K8SPXC-1733 Ability to customize secrets generation

[fydrah]

Customize secrets generation:

• keep current secret generation behavior as default
• Ability to customize the special symbols to include in secret generation
• Ability to customize min/max secret length

Linked to #2222

CHANGE DESCRIPTION

Problem:
Short explanation of the problem.

By default, the operator generates his secrets for system users (root, xtrabackup, proxyadmin, replication,...etc...).
The current secrets generation is based on constants, prohibiting any customization:

const (
	passwordMaxLen = 20
	passwordMinLen = 16
	passSymbols    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
		"abcdefghijklmnopqrstuvwxyz" +
		"0123456789" +
		"!#$%&()*+,-.<=>?@[]^_{}~"
)

Cause:
Short explanation of the root cause of the issue if applicable.

Solution:
Short explanation of the solution we are providing with this PR.

Proposal would be to have a minimal customization, e.g.:

• Enable/disable special symbols
• Customize min/max password length

Suggested implementation would be a dedicated configuration structure for generated secrets:

[...]
spec:
  generatedSecretsOptions:
    symbols: "-_+$%" # customize symbols you need. Keep the current behavior if omitted. Use empty string to disable symbols.
    minLength: 16
    maxLength: 20
[...]

CHECKLIST

Jira

• Is the Jira ticket created and referenced properly?
• Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
• Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

• Is an E2E test/test case added for the new feature/change?
• Are unit tests added where appropriate?
• Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

• Are all needed new/changed options added to default YAML files?
• Are all needed new/changed options added to the Helm Chart?
• Did we add proper logging messages for operator actions?
• Did we ensure compatibility with the previous version or cluster upgrade process?
• Does the change support oldest and newest supported PXC version?
• Does the change support oldest and newest supported Kubernetes version?

[it-percona-cla]

All committers have signed the CLA.

[JNKPercona]

Test Name	Result	Time
affinity-8-0	passed	00:06:01
auto-tuning-8-0	passed	00:19:00
cross-site-8-0	passed	00:35:07
custom-users-8-0	passed	00:12:56
demand-backup-cloud-8-0	passed	00:58:47
demand-backup-encrypted-with-tls-8-0	passed	00:44:59
demand-backup-8-0	passed	00:42:00
demand-backup-flow-control-8-0	passed	00:10:36
demand-backup-parallel-8-0	passed	00:09:33
demand-backup-without-passwords-8-0	passed	00:16:12
haproxy-5-7	passed	00:14:57
haproxy-8-0	passed	00:14:44
init-deploy-5-7	passed	00:16:22
init-deploy-8-0	passed	00:17:14
limits-8-0	passed	00:12:09
monitoring-2-0-8-0	passed	00:22:19
monitoring-pmm3-8-0	passed	00:18:08
one-pod-5-7	passed	00:14:27
one-pod-8-0	passed	00:13:44
pitr-8-0	passed	00:43:10
pitr-gap-errors-8-0	passed	00:56:45
proxy-protocol-8-0	passed	00:09:36
proxysql-sidecar-res-limits-8-0	passed	00:08:25
pvc-resize-5-7	passed	00:16:08
pvc-resize-8-0	passed	00:16:08
recreate-8-0	passed	00:17:10
restore-to-encrypted-cluster-8-0	passed	00:26:09
scaling-proxysql-8-0	passed	00:08:37
scaling-8-0	passed	00:10:46
scheduled-backup-5-7	failure	00:16:15
scheduled-backup-8-0	passed	01:04:11
security-context-8-0	passed	00:25:45
smart-update1-8-0	passed	00:33:21
smart-update2-8-0	failure	00:22:51
storage-8-0	passed	00:10:57
tls-issue-cert-manager-ref-8-0	passed	00:08:54
tls-issue-cert-manager-8-0	passed	00:12:12
tls-issue-self-8-0	passed	00:15:19
upgrade-consistency-8-0	passed	00:11:02
upgrade-haproxy-5-7	failure	00:14:44
upgrade-haproxy-8-0	passed	00:24:53
upgrade-proxysql-5-7	passed	00:15:27
upgrade-proxysql-8-0	passed	00:16:17
users-5-7	failure	00:06:18
users-8-0	passed	00:27:02
validation-hook-8-0	passed	00:01:27

Summary	Value
Tests Run	46/46
Job Duration	02:26:57
Total Test Time	15:39:26

commit: 2da0e2d
image: perconalab/percona-xtradb-cluster-operator:PR-2227-2da0e2db

[gkech]

The changes to the image should be reverted to main across all the similar occurrences.

[gkech]

string(...) is not needed

[gkech]

Given that the configuration we introduce is related to the passwords that are provisioned through secrets and not for the secrets themselves, maybe we could adjust the naming of the new options accordingly. Some options:

• PasswordGenerationOptions - Most accurate and clear
• GeneratedPasswordOptions - Also clear and descriptive
• PasswordOptions - Simpler but still clear

PasswordGenerationOptions is the most suitable one IMO.

[egegunes]

I think PasswordGenerationOptions is good

[gkech]

cc @hors

[hors]

I think it would be better to reuse the naming from the “Password Validation Options” feature in MySQL. What do you think about:

spec:
  secretGenerationOptions:
    lengthMin: 16
    lengthMax: 32
    allowedSymbols: "!@#$%" # Overrides or supplements the default set

or

spec:
  passwordGenerationOptions:
    lengthMin: 16
    lengthMax: 32
    allowedSymbols: "!@#$%" # Overrides or supplements the default set

cc @egegunes @gkech

[gkech]

spec:
passwordGenerationOptions:
lengthMin: 16
lengthMax: 32
allowedSymbols: "!@#$%" # Overrides or supplements the default set

I would go with this ☝🏽

[gkech]

I believe in this test should we should focus on the following 2 scenarios:

• Default configuration of passwords with nil the new option
• The new option configured and asserting the specified symbols and lengths

[gkech]

the unit test failures for proxysql password are unrelated to this pr and will be fixed under this pr: #2124