CLOUDP-266544: Support local resource credentials #1782

josvazg · 2024-08-22T17:13:33Z

Add common infrastructure for adding local per CRD credentials at pkg/api/credentials.go.
Use the new infra from AtlasDatabaseUser's CRD and Controller.
Solve whether the credentials are taken from the current resource, the project or render nil.

Testing:

Unit tests on new ComputeSecret.
Conversion test fix: credentials must be ignored on comparisons between the Atlas and Kubernetes Spec.
Users e2e test: Second user takes locally defined credentials. Also if local credentials do not exist, reconciliation fails as expected.

All Submissions:

Have you signed our CLA?

github-actions · 2024-08-23T06:37:12Z

https://app.codecov.io/github/mongodb/mongodb-atlas-kubernetes/commit/6450dea0900bd5a11877c997411047623a581882

config/crd/bases/atlas.mongodb.com_atlasdatabaseusers.yaml

pkg/controller/customresource/customresource.go

internal/translation/dbuser/conversion_test.go

Signed-off-by: jose.vazquez <[email protected]>

josvazg · 2024-08-28T07:39:54Z

One nit about the global secret fallback handling. The logic is quite confusing to the reader. Why not make it explicit, where:
type Provider interface {
...
	GlobalSecret() client.ObjectKey
}
and then just invoke:
credentialsSecret, err := customresource.ComputeSecret(r.AtlasProvider.GlobalSecret(), project, databaseUser)
...
where the fallback logic is explicit in ComputeSecret:
func ComputeSecret(globalSecret client.ObjectKey, project *akov2.AtlasProject, resource api.ResourceWithCredentials) (*client.ObjectKey, error) {
	if globalSecret.Name != "" {
		return &globalSecret, nil
	}
	return resolveConnectionSecret(project, resource)
}
There is less indirection and makes the fallback explicit.

In the end I removed the global fallback from this part of the resolution. That will still work as before.

The only loss is we do not have precise errors when there is no global fallback, but that scenario was problematic to open up so soon anyway. We should decide if the global fallback will be optional separately.

igor-karpukhin · 2024-08-30T08:48:04Z

.github/workflows/test-e2e.yml

+          ATLAS_LOCAL_PUBLIC_KEY: ${{ secrets.ATLAS_LOCAL_PUBLIC_KEY }}
+          ATLAS_LOCAL_PRIVATE_KEY: ${{ secrets.ATLAS_LOCAL_PRIVATE_KEY }}


@josvazg Why do we need to duplicate API credentials?

You are right, we do not need this credentials.

I can simplify, but then the gov test issues will get me, so I won't be able to merge today.

s-urbaniak · 2024-09-02T06:41:54Z

rerunning e2e gov, let's evaluate if this is still a blocker.

josvazg · 2024-09-02T06:56:59Z

Our nightly test suite saw recovery today at midnight on the gov tests:
✅ cloud-tests / test-e2e-gov / E2E Gov tests

josvazg · 2024-09-02T07:30:22Z

@s-urbaniak all green again, I closed CLOUDP-270948

This reverts commit 8dbdcbf.

* Revert "CLOUDP-266544: Support local resource credentials (#1782)" This reverts commit 8dbdcbf. * Use project creds again

josvazg marked this pull request as draft August 22, 2024 17:13

josvazg added the cloud-tests Run expensive Cloud Tests: Integration & E2E label Aug 23, 2024

josvazg temporarily deployed to test August 23, 2024 06:37 — with GitHub Actions Inactive

josvazg force-pushed the CLOUDP-266544/per-resource-creds branch from 2bda370 to 3db3cde Compare August 23, 2024 07:44

josvazg temporarily deployed to test August 23, 2024 07:49 — with GitHub Actions Inactive

josvazg force-pushed the CLOUDP-266544/per-resource-creds branch from 3db3cde to 15ec9d1 Compare August 23, 2024 10:07

josvazg temporarily deployed to test August 23, 2024 10:12 — with GitHub Actions Inactive

josvazg changed the base branch from CLOUDP-266544/refactor-internal-deployments to main August 23, 2024 11:28

josvazg marked this pull request as ready for review August 23, 2024 11:28

josvazg temporarily deployed to test August 23, 2024 11:33 — with GitHub Actions Inactive

josvazg force-pushed the CLOUDP-266544/per-resource-creds branch from 15ec9d1 to 8b8d117 Compare August 23, 2024 11:50

josvazg temporarily deployed to test August 23, 2024 11:56 — with GitHub Actions Inactive

josvazg force-pushed the CLOUDP-266544/per-resource-creds branch from 8b8d117 to 2d1bd44 Compare August 23, 2024 12:04

josvazg temporarily deployed to test August 23, 2024 12:09 — with GitHub Actions Inactive

igor-karpukhin reviewed Aug 23, 2024

View reviewed changes

config/crd/bases/atlas.mongodb.com_atlasdatabaseusers.yaml Outdated Show resolved Hide resolved

josvazg force-pushed the CLOUDP-266544/per-resource-creds branch from 2d1bd44 to 514af19 Compare August 23, 2024 12:33

josvazg temporarily deployed to test August 23, 2024 12:39 — with GitHub Actions Inactive

josvazg force-pushed the CLOUDP-266544/per-resource-creds branch 2 times, most recently from 9f35b5a to 7f66bed Compare August 26, 2024 13:57

josvazg temporarily deployed to test August 26, 2024 14:03 — with GitHub Actions Inactive

josvazg temporarily deployed to test August 26, 2024 14:27 — with GitHub Actions Inactive

josvazg temporarily deployed to test August 26, 2024 16:28 — with GitHub Actions Inactive

josvazg requested review from s-urbaniak and roothorp August 27, 2024 06:52