From bad78f022aacf632cb543d32b133d89f0845bac8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 30 Dec 2024 09:32:33 +0000
Subject: [PATCH 1/2] CLOUD-727: Bump google.golang.org/grpc from 1.69.0 to 1.69.2

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.69.0 to 1.69.2.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.69.0...v1.69.2)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
go.mod | 2 +-
go.sum | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 3ce64a5cf..2e2326469 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 go.mongodb.org/mongo-driver v1.17.1
 go.uber.org/zap v1.27.0
 golang.org/x/sync v0.10.0
- google.golang.org/grpc v1.69.0
+ google.golang.org/grpc v1.69.2
 gopkg.in/yaml.v2 v2.4.0
 k8s.io/api v0.32.0
 k8s.io/apimachinery v0.32.0
diff --git a/go.sum b/go.sum
index 4ddf5b0f9..2de3999f7 100644
--- a/go.sum
+++ b/go.sum
@@ -723,8 +723,8 @@ google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ij google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.69.0 h1:quSiOM1GJPmPH5XtU+BCoVXcDVJJAzNcoyfC2cCjGkI= -google.golang.org/grpc v1.69.0/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= +google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU= +google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
From 1de97d17c657e1e927ee3b33ae705f4abd12b723 Mon Sep 17 00:00:00 2001
From: Inel Pandzic
Date: Wed, 1 Jan 2025 10:26:28 +0100
Subject: [PATCH 2/2] Prevent $external DB user from dealing with passwords.

---
pkg/apis/psmdb/v1/psmdb_types.go | 4 +++
.../perconaservermongodb/custom_users.go | 35 +++++++++++--------
2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
index 5401639c8..fb87dea62 100644
--- a/pkg/apis/psmdb/v1/psmdb_types.go
+++ b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -119,6 +119,10 @@ func (u *User) UserID() string {
 return u.DB + "." + u.Name
 }
 
+func (u *User) IsExternalDB() bool {
+ return u.DB == "$external"
+}
+
 type RoleAuthenticationRestriction struct {
 ClientSource []string `json:"clientSource,omitempty"`
 ServerAddress []string `json:"serverAddress,omitempty"`
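Review bot: `IsExternalDB` is a new exported method without a doc comment, and since the rest of this patch uses it to decide whether a password secret is created or skipped, the contract is worth stating: `// IsExternalDB reports whether the user belongs to the $external authentication database; such users have no password secret managed by the operator.` The `"$external"` literal now lives in one place instead of being compared inline in the controller, which is an improvement; a named constant (e.g. `ExternalDB = "$external"`) would additionally let callers and tests refer to the value without retyping the string. The enclosing `User` type and its other methods are outside this hunk.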
diff --git a/pkg/controller/perconaservermongodb/custom_users.go b/pkg/controller/perconaservermongodb/custom_users.go
index 80b26515b..5b419b388 100644
--- a/pkg/controller/perconaservermongodb/custom_users.go
+++ b/pkg/controller/perconaservermongodb/custom_users.go
@@ -105,7 +105,7 @@ func handleUsers(ctx context.Context, cr *api.PerconaServerMongoDB, mongoCli mon
 continue
 }
 
- if user.DB == "$external" && userInfo == nil {
+ if user.IsExternalDB() && userInfo == nil {
 err = createExternalUser(ctx, mongoCli, &user)
 if err != nil {
 return errors.Wrapf(err, "create user %s", user.Name)
@@ -113,16 +113,12 @@ func handleUsers(ctx context.Context, cr *api.PerconaServerMongoDB, mongoCli mon
 continue
 }
 
- defaultUserSecretName := fmt.Sprintf("%s-custom-user-secret", cr.Name)
-
- userSecretName := defaultUserSecretName
 userSecretPassKey := user.Name
 if user.PasswordSecretRef != nil {
- userSecretName = user.PasswordSecretRef.Name
 userSecretPassKey = user.PasswordSecretRef.Key
 }
 
- sec, err := getCustomUserSecret(ctx, client, cr, userSecretName, defaultUserSecretName, userSecretPassKey)
+ sec, err := getCustomUserSecret(ctx, client, cr, &user, userSecretPassKey)
 if err != nil {
 log.Error(err, "failed to get user secret", "user", user)
 continue
@@ -130,7 +126,7 @@ func handleUsers(ctx context.Context, cr *api.PerconaServerMongoDB, mongoCli mon
 
 annotationKey := fmt.Sprintf("percona.com/%s-%s-hash", cr.Name, user.Name)
 
- if userInfo == nil {
+ if userInfo == nil && !user.IsExternalDB() {
 err = createUser(ctx, client, mongoCli, &user, sec, annotationKey, userSecretPassKey)
 if err != nil {
 return errors.Wrapf(err, "create user %s", user.Name)
@@ -293,7 +289,7 @@ func updatePass(
 annotationKey, passKey string) error {
 log := logf.FromContext(ctx)
 
- if userInfo == nil {
+ if userInfo == nil || user.IsExternalDB() {
 return nil
 }
 
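Review bot: In the -113 hunk, `sec` is nil with a nil error whenever `user.IsExternalDB()` is true, because `getCustomUserSecret` now returns `nil, nil` for such users, yet the loop only `continue`s for external users in the -105 hunk when `userInfo == nil`; an existing external user therefore reaches the code after the -130 hunk with `sec == nil`. The `!user.IsExternalDB()` guard added in the -130 hunk protects `createUser`, and `updatePass` bails out in the -293 hunk, but any other use of `sec` between those points (the remainder of handleUsers lies outside these hunks) would be a nil dereference. Either guard each later use with `if sec != nil`, or make the skip explicit up front with `if user.IsExternalDB() && userInfo != nil { continue }` next to the existing external-user branch; if existing external users still need role updates past this point, the guard form is the one to use. A one-line comment at the call site, `// sec is nil for $external users; they never get a password secret`, would make the contract visible to the next reader.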
@@ -417,24 +413,35 @@ func createUser(
 
 // getCustomUserSecret gets secret by name defined by `user.PasswordSecretRef.Name` or returns a secret
 // with newly generated password if name matches defaultName
-func getCustomUserSecret(ctx context.Context, cl client.Client, cr *api.PerconaServerMongoDB, name, defaultName, passKey string) (*corev1.Secret, error) {
+func getCustomUserSecret(ctx context.Context, cl client.Client, cr *api.PerconaServerMongoDB, user *api.User, passKey string) (*corev1.Secret, error) {
 log := logf.FromContext(ctx)
 
+ if user.IsExternalDB() {
+ return nil, nil
+ }
+
+ defaultSecretName := fmt.Sprintf("%s-custom-user-secret", cr.Name)
+
+ secretName := defaultSecretName
+ if user.PasswordSecretRef != nil {
+ secretName = user.PasswordSecretRef.Name
+ }
+
 secret := &corev1.Secret{}
- err := cl.Get(ctx, types.NamespacedName{Name: name, Namespace: cr.Namespace}, secret)
+ err := cl.Get(ctx, types.NamespacedName{Name: secretName, Namespace: cr.Namespace}, secret)
 
- if err != nil && name != defaultName {
+ if err != nil && secretName != defaultSecretName {
 return nil, errors.Wrap(err, "failed to get user secret")
 }
 
- if err != nil && !k8serrors.IsNotFound(err) && name == defaultName {
+ if err != nil && !k8serrors.IsNotFound(err) && secretName == defaultSecretName {
 return nil, errors.Wrap(err, "failed to get user secret")
 }
 
 if err != nil && k8serrors.IsNotFound(err) {
 secret = &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
- Name: name,
+ Name: secretName,
 Namespace: cr.Namespace,
 },
 }
@@ -458,7 +465,7 @@ func getCustomUserSecret(ctx context.Context, cl client.Client, cr *api.PerconaS
 }
 
 _, hasPass := secret.Data[passKey]
- if !hasPass && name == defaultName {
+ if !hasPass && secretName == defaultSecretName {
 pass, err := s.GeneratePassword()
 if err != nil {
 return nil, errors.Wrap(err, "generate custom user password")
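Review bot: The doc comment kept as context at the top of the -417 hunk is now stale: it still refers to a `defaultName` argument that the new signature no longer has, and says nothing about the new early `return nil, nil` for users in the `$external` database, which is the only path that yields a nil `*corev1.Secret` without an error. Suggested replacement: `// getCustomUserSecret returns the secret named by user.PasswordSecretRef.Name, or the cluster's default custom-user secret (created with a generated password if it does not exist yet). For users in the $external database it returns nil, nil, since they have no password secret.` Returning `nil, nil` also pushes a nil check onto every caller; if the call site can skip external users before calling, the early return here could instead become a guard that returns an explicit error, so a nil secret can never be silently passed on. The password-generation path in the -458 hunk is only renamed, and the function continues past that hunk.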