migrate from databaseUsername to databaseAccount and fully use MariaD…

…BAccount

This will move neutron to fully use MariaDBAccount based on the dev work
being done for mariadb-operator:

openstack-k8s-operators/mariadb-operator#184

Depends-On: openstack-k8s-operators/openstack-operator#656

api/bases/neutron.openstack.org_neutronapis.yaml

@@ -59,17 +59,16 @@ spec:
                   added to to /etc/<service>/<service>.conf.d directory as custom.conf
                   file.
                 type: string
+              databaseAccount:
+                default: neutron
+                description: DatabaseAccount - optional username used for neutron
+                  DB, defaults to neutron
+                type: string
               databaseInstance:
                 description: MariaDB instance name Right now required by the maridb-operator
                   to get the credentials from the instance to create the DB Might
                   not be required in future
                 type: string
-              databaseUser:
-                default: neutron
-                description: 'DatabaseUser - optional username used for neutron DB,
-                  defaults to neutron TODO: -> implement needs work in mariadb-operator,
-                  right now only neutron'
-                type: string
               defaultConfigOverwrite:
                 additionalProperties:
                   type: string
@@ -2129,17 +2128,10 @@ spec:
                 type: object
               passwordSelectors:
                 default:
-                  database: NeutronDatabasePassword
                   service: NeutronPassword
-                description: PasswordSelectors - Selectors to identify the DB and
-                  ServiceUser password from the Secret
+                description: PasswordSelectors - Selectors to identify the ServiceUser
+                  password from the Secret
                 properties:
-                  database:
-                    default: NeutronDatabasePassword
-                    description: 'Database - Selector to get the neutron database
-                      user password from the Secret TODO: not used, need change in
-                      mariadb-operator'
-                    type: string
                   service:
                     default: NeutronPassword
                     description: Database - Selector to get the neutron service password
@@ -2214,7 +2206,7 @@ spec:
                 type: object
               secret:
                 description: Secret containing OpenStack password information for
-                  NeutronDatabasePassword, NeutronPassword
+                  NeutronPassword
                 type: string
               serviceUser:
                 default: neutron

api/v1beta1/neutronapi_types.go

@@ -55,9 +55,8 @@ type NeutronAPISpec struct {
 
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default=neutron
-	// DatabaseUser - optional username used for neutron DB, defaults to neutron
-	// TODO: -> implement needs work in mariadb-operator, right now only neutron
-	DatabaseUser string `json:"databaseUser"`
+	// DatabaseAccount - optional username used for neutron DB, defaults to neutron
+	DatabaseAccount string `json:"databaseAccount"`
 
 	// +kubebuilder:validation:Required
 	// +kubebuilder:default=rabbitmq
@@ -82,12 +81,12 @@ type NeutronAPISpec struct {
 	Replicas *int32 `json:"replicas"`
 
 	// +kubebuilder:validation:Required
-	// Secret containing OpenStack password information for NeutronDatabasePassword, NeutronPassword
+	// Secret containing OpenStack password information for NeutronPassword
 	Secret string `json:"secret"`
 
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default={database: NeutronDatabasePassword, service: NeutronPassword}
-	// PasswordSelectors - Selectors to identify the DB and ServiceUser password from the Secret
+	// +kubebuilder:default={service: NeutronPassword}
+	// PasswordSelectors - Selectors to identify the ServiceUser password from the Secret
 	PasswordSelectors PasswordSelector `json:"passwordSelectors"`
 
 	// +kubebuilder:validation:Optional
@@ -143,11 +142,6 @@ type APIOverrideSpec struct {
 
 // PasswordSelector to identify the DB and AdminUser password from the Secret
 type PasswordSelector struct {
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:default="NeutronDatabasePassword"
-	// Database - Selector to get the neutron database user password from the Secret
-	// TODO: not used, need change in mariadb-operator
-	Database string `json:"database"`
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default="NeutronPassword"
 	// Database - Selector to get the neutron service password from the Secret

config/crd/bases/neutron.openstack.org_neutronapis.yaml

@@ -59,17 +59,16 @@ spec:
                   added to to /etc/<service>/<service>.conf.d directory as custom.conf
                   file.
                 type: string
+              databaseAccount:
+                default: neutron
+                description: DatabaseAccount - optional username used for neutron
+                  DB, defaults to neutron
+                type: string
               databaseInstance:
                 description: MariaDB instance name Right now required by the maridb-operator
                   to get the credentials from the instance to create the DB Might
                   not be required in future
                 type: string
-              databaseUser:
-                default: neutron
-                description: 'DatabaseUser - optional username used for neutron DB,
-                  defaults to neutron TODO: -> implement needs work in mariadb-operator,
-                  right now only neutron'
-                type: string
               defaultConfigOverwrite:
                 additionalProperties:
                   type: string
@@ -2129,17 +2128,10 @@ spec:
                 type: object
               passwordSelectors:
                 default:
-                  database: NeutronDatabasePassword
                   service: NeutronPassword
-                description: PasswordSelectors - Selectors to identify the DB and
-                  ServiceUser password from the Secret
+                description: PasswordSelectors - Selectors to identify the ServiceUser
+                  password from the Secret
                 properties:
-                  database:
-                    default: NeutronDatabasePassword
-                    description: 'Database - Selector to get the neutron database
-                      user password from the Secret TODO: not used, need change in
-                      mariadb-operator'
-                    type: string
                   service:
                     default: NeutronPassword
                     description: Database - Selector to get the neutron service password
@@ -2214,7 +2206,7 @@ spec:
                 type: object
               secret:
                 description: Secret containing OpenStack password information for
-                  NeutronDatabasePassword, NeutronPassword
+                  NeutronPassword
                 type: string
               serviceUser:
                 default: neutron

config/samples/neutron_v1beta1_neutronapi.yaml

@@ -9,7 +9,7 @@ spec:
     [DEFAULT]
     debug = true
   databaseInstance: openstack
-  databaseUser: neutron
+  databaseAccount: neutron
   rabbitMqClusterName: rabbitmq
   memcachedInstance: memcached
   preserveJobs: false

config/samples/neutron_v1beta1_neutronapi_tls.yaml

@@ -9,7 +9,7 @@ spec:
     [DEFAULT]
     debug = true
   databaseInstance: openstack
-  databaseUser: neutron
+  databaseAccount: neutron
   rabbitMqClusterName: rabbitmq
   memcachedInstance: memcached
   preserveJobs: false

controllers/neutronapi_controller.go

@@ -399,16 +399,14 @@ func (r *NeutronAPIReconciler) reconcileInit(
 
 	// create neutron DB instance
 	//
-	db := mariadbv1.NewDatabaseWithNamespace(
-		neutronapi.Database,
-		instance.Spec.DatabaseUser,
-		instance.Spec.Secret,
-		map[string]string{
-			"dbName": instance.Spec.DatabaseInstance,
-		},
-		neutronapi.Database,
-		instance.Namespace,
+	db := mariadbv1.NewDatabaseForAccount(
+		instance.Spec.DatabaseInstance, // mariadb/galera service to target
+		neutronapi.Database,            // name used in CREATE DATABASE in mariadb
+		neutronapi.Database,            // CR name for MariaDBDatabase
+		instance.Spec.DatabaseAccount,  // CR name for MariaDBAccount
+		instance.Namespace,             // namespace
 	)
+
 	// create or patch the DB
 	ctrlResult, err := db.CreateOrPatchDBByName(
 		ctx,
@@ -683,6 +681,12 @@ func (r *NeutronAPIReconciler) reconcileInit(
 	instance.Status.Conditions.MarkTrue(condition.ExposeServiceReadyCondition, condition.ExposeServiceReadyMessage)
 	// expose service - end
 
+	// remove finalizers from unused MariaDBAccount records
+	err = mariadbv1.DeleteUnusedMariaDBAccountFinalizers(ctx, helper, neutronapi.Database, instance.Spec.DatabaseAccount, instance.Namespace)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
 	// update status with endpoint information
 	Log.Info("Reconciling neutron KeystoneService")
 
@@ -913,6 +917,28 @@ func (r *NeutronAPIReconciler) reconcileNormal(ctx context.Context, instance *ne
 	instance.Status.Conditions.MarkTrue(condition.MemcachedReadyCondition, condition.MemcachedReadyMessage)
 	// run check memcached - end
 
+	// ensure MariaDBAccount exists.  This account record may be created by
+	// openstack-operator or the cloud operator up front without a specific
+	// MariaDBDatabase configured yet.   Otherwise, a MariaDBAccount CR is
+	// created here with a generated username as well as a secret with
+	// generated password.   The MariaDBAccount is created without being
+	// yet associated with any MariaDBDatabase.
+	_, _, err = mariadbv1.EnsureMariaDBAccount(
+		ctx, helper, instance.Spec.DatabaseAccount,
+		instance.Namespace, false,
+	)
+
+	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			mariadbv1.MariaDBAccountReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			mariadbv1.MariaDBAccountNotReadyMessage,
+			err.Error()))
+
+		return ctrl.Result{}, err
+	}
+
 	err = r.reconcileExternalSecrets(ctx, helper, instance, &secretVars)
 	if err != nil {
 		Log.Error(err, "Failed to reconcile external Secrets")
@@ -1469,13 +1495,17 @@ func (r *NeutronAPIReconciler) generateServiceSecrets(
 
 	// Other OpenStack services
 	servicePassword := string(ospSecret.Data[instance.Spec.PasswordSelectors.Service])
-	databasePassword := string(ospSecret.Data[instance.Spec.PasswordSelectors.Database])
 	templateParameters["ServicePassword"] = servicePassword
 
 	// Database
+	databaseAccount, dbSecret, err := mariadbv1.GetAccountAndSecret(ctx, h, instance.Spec.DatabaseAccount, instance.Namespace)
+	if err != nil {
+		return err
+	}
+
 	templateParameters["DbHost"] = instance.Status.DatabaseHostname
-	templateParameters["DbUser"] = instance.Spec.DatabaseUser
-	templateParameters["DbPassword"] = databasePassword
+	templateParameters["DbUser"] = databaseAccount.Spec.UserName
+	templateParameters["DbPassword"] = dbSecret.Data[mariadbv1.DatabasePasswordSelector]
 	templateParameters["Db"] = neutronapi.Database
 
 	// OVN

test/functional/neutronapi_controller_test.go

@@ -94,7 +94,7 @@ var _ = Describe("NeutronAPI controller", func() {
 		It("should have the Spec fields initialized", func() {
 			NeutronAPI := GetNeutronAPI(neutronAPIName)
 			Expect(NeutronAPI.Spec.DatabaseInstance).Should(Equal("test-neutron-db-instance"))
-			Expect(NeutronAPI.Spec.DatabaseUser).Should(Equal("neutron"))
+			Expect(NeutronAPI.Spec.DatabaseAccount).Should(Equal("neutron"))
 			Expect(NeutronAPI.Spec.RabbitMqClusterName).Should(Equal("rabbitmq"))
 			Expect(NeutronAPI.Spec.MemcachedInstance).Should(Equal("memcached"))
 			Expect(*(NeutronAPI.Spec.Replicas)).Should(Equal(int32(1)))

test/kuttl/common/assert_sample_deployment.yaml

@@ -17,9 +17,8 @@ spec:
     [DEFAULT]
     debug = true
   databaseInstance: openstack
-  databaseUser: neutron
+  databaseAccount: neutron
   passwordSelectors:
-    database: NeutronDatabasePassword
     service: NeutronPassword
   preserveJobs: false
   rabbitMqClusterName: rabbitmq