K8SPS-265: Fix escaping passwords

egegunes · egegunes · commit b7ffb32a3ba2 · 2025-08-14T09:03:48.000+03:00
diff --git a/build/ps-pre-stop.sh b/build/ps-pre-stop.sh
@@ -8,9 +8,13 @@ fi
 
 LOG_FILE=/var/lib/mysql/pre-stop.log
 NAMESPACE=$(</var/run/secrets/kubernetes.io/serviceaccount/namespace)
-OPERATOR_PASSWORD=$(</etc/mysql/mysql-users-secret/operator)
+OPERATOR_PASSWORD=$(jq -rn --arg x "$(</etc/mysql/mysql-users-secret/operator)" '$x|@uri')
 FQDN="${HOSTNAME}.${SERVICE_NAME}.${NAMESPACE}"
 POD_IP=$(hostname -I | awk '{print $1}')
 
 echo "$(date +%Y-%m-%dT%H:%M:%S%Z): Removing ${FQDN} from cluster" >>${LOG_FILE}
-mysqlsh --js -i -h "${POD_IP}" -P 33062 -u operator -p"${OPERATOR_PASSWORD}" -e "dba.getCluster().removeInstance('${FQDN}:3306')" >>${LOG_FILE} 2>&1
+
+mysqlsh --js -i \
+  -h "${POD_IP}" -P 33062 \
+  -u operator -p"${OPERATOR_PASSWORD}" \
+  -e "dba.getCluster().removeInstance('${FQDN}:3306')" >>${LOG_FILE} 2>&1
diff --git a/cmd/bootstrap/group_replication.go b/cmd/bootstrap/group_replication.go
@@ -55,9 +55,8 @@ func (m *mysqlsh) getURI() string {
 	if err != nil {
 		return ""
 	}
-	escapedPass := url.QueryEscape(operatorPass)
 
-	return fmt.Sprintf("%s:%s@%s", apiv1alpha1.UserOperator, escapedPass, m.host)
+	return fmt.Sprintf("%s:%s@%s", apiv1alpha1.UserOperator, url.QueryEscape(operatorPass), m.host)
 }
 
 func (m *mysqlsh) run(ctx context.Context, cmd string) (bytes.Buffer, bytes.Buffer, error) {
diff --git a/pkg/controller/ps/controller.go b/pkg/controller/ps/controller.go
@@ -21,7 +21,6 @@ import (
 	"crypto/md5"
 	"encoding/json"
 	"fmt"
-	"net/url"
 	"reflect"
 	"slices"
 	"strconv"
@@ -221,7 +220,7 @@ func (r *PerconaServerMySQLReconciler) deleteMySQLPods(ctx context.Context, cr *
 			return errors.Wrap(err, "get operator password")
 		}
 
-		firstPodUri := fmt.Sprintf("%s:%s@%s", apiv1alpha1.UserOperator, url.QueryEscape(operatorPass), mysql.PodFQDN(cr, &firstPod))
+		firstPodUri := getMySQLURI(apiv1alpha1.UserOperator, operatorPass, mysql.PodFQDN(cr, &firstPod))
 
 		um := database.NewReplicationManager(&firstPod, r.ClientCmd, apiv1alpha1.UserOperator, operatorPass, mysql.PodFQDN(cr, &firstPod))
 
@@ -268,7 +267,7 @@ func (r *PerconaServerMySQLReconciler) deleteMySQLPods(ctx context.Context, cr *
 				continue
 			}
 
-			podUri := fmt.Sprintf("%s:%s@%s", apiv1alpha1.UserOperator, operatorPass, podFQDN)
+			podUri := getMySQLURI(apiv1alpha1.UserOperator, operatorPass, podFQDN)
 
 			log.Info("Removing member from GR", "member", pod.Name, "memberState", state)
 			err = mysh.RemoveInstanceWithExec(ctx, cr.InnoDBClusterName(), podUri)
@@ -579,7 +578,6 @@ func (r *PerconaServerMySQLReconciler) reconcileDatabase(ctx context.Context, cr
 	}
 
 	if cr.Spec.UpdateStrategy == apiv1alpha1.SmartUpdateStatefulSetStrategyType {
-		log.Info("Performing smart update for StatefulSet")
 		return r.smartUpdate(ctx, sts, cr)
 	}
 
@@ -1102,7 +1100,7 @@ func (r *PerconaServerMySQLReconciler) rescanClusterIfNeeded(ctx context.Context
 		return errors.Wrap(err, "get operator password")
 	}
 
-	uri := fmt.Sprintf("%s:%s@%s", apiv1alpha1.UserOperator, operatorPass, mysql.PodFQDN(cr, pod))
+	uri := getMySQLURI(apiv1alpha1.UserOperator, operatorPass, mysql.PodFQDN(cr, pod))
 
 	msh, err := mysqlsh.NewWithExec(r.ClientCmd, pod, uri)
 	if err != nil {
diff --git a/pkg/controller/ps/crash_recovery.go b/pkg/controller/ps/crash_recovery.go
@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"net/url"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -74,8 +73,8 @@ func (r *PerconaServerMySQLReconciler) reconcileFullClusterCrash(ctx context.Con
 			return errors.Wrap(err, "get operator password")
 		}
 
-		podFQDN := fmt.Sprintf("%s.%s.%s", pod.Name, mysql.ServiceName(cr), cr.Namespace)
-		podUri := fmt.Sprintf("%s:%s@%s", apiv1alpha1.UserOperator, url.QueryEscape(operatorPass), podFQDN)
+		podFQDN := mysql.PodFQDN(cr, &pod)
+		podUri := getMySQLURI(apiv1alpha1.UserOperator, operatorPass, podFQDN)
 
 		mysh, err := mysqlsh.NewWithExec(r.ClientCmd, &pod, podUri)
 		if err != nil {
diff --git a/pkg/controller/ps/status.go b/pkg/controller/ps/status.go
@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"net/url"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -252,7 +251,7 @@ func (r *PerconaServerMySQLReconciler) isGRReady(ctx context.Context, cr *apiv1a
 		return false, nil
 	}
 
-	uri := fmt.Sprintf("%s:%s@%s", apiv1alpha1.UserOperator, url.QueryEscape(operatorPass), mysql.PodFQDN(cr, pod))
+	uri := getMySQLURI(apiv1alpha1.UserOperator, operatorPass, mysql.PodFQDN(cr, pod))
 
 	msh, err := mysqlsh.NewWithExec(r.ClientCmd, pod, uri)
 	if err != nil {
diff --git a/pkg/controller/ps/user.go b/pkg/controller/ps/user.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"net/url"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -448,3 +449,7 @@ func (r *PerconaServerMySQLReconciler) passwordsPropagated(ctx context.Context,
 	log.Info("Updated password propagated")
 	return nil
 }
+
+func getMySQLURI(user apiv1alpha1.SystemUser, password, host string) string {
+	return fmt.Sprintf("%s:%s@%s", user, url.QueryEscape(password), host)
+}

Original file line number	Diff line number	Diff line change
`@@ -55,9 +55,8 @@ func (m *mysqlsh) getURI() string {`
`55`	`55`	`if err != nil {`
`56`	`56`	`return ""`
`57`	`57`	`}`
`58`		`- escapedPass := url.QueryEscape(operatorPass)`
`59`	`58`
`60`		`- return fmt.Sprintf("%s:%s@%s", apiv1alpha1.UserOperator, escapedPass, m.host)`
	`59`	`+ return fmt.Sprintf("%s:%s@%s", apiv1alpha1.UserOperator, url.QueryEscape(operatorPass), m.host)`
`61`	`60`	`}`
`62`	`61`
`63`	`62`	`func (m *mysqlsh) run(ctx context.Context, cmd string) (bytes.Buffer, bytes.Buffer, error) {`