diff --git a/api/v1beta1/user_types.go b/api/v1beta1/user_types.go
index 0a1cf3d1..185ea439 100644
--- a/api/v1beta1/user_types.go
+++ b/api/v1beta1/user_types.go
@@ -37,6 +37,10 @@ type UserSpec struct {
 //
 // Note that this import only occurs at creation time, and is ignored once a password has been set on a User.
 ImportCredentialsSecret *corev1.LocalObjectReference `json:"importCredentialsSecret,omitempty"`
+ // Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+ // Defaults to false if omitted.
+ // +kubebuilder:validation:Optional
+ AutoUpdateCredentialsSecret bool `json:"autoUpdateCredentialsSecret,omitempty"`
 }
 // UserStatus defines the observed state of User.
diff --git a/config/crd/bases/rabbitmq.com_users.yaml b/config/crd/bases/rabbitmq.com_users.yaml
index 619c82a9..2ca959dd 100644
--- a/config/crd/bases/rabbitmq.com_users.yaml
+++ b/config/crd/bases/rabbitmq.com_users.yaml
@@ -41,6 +41,11 @@ spec:
 spec:
 description: Spec configures the desired state of the User object.
 properties:
+ autoUpdateCredentialsSecret:
+ description: |-
+ Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+ Defaults to false if omitted.
+ type: boolean
 importCredentialsSecret:
 description: |-
 Defines a Secret containing the credentials for the User. If this field is omitted, random a username and
diff --git a/controllers/user_controller.go b/controllers/user_controller.go
index 8c7eb340..e044a9bc 100644
--- a/controllers/user_controller.go
+++ b/controllers/user_controller.go
@@ -98,6 +98,7 @@ func (r *UserReconciler) declareCredentials(ctx context.Context, user *topology.
 for i := range credentialSecret.ObjectMeta.OwnerReferences {
 credentialSecret.ObjectMeta.OwnerReferences[i].BlockOwnerDeletion = ptr.To(false)
 }
+ credentialSecret.Data = credentialSecretData
 return nil
 })
 return apiError
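Review bot: In api/v1beta1/user_types.go the comment on `AutoUpdateCredentialsSecret` does not say what the flag does when `ImportCredentialsSecret` is omitted, and it leaves the context line above it ("this import only occurs at creation time, and is ignored once a password has been set on a User") contradicting the new behaviour. Because this field decides when a stored credential is rewritten, the doc should state both, for example `// When true, the generated Secret is rewritten from ImportCredentialsSecret on every reconcile; it has no effect unless ImportCredentialsSecret is set.`, with a matching caveat added to the ImportCredentialsSecret note. The second half of that sentence only holds if the controller guards the nil case, which the changed condition in DeclareFunc in controllers/user_controller.go does not do. The UserSpec struct starts outside the hunk.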
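Review bot: In controllers/user_controller.go, `credentialSecret.Data = credentialSecretData` in declareCredentials is unconditional, so it changes behaviour for every User and not only for those with `AutoUpdateCredentialsSecret` set. Whenever this closure runs against a Secret that already exists, the whole Data map is replaced, which drops any key written by something else and, if `credentialSecretData` was freshly generated, changes the stored password; where `credentialSecretData` comes from is outside the hunk, so that part is inferred. A why-comment would make the intent reviewable, e.g. `// Overwrite Data on update as well as create so the Secret tracks the current ImportCredentialsSecret.`, and a test that re-runs declareCredentials for a User without the flag should pin what is expected to happen to an existing Secret. The function body starts and ends outside the hunk.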
@@ -188,7 +189,7 @@ func (r *UserReconciler) setUserStatus(ctx context.Context, user *topology.User,
 func (r *UserReconciler) DeclareFunc(ctx context.Context, client rabbitmqclient.Client, obj topology.TopologyResource) error {
 logger := ctrl.LoggerFrom(ctx)
 user := obj.(*topology.User)
- if user.Status.Credentials == nil || user.Status.Username == "" {
+ if user.Status.Credentials == nil || user.Status.Username == "" || user.Spec.AutoUpdateCredentialsSecret {
 var username string
 if user.Status.Credentials != nil && user.Status.Username == "" {
 // Only run once for migration to set user.Status.Username on existing resources
@@ -198,7 +199,7 @@ func (r *UserReconciler) DeclareFunc(ctx context.Context, client rabbitmqclient.
 }
 username = string(credentials.Data["username"])
 } else {
- logger.Info("User does not yet have a Credentials Secret; generating", "user", user.Name)
+ logger.Info("User does not yet have a Credentials Secret or AutoUpdateCredentialsSecret is enabled; generating Credentials Secret", "user", user.Name)
 var err error
 if username, err = r.declareCredentials(ctx, user); err != nil {
 return err
diff --git a/docs/api/rabbitmq.com.ref.asciidoc b/docs/api/rabbitmq.com.ref.asciidoc
index 6957e54b..f8ac3b03 100644
--- a/docs/api/rabbitmq.com.ref.asciidoc
+++ b/docs/api/rabbitmq.com.ref.asciidoc
@@ -1422,6 +1422,8 @@ password will be generated. The Secret must have the following keys in its Data
 Note that this import only occurs at creation time, and is ignored once a password has been set on a User.
+| *`autoUpdateCredentialsSecret`* __boolean__ | Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+Defaults to false if omitted.
 |===
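Review bot: The new condition in DeclareFunc, `|| user.Spec.AutoUpdateCredentialsSecret`, does not check that an import Secret is configured. The field description says random credentials are generated when `importCredentialsSecret` is omitted, so a User with the flag set and no import Secret would appear to get a new random username and password on every reconcile, leaving the previously declared RabbitMQ user in place with its old password unless code outside the hunk removes it. Gating the flag closes that path: `if user.Status.Credentials == nil || user.Status.Username == "" || (user.Spec.AutoUpdateCredentialsSecret && user.Spec.ImportCredentialsSecret != nil) {`. The same stale-account question applies when the username inside the import Secret is changed, and is worth a test. DeclareFunc continues outside the hunk.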
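Review bot: The reworded `logger.Info` message in the else branch of DeclareFunc folds first-time creation and flag-driven regeneration into one line, so someone reading the operator log cannot tell an expected initial Secret from a rewrite of an existing credential. With the flag on, this branch is taken on each reconcile of an already-migrated User, so the line also repeats. Carrying the reason as a structured field keeps the message stable and makes rewrites searchable: `logger.Info("Generating Credentials Secret", "user", user.Name, "autoUpdate", user.Spec.AutoUpdateCredentialsSecret)`. The enclosing if/else starts outside the hunk.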