feat: add feature flag for password update when user reconciles

Martinif · Martinif · commit 63ea089666d0 · 2024-10-23T15:37:34.000+02:00
diff --git a/api/v1beta1/user_types.go b/api/v1beta1/user_types.go
@@ -37,6 +37,10 @@ type UserSpec struct {
 	//
 	// Note that this import only occurs at creation time, and is ignored once a password has been set on a User.
 	ImportCredentialsSecret *corev1.LocalObjectReference `json:"importCredentialsSecret,omitempty"`
+	// Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+	// Defaults to false if omitted.
+	// +kubebuilder:validation:Optional
+	AutoUpdateCredentialsSecret bool `json:"autoUpdateCredentialsSecret,omitempty"`
 }
 
 // UserStatus defines the observed state of User.
diff --git a/config/crd/bases/rabbitmq.com_users.yaml b/config/crd/bases/rabbitmq.com_users.yaml
@@ -41,6 +41,11 @@ spec:
           spec:
             description: Spec configures the desired state of the User object.
             properties:
+              autoUpdateCredentialsSecret:
+                description: |-
+                  Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+                  Defaults to false if omitted.
+                type: boolean
               importCredentialsSecret:
                 description: |-
                   Defines a Secret containing the credentials for the User. If this field is omitted, random a username and
diff --git a/controllers/user_controller.go b/controllers/user_controller.go
@@ -98,6 +98,7 @@ func (r *UserReconciler) declareCredentials(ctx context.Context, user *topology.
 			for i := range credentialSecret.ObjectMeta.OwnerReferences {
 				credentialSecret.ObjectMeta.OwnerReferences[i].BlockOwnerDeletion = ptr.To(false)
 			}
+			credentialSecret.Data = credentialSecretData
 			return nil
 		})
 		return apiError
@@ -190,15 +191,15 @@ func (r *UserReconciler) DeclareFunc(ctx context.Context, client rabbitmqclient.
 	user := obj.(*topology.User)
 	if user.Status.Credentials == nil || user.Status.Username == "" {
 		var username string
-		if user.Status.Credentials != nil && user.Status.Username == "" {
+		if user.Status.Credentials != nil && user.Status.Username == "" || user.Spec.AutoUpdateCredentialsSecret {
 			// Only run once for migration to set user.Status.Username on existing resources
 			credentials, err := r.getUserCredentials(ctx, user)
 			if err != nil {
 				return err
 			}
 			username = string(credentials.Data["username"])
 		} else {
-			logger.Info("User does not yet have a Credentials Secret; generating", "user", user.Name)
+			logger.Info("User does not yet have a Credentials Secret or AutoUpdateCredentialsSecret is enabled; generating Credentials Secret", "user", user.Name)
 			var err error
 			if username, err = r.declareCredentials(ctx, user); err != nil {
 				return err
diff --git a/docs/api/rabbitmq.com.ref.asciidoc b/docs/api/rabbitmq.com.ref.asciidoc
@@ -1422,6 +1422,8 @@ password will be generated. The Secret must have the following keys in its Data
 
 
 Note that this import only occurs at creation time, and is ignored once a password has been set on a User.
+| *`autoUpdateCredentialsSecret`* __boolean__ | Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+Defaults to false if omitted.
 |===
 
 
