Skip to content

K8SPXC-1568: prevent having * prefix in proxyadmin password #2124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
hors merged 14 commits into from
Nov 25, 2025
Merged

K8SPXC-1568: prevent having * prefix in proxyadmin password #2124

hors merged 14 commits into from
Nov 25, 2025

Conversation

@pooknull
Copy link
Contributor

@pooknull pooknull commented Jul 23, 2025
edited
Loading

K8SPXC-1568 Powered by Pull Request Badge

https://perconadev.atlassian.net/browse/K8SPXC-1568

DESCRIPTION

It's not possible to use a proxyadmin password, which starts with * char.

This PR ensures the operator generates proxyadmin password that do not begin with *.

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?
  • Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported PXC version?
  • Does the change support oldest and newest supported Kubernetes version?

@pull-request-size pull-request-size bot added the size/L 100-499 lines label Jul 23, 2025
@hors hors added this to the v1.19.0 milestone Jul 29, 2025
egegunes
egegunes reviewed Nov 4, 2025
View reviewed changes
pkg/controller/pxc/secrets.go Outdated
// generatePass generates a random password of length passwordLen.
// The optional rules parameter expects usernames and adjusts the
// password generation logic based on them.
func generatePass(rules ...string) ([]byte, error) {
Copy link
Contributor

@egegunes egegunes Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't rules ...string a bit confusing if we just passing usernames?

Copy link
Contributor Author

@pooknull pooknull Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

7dd7f45

@gkech gkech mentioned this pull request Nov 4, 2025
Merged
12 tasks
@pooknull pooknull marked this pull request as ready for review November 10, 2025 14:47
egegunes
egegunes previously approved these changes Nov 11, 2025
View reviewed changes
nmarukovich
nmarukovich reviewed Nov 12, 2025
View reviewed changes
pkg/controller/pxc/secrets.go
return nil, errors.Wrap(err, "get rand int")
}
b[i] = passSymbols[randInt.Int64()]
}
Copy link
Contributor

@nmarukovich nmarukovich Nov 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why we use passSymbols here? Should we use symbols instead?

Copy link
Contributor Author

@pooknull pooknull Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

e39a7b6

nmarukovich
nmarukovich previously approved these changes Nov 13, 2025
View reviewed changes
gkech
gkech reviewed Nov 13, 2025
View reviewed changes
pkg/controller/pxc/secrets_test.go Outdated
t.Fatal(err)
}
if !strings.HasPrefix(string(p), "*") {
t.Fatal("expected '*' prefix when no rules are applied to the password")
Copy link
Contributor

@gkech gkech Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why dont we use assert and require for ensuring that we have the expected results?

Copy link
Contributor Author

@pooknull pooknull Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

e9ffa96

pkg/controller/pxc/secrets.go Outdated
// generatePass generates a random password of length passwordLen.
// The optional rules parameter expects usernames and adjusts the
// password generation logic based on them.
func generatePass(usernames ...string) ([]byte, error) {
Copy link
Contributor

@gkech gkech Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why usernames is not username? We are passing a single user.

Copy link
Contributor Author

@pooknull pooknull Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

253b6d3

pkg/controller/pxc/secrets.go Outdated

for i := range passwordLen {
symbols := passSymbols
if slices.Contains(usernames, users.ProxyAdmin) {
Copy link
Contributor

@gkech gkech Nov 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can determine if we are proxyadmin by running simply something like this, correct?

 len(username) > 0 && username[0] == users.ProxyAdmin

Copy link
Contributor

@gkech gkech Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also this can be pre calculated insteda of resolving it for every len(passwordLen) iteration

Copy link
Contributor Author

@pooknull pooknull Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

253b6d3

pkg/controller/pxc/secrets.go Outdated
Comment on lines 117 to 120
symbols = strings.ReplaceAll(symbols, "*", "")
}
symbols = strings.ReplaceAll(symbols, ":", "")
symbols = strings.ReplaceAll(symbols, ";", "")
Copy link
Contributor

@gkech gkech Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also think these can be precalculated in general

e.g.

      firstCharSymbols = excludeChars(passSymbols, "*:;")
      otherSymbols = excludeChars(passSymbols, ":;")

Copy link
Contributor Author

@pooknull pooknull Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fc935b3

egegunes
egegunes previously approved these changes Nov 17, 2025
View reviewed changes
gkech
gkech previously approved these changes Nov 19, 2025
View reviewed changes
@pooknull pooknull dismissed stale reviews from egegunes and gkech via 9038100 November 24, 2025 12:33
@pooknull pooknull requested review from egegunes and gkech November 24, 2025 12:33
@JNKPercona
Copy link
Collaborator

JNKPercona commented Nov 24, 2025

Test Name Result Time
auto-tuning-8-0 passed 00:18:08
backup-storage-tls-8-0 passed 00:22:39
cross-site-8-0 passed 00:35:44
custom-users-8-0 passed 00:12:46
demand-backup-cloud-8-0 passed 00:56:23
demand-backup-encrypted-with-tls-8-0 passed 00:45:16
demand-backup-8-0 passed 00:41:32
demand-backup-flow-control-8-0 passed 00:10:26
demand-backup-parallel-8-0 passed 00:09:10
demand-backup-without-passwords-8-0 passed 00:15:12
haproxy-5-7 passed 00:14:18
haproxy-8-0 passed 00:14:04
init-deploy-5-7 passed 00:16:27
init-deploy-8-0 passed 00:16:38
limits-8-0 passed 00:12:06
monitoring-2-0-8-0 passed 00:22:32
monitoring-pmm3-8-0 passed 00:17:57
one-pod-5-7 passed 00:13:46
one-pod-8-0 passed 00:13:02
pitr-8-0 passed 00:43:50
pitr-gap-errors-8-0 passed 00:54:26
proxy-protocol-8-0 passed 00:09:36
proxysql-sidecar-res-limits-8-0 passed 00:08:13
proxysql-scheduler-8-0 passed 00:15:39
pvc-resize-5-7 passed 00:15:27
pvc-resize-8-0 passed 00:15:35
recreate-8-0 passed 00:16:53
restore-to-encrypted-cluster-8-0 passed 00:24:49
scaling-proxysql-8-0 passed 00:08:03
scaling-8-0 passed 00:10:41
scheduled-backup-5-7 passed 01:04:56
scheduled-backup-8-0 passed 01:01:43
security-context-8-0 passed 00:25:35
smart-update1-8-0 passed 00:36:03
smart-update2-8-0 passed 00:37:39
storage-8-0 passed 00:10:35
tls-issue-cert-manager-ref-8-0 passed 00:08:39
tls-issue-cert-manager-8-0 passed 00:11:22
tls-issue-self-8-0 passed 00:12:57
upgrade-consistency-8-0 passed 00:10:52
upgrade-haproxy-5-7 passed 00:23:53
upgrade-haproxy-8-0 passed 00:26:15
upgrade-proxysql-5-7 passed 00:15:40
upgrade-proxysql-8-0 passed 00:16:40
users-5-7 passed 00:25:46
users-8-0 passed 00:24:34
validation-hook-8-0 passed 00:01:35
Summary Value
Tests Run 47/47
Job Duration 02:49:25
Total Test Time 17:26:22

commit: f48cc30
image: perconalab/percona-xtradb-cluster-operator:PR-2124-f48cc30b

@hors hors merged commit 9fa50e2 into main Nov 25, 2025
13 checks passed
@hors hors deleted the K8SPXC-1568 branch November 25, 2025 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hors hors hors approved these changes

@egegunes egegunes egegunes approved these changes

@gkech gkech gkech approved these changes

@nmarukovich nmarukovich Awaiting requested review from nmarukovich nmarukovich is a code owner

Assignees

No one assigned

Labels

size/L 100-499 lines

Projects

None yet

Milestone

v1.19.0

Development

Successfully merging this pull request may close these issues.

7 participants

@pooknull @JNKPercona @hors @egegunes @gkech @nmarukovich