ydb-platform / ydb-kubernetes-operator

YDB Operator allows you to deploy your own YDB cluster in Kubernetes

feat: support static credentials #90

Closed Jorres closed 1 month ago

Jorres commented 1 year ago

Feature Request

Describe the Feature Request

At this point, the operator is unable to connect to the database if enforce_static_user_credentials in the Storage config is set to true.

Relevant error:

2022-12-23T11:00:29.252Z    ERROR   controller.storage  GetSelfCheckResult error    {"reconciler group": "ydb.tech", "reconciler kind": "Storage", "name": "main", "namespace": "ydb", "error": "rpc error: code = Unauthenticated desc = unauthenticated,  Access denied without user token"}
github.com/ydb-platform/ydb-kubernetes-operator/internal/controllers/storage.(*Reconciler).Reconcile
    /workspace/internal/controllers/storage/controller.go:63

Additional Context

Internal ticket YDBOPS-6056

kobzonega commented 1 month ago

Implemented in PRs #158 and #159.

It is now possible to enable the field enforce_static_user_credentials: true in the configuration YAML. The YDB operator supports 3 types of auth: anonymous (by default), access_token (OAuth) and static credentials (username/password). The default password is used during the new cluster storage init process if no other is specified (just do not specify the password field).

In general, ydb-operator obtains a token from the secretKeyRef in the Storage spec.operatorConnection section and uses it in subsequent communication with YDB:

operatorConnection:
  accessToken:
    secretKeyRef:
      name: "mystorage-token"
      key: "token"
  staticCredentials:
    username: "root"
    password:
      secretKeyRef:
        name: "mystorage-root-password"
        key: "password"
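
A preflight check for the secretKeyRef targets shown in the comment above, as an added example that is not part of the original thread or the operator's code. It assumes kubectl read access to Secrets in the Storage resource's namespace (ydb in the log above) and that the referenced Secrets live in that namespace; the function names and the KUBECTL override are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the Secrets referenced by spec.operatorConnection.
# The KUBECTL override is an assumption of this sketch (allows a wrapper binary).
KUBECTL="${KUBECTL:-kubectl}"

# secret_key_status NAMESPACE SECRET KEY
#   0 = Secret exists and KEY holds a non-empty value
#   1 = Secret not found, or not readable by the caller
#   2 = Secret found, but KEY is absent or empty
secret_key_status() {
    ns=$1 secret=$2 key=$3
    # jsonpath prints "" for an absent key. Values under .data are base64, and
    # base64 of an empty value is also "", so the value is never decoded or shown.
    # Keys containing dots would need escaping in the jsonpath expression.
    encoded=$("$KUBECTL" -n "$ns" get secret "$secret" \
        -o "jsonpath={.data.$key}" 2>/dev/null) || return 1
    [ -n "$encoded" ] || return 2
    return 0
}

# preflight_operator_connection NAMESPACE SECRET:KEY...
# Reports every reference and returns 1 if any of them is unusable.
preflight_operator_connection() {
    ns=$1; shift
    failed=0
    for ref in "$@"; do
        name=${ref%%:*} key=${ref#*:}
        rc=0
        secret_key_status "$ns" "$name" "$key" || rc=$?
        case $rc in
            0) echo "ok       $ns/$name key=$key" ;;
            1) echo "MISSING  $ns/$name (secret not found or not readable)"
               failed=1 ;;
            2) echo "EMPTY    $ns/$name key=$key (key absent or empty)"
               failed=1 ;;
        esac
    done
    return "$failed"
}

# Usage, with the names from the comment above:
#   preflight_operator_connection ydb mystorage-root-password:password
```

Running it before setting enforce_static_user_credentials: true shows whether the Secret the operator will read is in place, without printing the credential.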