Get MYSQL_PWD using an on-demand cluster query

In order to facilitate an in-place change to the name of the
Secret that is referenced by a Galera instance for the
mysql root password, rework
the approach used by pods and shell scripts to no longer
require the root secret name and/or password be passed by
environment variable, instead using a pod-level cluster
query to retrieve the current root password.  The logic
to retrieve this password is encapsulated into a single
shell script that is present as a volume mount on running containers.

This allows Job objects to be created with hashes that
do not link to a specific Secret name, as well as to
create StatefulSet objects that don't refer to this name.
When the Secret name changes on a Galera instance for
an in-place root password change, the hashes / CRs for
these objects will remain unchanged.

A subsequent change to the mariadb operator will add the ability
to change the mysql root password of a Galera cluster using a
dual-reference architecture where
the "current" root secret will be part of <CR>/Status, while
the secret referenced in <CR>/Spec will be the "new" root
secret.  When these two names differ, that will indicate an
in-place password change should take place, as well
as allowing the pre-existing root password to be available
at the same time as the new one in order to do a root password
change.   The same
architecture will be applied to a new class of "system" MariaDBAccount
objects that are for use only by the Galera instance itself
and do not have a link to any MariaDBDatabase CR.  The
Galera CR itself will no longer use osp-secret
for the mysql root password nor will the secret be directly
referenced from the Galera CR, instead referenced by a
"system" MariaDBAccount CR which the Galera operator itself
will create.

🤖 Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: zzzeek

controllers/galera_controller.go

@@ -495,6 +495,16 @@ func (r *GaleraReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 			Resources: []string{"services"},
 			Verbs:     []string{"get", "list", "update", "patch"},
 		},
+		{
+			APIGroups: []string{"mariadb.openstack.org"},
+			Resources: []string{"galeras"},
+			Verbs:     []string{"get", "list"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"secrets"},
+			Verbs:     []string{"get"},
+		},
 	}
 	rbacResult, err := common_rbac.ReconcileRbac(ctx, helper, instance, rbacRules)
 	if err != nil {
@@ -948,19 +958,21 @@ func (r *GaleraReconciler) generateConfigMaps(
 ) error {
 	log := GetLog(ctx, "galera")
 	templateParameters := map[string]any{
-		"logToDisk": instance.Spec.LogToDisk,
+		"logToDisk":          instance.Spec.LogToDisk,
+		"galeraInstanceName": instance.Name,
 	}
 	customData := make(map[string]string)
 	customData[mariadbv1.CustomServiceConfigFile] = instance.Spec.CustomServiceConfig
 
 	cms := []util.Template{
 		// ScriptsConfigMap
 		{
-			Name:         configMapNameForScripts(instance),
-			Namespace:    instance.Namespace,
-			Type:         util.TemplateTypeScripts,
-			InstanceType: instance.Kind,
-			Labels:       map[string]string{},
+			Name:          configMapNameForScripts(instance),
+			Namespace:     instance.Namespace,
+			Type:          util.TemplateTypeScripts,
+			InstanceType:  instance.Kind,
+			Labels:        map[string]string{},
+			ConfigOptions: templateParameters,
 		},
 		// ConfigMap
 		{

controllers/mariadbaccount_controller.go

@@ -243,14 +243,13 @@ func (r *MariaDBAccountReconciler) reconcileCreate(
 		return ctrl.Result{}, err
 	}
 
-	var dbAdminSecret, dbContainerImage, serviceAccountName string
+	var dbContainerImage, serviceAccountName string
 
 	if !dbGalera.Status.Bootstrapped {
 		log.Info("DB bootstrap not complete. Requeue...")
 		return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil
 	}
 
-	dbAdminSecret = dbGalera.Spec.Secret
 	dbContainerImage = dbGalera.Spec.ContainerImage
 	serviceAccountName = dbGalera.RbacResourceName()
 
@@ -289,7 +288,7 @@ func (r *MariaDBAccountReconciler) reconcileCreate(
 
 	log.Info(fmt.Sprintf("Running account create '%s' MariaDBDatabase '%s'", instance.Name, mariadbDatabaseName))
 
-	jobDef, err := mariadb.CreateDbAccountJob(instance, mariadbDatabase.Spec.Name, dbHostname, dbAdminSecret, dbContainerImage, serviceAccountName, dbGalera.Spec.NodeSelector)
+	jobDef, err := mariadb.CreateDbAccountJob(dbGalera, instance, mariadbDatabase.Spec.Name, dbHostname, dbContainerImage, serviceAccountName, dbGalera.Spec.NodeSelector)
 	if err != nil {
 		return ctrl.Result{}, err
 	}
@@ -480,7 +479,7 @@ func (r *MariaDBAccountReconciler) reconcileDelete(
 		}
 	}
 
-	var dbAdminSecret, dbContainerImage, serviceAccountName string
+	var dbContainerImage, serviceAccountName string
 
 	if !dbGalera.Status.Bootstrapped {
 		log.Info("DB bootstrap not complete. Requeue...")
@@ -495,7 +494,6 @@ func (r *MariaDBAccountReconciler) reconcileDelete(
 		return ctrl.Result{RequeueAfter: time.Second * 10}, nil
 	}
 
-	dbAdminSecret = dbGalera.Spec.Secret
 	dbContainerImage = dbGalera.Spec.ContainerImage
 	serviceAccountName = dbGalera.RbacResourceName()
 
@@ -514,7 +512,7 @@ func (r *MariaDBAccountReconciler) reconcileDelete(
 
 	log.Info(fmt.Sprintf("Running account delete '%s' MariaDBDatabase '%s'", instance.Name, mariadbDatabaseName))
 
-	jobDef, err := mariadb.DeleteDbAccountJob(instance, mariadbDatabase.Spec.Name, dbHostname, dbAdminSecret, dbContainerImage, serviceAccountName, dbGalera.Spec.NodeSelector)
+	jobDef, err := mariadb.DeleteDbAccountJob(dbGalera, instance, mariadbDatabase.Spec.Name, dbHostname, dbContainerImage, serviceAccountName, dbGalera.Spec.NodeSelector)
 	if err != nil {
 		return ctrl.Result{}, err
 	}

controllers/mariadbdatabase_controller.go

@@ -165,7 +165,7 @@ func (r *MariaDBDatabaseReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	//
 	// Non-deletion (normal) flow follows
 	//
-	var dbSecret, dbContainerImage, serviceAccount string
+	var dbContainerImage, serviceAccount string
 	// NOTE(dciabrin) When configured to only allow TLS connections, all clients
 	// accessing this DB must support client connection via TLS.
 	useTLS := dbGalera.Spec.TLS.Enabled() && dbGalera.Spec.DisableNonTLSListeners
@@ -183,7 +183,6 @@ func (r *MariaDBDatabaseReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{RequeueAfter: time.Second * 10}, nil
 	}
 
-	dbSecret = dbGalera.Spec.Secret
 	dbContainerImage = dbGalera.Spec.ContainerImage
 	serviceAccount = dbGalera.RbacResourceName()
 
@@ -199,7 +198,7 @@ func (r *MariaDBDatabaseReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 	)
 
 	// Define a new Job object (hostname, password, containerImage)
-	jobDef, err := mariadb.DbDatabaseJob(instance, dbHostname, dbSecret, dbContainerImage, serviceAccount, useTLS, dbGalera.Spec.NodeSelector)
+	jobDef, err := mariadb.DbDatabaseJob(dbGalera, instance, dbHostname, dbContainerImage, serviceAccount, useTLS, dbGalera.Spec.NodeSelector)
 	if err != nil {
 		return ctrl.Result{}, err
 	}

pkg/mariadb/account.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 
 	util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
-	databasev1beta1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
+	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,7 +20,7 @@ type accountCreateOrDeleteOptions struct {
 }
 
 // CreateDbAccountJob creates a Kubernetes job for creating a MariaDB database account
-func CreateDbAccountJob(account *databasev1beta1.MariaDBAccount, databaseName string, databaseHostName string, databaseSecret string, containerImage string, serviceAccountName string, nodeSelector *map[string]string) (*batchv1.Job, error) {
+func CreateDbAccountJob(galera *mariadbv1.Galera, account *mariadbv1.MariaDBAccount, databaseName string, databaseHostName string, containerImage string, serviceAccountName string, nodeSelector *map[string]string) (*batchv1.Job, error) {
 	var tlsStatement string
 	if account.Spec.RequireTLS {
 		tlsStatement = " REQUIRE SSL"
@@ -62,31 +62,22 @@ func CreateDbAccountJob(account *databasev1beta1.MariaDBAccount, databaseName st
 							Image:   containerImage,
 							Command: []string{"/bin/sh", "-c", dbCmd},
 							Env: []corev1.EnvVar{
-								{
-									Name: "MYSQL_PWD",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{
-												Name: databaseSecret,
-											},
-											Key: databasev1beta1.DbRootPasswordSelector,
-										},
-									},
-								},
 								{
 									Name: "DatabasePassword",
 									ValueFrom: &corev1.EnvVarSource{
 										SecretKeyRef: &corev1.SecretKeySelector{
 											LocalObjectReference: corev1.LocalObjectReference{
 												Name: account.Spec.Secret,
 											},
-											Key: databasev1beta1.DatabasePasswordSelector,
+											Key: mariadbv1.DatabasePasswordSelector,
 										},
 									},
 								},
 							},
+							VolumeMounts: getGaleraRootOnlyVolumeMounts(),
 						},
 					},
+					Volumes: getGaleraRootOnlyVolumes(galera),
 				},
 			},
 		},
@@ -100,7 +91,7 @@ func CreateDbAccountJob(account *databasev1beta1.MariaDBAccount, databaseName st
 }
 
 // DeleteDbAccountJob creates a Kubernetes job for deleting a MariaDB database account
-func DeleteDbAccountJob(account *databasev1beta1.MariaDBAccount, databaseName string, databaseHostName string, databaseSecret string, containerImage string, serviceAccountName string, nodeSelector *map[string]string) (*batchv1.Job, error) {
+func DeleteDbAccountJob(galera *mariadbv1.Galera, account *mariadbv1.MariaDBAccount, databaseName string, databaseHostName string, containerImage string, serviceAccountName string, nodeSelector *map[string]string) (*batchv1.Job, error) {
 
 	opts := accountCreateOrDeleteOptions{account.Spec.UserName, databaseName, databaseHostName, "root", ""}
 
@@ -124,24 +115,13 @@ func DeleteDbAccountJob(account *databasev1beta1.MariaDBAccount, databaseName st
 					ServiceAccountName: serviceAccountName,
 					Containers: []corev1.Container{
 						{
-							Name:    "mariadb-account-delete",
-							Image:   containerImage,
-							Command: []string{"/bin/sh", "-c", delCmd},
-							Env: []corev1.EnvVar{
-								{
-									Name: "MYSQL_PWD",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{
-												Name: databaseSecret,
-											},
-											Key: databasev1beta1.DbRootPasswordSelector,
-										},
-									},
-								},
-							},
+							Name:         "mariadb-account-delete",
+							Image:        containerImage,
+							Command:      []string{"/bin/sh", "-c", delCmd},
+							VolumeMounts: getGaleraRootOnlyVolumeMounts(),
 						},
 					},
+					Volumes: getGaleraRootOnlyVolumes(galera),
 				},
 			},
 		},

pkg/mariadb/database.go

@@ -4,7 +4,7 @@ import (
 	"strings"
 
 	util "github.com/openstack-k8s-operators/lib-common/modules/common/util"
-	databasev1beta1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
+	mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,7 +20,7 @@ type dbCreateOptions struct {
 }
 
 // DbDatabaseJob -
-func DbDatabaseJob(database *databasev1beta1.MariaDBDatabase, databaseHostName string, databaseSecret string, containerImage string, serviceAccountName string, useTLS bool, nodeSelector *map[string]string) (*batchv1.Job, error) {
+func DbDatabaseJob(galera *mariadbv1.Galera, database *mariadbv1.MariaDBDatabase, databaseHostName string, containerImage string, serviceAccountName string, useTLS bool, nodeSelector *map[string]string) (*batchv1.Job, error) {
 	var tlsStatement string
 	if useTLS {
 		tlsStatement = " REQUIRE SSL"
@@ -48,17 +48,6 @@ func DbDatabaseJob(database *databasev1beta1.MariaDBDatabase, databaseHostName s
 
 	if database.Spec.Secret != nil {
 		scriptEnv = []corev1.EnvVar{
-			{
-				Name: "MYSQL_PWD",
-				ValueFrom: &corev1.EnvVarSource{
-					SecretKeyRef: &corev1.SecretKeySelector{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: databaseSecret,
-						},
-						Key: "DbRootPassword",
-					},
-				},
-			},
 			// send deprecated Secret field but only if non-nil
 			{
 				Name: "DatabasePassword",
@@ -73,19 +62,7 @@ func DbDatabaseJob(database *databasev1beta1.MariaDBDatabase, databaseHostName s
 			},
 		}
 	} else {
-		scriptEnv = []corev1.EnvVar{
-			{
-				Name: "MYSQL_PWD",
-				ValueFrom: &corev1.EnvVarSource{
-					SecretKeyRef: &corev1.SecretKeySelector{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: databaseSecret,
-						},
-						Key: "DbRootPassword",
-					},
-				},
-			},
-		}
+		scriptEnv = []corev1.EnvVar{}
 	}
 
 	job := &batchv1.Job{
@@ -104,12 +81,14 @@ func DbDatabaseJob(database *databasev1beta1.MariaDBDatabase, databaseHostName s
 					ServiceAccountName: serviceAccountName,
 					Containers: []corev1.Container{
 						{
-							Name:    "mariadb-database-create",
-							Image:   containerImage,
-							Command: []string{"/bin/sh", "-c", dbCmd},
-							Env:     scriptEnv,
+							Name:         "mariadb-database-create",
+							Image:        containerImage,
+							Command:      []string{"/bin/sh", "-c", dbCmd},
+							Env:          scriptEnv,
+							VolumeMounts: getGaleraRootOnlyVolumeMounts(),
 						},
 					},
+					Volumes: getGaleraRootOnlyVolumes(galera),
 				},
 			},
 		},
@@ -123,7 +102,7 @@ func DbDatabaseJob(database *databasev1beta1.MariaDBDatabase, databaseHostName s
 }
 
 // DeleteDbDatabaseJob -
-func DeleteDbDatabaseJob(database *databasev1beta1.MariaDBDatabase, databaseHostName string, databaseSecret string, containerImage string, serviceAccountName string, nodeSelector *map[string]string) (*batchv1.Job, error) {
+func DeleteDbDatabaseJob(galera *mariadbv1.Galera, database *mariadbv1.MariaDBDatabase, databaseHostName string, containerImage string, serviceAccountName string, nodeSelector *map[string]string) (*batchv1.Job, error) {
 
 	opts := dbCreateOptions{
 		database.Spec.Name,
@@ -145,17 +124,6 @@ func DeleteDbDatabaseJob(database *databasev1beta1.MariaDBDatabase, databaseHost
 
 	if database.Spec.Secret != nil {
 		scriptEnv = []corev1.EnvVar{
-			{
-				Name: "MYSQL_PWD",
-				ValueFrom: &corev1.EnvVarSource{
-					SecretKeyRef: &corev1.SecretKeySelector{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: databaseSecret,
-						},
-						Key: databasev1beta1.DbRootPasswordSelector,
-					},
-				},
-			},
 			// send deprecated Secret field but only if non-nil.  otherwise
 			// the script should not try to drop usernames from mysql.user
 			{
@@ -165,25 +133,13 @@ func DeleteDbDatabaseJob(database *databasev1beta1.MariaDBDatabase, databaseHost
 						LocalObjectReference: corev1.LocalObjectReference{
 							Name: *database.Spec.Secret,
 						},
-						Key: databasev1beta1.DatabasePasswordSelector,
+						Key: mariadbv1.DatabasePasswordSelector,
 					},
 				},
 			},
 		}
 	} else {
-		scriptEnv = []corev1.EnvVar{
-			{
-				Name: "MYSQL_PWD",
-				ValueFrom: &corev1.EnvVarSource{
-					SecretKeyRef: &corev1.SecretKeySelector{
-						LocalObjectReference: corev1.LocalObjectReference{
-							Name: databaseSecret,
-						},
-						Key: databasev1beta1.DbRootPasswordSelector,
-					},
-				},
-			},
-		}
+		scriptEnv = []corev1.EnvVar{}
 	}
 
 	job := &batchv1.Job{
@@ -199,12 +155,14 @@ func DeleteDbDatabaseJob(database *databasev1beta1.MariaDBDatabase, databaseHost
 					ServiceAccountName: serviceAccountName,
 					Containers: []corev1.Container{
 						{
-							Name:    "mariadb-database-create",
-							Image:   containerImage,
-							Command: []string{"/bin/sh", "-c", delCmd},
-							Env:     scriptEnv,
+							Name:         "mariadb-database-create",
+							Image:        containerImage,
+							Command:      []string{"/bin/sh", "-c", delCmd},
+							Env:          scriptEnv,
+							VolumeMounts: getGaleraRootOnlyVolumeMounts(),
 						},
 					},
+					Volumes: getGaleraRootOnlyVolumes(galera),
 				},
 			},
 		},

pkg/mariadb/statefulset.go

@@ -104,16 +104,6 @@ func getGaleraInitContainers(g *mariadbv1.Galera) []corev1.Container {
 		}, {
 			Name:  "KOLLA_CONFIG_STRATEGY",
 			Value: "COPY_ALWAYS",
-		}, {
-			Name: "DB_ROOT_PASSWORD",
-			ValueFrom: &corev1.EnvVarSource{
-				SecretKeyRef: &corev1.SecretKeySelector{
-					LocalObjectReference: corev1.LocalObjectReference{
-						Name: g.Spec.Secret,
-					},
-					Key: "DbRootPassword",
-				},
-			},
 		}},
 		Resources:    g.Spec.Resources,
 		VolumeMounts: getGaleraInitVolumeMounts(g),
@@ -132,16 +122,6 @@ func getGaleraContainers(g *mariadbv1.Galera, configHash string) []corev1.Contai
 		}, {
 			Name:  "KOLLA_CONFIG_STRATEGY",
 			Value: "COPY_ALWAYS",
-		}, {
-			Name: "DB_ROOT_PASSWORD",
-			ValueFrom: &corev1.EnvVarSource{
-				SecretKeyRef: &corev1.SecretKeySelector{
-					LocalObjectReference: corev1.LocalObjectReference{
-						Name: g.Spec.Secret,
-					},
-					Key: "DbRootPassword",
-				},
-			},
 		}},
 		Ports: []corev1.ContainerPort{{
 			ContainerPort: 3306,