operator.api.v1.spec.DeprecatedDataSource;
+import io.apicurio.registry.operator.api.v1.spec.DeprecatedSqlSpec;
+import io.apicurio.registry.operator.api.v1.spec.SecretKeyRef;
+import io.apicurio.registry.operator.api.v1.spec.SqlSpec;
+import io.apicurio.registry.operator.api.v1.spec.StorageSpec;
+import io.apicurio.registry.operator.api.v1.spec.StorageType;
+import io.fabric8.kubernetes.api.model.SecretBuilder;
+import io.javaoperatorsdk.operator.api.reconciler.Context;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.UUID;
+
 import static io.apicurio.registry.operator.utils.Utils.isBlank;
 import static java.util.Optional.ofNullable;
 
@@ -16,7 +27,7 @@ public class SqlCRUpdater {
     /**
      * @return true if the CR has been updated
      */
-    public static boolean update(ApicurioRegistry3 primary) {
+    public static boolean update(ApicurioRegistry3 primary, Context context) {
         var updated = false;
         var prevDataSource = ofNullable(primary.getSpec()).map(ApicurioRegistry3Spec::getApp)
                 .map(AppSpec::getSql).map(DeprecatedSqlSpec::getDataSource);
@@ -44,7 +55,7 @@ public static boolean update(ApicurioRegistry3 primary) {
                 } else {
                     log.warn(
                             "Automatic update cannot be performed, "
-                                    + "because the field `app.storage.type` is already set and is not '{}'.",
+                            + "because the field `app.storage.type` is already set and is not '{}'.",
                             StorageType.POSTGRESQL.getValue());
                 }
             } else {
@@ -67,7 +78,7 @@ public static boolean update(ApicurioRegistry3 primary) {
                 } else {
                     log.warn(
                             "Automatic update cannot be performed, "
-                                    + "because the field `app.storage.type` is already set and is not '{}'.",
+                            + "because the field `app.storage.type` is already set and is not '{}'.",
                             StorageType.POSTGRESQL.getValue());
                 }
             } else {
@@ -82,15 +93,27 @@ public static boolean update(ApicurioRegistry3 primary) {
                 if (storageType.isEmpty() || StorageType.POSTGRESQL.equals(storageType.orElse(null))) {
                     log.info(
                             "Performing automatic CR update from `app.sql.dataSource.password` to `app.storage.sql.dataSource.password`.");
+                    // Create the Secret
+                    var secretName = primary.getMetadata().getName() + "-datasource-password-" + UUID.randomUUID().toString().substring(0, 7);
+                    // @formatter:off
+                    var secret = new SecretBuilder()
+                            .withNewMetadata()
+                                .withNamespace(primary.getMetadata().getNamespace())
+                                .withName(secretName)
+                            .endMetadata()
+                            .addToData("password", prevPassword.get())
+                            .build();
+                    // @formatter:on
+                    context.getClient().resource(secret).create();
                     primary.getSpec().withApp().withStorage().setType(StorageType.POSTGRESQL);
                     primary.getSpec().getApp().getSql().getDataSource().setPassword(null);
                     primary.getSpec().getApp().getStorage().withSql().withDataSource()
-                            .setPassword(prevPassword.get());
+                            .setPassword(SecretKeyRef.builder().name(secretName).build());
                     updated = true;
                 } else {
                     log.warn(
                             "Automatic update cannot be performed, "
-                                    + "because the field `app.storage.type` is already set and is not '{}'.",
+                            + "because the field `app.storage.type` is already set and is not '{}'.",
                             StorageType.POSTGRESQL.getValue());
                 }
             } else {
diff --git a/operator/controller/src/test/java/io/apicurio/registry/operator/it/CRUpdateITTest.java b/operator/controller/src/test/java/io/apicurio/registry/operator/it/CRUpdateITTest.java
@@ -11,6 +11,7 @@
 import java.time.Duration;
 import java.util.List;
 
+import static io.apicurio.registry.operator.utils.Utils.isBlank;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.awaitility.Awaitility.await;
 
@@ -53,6 +54,10 @@ void testCRUpdate() {
                         assertThat(updated).hasSize(1);
                         // We do not care about the operand here, just about the CR structure
                         assertThat(updated.get(0).getSpec()).usingRecursiveComparison()
+                                // We have to specially handle generated Secret name, since we do not know it in advance.
+                                // It should be enough to just make sure it's not blank.
+                                .withEqualsForFields((l, r) -> !isBlank((String) l) && !isBlank((String) r),
+                                        "app.storage.sql.dataSource.password.name")
                                 .isEqualTo(updatedExpected.getSpec());
                     });
         });
diff --git a/operator/controller/src/test/resources/k8s/examples/postgresql/example-postgresql-database.yaml b/operator/controller/src/test/resources/k8s/examples/postgresql/example-postgresql-database.yaml
@@ -30,7 +30,7 @@ spec:
               value: apicurio
       volumes:
         - name: cache-volume
-          emptyDir: {}
+          emptyDir: { }
 ---
 # PostgreSQL StatefulSet Service
 apiVersion: v1
@@ -43,3 +43,12 @@ spec:
   ports:
     - port: 5432
       targetPort: 5432
+---
+# PostgreSQL Password Secret
+apiVersion: v1
+kind: Secret
+metadata:
+  name: example-postgresql-database-password
+type: Opaque
+data:
+  password: cGFzc3dvcmQ=
diff --git a/operator/controller/src/test/resources/k8s/examples/postgresql/example-postgresql.apicurioregistry3.yaml b/operator/controller/src/test/resources/k8s/examples/postgresql/example-postgresql.apicurioregistry3.yaml
@@ -10,7 +10,8 @@ spec:
         dataSource:
           url: jdbc:postgresql://example-postgresql-database:5432/apicurio
           username: username
-          password: password
+          password:
+            name: example-postgresql-database-password
     ingress:
       host: example-postgresql-app.apps.cluster.example
   ui:
diff --git a/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/DataSourceSpec.java b/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/DataSourceSpec.java
@@ -1,9 +1,18 @@
 package io.apicurio.registry.operator.api.v1.spec;
 
-import com.fasterxml.jackson.annotation.*;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonPropertyDescription;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+import com.fasterxml.jackson.annotation.JsonSetter;
 import com.fasterxml.jackson.databind.JsonDeserializer.None;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import lombok.*;
+import lombok.AllArgsConstructor;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+import lombok.ToString;
 import lombok.experimental.SuperBuilder;
 
 import static com.fasterxml.jackson.annotation.JsonInclude.Include.NON_NULL;
@@ -12,7 +21,7 @@
 
 @JsonDeserialize(using = None.class)
 @JsonInclude(NON_NULL)
-@JsonPropertyOrder({ "url", "username", "password" })
+@JsonPropertyOrder({"url", "username", "password"})
 @NoArgsConstructor
 @AllArgsConstructor(access = PRIVATE)
 @SuperBuilder(toBuilder = true)
@@ -47,15 +56,13 @@ public class DataSourceSpec {
     /**
      * Configure SQL data source password.
      * <p>
-     * If you want to reference a Secret, you can set the <code>APICURIO_DATASOURCE_PASSWORD</code>
-     * environment variable directly using the <code>app.env</code> field.
+     * References name of a Secret that contains the password. Key <code>password</code> is assumed by default.
      */
     @JsonProperty("password")
     @JsonPropertyDescription("""
             Configure SQL data source password.
-
-            If you want to reference a Secret, you can set the `APICURIO_DATASOURCE_PASSWORD` environment variable \
-            directly using the `app.env` field.""")
+                      
+            References name of a Secret that contains the password. Key `password` is assumed by default.""")
     @JsonSetter(nulls = SKIP)
-    private String password;
+    private SecretKeyRef password;
 }
