add controller to create and delete individual usernames in mariadb

this is a first draft of a "create /drop account" controller that is
separate from the main "create/drop database" controller, for the
purpose of producing rotating username/passwords. The background for the
change is based on discussions surrounding
https://issues.redhat.com/browse/OSPRH-92 where internal control plane
services such as Galera , Rabbit, Redis etc. would provide interfaces to
add /remove arbitrary usernames, where a "password rotation" would
involve adding a new username/password and having services switch there,
retiring the old account once all finalizers have been removed.

api/bases/mariadb.openstack.org_mariadbaccounts.yaml

@@ -0,0 +1,101 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.1
+  creationTimestamp: null
+  name: mariadbaccounts.mariadb.openstack.org
+spec:
+  group: mariadb.openstack.org
+  names:
+    kind: MariaDBAccount
+    listKind: MariaDBAccountList
+    plural: mariadbaccounts
+    singular: mariadbaccount
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: MariaDBAccount is the Schema for the mariadbaccounts API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MariaDBAccountSpec defines the desired state of MariaDBAccount
+            properties:
+              secret:
+                description: Name of secret which contains DatabasePassword
+                type: string
+              userName:
+                description: UserName for new account
+                type: string
+            type: object
+          status:
+            description: MariaDBAccountStatus defines the observed state of MariaDBAccount
+            properties:
+              conditions:
+                description: Deployment Conditions
+                items:
+                  description: Condition defines an observation of a API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase.
+                      type: string
+                    severity:
+                      description: Severity provides a classification of Reason code,
+                        so the current situation is immediately understandable and
+                        could act accordingly. It is meant for situations where Status=False
+                        and it should be indicated if it is just informational, warning
+                        (next reconciliation might fix it) or an error (e.g. DB create
+                        issue and no actions to automatically resolve the issue can/should
+                        be done). For conditions where Status=Unknown or Status=True
+                        the Severity should be SeverityNone.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              hash:
+                additionalProperties:
+                  type: string
+                description: Map of hashes to track e.g. job status
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

api/v1beta1/conditions.go

@@ -23,6 +23,10 @@ import (
 const (
 	// MariaDBInitializedCondition Status=True condition which indicates if the MariaDB dbinit has completed
 	MariaDBInitializedCondition condition.Type = "MariaDBInitialized"
+
+	MariaDBDatabaseReadyCondition condition.Type = "MariaDBDatabaseReady"
+
+	MariaDBAccountReadyCondition condition.Type = "MariaDBAccountReady"
 )
 
 // MariaDB Reasons used by API objects.
@@ -60,4 +64,12 @@ const (
 
 	// MariaDBInitializedErrorMessage
 	MariaDBInitializedErrorMessage = "MariaDB dbinit error occured %s"
+
+	MariaDBDatabaseReadyInitMessage = "MariaDBDatabase not yet available"
+
+	MariaDBDatabaseReadyMessage = "MariaDBDatabase ready"
+
+	MariaDBAccountReadyInitMessage = "MariaDBAccount create / drop not started"
+
+	MariaDBAccountReadyMessage = "MariaDBAccount creation complete"
 )

api/v1beta1/mariadbaccount_types.go

@@ -17,25 +17,34 @@ limitations under the License.
 package v1beta1
 
 import (
+	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+const (
+	// AccountCreateHash hash
+	AccountCreateHash = "accountcreate"
+
+	// AccountDeleteHash hash
+	AccountDeleteHash = "accountdelete"
+)
 
 // MariaDBAccountSpec defines the desired state of MariaDBAccount
 type MariaDBAccountSpec struct {
-	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
+	// UserName for new account
+	UserName string `json:"userName,omitempty"`
 
-	// Foo is an example field of MariaDBAccount. Edit mariadbaccount_types.go to remove/update
-	Foo string `json:"foo,omitempty"`
+	// Name of secret which contains DatabasePassword
+	Secret string `json:"secret,omitempty"`
 }
 
 // MariaDBAccountStatus defines the observed state of MariaDBAccount
 type MariaDBAccountStatus struct {
-	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
+	// Deployment Conditions
+	Conditions condition.Conditions `json:"conditions,omitempty" optional:"true"`
+
+	// Map of hashes to track e.g. job status
+	Hash map[string]string `json:"hash,omitempty"`
 }
 
 //+kubebuilder:object:root=true

config/crd/bases/mariadb.openstack.org_mariadbaccounts.yaml

@@ -0,0 +1,101 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.1
+  creationTimestamp: null
+  name: mariadbaccounts.mariadb.openstack.org
+spec:
+  group: mariadb.openstack.org
+  names:
+    kind: MariaDBAccount
+    listKind: MariaDBAccountList
+    plural: mariadbaccounts
+    singular: mariadbaccount
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: MariaDBAccount is the Schema for the mariadbaccounts API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MariaDBAccountSpec defines the desired state of MariaDBAccount
+            properties:
+              secret:
+                description: Name of secret which contains DatabasePassword
+                type: string
+              userName:
+                description: UserName for new account
+                type: string
+            type: object
+          status:
+            description: MariaDBAccountStatus defines the observed state of MariaDBAccount
+            properties:
+              conditions:
+                description: Deployment Conditions
+                items:
+                  description: Condition defines an observation of a API resource
+                    operational state.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another. This should be when the underlying condition changed.
+                        If that is not known, then using the time when the API field
+                        changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition
+                        in CamelCase.
+                      type: string
+                    severity:
+                      description: Severity provides a classification of Reason code,
+                        so the current situation is immediately understandable and
+                        could act accordingly. It is meant for situations where Status=False
+                        and it should be indicated if it is just informational, warning
+                        (next reconciliation might fix it) or an error (e.g. DB create
+                        issue and no actions to automatically resolve the issue can/should
+                        be done). For conditions where Status=Unknown or Status=True
+                        the Severity should be SeverityNone.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of condition in CamelCase.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              hash:
+                additionalProperties:
+                  type: string
+                description: Map of hashes to track e.g. job status
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/rbac/role.yaml

@@ -151,6 +151,32 @@ rules:
   - list
   - patch
   - update
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - mariadb.openstack.org
   resources:

config/samples/mariadb_v1beta1_mariadbaccount.yaml

@@ -7,6 +7,19 @@ metadata:
     app.kubernetes.io/part-of: mariadb-operator
     app.kubernetes.io/managed-by: kustomize
     app.kubernetes.io/created-by: mariadb-operator
-  name: mariadbaccount-sample
+    mariaDBDatabaseName: neutron
+  name: neutron1
 spec:
-  # TODO(user): Add fields here
+  userName: neutron1
+  secret: neutrondb-secret
+
+---
+
+apiVersion: v1
+data:
+  # neutron123
+  DatabasePassword: bmV1dHJvbjEyMw==
+kind: Secret
+metadata:
+  name: neutrondb-secret
+type: Opaque