Merge pull request #14 from RocketChat/username-prefix

SRE-351 - Add option to add a prefix to each generated access request username (and remove extra unneeded production-aio related stuff)

.dockerignore

@@ -1,3 +1,4 @@
 # More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
 # Ignore build and test binaries.
 testbin/
+*.ignore

.gitignore

@@ -32,3 +32,4 @@ test_replicaset.txt
 mongoValues.yaml
 db-secret.yaml
 db-cluster.yaml
+*.ignore

Makefile

@@ -29,7 +29,7 @@ BUNDLE_METADATA_OPTS ?= $(BUNDLE_CHANNELS) $(BUNDLE_DEFAULT_CHANNEL)
 #
 # For example, running 'make bundle-build bundle-push catalog-build catalog-push' will build and push both
 # rocket.chat/airlock-bundle:$VERSION and rocket.chat/airlock-catalog:$VERSION.
-IMAGE_TAG_BASE ?= dockerhub.com/airlock
+IMAGE_TAG_BASE ?= rocketchat/airlock
 
 # BUNDLE_IMG defines the image:tag used for the bundle.
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
@@ -171,12 +171,6 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
 	$(KUSTOMIZE) build config/default | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
 
-.PHONY: production
-production: generate manifests kustomize ## Generate everything including the final manifests for installation in production.
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	mkdir -p production
-	$(KUSTOMIZE) build config/production > production/airlock-aio.yaml
-
 ##@ Build Dependencies
 
 ## Location to install dependencies to

api/v1alpha1/mongodbcluster_types.go

@@ -43,6 +43,9 @@ type MongoDBClusterSpec struct {
 	// +kubebuilder:default=mongodb
 	PrefixTemplate string `json:"prefixTemplate,omitempty"`
 
+	// Append this prefix to all default/generated usernames for this cluster. Will be overriden if "username" is specified.
+	UserNamePrefix string `json:"userNamePrefix,omitempty"`
+
 	// If this is set, Atlas API will be used instead of the regular mongo auth path.
 	UseAtlasApi bool `json:"useAtlasApi,omitempty"`
 }

config/crd/bases/airlock.cloud.rocket.chat_mongodbclusters.yaml

@@ -68,6 +68,10 @@ spec:
                 description: If this is set, Atlas API will be used instead of the
                   regular mongo auth path.
                 type: boolean
+              userNamePrefix:
+                description: Append this prefix to all default/generated usernames
+                  for this cluster. Will be overriden if "username" is specified.
+                type: string
             required:
             - connectionSecret
             - hostTemplate

config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: dockerhub.com/airlock
+  newName: rocketchat/airlock
   newTag: 0.1.0

config/samples/airlock_v1alpha1_mongodbaccessrequest.yaml

@@ -10,5 +10,14 @@ kind: MongoDBAccessRequest
 metadata:
   name: obrigado
 spec:
+  # In which cluster to create the user.
   clusterName: teste-atlas1
 
+  # Optional. Username to be created in the cluster. If not provided, will be the same as the access request name.
+  # userName: obrigado
+
+  # Optional. Database to be used for the user. If not provided, the user will have access to one that matches the access request name
+  # database: obrigado
+
+  # Optional. Secret name where the credentials will be stored. If not provided, will be the same as the access request name.
+  # secretName: obrigado

config/samples/airlock_v1alpha1_mongodbcluster.yaml

@@ -14,12 +14,27 @@ kind: MongoDBCluster
 metadata:
   name: teste-atlas1
 spec:
-  useAtlasApi: true
+  # The host with port that clients will receive when requesting credentials.
   hostTemplate: "cluster0.vpz0mct.mongodb.net"
+
+  # Secret in which Airlock will look for a ConnectionString or Atlas credentials, that will be used to connect to the cluster. 
+  connectionSecret: airlock-atlas-connection
+
+  # Optional. If this is set, Atlas API will be used instead of the regular mongo auth path.
+  useAtlasApi: true
+
+  # Optional. Extra connection string parameters that will be added to the connection string.
   optionsTemplate: ?retryWrites=true&w=majority
+
+  # Optional. The prefix used when building the connection string. Defaults to "mongodb"
   prefixTemplate: mongodb+srv
-  connectionSecret: airlock-atlas-connection
+
+  # Optional. Namespace where the connection secret is located. Defaults to "airlock-system"
   connectionSecretNamespace: airlock-system
+
+  # Optional. Append this prefix to all default/generated usernames for this cluster. Will be ignored if "username" is already set on the access request.
+  userNamePrefix: test-use1-
+
 ---
 apiVersion: v1
 kind: Secret
@@ -28,6 +43,7 @@ metadata:
   namespace: airlock-system
 type: Opaque
 stringData:
+  # It should have enough privileges to manage users and access. This is not gonna be used by the created users.
   connectionString: "mongodb://rcadmin:[email protected]/test?replicaSet=rs0"
 
 ---

controllers/mongodbaccessrequest_controller.go

@@ -98,28 +98,28 @@ func (r *MongoDBAccessRequestReconciler) Reconcile(ctx context.Context, req ctrl
 
 	mongodbClusterCR := &airlockv1alpha1.MongoDBCluster{}
 
-	err = r.generateAttributes(ctx, mongodbAccessRequestCR)
+	err = r.Get(ctx, types.NamespacedName{Namespace: "", Name: mongodbAccessRequestCR.Spec.ClusterName}, mongodbClusterCR)
 	if err != nil {
 		meta.SetStatusCondition(&mongodbAccessRequestCR.Status.Conditions,
 			metav1.Condition{
 				Type:               "Ready",
 				Status:             metav1.ConditionFalse,
-				Reason:             "AttributeGenerationFailed",
+				Reason:             "GetMongoDBClusterFailed",
 				LastTransitionTime: metav1.NewTime(time.Now()),
-				Message:            fmt.Sprintf("Attribute generation failed with error: %s", err.Error()),
+				Message:            fmt.Sprintf("Failed to get MongoDBCluster resource for %s: %s", mongodbAccessRequestCR.Spec.ClusterName, err.Error()),
 			})
 		return ctrl.Result{}, utilerrors.NewAggregate([]error{err, r.Status().Update(ctx, mongodbAccessRequestCR)})
 	}
 
-	err = r.Get(ctx, types.NamespacedName{Namespace: "", Name: mongodbAccessRequestCR.Spec.ClusterName}, mongodbClusterCR)
+	err = r.generateAttributes(ctx, mongodbAccessRequestCR, mongodbClusterCR)
 	if err != nil {
 		meta.SetStatusCondition(&mongodbAccessRequestCR.Status.Conditions,
 			metav1.Condition{
 				Type:               "Ready",
 				Status:             metav1.ConditionFalse,
-				Reason:             "GetMongoDBClusterFailed",
+				Reason:             "AttributeGenerationFailed",
 				LastTransitionTime: metav1.NewTime(time.Now()),
-				Message:            fmt.Sprintf("Failed to get MongoDBCluster resource for %s: %s", mongodbAccessRequestCR.Spec.ClusterName, err.Error()),
+				Message:            fmt.Sprintf("Attribute generation failed with error: %s", err.Error()),
 			})
 		return ctrl.Result{}, utilerrors.NewAggregate([]error{err, r.Status().Update(ctx, mongodbAccessRequestCR)})
 	}
@@ -374,7 +374,7 @@ func (r *MongoDBAccessRequestReconciler) reconcileSecret(ctx context.Context, re
 	return nil
 }
 
-func (r *MongoDBAccessRequestReconciler) generateAttributes(ctx context.Context, mongodbAccessRequestCR *airlockv1alpha1.MongoDBAccessRequest) error {
+func (r *MongoDBAccessRequestReconciler) generateAttributes(ctx context.Context, mongodbAccessRequestCR *airlockv1alpha1.MongoDBAccessRequest, mongodbClusterCR *airlockv1alpha1.MongoDBCluster) error {
 	changed := false
 
 	if mongodbAccessRequestCR.Spec.Database == "" {
@@ -383,7 +383,7 @@ func (r *MongoDBAccessRequestReconciler) generateAttributes(ctx context.Context,
 	}
 
 	if mongodbAccessRequestCR.Spec.UserName == "" {
-		mongodbAccessRequestCR.Spec.UserName = mongodbAccessRequestCR.Name
+		mongodbAccessRequestCR.Spec.UserName = mongodbClusterCR.Spec.UserNamePrefix + mongodbAccessRequestCR.Name
 		changed = true
 	}