Need a way to create users inside RDS

Open gecube opened this issue 1 year ago • 8 comments

Good day!

We are very excited with the RDS controller and its features. And we want very much to utilise it to fulfil the whole lifecycle of an RDS database. We checked, and many features like restoration from snapshots work like a charm. But we are missing one feature. We are using the Teleport solution extensively for proper access to different services. And it supports RDS as well. Unfortunately, we need to go to the DB and create a user:

```sql
CREATE USER alice;
GRANT rds_iam TO alice;
```

or

```sql
CREATE USER alice IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';
GRANT ALL ON `%`.* TO 'alice'@'%';
FLUSH PRIVILEGES;
```

https://goteleport.com/docs/database-access/guides/rds/

It cannot be done right now with the RDS controller. So I need to work around it with a dirty hack: create a separate Kubernetes Job which would be run right after the creation of RDS itself, and the Job will create these users by direct SQL queries.

I'd like to ask you to propose a good way to create such an RDS with a set of users right from the RDS controller in one go.

gecube avatar May 28 '24 11:05 gecube
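The post-provisioning Job described above ends up running DDL built from usernames that come from configuration, and it will be re-run whenever the Job is recreated. As an added illustration (not code from ACK, Teleport or the reporter's setup), the helper below renders the SQL such a Job would execute so that it is idempotent across re-runs and built only from validated, quoted identifiers instead of raw string formatting. All names here (`validate_ident`, `render_job_sql`, `REQUESTED_USERS`, the `app` database) are assumptions made for the example; the statements themselves follow the two snippets quoted in the issue.

```python
# Hypothetical helper for the "Job right after RDS creation" workaround.
# It renders the SQL the Job would pipe into psql / mysql. Added example,
# not part of ACK, Teleport or the issue reporter's setup.
import re

# Constructed input: the usernames a Job might read from a ConfigMap or env var.
REQUESTED_USERS = ["alice", "bob"]

# Conservative allow-list: lowercase letters, digits, underscore, max 32 chars
# (MySQL's user-name limit; well inside PostgreSQL's 63-char identifier limit).
_IDENT_RE = re.compile(r"[a-z_][a-z0-9_]{0,31}")


def validate_ident(name: str) -> str:
    """Reject anything that is not a plain identifier (blocks '; DROP ...' etc.)."""
    if not _IDENT_RE.fullmatch(name):
        raise ValueError(f"refusing unsafe identifier: {name!r}")
    return name


def pg_quote_ident(name: str) -> str:
    """Double-quote a PostgreSQL identifier, escaping embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def pg_quote_literal(value: str) -> str:
    """Single-quote a PostgreSQL string literal, escaping embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def postgres_iam_user_sql(name: str) -> str:
    """PostgreSQL: create the role only if it is absent, then grant rds_iam.

    CREATE USER fails when the role already exists, so a re-run Job would
    crash-loop without the existence check. GRANT is idempotent by itself.
    """
    n = validate_ident(name)
    return (
        "DO $$\n"
        "BEGIN\n"
        f"  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = {pg_quote_literal(n)}) THEN\n"
        f"    CREATE USER {pg_quote_ident(n)};\n"
        "  END IF;\n"
        "END\n"
        "$$;\n"
        f"GRANT rds_iam TO {pg_quote_ident(n)};"
    )


def mysql_iam_user_sql(name: str, database: str) -> str:
    """MySQL: create the IAM-plugin user if absent, then grant on one schema.

    The issue's snippet grants ALL ON `%`.*; scoping the grant to a single
    database is a least-privilege narrowing chosen for this example.
    """
    n = validate_ident(name)
    d = validate_ident(database)
    return (
        f"CREATE USER IF NOT EXISTS '{n}'@'%' "
        "IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';\n"
        f"GRANT ALL ON `{d}`.* TO '{n}'@'%';\n"
        "FLUSH PRIVILEGES;"
    )


def render_job_sql(engine: str, users, database: str = "app") -> str:
    """Concatenate the per-user statements into the script the Job executes."""
    if engine == "postgres":
        parts = [postgres_iam_user_sql(u) for u in users]
    elif engine == "mysql":
        parts = [mysql_iam_user_sql(u, database) for u in users]
    else:
        raise ValueError(f"unsupported engine: {engine}")
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    print(render_job_sql("postgres", REQUESTED_USERS))
    print(render_job_sql("mysql", REQUESTED_USERS, database="app"))
```

The Job would feed the rendered script to the engine's client; because the created users authenticate through IAM, no per-user password ever has to be stored in the cluster, and the only credential the Job itself needs is whatever it uses for its own connection. Rejecting unexpected characters up front is what keeps a value copied from a ConfigMap from turning `CREATE USER` into something else.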

Good day @gecube !

Currently ACK controllers try to focus only on interacting with the AWS API (the control plane) and purposefully avoid interacting with resources such as tables/databases (the data plane). Interacting with such layers is super tricky and exponentially increases the complexity of the controllers. Plus, I believe we will have to do some sort of database/controller connection, which probably will raise security concerns...

My 2 cents is that, if we really want this feature implemented, it should live in a separate "controller" that can configure the databases... Thinking of a sql-controller?

a-hilaly avatar May 29 '24 05:05 a-hilaly

@a-hilaly Hi! Maybe. I want to make ACK competitive. Look. If I am using https://github.com/flux-iac/tofu-controller or https://github.com/pulumi/pulumi-kubernetes-operator I don't have such issues, as TF and Pulumi have nice providers for DBs. So it means that ACK is not self-sufficient. Your argument that ACK is focused only on working with the Amazon API is fair enough. But it does not solve the issue. As I said, I want to get everything running in one go. Otherwise I need to glue together different solutions...

Another option is to provide good examples of how to achieve it with FluxCD + k8s Jobs with less pain...

gecube avatar May 29 '24 05:05 gecube

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot avatar Nov 25 '24 06:11 ack-bot

/remove-lifecycle stale

gecube avatar Nov 25 '24 06:11 gecube

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot avatar May 24 '25 08:05 ack-bot

/remove-lifecycle stale

gecube avatar May 24 '25 10:05 gecube

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot avatar Nov 20 '25 11:11 ack-bot

/remove-lifecycle stale

gecube avatar Nov 20 '25 18:11 gecube