Add password secret

Author: MathieuCesbron

go.mod

@@ -46,6 +46,7 @@ require (
 	github.com/prometheus/client_model v0.4.0 // indirect
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/sethvargo/go-password v0.2.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect

go.sum

@@ -121,6 +121,8 @@ github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
 github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/sethvargo/go-password v0.2.0 h1:BTDl4CC/gjf/axHMaDQtw507ogrXLci6XRiLc7i/UHI=
+github.com/sethvargo/go-password v0.2.0/go.mod h1:Ym4Mr9JXLBycr02MFuVQ/0JHidNetSgbzutTr3zsYXE=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=

internal/controller/controller.go

@@ -49,6 +49,11 @@ func (r *MetabaseReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		return ctrl.Result{}, fmt.Errorf("error getting metabase cr: %w", err)
 	}
 
+	err = r.ManageSecret(ctx, metabase)
+	if err != nil {
+		return ctrl.Result{}, err
+	}
+
 	err = r.ManageDatabase(ctx, metabase)
 	if err != nil {
 		return ctrl.Result{}, err

internal/controller/database.go

@@ -71,6 +71,14 @@ func (r *MetabaseReconciler) GetStatefulSet(metabase *unagexcomv1.Metabase) *app
 								},
 							},
 						},
+						{
+							Name: metabase.Name + "-secret",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName: metabase.Name + "-secret",
+								},
+							},
+						},
 					},
 					Containers: []corev1.Container{
 						{
@@ -109,8 +117,15 @@ func (r *MetabaseReconciler) GetStatefulSet(metabase *unagexcomv1.Metabase) *app
 									Value: "user",
 								},
 								{
-									Name:  "POSTGRES_PASSWORD",
-									Value: "password",
+									Name: "POSTGRES_PASSWORD",
+									ValueFrom: &corev1.EnvVarSource{
+										SecretKeyRef: &corev1.SecretKeySelector{
+											LocalObjectReference: corev1.LocalObjectReference{
+												Name: metabase.Name + "-secret",
+											},
+											Key: "PASSWORD",
+										},
+									},
 								},
 								{
 									Name:  "POSTGRES_DB",
@@ -119,8 +134,8 @@ func (r *MetabaseReconciler) GetStatefulSet(metabase *unagexcomv1.Metabase) *app
 							},
 							VolumeMounts: []corev1.VolumeMount{
 								{
-									MountPath: "/var/lib/postgresql/data",
 									Name:      metabase.Name + "-storage",
+									MountPath: "/var/lib/postgresql/data",
 								},
 							},
 						},

internal/controller/metabase.go

@@ -63,6 +63,16 @@ func (r *MetabaseReconciler) GetDeployment(metabase *unagexcomv1.Metabase) *apps
 					Labels: ls,
 				},
 				Spec: corev1.PodSpec{
+					Volumes: []corev1.Volume{
+						{
+							Name: metabase.Name + "-secret",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName: metabase.Name + "-secret",
+								},
+							},
+						},
+					},
 					Containers: []corev1.Container{
 						{
 							Image:           metabase.Spec.Metabase.Image,
@@ -123,8 +133,15 @@ func (r *MetabaseReconciler) GetDeployment(metabase *unagexcomv1.Metabase) *apps
 									Value: "user",
 								},
 								{
-									Name:  "MB_DB_PASS",
-									Value: "password",
+									Name: "MB_DB_PASS",
+									ValueFrom: &corev1.EnvVarSource{
+										SecretKeyRef: &corev1.SecretKeySelector{
+											LocalObjectReference: corev1.LocalObjectReference{
+												Name: metabase.Name + "-secret",
+											},
+											Key: "PASSWORD",
+										},
+									},
 								},
 								{
 									Name:  "MB_DB_HOST",

internal/controller/secret.go

@@ -0,0 +1,73 @@
+package controller
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/sethvargo/go-password/password"
+	unagexcomv1 "github.com/unagex/metabase-operator/api/v1"
+	"github.com/unagex/metabase-operator/internal/controller/common"
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
+	controllerruntime "sigs.k8s.io/controller-runtime"
+)
+
+func (r *MetabaseReconciler) ManageSecret(ctx context.Context, metabase *unagexcomv1.Metabase) error {
+	sec := &corev1.Secret{}
+	err := r.Get(ctx, types.NamespacedName{
+		Namespace: metabase.Namespace,
+		Name:      metabase.Name,
+	}, sec)
+
+	// create if secret does not exist
+	if k8serrors.IsNotFound(err) {
+		sec, err := r.GetSecret(metabase)
+		if err != nil {
+			return err
+		}
+
+		err = r.Create(ctx, sec)
+		if err != nil && !k8serrors.IsAlreadyExists(err) {
+			return fmt.Errorf("error creating secret: %w", err)
+		}
+		if err == nil {
+			r.Log.Info("secret created")
+		}
+		return nil
+	}
+
+	if err != nil {
+		return fmt.Errorf("error getting secret: %w", err)
+	}
+
+	return nil
+}
+
+func (r *MetabaseReconciler) GetSecret(metabase *unagexcomv1.Metabase) (*corev1.Secret, error) {
+	ls := common.GetLabels(metabase.Name, "secret")
+	password, err := password.Generate(64, 10, 10, false, false)
+	if err != nil {
+		return nil, err
+	}
+
+	sec := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      metabase.Name + "-secret",
+			Namespace: metabase.Namespace,
+			Labels:    ls,
+		},
+		Immutable: ptr.To(true),
+		Data: map[string][]byte{
+			"PASSWORD": []byte(password),
+		},
+	}
+	err = controllerruntime.SetControllerReference(metabase, sec, r.Scheme)
+	if err != nil {
+		return nil, err
+	}
+
+	return sec, nil
+}