use system MariaDBAccount for the galera server's root pw

This commit ties together the previous ones to create a new
MariaDBAccount when a Galera instance is created, and then to
use the password from that account/secret in the mariadb
bootstrap/maintenance scripts.

Galera gets bootstrapped with this secret, then the mariadbaccount
controller, who is waiting for galera to be available to set up this
new "root" account, wakes up when galera is running, and changes
the root password to itself, establishing the initial job hash
for the mariadbaccount.

As we now have a mariadbaccount linked to the outermost lifecycle
of a galera instance, some hardening of the deletion process has been
added to clarify that mariadbaccount will run deletion jobs only if
Galera is not marked for deletion.  If galera is marked for deletion,
then we have to assume the service/pods are gone and no more drops can
take place, even if the Galera CR is still present (chainsaw
conveniently adds its own finalizer to Galera when running, preventing
it from being fully deleted, which exposed this issue).

Additional changes to the mysql_root_auth.sh and account.sh scripts
allow for in-place changes of root password.

🤖 Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: zzzeek

api/bases/mariadb.openstack.org_galeras.yaml

@@ -137,8 +137,18 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                     type: object
                 type: object
+              rootDatabaseAccount:
+                description: |-
+                  RootDatabaseAccount - name of MariaDBAccount which will be used to
+                  generate root account / password.
+                  this account is generated if not exists, and a name is chosen based
+                  on a naming convention if not present
+                type: string
               secret:
-                description: Name of the secret to look for password keys
+                description: |-
+                  Name of the legacy secret to locate the initial galera root
+                  password
+                  this field will be removed once scripts can adjust to using root_auth.sh
                 type: string
               storageClass:
                 description: Storage class to host the mariadb databases
@@ -177,7 +187,6 @@ spec:
             required:
             - containerImage
             - replicas
-            - secret
             - storageClass
             - storageRequest
             type: object
@@ -296,6 +305,9 @@ spec:
                   the opentack-operator in the top-level CR (e.g. the ContainerImage)
                 format: int64
                 type: integer
+              rootDatabaseSecret:
+                description: name of the Secret that is being used for the root password
+                type: string
               safeToBootstrap:
                 description: Name of the node that can safely bootstrap a cluster
                 type: string

api/v1beta1/conditions.go

@@ -54,6 +54,9 @@ const (
 	// ReasonDBServiceNameError - error getting the DB service hostname
 	ReasonDBServiceNameError condition.Reason = "DatabaseServiceNameError"
 
+	// ReasonDBResourceDeleted - the galera resource has been marked for deletion
+	ReasonDBResourceDeleted condition.Reason = "DatabaseResourceDeleted"
+
 	// ReasonDBSync - Database sync in progress
 	ReasonDBSync condition.Reason = "DBSync"
 )
@@ -92,8 +95,12 @@ const (
 
 	MariaDBServerNotBootstrappedMessage = "MariaDB / Galera server not bootstrapped"
 
+	MariaDBServerDeletedMessage = "MariaDB / Galera server has been marked for deletion"
+
 	MariaDBAccountReadyInitMessage = "MariaDBAccount create / drop not started"
 
+	MariaDBSystemAccountReadyMessage = "MariaDBAccount System account '%s' creation complete"
+
 	MariaDBAccountReadyMessage = "MariaDBAccount creation complete"
 
 	MariaDBAccountNotReadyMessage = "MariaDBAccount is not present: %s"

api/v1beta1/galera_types.go

@@ -51,9 +51,19 @@ type GaleraSpec struct {
 
 // GaleraSpec defines the desired state of Galera
 type GaleraSpecCore struct {
-	// Name of the secret to look for password keys
-	// +kubebuilder:validation:Required
+	// Name of the legacy secret to locate the initial galera root
+	// password
+	// this field will be removed once scripts can adjust to using root_auth.sh
+	// +kubebuilder:validation:Optional
 	Secret string `json:"secret"`
+
+	// RootDatabaseAccount - name of MariaDBAccount which will be used to
+	// generate root account / password.
+	// this account is generated if not exists, and a name is chosen based
+	// on a naming convention if not present
+	// +kubebuilder:validation:Optional
+	RootDatabaseAccount string `json:"rootDatabaseAccount"`
+
 	// Storage class to host the mariadb databases
 	// +kubebuilder:validation:Required
 	StorageClass string `json:"storageClass"`
@@ -113,6 +123,9 @@ type GaleraAttributes struct {
 type GaleraStatus struct {
 	// A map of database node attributes for each pod
 	Attributes map[string]GaleraAttributes `json:"attributes,omitempty"`
+	// name of the Secret that is being used for the root password
+	// +kubebuilder:validation:Optional
+	RootDatabaseSecret string `json:"rootDatabaseSecret"`
 	// Name of the node that can safely bootstrap a cluster
 	SafeToBootstrap string `json:"safeToBootstrap,omitempty"`
 	// Is the galera cluster currently running

api/v1beta1/mariadbaccount_types.go

@@ -28,9 +28,6 @@ const (
 	// AccountDeleteHash hash
 	AccountDeleteHash = "accountdelete"
 
-	// DbRootPassword selector for galera root account
-	DbRootPasswordSelector = "DbRootPassword"
-
 	// DatabasePassword selector for MariaDBAccount->Secret
 	DatabasePasswordSelector = "DatabasePassword"
 )

api/v1beta1/mariadbdatabase_funcs.go

@@ -541,6 +541,50 @@ func DeleteDatabaseAndAccountFinalizers(
 	namespace string,
 ) error {
 
+	err := DeleteAccountFinalizers(
+		ctx,
+		h,
+		accountName,
+		namespace,
+	)
+	if err != nil {
+		return err
+	}
+
+	// also do a delete for "unused" MariaDBAccounts, associated with
+	// this MariaDBDatabase.
+	err = DeleteUnusedMariaDBAccountFinalizers(
+		ctx, h, name, accountName, namespace,
+	)
+	if err != nil && !k8s_errors.IsNotFound(err) {
+		return err
+	}
+
+	mariaDBDatabase, err := GetDatabase(ctx, h, name, namespace)
+	if err != nil && !k8s_errors.IsNotFound(err) {
+		return err
+	} else if err == nil && controllerutil.RemoveFinalizer(mariaDBDatabase, h.GetFinalizer()) {
+		err := h.GetClient().Update(ctx, mariaDBDatabase)
+		if err != nil && !k8s_errors.IsNotFound(err) {
+			return err
+		}
+		util.LogForObject(h, fmt.Sprintf("Removed finalizer %s from MariaDBDatabase %s", h.GetFinalizer(), mariaDBDatabase.Spec.Name), mariaDBDatabase)
+	}
+
+	return nil
+}
+
+// DeleteAccountFinalizers performs just the primary account + secret finalizer
+// removal part of DeleteDatabaseAndAccountFinalizers
+func DeleteAccountFinalizers(
+	ctx context.Context,
+	h *helper.Helper,
+	accountName string,
+	namespace string,
+) error {
+	if accountName == "" {
+		return fmt.Errorf("Account name is blank")
+	}
 	databaseAccount, err := GetAccount(ctx, h, accountName, namespace)
 	if err != nil && !k8s_errors.IsNotFound(err) {
 		return err
@@ -572,26 +616,6 @@ func DeleteDatabaseAndAccountFinalizers(
 		}
 	}
 
-	// also do a delete for "unused" MariaDBAccounts, associated with
-	// this MariaDBDatabase.
-	err = DeleteUnusedMariaDBAccountFinalizers(
-		ctx, h, name, accountName, namespace,
-	)
-	if err != nil && !k8s_errors.IsNotFound(err) {
-		return err
-	}
-
-	mariaDBDatabase, err := GetDatabase(ctx, h, name, namespace)
-	if err != nil && !k8s_errors.IsNotFound(err) {
-		return err
-	} else if err == nil && controllerutil.RemoveFinalizer(mariaDBDatabase, h.GetFinalizer()) {
-		err := h.GetClient().Update(ctx, mariaDBDatabase)
-		if err != nil && !k8s_errors.IsNotFound(err) {
-			return err
-		}
-		util.LogForObject(h, fmt.Sprintf("Removed finalizer %s from MariaDBDatabase %s", h.GetFinalizer(), mariaDBDatabase.Spec.Name), mariaDBDatabase)
-	}
-
 	return nil
 }
 
@@ -806,6 +830,32 @@ func EnsureMariaDBAccount(ctx context.Context,
 	userNamePrefix string,
 ) (*MariaDBAccount, *corev1.Secret, error) {
 
+	return ensureMariaDBAccount(
+		ctx, helper, accountName, namespace, requireTLS,
+		userNamePrefix, "", "", map[string]string{})
+
+}
+
+// EnsureMariaDBSystemAccount ensures a MariaDBAccount has been created for a given
+// operator calling the function, and returns the MariaDBAccount and its
+// Secret for use in consumption into a configuration.
+// Unlike EnsureMariaDBAccount, the function accepts an exact username that
+// expected to remain constant, supporting in-place password changes for the
+// account.
+func EnsureMariaDBSystemAccount(ctx context.Context,
+	helper *helper.Helper,
+	accountName string, galeraInstanceName string, namespace string, requireTLS bool,
+	exactUserName string, exactPassword string) (*MariaDBAccount, *corev1.Secret, error) {
+	return ensureMariaDBAccount(
+		ctx, helper, accountName, namespace, requireTLS,
+		"", exactUserName, exactPassword, map[string]string{"dbName": galeraInstanceName})
+}
+
+func ensureMariaDBAccount(ctx context.Context,
+	helper *helper.Helper,
+	accountName string, namespace string, requireTLS bool,
+	userNamePrefix string, exactUserName string, exactPassword string, labels map[string]string,
+) (*MariaDBAccount, *corev1.Secret, error) {
 	if accountName == "" {
 		return nil, nil, fmt.Errorf("accountName is empty")
 	}
@@ -817,9 +867,20 @@ func EnsureMariaDBAccount(ctx context.Context,
 			return nil, nil, err
 		}
 
-		username, err := generateUniqueUsername(userNamePrefix)
-		if err != nil {
-			return nil, nil, err
+		var username string
+		var accountType AccountType
+
+		if exactUserName == "" {
+			accountType = "User"
+			username, err = generateUniqueUsername(userNamePrefix)
+			if err != nil {
+				return nil, nil, err
+			}
+		} else if userNamePrefix != "" {
+			return nil, nil, fmt.Errorf("userNamePrefix and exactUserName are mutually exclusive")
+		} else {
+			accountType = "System"
+			username = exactUserName
 		}
 
 		account = &MariaDBAccount{
@@ -832,9 +893,10 @@ func EnsureMariaDBAccount(ctx context.Context,
 				// MariaDBAccount once this is filled in
 			},
 			Spec: MariaDBAccountSpec{
-				UserName:   username,
-				Secret:     fmt.Sprintf("%s-db-secret", accountName),
-				RequireTLS: requireTLS,
+				UserName:    username,
+				Secret:      fmt.Sprintf("%s-db-secret", accountName),
+				RequireTLS:  requireTLS,
+				AccountType: accountType,
 			},
 		}
 
@@ -844,6 +906,7 @@ func EnsureMariaDBAccount(ctx context.Context,
 		if account.Spec.Secret == "" {
 			account.Spec.Secret = fmt.Sprintf("%s-db-secret", accountName)
 		}
+
 	}
 
 	dbSecret, _, err := secret.GetSecret(ctx, helper, account.Spec.Secret, namespace)
@@ -853,9 +916,14 @@ func EnsureMariaDBAccount(ctx context.Context,
 			return nil, nil, err
 		}
 
-		dbPassword, err := generateDBPassword()
-		if err != nil {
-			return nil, nil, err
+		var dbPassword string
+		if exactPassword == "" {
+			dbPassword, err = generateDBPassword()
+			if err != nil {
+				return nil, nil, err
+			}
+		} else {
+			dbPassword = exactPassword
 		}
 
 		dbSecret = &corev1.Secret{
@@ -869,7 +937,7 @@ func EnsureMariaDBAccount(ctx context.Context,
 		}
 	}
 
-	_, err = createOrPatchAccountAndSecret(ctx, helper, account, dbSecret, map[string]string{})
+	_, err = createOrPatchAccountAndSecret(ctx, helper, account, dbSecret, labels)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -885,6 +953,7 @@ func EnsureMariaDBAccount(ctx context.Context,
 	)
 
 	return account, dbSecret, nil
+
 }
 
 // generateUniqueUsername creates a MySQL-compliant database username based on

config/crd/bases/mariadb.openstack.org_galeras.yaml

@@ -137,8 +137,18 @@ spec:
                       More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                     type: object
                 type: object
+              rootDatabaseAccount:
+                description: |-
+                  RootDatabaseAccount - name of MariaDBAccount which will be used to
+                  generate root account / password.
+                  this account is generated if not exists, and a name is chosen based
+                  on a naming convention if not present
+                type: string
               secret:
-                description: Name of the secret to look for password keys
+                description: |-
+                  Name of the legacy secret to locate the initial galera root
+                  password
+                  this field will be removed once scripts can adjust to using root_auth.sh
                 type: string
               storageClass:
                 description: Storage class to host the mariadb databases
@@ -177,7 +187,6 @@ spec:
             required:
             - containerImage
             - replicas
-            - secret
             - storageClass
             - storageRequest
             type: object
@@ -296,6 +305,9 @@ spec:
                   the opentack-operator in the top-level CR (e.g. the ContainerImage)
                 format: int64
                 type: integer
+              rootDatabaseSecret:
+                description: name of the Secret that is being used for the root password
+                type: string
               safeToBootstrap:
                 description: Name of the node that can safely bootstrap a cluster
                 type: string