Add option to add a prefix to each generated access request username

RocketChat · Aug 30, 2023 · 59103b1 · 59103b1
1 parent cefe562
commit 59103b1
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 10 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,3 +1,4 @@
 # More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
 # Ignore build and test binaries.
 testbin/
+*.ignore
diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,4 @@ test_replicaset.txt
 mongoValues.yaml
 db-secret.yaml
 db-cluster.yaml
+*.ignore
diff --git a/api/v1alpha1/mongodbcluster_types.go b/api/v1alpha1/mongodbcluster_types.go
@@ -43,6 +43,9 @@ type MongoDBClusterSpec struct {
 	// +kubebuilder:default=mongodb
 	PrefixTemplate string `json:"prefixTemplate,omitempty"`
 
+	// Append this prefix to all default/generated usernames for this cluster. Will be overriden if "username" is specified.
+	UserNamePrefix string `json:"userNamePrefix,omitempty"`
+
 	// If this is set, Atlas API will be used instead of the regular mongo auth path.
 	UseAtlasApi bool `json:"useAtlasApi,omitempty"`
 }

diff --git a/config/crd/bases/airlock.cloud.rocket.chat_mongodbclusters.yaml b/config/crd/bases/airlock.cloud.rocket.chat_mongodbclusters.yaml
@@ -68,6 +68,10 @@ spec:
                 description: If this is set, Atlas API will be used instead of the
                   regular mongo auth path.
                 type: boolean
+              userNamePrefix:
+                description: Append this prefix to all default/generated usernames
+                  for this cluster. Will be overriden if "username" is specified.
+                type: string
             required:
             - connectionSecret
             - hostTemplate

diff --git a/config/samples/airlock_v1alpha1_mongodbaccessrequest.yaml b/config/samples/airlock_v1alpha1_mongodbaccessrequest.yaml
@@ -10,5 +10,14 @@ kind: MongoDBAccessRequest
 metadata:
   name: obrigado
 spec:
+  # In which cluster to create the user.
   clusterName: teste-atlas1
 
+  # Optional. Username to be created in the cluster. If not provided, will be the same as the access request name.
+  # userName: obrigado
+
+  # Optional. Database to be used for the user. If not provided, the user will have access to one that matches the access request name
+  # database: obrigado
+
+  # Optional. Secret name where the credentials will be stored. If not provided, will be the same as the access request name.
+  # secretName: obrigado
diff --git a/config/samples/airlock_v1alpha1_mongodbcluster.yaml b/config/samples/airlock_v1alpha1_mongodbcluster.yaml
@@ -14,12 +14,27 @@ kind: MongoDBCluster
 metadata:
   name: teste-atlas1
 spec:
-  useAtlasApi: true
+  # The host with port that clients will receive when requesting credentials.
   hostTemplate: "cluster0.vpz0mct.mongodb.net"
+
+  # Secret in which Airlock will look for a ConnectionString or Atlas credentials, that will be used to connect to the cluster. 
+  connectionSecret: airlock-atlas-connection
+
+  # Optional. If this is set, Atlas API will be used instead of the regular mongo auth path.
+  useAtlasApi: true
+
+  # Optional. Extra connection string parameters that will be added to the connection string.
   optionsTemplate: ?retryWrites=true&w=majority
+
+  # Optional. The prefix used when building the connection string. Defaults to "mongodb"
   prefixTemplate: mongodb+srv
-  connectionSecret: airlock-atlas-connection
+
+  # Optional. Namespace where the connection secret is located. Defaults to "airlock-system"
   connectionSecretNamespace: airlock-system
+
+  # Optional. Append this prefix to all default/generated usernames for this cluster. Will be ignored if "username" is already set on the access request.
+  userNamePrefix: test-use1-
+
 ---
 apiVersion: v1
 kind: Secret
@@ -28,6 +43,7 @@ metadata:
   namespace: airlock-system
 type: Opaque
 stringData:
+  # It should have enough privileges to manage users and access. This is not gonna be used by the created users.
   connectionString: "mongodb://rcadmin:[email protected]/test?replicaSet=rs0"
 
 ---

diff --git a/controllers/mongodbaccessrequest_controller.go b/controllers/mongodbaccessrequest_controller.go
@@ -98,28 +98,28 @@ func (r *MongoDBAccessRequestReconciler) Reconcile(ctx context.Context, req ctrl
 
 	mongodbClusterCR := &airlockv1alpha1.MongoDBCluster{}
 
-	err = r.generateAttributes(ctx, mongodbAccessRequestCR)
+	err = r.Get(ctx, types.NamespacedName{Namespace: "", Name: mongodbAccessRequestCR.Spec.ClusterName}, mongodbClusterCR)
 	if err != nil {
 		meta.SetStatusCondition(&mongodbAccessRequestCR.Status.Conditions,
 			metav1.Condition{
 				Type:               "Ready",
 				Status:             metav1.ConditionFalse,
-				Reason:             "AttributeGenerationFailed",
+				Reason:             "GetMongoDBClusterFailed",
 				LastTransitionTime: metav1.NewTime(time.Now()),
-				Message:            fmt.Sprintf("Attribute generation failed with error: %s", err.Error()),
+				Message:            fmt.Sprintf("Failed to get MongoDBCluster resource for %s: %s", mongodbAccessRequestCR.Spec.ClusterName, err.Error()),
 			})
 		return ctrl.Result{}, utilerrors.NewAggregate([]error{err, r.Status().Update(ctx, mongodbAccessRequestCR)})
 	}
 
-	err = r.Get(ctx, types.NamespacedName{Namespace: "", Name: mongodbAccessRequestCR.Spec.ClusterName}, mongodbClusterCR)
+	err = r.generateAttributes(ctx, mongodbAccessRequestCR, mongodbClusterCR)
 	if err != nil {
 		meta.SetStatusCondition(&mongodbAccessRequestCR.Status.Conditions,
 			metav1.Condition{
 				Type:               "Ready",
 				Status:             metav1.ConditionFalse,
-				Reason:             "GetMongoDBClusterFailed",
+				Reason:             "AttributeGenerationFailed",
 				LastTransitionTime: metav1.NewTime(time.Now()),
-				Message:            fmt.Sprintf("Failed to get MongoDBCluster resource for %s: %s", mongodbAccessRequestCR.Spec.ClusterName, err.Error()),
+				Message:            fmt.Sprintf("Attribute generation failed with error: %s", err.Error()),
 			})
 		return ctrl.Result{}, utilerrors.NewAggregate([]error{err, r.Status().Update(ctx, mongodbAccessRequestCR)})
 	}
@@ -374,7 +374,7 @@ func (r *MongoDBAccessRequestReconciler) reconcileSecret(ctx context.Context, re
 	return nil
 }
 
-func (r *MongoDBAccessRequestReconciler) generateAttributes(ctx context.Context, mongodbAccessRequestCR *airlockv1alpha1.MongoDBAccessRequest) error {
+func (r *MongoDBAccessRequestReconciler) generateAttributes(ctx context.Context, mongodbAccessRequestCR *airlockv1alpha1.MongoDBAccessRequest, mongodbClusterCR *airlockv1alpha1.MongoDBCluster) error {
 	changed := false
 
 	if mongodbAccessRequestCR.Spec.Database == "" {
@@ -383,7 +383,7 @@ func (r *MongoDBAccessRequestReconciler) generateAttributes(ctx context.Context,
 	}
 
 	if mongodbAccessRequestCR.Spec.UserName == "" {
-		mongodbAccessRequestCR.Spec.UserName = mongodbAccessRequestCR.Name
+		mongodbAccessRequestCR.Spec.UserName = mongodbClusterCR.Spec.UserNamePrefix + mongodbAccessRequestCR.Name
 		changed = true
 	}