k8ssandra · Miles-Garnsey · Jan 15, 2024 · Jan 10, 2024 · Jan 11, 2024 · Jan 11, 2024
@@ -56,7 +56,7 @@ type ReaperTemplate struct {
 
 	// Defines the secret which contains the username and password for the Reaper UI and REST API authentication.
 	// +optional
-	UiUserSecretRef corev1.LocalObjectReference `json:"uiUserSecretRef,omitempty"`
+	UiUserSecretRef *corev1.LocalObjectReference `json:"uiUserSecretRef,omitempty"`
 
 	// SecretsProvider defines whether the secrets used for credentials and certs will be backed
 	// by an external secret backend. This moves the responsibility of generating and storing

@@ -104,7 +104,8 @@ func (r *K8ssandraClusterReconciler) reconcileReaper(
 
 		logger.Info("Reaper present for DC " + actualDc.DatacenterName())
 
-		desiredReaper, err := reaper.NewReaper(reaperKey, kc, actualDc, reaperTemplate)
+		desiredReaper, err := reaper.NewReaper(reaperKey, kc, actualDc, reaperTemplate, logger)
+
 		if err != nil {
 			logger.Error(err, "failed to create Reaper API object")
 			return result.Error(err)

@@ -66,22 +66,26 @@
 			var uiUserSecretRef corev1.LocalObjectReference
 			if kc.Spec.Reaper != nil {
 				cassandraUserSecretRef = kc.Spec.Reaper.CassandraUserSecretRef
-				uiUserSecretRef = kc.Spec.Reaper.UiUserSecretRef
+				if kc.Spec.Reaper.UiUserSecretRef != nil {
+					uiUserSecretRef = *kc.Spec.Reaper.UiUserSecretRef
+				}
 			}
 			if cassandraUserSecretRef.Name == "" {
 				cassandraUserSecretRef.Name = reaper.DefaultUserSecretName(kc.SanitizedName())
 			}
-			if uiUserSecretRef.Name == "" {
+			if kc.Spec.Reaper.UiUserSecretRef == nil {
 				uiUserSecretRef.Name = reaper.DefaultUiSecretName(kc.SanitizedName())
 			}
 			kcKey := utils.GetKey(kc)
 			if err := secret.ReconcileSecret(ctx, r.Client, cassandraUserSecretRef.Name, kcKey); err != nil {
 				logger.Error(err, "Failed to reconcile Reaper CQL user secret", "ReaperCassandraUserSecretRef", cassandraUserSecretRef)
 				return result.Error(err)
 			}
-			if err := secret.ReconcileSecret(ctx, r.Client, uiUserSecretRef.Name, kcKey); err != nil {
-				logger.Error(err, "Failed to reconcile Reaper UI secret", "ReaperUiUserSecretRef", uiUserSecretRef)
-				return result.Error(err)
+			if kc.Spec.Reaper.UiUserSecretRef == nil || kc.Spec.Reaper.UiUserSecretRef.Name != "" {
+				if err := secret.ReconcileSecret(ctx, r.Client, uiUserSecretRef.Name, kcKey); err != nil {
+					logger.Error(err, "Failed to reconcile Reaper UI secret", "ReaperUiUserSecretRef", uiUserSecretRef)
+					return result.Error(err)
+				}
 			}
 			logger.Info("Reaper user secrets successfully reconciled")
 

@@ -328,7 +328,8 @@ func (r *ReaperReconciler) configureReaper(ctx context.Context, actualReaper *re
 }
 
 func (r *ReaperReconciler) getReaperUICredentials(ctx context.Context, actualReaper *reaperapi.Reaper, logger logr.Logger) (string, string, error) {
-	if actualReaper.Spec.UiUserSecretRef.Name == "" {
+
+	if actualReaper.Spec.UiUserSecretRef == nil || actualReaper.Spec.UiUserSecretRef.Name == "" {
 		// The UI user secret doesn't exist, meaning auth is disabled
 		return "", "", nil
 	}
@@ -383,11 +384,11 @@ func (r *ReaperReconciler) collectAuthVarsForType(ctx context.Context, actualRea
 		secretRef = &actualReaper.Spec.CassandraUserSecretRef
 		envVars = []*corev1.EnvVar{}
 	case "ui":
-		secretRef = &actualReaper.Spec.UiUserSecretRef
+		secretRef = actualReaper.Spec.UiUserSecretRef
 		envVars = []*corev1.EnvVar{reaper.EnableAuthVar}
 	}
 
-	if len(secretRef.Name) > 0 && !actualReaper.Spec.UseExternalSecrets() {
+	if secretRef != nil && len(secretRef.Name) > 0 && !actualReaper.Spec.UseExternalSecrets() {
 		secretKey := types.NamespacedName{Namespace: actualReaper.Namespace, Name: secretRef.Name}
 		if secret, err := r.getSecret(ctx, secretKey); err != nil {
 			logger.Error(err, "Failed to get Cassandra authentication secret", authType, secretKey)

@@ -380,7 +380,7 @@ func testCreateReaperWithAuthEnabled(t *testing.T, ctx context.Context, k8sClien
 	t.Log("create the Reaper object and modify it")
 	rpr := newReaper(testNamespace)
 	rpr.Spec.CassandraUserSecretRef.Name = "top-secret-cass"
-	rpr.Spec.UiUserSecretRef.Name = "top-secret-ui"
+	rpr.Spec.UiUserSecretRef = &corev1.LocalObjectReference{Name: "top-secret-ui"}
 	err = k8sClient.Create(ctx, rpr)
 	require.NoError(t, err)
 
@@ -477,7 +477,7 @@ func testCreateReaperWithAuthEnabledExternalSecret(t *testing.T, ctx context.Con
 	//lint:ignore SA1019 Verify deprecated method is ineffective
 	rpr.Spec.JmxUserSecretRef.Name = "top-secret-jmx" //nolint:staticcheck
 
-	rpr.Spec.UiUserSecretRef.Name = "top-secret-ui"
+	rpr.Spec.UiUserSecretRef = &corev1.LocalObjectReference{Name: "top-secret-ui"}
 	err = k8sClient.Create(ctx, rpr)
 	require.NoError(t, err)
 

@@ -1,6 +1,7 @@
 package reaper
 
 import (
+	"github.com/go-logr/logr"
 	cassdcapi "github.com/k8ssandra/cass-operator/apis/cassandra/v1beta1"
 	k8ssandraapi "github.com/k8ssandra/k8ssandra-operator/apis/k8ssandra/v1alpha1"
 	reaperapi "github.com/k8ssandra/k8ssandra-operator/apis/reaper/v1alpha1"
@@ -32,6 +33,7 @@
 	kc *k8ssandraapi.K8ssandraCluster,
 	dc *cassdcapi.CassandraDatacenter,
 	reaperTemplate *reaperapi.ReaperClusterTemplate,
+	logger logr.Logger,
 ) (*reaperapi.Reaper, error) {
 	labels := createResourceLabels(kc)
 	var anns map[string]string
@@ -58,6 +60,7 @@
 		},
 	}
 	if kc.Spec.IsAuthEnabled() && !kc.Spec.UseExternalSecrets() {
+		logger.Info("Auth is enabled, adding user secrets to Reaper spec")
 		// if auth is enabled in this cluster, the k8ssandra controller will automatically create two secrets for
 		// Reaper: one for CQL and JMX connections, one for the UI. Here we assume that these secrets exist. If the
 		// secrets were specified by the user they should be already present in desiredReaper.Spec; otherwise, we assume
@@ -67,8 +70,8 @@
 			desiredReaper.Spec.CassandraUserSecretRef.Name = DefaultUserSecretName(kc.SanitizedName())
 		}
 		// Note: deliberately skip JmxUserSecretRef, which is deprecated.
-		if desiredReaper.Spec.UiUserSecretRef.Name == "" {
-			desiredReaper.Spec.UiUserSecretRef.Name = DefaultUiSecretName(kc.SanitizedName())
+		if kc.Spec.Reaper.UiUserSecretRef == nil && kc.Spec.IsAuthEnabled() {
+			desiredReaper.Spec.UiUserSecretRef = &corev1.LocalObjectReference{Name: DefaultUiSecretName(kc.SanitizedName())}
 		}
 
 		if desiredReaper.Spec.ResourceMeta == nil {
@@ -79,10 +82,14 @@
 		if err != nil {
 			return desiredReaper, err
 		}
-		err = secret.AddInjectionAnnotationReaperContainers(&desiredReaper.Spec.ResourceMeta.Pods, desiredReaper.Spec.UiUserSecretRef.Name)
-		if err != nil {
-			return desiredReaper, err
+		if desiredReaper.Spec.UiUserSecretRef != nil && desiredReaper.Spec.UiUserSecretRef.Name != "" {
+			err = secret.AddInjectionAnnotationReaperContainers(&desiredReaper.Spec.ResourceMeta.Pods, desiredReaper.Spec.UiUserSecretRef.Name)
+			if err != nil {
+				return desiredReaper, err
+			}
 		}
+	} else {
+		logger.Info("Auth not enabled, no secrets added to Reaper spec")
 	}
 	// If the cluster is already initialized and some DCs are flagged as stopped, we cannot achieve QUORUM in the
 	// cluster for Reaper's keyspace. In this case we simply skip schema migration, otherwise Reaper wouldn't be able to