Closes #2047.
This changes the v1 ASO code to generate `admissionregistration.k8s.io/v1` instead of `admissionregistration.k8s.io/v1beta1`. `v1` is supported since Kubernetes 1.16, and `v1beta1` is [removed in Kubernetes 1.22](https://github.com/kubernetes/kubernetes/issues/82021).
The Kustomize patch `admissionreviewversions_in_webhook.yaml` is removed as `admissionReviewVersions` are now generated by default.
* Support granting ALL privileges in a database to a user
If ALL is specified, we don't delete any privileges.
* Add validation webhooks for MySQL[AAD]User to prevent server-ALL
Since the ASO mysql admin user doesn't have privileges to grant global
ALL privileges, prevent this from being set in the resources.
* Update the docs for mysql users and aad users
* Test the MySQL[AAD]User webhook prevents ALL at the server level
* Support user specified MySQLServer secrets
- The specified secret must be a Kubernetes secret.
- The specified secret must contain a "username" and "password" field.
- The specified secret must be in the same namespace as the MySQLServer.
- If the specified secret doesn't exist, reconciliation will be blocked
until the secret does exist. Once the secret is created, reconciliation
will continue as normal.
- The operator does not make the user specified secret owned by
the MySQLServer.
- The operator still creates a secret containing connection string details
and username/password for the server. This secret is named as it was
before. This means that the customer specified username and password
are consumed to create this secret, but other resources such as MySQLUser
still consume the generated secret file.
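The secret-handling rules listed above, as an added Go example written for this page (not the operator's own implementation): the lookup is pinned to the MySQLServer's namespace, a missing secret is treated as "not ready yet, requeue", and a secret that exists but lacks `username`/`password` is a hard error that is surfaced rather than retried. The `Secret`, `SecretLister` and `Outcome` types, the `MapLister` fake and the `fullyQualifiedServerName` key in the operator-written secret are assumptions made for the example; the secrets it reads are constructed inline.

```go
package main

import (
	"errors"
	"fmt"
)

// Secret is a minimal stand-in for corev1.Secret carrying only what this
// example needs; these types are example code, not the operator's own.
type Secret struct {
	Namespace, Name string
	Data            map[string][]byte
}

// SecretLister stands in for the Kubernetes client read; MapLister below is a fake over constructed secrets.
type SecretLister func(namespace, name string) (*Secret, bool)

type ServerCredentials struct{ Username, Password string }

// ErrSecretNotReady means the referenced secret does not exist yet: block
// reconciliation and retry later rather than failing the resource.
var ErrSecretNotReady = errors.New("referenced secret does not exist yet")

// ReadServerCredentials resolves a user-specified MySQLServer secret. The lookup
// is pinned to the server's own namespace, so a reference can never pull
// credentials out of another namespace; a secret that exists but lacks the
// required keys is a permanent, user-visible error rather than a retry.
func ReadServerCredentials(list SecretLister, serverNamespace, secretName string) (ServerCredentials, error) {
	s, ok := list(serverNamespace, secretName)
	if !ok {
		return ServerCredentials{}, fmt.Errorf("secret %s/%s: %w", serverNamespace, secretName, ErrSecretNotReady)
	}
	username, password := s.Data["username"], s.Data["password"]
	if len(username) == 0 || len(password) == 0 {
		return ServerCredentials{}, fmt.Errorf("secret %s/%s must contain non-empty %q and %q", serverNamespace, secretName, "username", "password")
	}
	return ServerCredentials{Username: string(username), Password: string(password)}, nil
}

// Outcome mirrors a reconcile result: requeue while the secret is missing,
// surface an error for a malformed one, otherwise carry the credentials.
type Outcome struct {
	Requeue bool
	Err     error
	Creds   ServerCredentials
}

func ReconcileCredentials(list SecretLister, serverNamespace, secretName string) Outcome {
	creds, err := ReadServerCredentials(list, serverNamespace, secretName)
	switch {
	case errors.Is(err, ErrSecretNotReady):
		return Outcome{Requeue: true}
	case err != nil:
		return Outcome{Err: err}
	}
	return Outcome{Creds: creds}
}

// OperatorSecretData is the secret the operator still writes under the server's
// own name, fed from the user-supplied credentials. "username" and "password"
// are the keys named above; "fullyQualifiedServerName" is an assumed key.
func OperatorSecretData(creds ServerCredentials, fqdn string) map[string][]byte {
	return map[string][]byte{
		"username":                 []byte(creds.Username),
		"password":                 []byte(creds.Password),
		"fullyQualifiedServerName": []byte(fqdn),
	}
}

// MapLister is a fake lister over constructed secrets.
func MapLister(secrets ...Secret) SecretLister {
	return func(ns, name string) (*Secret, bool) {
		for i := range secrets {
			if secrets[i].Namespace == ns && secrets[i].Name == name {
				return &secrets[i], true
			}
		}
		return nil, false
	}
}

func main() {
	list := MapLister(Secret{Namespace: "prod", Name: "mysql-admin", Data: map[string][]byte{"username": []byte("admin"), "password": []byte("constructed")}})
	o := ReconcileCredentials(list, "prod", "mysql-admin")
	fmt.Printf("prod: requeue=%v user=%q err=%v\n", o.Requeue, o.Creds.Username, o.Err)
	o = ReconcileCredentials(list, "dev", "mysql-admin") // same name, other namespace: treated as missing
	fmt.Printf("dev:  requeue=%v err=%v\n", o.Requeue, o.Err)
}
```

The distinction between `Requeue` and `Err` is the point: a secret that has simply not been created yet must not mark the MySQLServer as failed, while a secret with the wrong shape must, because waiting would never fix it.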
* Update CosmosDB SDK version
* Refactor CosmosDB folder structure
- This is in preparation for adding new CosmosDB resources.
* Rename HandleEnsureError with a clearer name
- Also add documentation.
* Add new CosmosDBSQLDatabase resource
* Add PollURLKind to status
- Use it to differentiate between Create/Delete polling.
* Add validation rules for enums
* Fix enum validation syntax
* PR feedback
Co-authored-by: Matthew Christopher <matthchr@users.noreply.github.com>
Co-authored-by: Matthew Christopher <matthchr@microsoft.com>
* Remove ignore entry for manager
The output of `make manager` goes into bin/ which is already
ignored. This entry was causing very confusing things to happen with
directories called `manager` further down the directory tree.
* Never error when converting v1alpha2 MySQLAADUser -> v1alpha1
(Unless JSON serialisation fails for some reason.) Instead we store
the changed fields in an annotation and allow roundtripping that when
converting in the other direction.
* Never error when converting v1alpha2 MySQLUser -> v1alpha1
(Unless JSON serialisation fails for some reason.) Instead we store
the changed fields in an annotation and allow roundtripping that when
converting in the other direction.
* Review feedback, thanks @matthchr
* Comment out the replica server in the MySQL happy path test
This is perpetually timing out for me at the moment, and testing
manually shows that creation can take more than an hour.
* Fix typo in readme
* Improve secrets documentation
* Return proper error if we cannot deserialize secret
* Add new AZURE_SECRET_NAMING_VERSION mode
The new mode allows us to fix inconsistencies in how secrets
were named without making a breaking change.
- AppInsights created secrets in the same namespace
as the resource but with name:
"appinsights-<resourceGroup>-<resourceName>"
- Storage created secrets in the same namespace
as the resource but with name:
"storage-<resourceGroup>-<resourceName>"
- AzureSQL resources created resources with
a different naming scheme as well.
- Other resources created a secret in the same
namespace with the secret name being the
resource name.
The new V2 mode ensures that all resources create secrets
in KeyVault and/or Kubernetes with a consistent naming pattern.
* Update Helm chart (but don't generate new package)
* Fix bug where SQLManagedUser Namespace could be empty
- This would prevent secrets from being created in Kubernetes
* Enable V2 secrets for EnvTest tests
* Use v1beta1 explicitly with controller-gen
* PR feedback
* PR feedback
* Better testing
* Add v1alpha2 MySQLUser
This removes DbName from MySQLUser and adds DatabaseRoles to store
per-database permissions. Roles will now only store server-wide
permissions.
Add conversions between v1alpha1 and v1alpha2 versions.
* Add v1alpha2 MySQLAADUser
This removes DBName from MySQLAADUser and adds DatabaseRoles to store
per-database permissions. Roles will now only store server-wide
permissions.
Add conversions between v1alpha1 and v1alpha2 versions.
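The v1alpha1/v1alpha2 conversion described in the messages above (the split of DbName into per-database DatabaseRoles, and the downgrade that never fails except on JSON serialisation because it stashes the changed fields in an annotation for round-tripping), as an added Go example that is not the operator's own conversion code. The struct shapes, the annotation key `example.invalid/mysqluser-v1alpha2-fields` and the rule for projecting a single DatabaseRoles entry onto `DbName`/`Roles` are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for the two API versions described above (example
// types written for this note, not the operator's CRD types). In v1alpha1,
// DbName scopes the user to one database and Roles are the grants on it; in
// v1alpha2, Roles are server-wide and DatabaseRoles holds per-database grants.
type MySQLUserV1alpha1 struct {
	Annotations map[string]string
	Server      string
	DbName      string
	Roles       []string
}

type MySQLUserV1alpha2 struct {
	Annotations   map[string]string
	Server        string
	Roles         []string
	DatabaseRoles map[string][]string
}

// ConversionAnnotation is an assumed key; the operator's real key is not given above.
const ConversionAnnotation = "example.invalid/mysqluser-v1alpha2-fields"

// stashed holds the v1alpha2 fields that v1alpha1 has no place for.
type stashed struct {
	Roles         []string            `json:"roles,omitempty"`
	DatabaseRoles map[string][]string `json:"databaseRoles,omitempty"`
}

func copyAnnotations(m map[string]string) map[string]string {
	out := make(map[string]string, len(m)+1)
	for k, v := range m {
		out[k] = v
	}
	return out
}

// ConvertToV1alpha1 only fails if JSON serialisation does. Everything v1alpha1
// cannot express is kept in an annotation so the object round-trips without
// loss. Projection rule (an assumption for this example): a single
// DatabaseRoles entry is also exposed as DbName/Roles; anything else is only
// recoverable from the annotation.
func ConvertToV1alpha1(src MySQLUserV1alpha2) (MySQLUserV1alpha1, error) {
	raw, err := json.Marshal(stashed{Roles: src.Roles, DatabaseRoles: src.DatabaseRoles})
	if err != nil {
		return MySQLUserV1alpha1{}, fmt.Errorf("serialising v1alpha2 fields: %w", err)
	}
	dst := MySQLUserV1alpha1{Annotations: copyAnnotations(src.Annotations), Server: src.Server}
	dst.Annotations[ConversionAnnotation] = string(raw)
	if len(src.DatabaseRoles) == 1 {
		for db, roles := range src.DatabaseRoles {
			dst.DbName, dst.Roles = db, append([]string(nil), roles...)
		}
	}
	return dst, nil
}

// ConvertToV1alpha2 restores the stashed fields when the annotation is present
// (and drops it); a corrupt annotation is a real error. An object that never
// passed through v1alpha2 is mapped from DbName/Roles into one DatabaseRoles entry.
func ConvertToV1alpha2(src MySQLUserV1alpha1) (MySQLUserV1alpha2, error) {
	dst := MySQLUserV1alpha2{Annotations: copyAnnotations(src.Annotations), Server: src.Server}
	raw, ok := src.Annotations[ConversionAnnotation]
	if !ok {
		if src.DbName != "" {
			dst.DatabaseRoles = map[string][]string{src.DbName: append([]string(nil), src.Roles...)}
		}
		return dst, nil
	}
	var s stashed
	if err := json.Unmarshal([]byte(raw), &s); err != nil {
		return MySQLUserV1alpha2{}, fmt.Errorf("deserialising %s: %w", ConversionAnnotation, err)
	}
	delete(dst.Annotations, ConversionAnnotation)
	dst.Roles, dst.DatabaseRoles = s.Roles, s.DatabaseRoles
	return dst, nil
}

func main() {
	src := MySQLUserV1alpha2{Server: "mysql-prod", Roles: []string{"CREATE USER"},
		DatabaseRoles: map[string][]string{"app": {"SELECT", "INSERT"}, "audit": {"SELECT"}}}
	down, err := ConvertToV1alpha1(src)
	if err != nil {
		panic(err)
	}
	up, err := ConvertToV1alpha2(down)
	if err != nil {
		panic(err)
	}
	fmt.Printf("v1alpha1: dbName=%q annotation=%s\nv1alpha2: roles=%v databaseRoles=%v\n",
		down.DbName, down.Annotations[ConversionAnnotation], up.Roles, up.DatabaseRoles)
}
```

The annotation is authoritative on the way back up, so a client that edits `DbName` or `Roles` on the v1alpha1 view of an object that already carries the annotation will have that edit overridden by the stashed v1alpha2 fields; a real conversion webhook has to decide which side wins, and this example deliberately chooses losslessness for the newer version.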
* Set up conversion webhooks for MySQLUser and MySQLAADUser
* Review feedback, thanks @matthchr!
* Ensure `preserveUnknownFields: false` is set in all webhook patches
These were set for all types with version conversions but not the
others (which aren't in use since they are still commented out in
kustomization.yaml). Turning them on in the rest to remove one step in
the process of adding conversion webhooks to types in the future.
This setting is required for conversion to work - it seems like the
only reason it's not set in the patches is that they were generated by
kubebuilder before the setting was mandatory.
* Add provisioning state methods to v1alpha2 ASOStatus
* Reimplement MySQLUser and MySQLAADUser reconciliation with v1alpha2
They now check server-level (in USER_PRIVILEGES) and
database-level (SCHEMA_PRIVILEGES) permissions.
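The reconciliation described above, combined with the earlier ALL rules (ALL on a database grants everything and revokes nothing; server-level ALL is rejected, as the validation webhook does), as an added Go example that is not the operator's code. It takes rows already read from `information_schema.USER_PRIVILEGES` and `SCHEMA_PRIVILEGES`, diffs them against the desired server-wide and per-database roles, and returns the GRANT/REVOKE statements to run. `PrivilegeRow`, `safeName`, `minus` and the exact statement text are assumptions for the example, and the rows are constructed, not read from a server. One caveat the code enforces: MySQL `GRANT`/`REVOKE` do not accept bind parameters for the grantee or object, so user, host and database names have to be allow-listed before they are spliced into SQL.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// PrivilegeRow: GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE; USER_PRIVILEGES rows have TableSchema "".
type PrivilegeRow struct{ Grantee, TableSchema, PrivilegeType string }
// GRANT/REVOKE take no bind parameters, so names spliced into SQL text are allow-listed first.
var safeName = regexp.MustCompile(`^[A-Za-z0-9_.%$-]{1,64}$`)

// ValidateServerRoles is the webhook rule: the operator's admin user cannot grant global ALL.
func ValidateServerRoles(roles []string) error {
	for _, r := range roles {
		if p := strings.ToUpper(strings.TrimSpace(r)); p == "ALL" || p == "ALL PRIVILEGES" {
			return fmt.Errorf("server-level ALL is not allowed; request ALL per database instead")
		}
	}
	return nil
}

// minus returns, sorted, the privileges in a that are not in b.
func minus(a, b map[string]bool) []string {
	var out []string
	for p := range a {
		if !b[p] {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// PlanGrants diffs current privileges (rows) against serverRoles/databaseRoles; ALL on a database revokes nothing.
func PlanGrants(user, host string, rows []PrivilegeRow, serverRoles []string, databaseRoles map[string][]string) ([]string, error) {
	if err := ValidateServerRoles(serverRoles); err != nil {
		return nil, err
	}
	if !safeName.MatchString(user) || !safeName.MatchString(host) {
		return nil, fmt.Errorf("unsafe user or host %q@%q", user, host)
	}
	grantee := fmt.Sprintf("'%s'@'%s'", user, host)
	current := map[string]map[string]bool{} // schema -> privileges held; USAGE means "none" and is never revoked
	for _, r := range rows {
		if p := strings.ToUpper(r.PrivilegeType); r.Grantee == grantee && p != "USAGE" {
			if current[r.TableSchema] == nil {
				current[r.TableSchema] = map[string]bool{}
			}
			current[r.TableSchema][p] = true
		}
	}
	desired := map[string][]string{"": serverRoles}
	for db, roles := range databaseRoles {
		if !safeName.MatchString(db) {
			return nil, fmt.Errorf("unsafe database name %q", db)
		}
		desired[db] = roles
	}
	for s := range current { // a database no longer listed still needs its grants revoked
		if _, ok := desired[s]; !ok {
			desired[s] = nil
		}
	}
	var stmts []string
	for schema, roles := range desired {
		target := "*.*"
		if schema != "" {
			target = "`" + schema + "`.*"
		}
		want := map[string]bool{}
		for _, r := range roles {
			want[strings.ToUpper(strings.TrimSpace(r))] = true
		}
		if want["ALL"] || want["ALL PRIVILEGES"] {
			stmts = append(stmts, fmt.Sprintf("GRANT ALL ON %s TO %s", target, grantee))
			continue
		}
		if add := minus(want, current[schema]); len(add) > 0 {
			stmts = append(stmts, fmt.Sprintf("GRANT %s ON %s TO %s", strings.Join(add, ", "), target, grantee))
		}
		if drop := minus(current[schema], want); len(drop) > 0 {
			stmts = append(stmts, fmt.Sprintf("REVOKE %s ON %s FROM %s", strings.Join(drop, ", "), target, grantee))
		}
	}
	sort.Strings(stmts) // map order is random; keep the plan deterministic
	return stmts, nil
}

func main() {
	rows := []PrivilegeRow{{"'appuser'@'%'", "", "USAGE"}, {"'appuser'@'%'", "app", "SELECT"}, {"'appuser'@'%'", "app", "DELETE"}} // constructed
	stmts, err := PlanGrants("appuser", "%", rows, []string{"CREATE USER"}, map[string][]string{"app": {"SELECT", "INSERT"}, "reporting": {"ALL"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(stmts, "\n"))
}
```

Two details matter for an operator that loops over every database even when one fails: the plan is computed per schema, so a failure executing one schema's statements does not stop the others from being attempted, and a database that has disappeared from `databaseRoles` is still visited so stale grants are revoked rather than silently kept.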
* Update controller tests to work with v1alpha2 MySQLUser
* Move system database constant to mysql.SystemDatabase
Also rename the ServerPort and DriverName constants so they don't
repeat the name of the package.
* Change EnsureUserDatabaseRoles to return just an error
And change the reconciliation code for user and aad user to just treat
that as a provisioning failure, rather than saying that it had
succeeded but there were some errors which is just confusing. We still
try to apply changes to all databases even if there is an error for
one of them.
Also other review changes, thanks @matthchr!
* Azure SQL FailoverGroup improvements
- Fix bug preventing reconciliation of updates after a FailoverGroup
was created.
- Fix bug where status of long running operation was not properly
monitored.
* Add unit tests to CI
* Kubebuilder annotation for minlength should use = not :
* Add additional validations on MySQL users
* Add validations to more Azure SQL types
* Update some dependencies
- We're primarily interested in updating controller-runtime
as the newer version supports webhooks in envtest better.
* Don't allow DB name "master" to be used for Azure SQL users
* Fixes for CI
The operator was originally reconciling AccessPolicies after the rest of the KV
had been created (see: #1158). This isn't actually required because even doing
this there are tons of reasons that this can fail. I've filed #1351 to track
removing ClientID from the CRD in a future API version as there are a ton of
obscure ways that we can fail to translate that ID into an ObjectID.
* Clarify that Sid should be client ID for managed identities
* Add more detail to logging for errors connecting to MySQL
Co-authored-by: Bevan Arps <bevan.arps@microsoft.com>
* Add support for MySQL AAD Users
* Fix strangeness with "user" CRDs RBAC location
* Pass pod namespace to operator via env variable
* Change to enforce tls=true in MySQL DB connection
* Improve managed identity documentation
* Attempt to read clientID when ManagedIdentity is enabled
- This will allow us to differentiate between different
identities when we support multi-tenancy.
This also includes updates to the Managed Identity documentation to help improve clarity of the feature. As part of this I deleted the tool createMi.go as all it really did was run 3 az cli commands to create a managed identity and assign it permissions. It made assumptions about what permissions you wanted the identity to have. Additionally it suggested to install aad-pod-identity, but this guidance is not appropriate for installations via Helm because Helm already installs that dependency as part of the chart. Rather than having a script try to be one-size fits all it makes more sense to give customers the instructions they need to create the managed identity and allow them to choose what permissions they want to give it.
* Improve error when SQL server doesn't have RG specified
- This fixes #1106.
* Update all occurrences of Resourcegroup to have validation
- They should be required, min length 1, and matching the specified
Regex.
* Fix some tests
* PR feedback