
Propagate updates to secrets. Rotate root password

Open lukasmu opened this issue 1 year ago • 4 comments

Is your feature request related to a problem? Please describe.
When I update a secret, e.g. the password of a database user, this does not seem to be propagated to the database. Hence, I cannot log in to the database using the new password.

Describe the solution you'd like
I would like updates to secrets to be propagated to the database, so that I can log in to the database using the new password. This would make it easy to rotate database user passwords and can be used to improve security.

Describe alternatives you've considered
n/a

Environment details:

  • Kubernetes version: v1.28.5+k3s1
  • Kubernetes distribution: k3s
  • mariadb-operator version: 0.24.0
  • Install method: helm & static manifests
  • Install flavor: minimal

Additional context
n/a

lukasmu avatar Jan 28 '24 15:01 lukasmu

Hey there @lukasmu! Thanks for reporting.

We are mounting the password Secrets as environment variables of the official MariaDB image, which unfortunately only takes them into account when bootstrapping the database for the first time.

In order to achieve this, we will need to do something extra on the operator side.

Thanks!

mmontes11 avatar Jan 28 '24 19:01 mmontes11

Is it also applicable to the root password, i.e. rootPasswordSecretKeyRef? What steps are required to rotate the root password?

pratik705 avatar Mar 21 '24 17:03 pratik705

@mmontes11 looks like we can't simply update the secret to update the root password (rootPasswordSecretKeyRef). Is there any documented procedure to update the root password in an existing MariaDB cluster deployed using the operator?

pratik705 avatar Mar 25 '24 00:03 pratik705

@pratik705 the only way you can achieve this as of today is:

  • Update the Secret manually
  • Run the following statement in all the Pods:

```sql
SET PASSWORD FOR root@localhost = PASSWORD('some password');
```

In order to automate this with the operator I suggest the following:

  • The Secret that contains the root password will need to be labeled so the operator can effectively watch it:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: mariadb
  labels:
    k8s.mariadb.com/watch: ""
stringData:
  root-password: MariaDB11!
```

  • The operator will detect changes in the Secret
  • The operator will run `SET PASSWORD FOR root@localhost = PASSWORD('some password');` automatically in all Pods.

Contributions are welcome!

mmontes11 avatar Mar 25 '24 15:03 mmontes11
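The two manual steps described above (update the Secret, then run SET PASSWORD in every Pod) as a script. This is an added example, not code from the mariadb-operator project; the namespace, Secret name and key, Pod label selector and container name are assumptions to adjust for the cluster.

```shell
#!/bin/sh
# Added example, not mariadb-operator code. Namespace, Secret name/key, Pod
# label selector and container name are assumptions: adjust them to the cluster.
set -eu

NAMESPACE="${NAMESPACE:-default}"
SECRET_NAME="${SECRET_NAME:-mariadb}"              # Secret already updated by hand
SECRET_KEY="${SECRET_KEY:-root-password}"          # key used by rootPasswordSecretKeyRef
POD_SELECTOR="${POD_SELECTOR:-app.kubernetes.io/name=mariadb}"  # assumed Pod selector
CONTAINER="${CONTAINER:-mariadb}"                  # assumed container name

# Escape a value for a single-quoted SQL string literal: backslashes first,
# then single quotes, so an arbitrary password cannot break the statement.
sql_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# The statement from the thread, with the value quoted and escaped.
build_set_password_sql() {
  printf "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('%s');" "$(sql_escape "$1")"
}

# Step 1 has already happened (the Secret holds the new password); read it back.
read_new_password() {
  kubectl -n "$NAMESPACE" get secret "$SECRET_NAME" \
    -o go-template="{{index .data \"$SECRET_KEY\"}}" | base64 -d
}

# Step 2: run the statement in every Pod. Each Pod still accepts only the old
# password until its own statement has run, so the old one comes from the
# environment rather than from the (already rotated) Secret.
rotate_root_password() {
  old_pw="${OLD_ROOT_PASSWORD:?export OLD_ROOT_PASSWORD (current root password)}"
  sql="$(build_set_password_sql "$(read_new_password)")"
  for pod in $(kubectl -n "$NAMESPACE" get pods -l "$POD_SELECTOR" -o name); do
    echo "rotating root password in $pod"
    # SQL on stdin and the old password via MYSQL_PWD keep both passwords out
    # of the mariadb client's argument list inside the container.
    printf '%s\n' "$sql" | kubectl -n "$NAMESPACE" exec -i "$pod" -c "$CONTAINER" -- \
      env MYSQL_PWD="$old_pw" mariadb -uroot
  done
}

# Runs the rotation only when explicitly requested, so the file can also be
# sourced for its functions: ROTATE_NOW=1 OLD_ROOT_PASSWORD=... sh rotate.sh
if [ "${ROTATE_NOW:-0}" = "1" ]; then
  rotate_root_password
fi
```

The script assumes the Secret was updated before it runs; if a Pod's statement fails, that Pod keeps the old password and the loop stops there because of set -e.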