use secret refs for database user passwords (#3005)

Author: s-urbaniak

config/openapi2crd.yaml

@@ -210,3 +210,5 @@ spec:
             schema: 'CloudDatabaseUser'
             filters:
               readWriteOnly: true
+              sensitiveProperties:
+                - $.password

internal/generated/controller/databaseuser/handler.go

@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 
+	v1 "k8s.io/api/core/v1"
 	controllerruntime "sigs.k8s.io/controller-runtime"
 	builder "sigs.k8s.io/controller-runtime/pkg/builder"
 	client "sigs.k8s.io/controller-runtime/pkg/client"
@@ -152,7 +153,7 @@ func (h *Handler) For() (client.Object, builder.Predicates) {
 }
 func (h *Handler) SetupWithManager(mgr controllerruntime.Manager, rec reconcile.Reconciler, defaultOptions controller.Options) error {
 	h.Client = mgr.GetClient()
-	return controllerruntime.NewControllerManagedBy(mgr).Named("DatabaseUser").For(h.For()).Watches(&akov2generated.Group{}, handler.EnqueueRequestsFromMapFunc(indexers.NewDatabaseUserByGroupMapFunc(h.Client)), builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})).WithOptions(defaultOptions).Complete(rec)
+	return controllerruntime.NewControllerManagedBy(mgr).Named("DatabaseUser").For(h.For()).Watches(&v1.Secret{}, handler.EnqueueRequestsFromMapFunc(indexers.NewDatabaseUserBySecretMapFunc(h.Client)), builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})).Watches(&akov2generated.Group{}, handler.EnqueueRequestsFromMapFunc(indexers.NewDatabaseUserByGroupMapFunc(h.Client)), builder.WithPredicates(predicate.ResourceVersionChangedPredicate{})).WithOptions(defaultOptions).Complete(rec)
 }
 
 // getSDKClientSet creates an Atlas SDK client set using credentials from the resource's connection secret

internal/generated/crds/crds.yaml

@@ -1838,6 +1838,20 @@ metadata:
           properties:
             v20250312:
               properties:
+                entry:
+                  properties:
+                    passwordSecretRef:
+                      x-kubernetes-mapping:
+                        nameSelector: .name
+                        propertySelectors:
+                        - $.data.#
+                        type:
+                          kind: Secret
+                          resource: secrets
+                          version: v1
+                      x-openapi-mapping:
+                        property: .password
+                        type: string
                 groupRef:
                   x-kubernetes-mapping:
                     nameSelector: .name
@@ -1956,12 +1970,26 @@ spec:
                           authentication group, specify the value of IDP_GROUP in
                           this field.
                         type: string
-                      password:
-                        description: Alphanumeric string that authenticates this database
-                          user against the database specified in `databaseName`. To
-                          authenticate with SCRAM-SHA, you must specify this parameter.
-                          This parameter doesn't appear in this response.
-                        type: string
+                      passwordSecretRef:
+                        description: |-
+                          SENSITIVE FIELD
+
+                          Reference to a secret containing data for the "password" field:
+
+                          Alphanumeric string that authenticates this database user against the database specified in `databaseName`. To authenticate with SCRAM-SHA, you must specify this parameter. This parameter doesn't appear in this response.
+                        properties:
+                          key:
+                            default: .data.password
+                            description: Key of the secret data containing the sensitive
+                              field value, defaults to "password".
+                            type: string
+                          name:
+                            description: Name of the secret containing the sensitive
+                              field value.
+                            type: string
+                        required:
+                        - name
+                        type: object
                       roles:
                         description: List that provides the pairings of one role with
                           one applicable database.

internal/generated/indexers/clusterbygroup.go

@@ -53,7 +53,7 @@ func (i *ClusterByGroupIndexer) Keys(object client.Object) []string {
 		return nil
 	}
 	var keys []string
-	if resource.Spec.V20250312.GroupRef != nil && resource.Spec.V20250312.GroupRef.Name != "" {
+	if resource.Spec.V20250312 != nil && resource.Spec.V20250312.GroupRef != nil && resource.Spec.V20250312.GroupRef.Name != "" {
 		keys = append(keys, types.NamespacedName{
 			Name:      resource.Spec.V20250312.GroupRef.Name,
 			Namespace: resource.Namespace,

internal/generated/indexers/databaseuserbygroup.go

@@ -53,7 +53,7 @@ func (i *DatabaseUserByGroupIndexer) Keys(object client.Object) []string {
 		return nil
 	}
 	var keys []string
-	if resource.Spec.V20250312.GroupRef != nil && resource.Spec.V20250312.GroupRef.Name != "" {
+	if resource.Spec.V20250312 != nil && resource.Spec.V20250312.GroupRef != nil && resource.Spec.V20250312.GroupRef.Name != "" {
 		keys = append(keys, types.NamespacedName{
 			Name:      resource.Spec.V20250312.GroupRef.Name,
 			Namespace: resource.Namespace,

internal/generated/indexers/databaseuserbysecret.go

@@ -0,0 +1,91 @@
+// Copyright 2025 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// 	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package indexer
+
+import (
+	"context"
+
+	zap "go.uber.org/zap"
+	fields "k8s.io/apimachinery/pkg/fields"
+	types "k8s.io/apimachinery/pkg/types"
+	client "sigs.k8s.io/controller-runtime/pkg/client"
+	handler "sigs.k8s.io/controller-runtime/pkg/handler"
+	log "sigs.k8s.io/controller-runtime/pkg/log"
+	reconcile "sigs.k8s.io/controller-runtime/pkg/reconcile"
+
+	v1 "github.com/mongodb/mongodb-atlas-kubernetes/v2/internal/nextapi/generated/v1"
+)
+
+// nolint:dupl
+const DatabaseUserBySecretIndex = "databaseuser.passwordSecretRef"
+
+type DatabaseUserBySecretIndexer struct {
+	logger *zap.SugaredLogger
+}
+
+func NewDatabaseUserBySecretIndexer(logger *zap.Logger) *DatabaseUserBySecretIndexer {
+	return &DatabaseUserBySecretIndexer{logger: logger.Named(DatabaseUserBySecretIndex).Sugar()}
+}
+func (*DatabaseUserBySecretIndexer) Object() client.Object {
+	return &v1.DatabaseUser{}
+}
+func (*DatabaseUserBySecretIndexer) Name() string {
+	return DatabaseUserBySecretIndex
+}
+
+// Keys extracts the index key(s) from the given object
+func (i *DatabaseUserBySecretIndexer) Keys(object client.Object) []string {
+	resource, ok := object.(*v1.DatabaseUser)
+	if !ok {
+		i.logger.Errorf("expected *v1.DatabaseUser but got %T", object)
+		return nil
+	}
+	var keys []string
+	if resource.Spec.V20250312 != nil && resource.Spec.V20250312.Entry != nil && resource.Spec.V20250312.Entry.PasswordSecretRef != nil && resource.Spec.V20250312.Entry.PasswordSecretRef.Name != "" {
+		keys = append(keys, types.NamespacedName{
+			Name:      resource.Spec.V20250312.Entry.PasswordSecretRef.Name,
+			Namespace: resource.Namespace,
+		}.String())
+	}
+	return keys
+}
+
+func NewDatabaseUserBySecretMapFunc(kubeClient client.Client) handler.MapFunc {
+	return func(ctx context.Context, obj client.Object) []reconcile.Request {
+		logger := log.FromContext(ctx)
+
+		listOpts := &client.ListOptions{FieldSelector: fields.OneTermEqualSelector(DatabaseUserBySecretIndex, types.NamespacedName{
+			Name:      obj.GetName(),
+			Namespace: obj.GetNamespace(),
+		}.String())}
+
+		list := &v1.DatabaseUserList{}
+		err := kubeClient.List(ctx, list, listOpts)
+		if err != nil {
+			logger.Error(err, "failed to list DatabaseUser objects")
+			return nil
+		}
+
+		requests := make([]reconcile.Request, 0, len(list.Items))
+		for _, item := range list.Items {
+			requests = append(requests, reconcile.Request{NamespacedName: types.NamespacedName{
+				Name:      item.Name,
+				Namespace: item.Namespace,
+			}})
+		}
+
+		return requests
+	}
+}

internal/generated/indexers/flexclusterbygroup.go

@@ -53,7 +53,7 @@ func (i *FlexClusterByGroupIndexer) Keys(object client.Object) []string {
 		return nil
 	}
 	var keys []string
-	if resource.Spec.V20250312.GroupRef != nil && resource.Spec.V20250312.GroupRef.Name != "" {
+	if resource.Spec.V20250312 != nil && resource.Spec.V20250312.GroupRef != nil && resource.Spec.V20250312.GroupRef.Name != "" {
 		keys = append(keys, types.NamespacedName{
 			Name:      resource.Spec.V20250312.GroupRef.Name,
 			Namespace: resource.Namespace,