Merge remote-tracking branch 'origin/main' into K8SPXC-1214

pooknull · pooknull · commit f1ce7b60a113 · 2025-11-24T13:54:03.000+02:00
diff --git a/config/crd/bases/pxc.percona.com_perconaxtradbclusters.yaml b/config/crd/bases/pxc.percona.com_perconaxtradbclusters.yaml
@@ -4417,6 +4417,29 @@ spec:
                   runtimeClassName:
                     type: string
                 type: object
+              passwordGenerationOptions:
+                properties:
+                  maxLength:
+                    default: 20
+                    maximum: 32
+                    minimum: 8
+                    type: integer
+                  minLength:
+                    default: 16
+                    maximum: 32
+                    minimum: 8
+                    type: integer
+                  symbols:
+                    default: '!#$%&()*+,-.<=>?@[]^_{}~'
+                    maxLength: 32
+                    type: string
+                required:
+                - maxLength
+                - minLength
+                - symbols
+                type: object
+                x-kubernetes-validations:
+                - rule: self.maxLength > self.minLength
               pause:
                 type: boolean
               platform:
diff --git a/deploy/backup/restore.yaml b/deploy/backup/restore.yaml
@@ -33,6 +33,9 @@ spec:
 #      credentialsSecret: my-cluster-name-backup-s3
 #      endpointUrl: https://s3.us-west-2.amazonaws.com/
 #      region: us-west-2
+#      caBundle:
+#        name: minio-ca-bundle
+#        key: tls.crt
 #    azure:
 #      container: <your-container-name>
 #      credentialsSecret: my-cluster-name-backup-azure
@@ -48,3 +51,6 @@ spec:
 #        credentialsSecret: my-cluster-name-backup-s3
 #        endpointUrl: https://s3.us-west-2.amazonaws.com/
 #        region: us-west-2
+#        caBundle:
+#          name: minio-ca-bundle
+#          key: tls.crt
diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml
@@ -5457,6 +5457,29 @@ spec:
                   runtimeClassName:
                     type: string
                 type: object
+              passwordGenerationOptions:
+                properties:
+                  maxLength:
+                    default: 20
+                    maximum: 32
+                    minimum: 8
+                    type: integer
+                  minLength:
+                    default: 16
+                    maximum: 32
+                    minimum: 8
+                    type: integer
+                  symbols:
+                    default: '!#$%&()*+,-.<=>?@[]^_{}~'
+                    maxLength: 32
+                    type: string
+                required:
+                - maxLength
+                - minLength
+                - symbols
+                type: object
+                x-kubernetes-validations:
+                - rule: self.maxLength > self.minLength
               pause:
                 type: boolean
               platform:
diff --git a/deploy/cr.yaml b/deploy/cr.yaml
@@ -761,3 +761,7 @@ spec:
           count: 5
           deleteFromStorage: true
         storageName: fs-pvc
+#  passwordGenerationOptions:
+#    symbols: "!#$%&()*+,-.<=>?@[]^_{}~"
+#    maxLength: 20
+#    minLength: 16
diff --git a/deploy/crd.yaml b/deploy/crd.yaml
@@ -5457,6 +5457,29 @@ spec:
                   runtimeClassName:
                     type: string
                 type: object
+              passwordGenerationOptions:
+                properties:
+                  maxLength:
+                    default: 20
+                    maximum: 32
+                    minimum: 8
+                    type: integer
+                  minLength:
+                    default: 16
+                    maximum: 32
+                    minimum: 8
+                    type: integer
+                  symbols:
+                    default: '!#$%&()*+,-.<=>?@[]^_{}~'
+                    maxLength: 32
+                    type: string
+                required:
+                - maxLength
+                - minLength
+                - symbols
+                type: object
+                x-kubernetes-validations:
+                - rule: self.maxLength > self.minLength
               pause:
                 type: boolean
               platform:
diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml
@@ -5457,6 +5457,29 @@ spec:
                   runtimeClassName:
                     type: string
                 type: object
+              passwordGenerationOptions:
+                properties:
+                  maxLength:
+                    default: 20
+                    maximum: 32
+                    minimum: 8
+                    type: integer
+                  minLength:
+                    default: 16
+                    maximum: 32
+                    minimum: 8
+                    type: integer
+                  symbols:
+                    default: '!#$%&()*+,-.<=>?@[]^_{}~'
+                    maxLength: 32
+                    type: string
+                required:
+                - maxLength
+                - minLength
+                - symbols
+                type: object
+                x-kubernetes-validations:
+                - rule: self.maxLength > self.minLength
               pause:
                 type: boolean
               platform:
diff --git a/pkg/apis/pxc/v1/pxc_types.go b/pkg/apis/pxc/v1/pxc_types.go
@@ -30,26 +30,27 @@ import (
 
 // PerconaXtraDBClusterSpec defines the desired state of PerconaXtraDBCluster
 type PerconaXtraDBClusterSpec struct {
-	Platform               version.Platform                     `json:"platform,omitempty"`
-	CRVersion              string                               `json:"crVersion,omitempty"`
-	Pause                  bool                                 `json:"pause,omitempty"`
-	SecretsName            string                               `json:"secretsName,omitempty"`
-	VaultSecretName        string                               `json:"vaultSecretName,omitempty"`
-	SSLSecretName          string                               `json:"sslSecretName,omitempty"`
-	SSLInternalSecretName  string                               `json:"sslInternalSecretName,omitempty"`
-	LogCollectorSecretName string                               `json:"logCollectorSecretName,omitempty"`
-	TLS                    *TLSSpec                             `json:"tls,omitempty"`
-	PXC                    *PXCSpec                             `json:"pxc,omitempty"`
-	ProxySQL               *ProxySQLSpec                        `json:"proxysql,omitempty"`
-	HAProxy                *HAProxySpec                         `json:"haproxy,omitempty"`
-	PMM                    *PMMSpec                             `json:"pmm,omitempty"`
-	LogCollector           *LogCollectorSpec                    `json:"logcollector,omitempty"`
-	Backup                 *BackupSpec                          `json:"backup,omitempty"`
-	UpdateStrategy         appsv1.StatefulSetUpdateStrategyType `json:"updateStrategy,omitempty"`
-	UpgradeOptions         UpgradeOptions                       `json:"upgradeOptions,omitempty"`
-	AllowUnsafeConfig      bool                                 `json:"allowUnsafeConfigurations,omitempty"`
-	Unsafe                 UnsafeFlags                          `json:"unsafeFlags,omitempty"`
-	VolumeExpansionEnabled bool                                 `json:"enableVolumeExpansion,omitempty"`
+	Platform                  version.Platform                     `json:"platform,omitempty"`
+	CRVersion                 string                               `json:"crVersion,omitempty"`
+	Pause                     bool                                 `json:"pause,omitempty"`
+	SecretsName               string                               `json:"secretsName,omitempty"`
+	PasswordGenerationOptions *PasswordGenerationOptions           `json:"passwordGenerationOptions,omitempty"`
+	VaultSecretName           string                               `json:"vaultSecretName,omitempty"`
+	SSLSecretName             string                               `json:"sslSecretName,omitempty"`
+	SSLInternalSecretName     string                               `json:"sslInternalSecretName,omitempty"`
+	LogCollectorSecretName    string                               `json:"logCollectorSecretName,omitempty"`
+	TLS                       *TLSSpec                             `json:"tls,omitempty"`
+	PXC                       *PXCSpec                             `json:"pxc,omitempty"`
+	ProxySQL                  *ProxySQLSpec                        `json:"proxysql,omitempty"`
+	HAProxy                   *HAProxySpec                         `json:"haproxy,omitempty"`
+	PMM                       *PMMSpec                             `json:"pmm,omitempty"`
+	LogCollector              *LogCollectorSpec                    `json:"logcollector,omitempty"`
+	Backup                    *BackupSpec                          `json:"backup,omitempty"`
+	UpdateStrategy            appsv1.StatefulSetUpdateStrategyType `json:"updateStrategy,omitempty"`
+	UpgradeOptions            UpgradeOptions                       `json:"upgradeOptions,omitempty"`
+	AllowUnsafeConfig         bool                                 `json:"allowUnsafeConfigurations,omitempty"`
+	Unsafe                    UnsafeFlags                          `json:"unsafeFlags,omitempty"`
+	VolumeExpansionEnabled    bool                                 `json:"enableVolumeExpansion,omitempty"`
 
 	// Deprecated, should be removed in the future. Use InitContainer.Image instead
 	InitImage string `json:"initImage,omitempty"`
@@ -62,6 +63,37 @@ type PerconaXtraDBClusterSpec struct {
 	Users []User `json:"users,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="self.maxLength > self.minLength"
+type PasswordGenerationOptions struct {
+	// Special symbols to include in password generation
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MaxLength=32
+	// +kubebuilder:default="!#$%&()*+,-.<=>?@[]^_{}~"
+	Symbols string `json:"symbols"`
+	// Max password length
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Maximum=32
+	// +kubebuilder:validation:Minimum=8
+	// +kubebuilder:default=20
+	MaxLength int `json:"maxLength"`
+	// Min password length
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Maximum=32
+	// +kubebuilder:validation:Minimum=8
+	// +kubebuilder:default=16
+	MinLength int `json:"minLength"`
+}
+
+func (cr *PerconaXtraDBCluster) setPasswordGenerationOptionsDefaults() {
+	if cr.Spec.PasswordGenerationOptions == nil {
+		cr.Spec.PasswordGenerationOptions = &PasswordGenerationOptions{
+			Symbols:   "!#$%&()*+,-.<=>?@[]^_{}~",
+			MaxLength: 20,
+			MinLength: 16,
+		}
+	}
+}
+
 type SecretKeySelector struct {
 	Name string `json:"name"`
 	Key  string `json:"key,omitempty"`
@@ -1194,6 +1226,7 @@ func (cr *PerconaXtraDBCluster) CheckNSetDefaults(serverVersion *version.ServerV
 
 	cr.setProbesDefaults()
 	cr.setPodSecurityContext()
+	cr.setPasswordGenerationOptionsDefaults()
 
 	if cr.Spec.EnableCRValidationWebhook == nil {
 		falseVal := false
diff --git a/pkg/apis/pxc/v1/zz_generated.deepcopy.go b/pkg/apis/pxc/v1/zz_generated.deepcopy.go
diff --git a/pkg/controller/pxc/secrets.go b/pkg/controller/pxc/secrets.go
@@ -39,7 +39,7 @@ func (r *ReconcilePerconaXtraDBCluster) reconcileUsersSecret(ctx context.Context
 		if err := validatePasswords(secretObj); err != nil {
 			return nil, errors.Wrap(err, "validate passwords")
 		}
-		isChanged, err := setUserSecretDefaults(secretObj)
+		isChanged, err := setUserSecretDefaults(secretObj, cr.Spec.PasswordGenerationOptions)
 		if err != nil {
 			return nil, errors.Wrap(err, "set user secret defaults")
 		}
@@ -64,7 +64,7 @@ func (r *ReconcilePerconaXtraDBCluster) reconcileUsersSecret(ctx context.Context
 		Type: corev1.SecretTypeOpaque,
 	}
 
-	if _, err = setUserSecretDefaults(secretObj); err != nil {
+	if _, err = setUserSecretDefaults(secretObj, cr.Spec.PasswordGenerationOptions); err != nil {
 		return nil, errors.Wrap(err, "set user secret defaults")
 	}
 
@@ -77,14 +77,14 @@ func (r *ReconcilePerconaXtraDBCluster) reconcileUsersSecret(ctx context.Context
 	return secretObj, nil
 }
 
-func setUserSecretDefaults(secret *corev1.Secret) (isChanged bool, err error) {
+func setUserSecretDefaults(secret *corev1.Secret, secretsOptions *api.PasswordGenerationOptions) (isChanged bool, err error) {
 	if secret.Data == nil {
 		secret.Data = make(map[string][]byte)
 	}
 	users := []string{users.Root, users.Xtrabackup, users.Monitor, users.ProxyAdmin, users.Operator, users.Replication}
 	for _, user := range users {
 		if pass, ok := secret.Data[user]; !ok || len(pass) == 0 {
-			secret.Data[user], err = generatePass()
+			secret.Data[user], err = generatePass(secretsOptions)
 			if err != nil {
 				return false, errors.Wrapf(err, "create %s users password", user)
 			}
@@ -96,20 +96,18 @@ func setUserSecretDefaults(secret *corev1.Secret) (isChanged bool, err error) {
 }
 
 const (
-	passwordMaxLen = 20
-	passwordMinLen = 16
-	passSymbols    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
+	passBaseSymbols = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
 		"abcdefghijklmnopqrstuvwxyz" +
-		"0123456789" +
-		"!#$%&()*+,-.<=>?@[]^_{}~"
+		"0123456789"
 )
 
-// generatePass generates a random password
-func generatePass() ([]byte, error) {
+// generatePass generates a random password with or without special symbols
+func generatePass(secretsOptions *api.PasswordGenerationOptions) ([]byte, error) {
 	mrand.Seed(time.Now().UnixNano())
-	ln := mrand.Intn(passwordMaxLen-passwordMinLen) + passwordMinLen
+	ln := mrand.Intn(secretsOptions.MaxLength-secretsOptions.MinLength) + secretsOptions.MinLength
 	b := make([]byte, ln)
 	for i := 0; i < ln; i++ {
+		passSymbols := passBaseSymbols + secretsOptions.Symbols
 		randInt, err := rand.Int(rand.Reader, big.NewInt(int64(len(passSymbols))))
 		if err != nil {
 			return nil, errors.Wrap(err, "get rand int")
diff --git a/pkg/controller/pxc/secrets_test.go b/pkg/controller/pxc/secrets_test.go
diff --git a/pkg/controller/pxc/users.go b/pkg/controller/pxc/users.go
diff --git a/pkg/controller/pxc/users_custom.go b/pkg/controller/pxc/users_custom.go
