Allow disabling Reaper auth (#1163)

* Allow a user to disable Reaper auth by specifically setting the UiUserSecretRef.Name to "".
k8ssandra · Jan 15, 2024 · f921858 · f921858
1 parent 86af23f
commit f921858
Show file tree

Hide file tree

Showing 12 changed files with 648 additions and 24 deletions.
diff --git a/CHANGELOG/CHANGELOG-1.12.md b/CHANGELOG/CHANGELOG-1.12.md
@@ -14,7 +14,7 @@ Changelog for the K8ssandra Operator, new PRs should update the `unreleased` sec
 When cutting a new release, update the `unreleased` heading to the tag being generated and date, like `## vX.Y.Z - YYYY-MM-DD` and create a new placeholder section for  `unreleased` entries.
 
 ## unreleased
-
+* [ENHANCEMENT] [#1160](https://github.com/k8ssandra/k8ssandra-operator/issues/1160) Allow disabling Reaper front-end auth.
 - [ENHANCEMENT] [#1115](https://github.com/k8ssandra/k8ssandra-operator/issues/1115) Add a validation check for the projected pod names length
 * [CHANGE] [#1050](https://github.com/k8ssandra/k8ssandra-operator/issues/1050) Remove unnecessary requeues in the Medusa controllers
 * [ENHANCEMENT] [#1161](https://github.com/k8ssandra/k8ssandra-operator/issues/1161) Update cass-operator Helm chart to 0.46.1. Adds containerPort for cass-operator metrics and changes cass-config-builder base from UBI7 to UBI8
diff --git a/Makefile b/Makefile
@@ -491,8 +491,8 @@ catalog-push: ## Push a catalog image.
 # E2E tests from kuttl
 kuttl-test: install-kuttl docker-build
 	./bin/kubectl-kuttl test --kind-context=k8ssandra-0 --start-kind=false --test test-servicemonitors
-	./bin/kubectl-kuttl test --kind-context=k8ssandra-0 --start-kind=false --test test-cassandra-versions
-	./bin/kubectl-kuttl test --kind-context=k8ssandra-0 --start-kind=false --test test-user-defined-ns
+	# ./bin/kubectl-kuttl test --kind-context=k8ssandra-0 --start-kind=false --test test-cassandra-versions
+	# ./bin/kubectl-kuttl test --kind-context=k8ssandra-0 --start-kind=false --test test-user-defined-ns
 
  # Install kuttl for e2e tests.
 install-kuttl:

diff --git a/apis/reaper/v1alpha1/reaper_types.go b/apis/reaper/v1alpha1/reaper_types.go
@@ -54,9 +54,9 @@ type ReaperTemplate struct {
 	// this field is ignored.
 	JmxUserSecretRef corev1.LocalObjectReference `json:"jmxUserSecretRef,omitempty"`
 
-	// Defines the secret which contains the username and password for the Reaper UI and REST API authentication.
+	// Defines the secret which contains the username and password for the Reaper UI and REST API authentication. When UiUserSecretRef.Name == "", authentication is turned off in the front-end only.
 	// +optional
-	UiUserSecretRef corev1.LocalObjectReference `json:"uiUserSecretRef,omitempty"`
+	UiUserSecretRef *corev1.LocalObjectReference `json:"uiUserSecretRef,omitempty"`
 
 	// SecretsProvider defines whether the secrets used for credentials and certs will be backed
 	// by an external secret backend. This moves the responsibility of generating and storing

diff --git a/apis/reaper/v1alpha1/zz_generated.deepcopy.go b/apis/reaper/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml b/config/crd/bases/k8ssandra.io_k8ssandraclusters.yaml
@@ -29787,7 +29787,9 @@ spec:
                     type: array
                   uiUserSecretRef:
                     description: Defines the secret which contains the username and
-                      password for the Reaper UI and REST API authentication.
+                      password for the Reaper UI and REST API authentication. When
+                      UiUserSecretRef.Name == "", authentication is turned off in
+                      the front-end only.
                     properties:
                       name:
                         description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

diff --git a/config/crd/bases/reaper.k8ssandra.io_reapers.yaml b/config/crd/bases/reaper.k8ssandra.io_reapers.yaml
@@ -2418,7 +2418,8 @@ spec:
                 type: array
               uiUserSecretRef:
                 description: Defines the secret which contains the username and password
-                  for the Reaper UI and REST API authentication.
+                  for the Reaper UI and REST API authentication. When UiUserSecretRef.Name
+                  == "", authentication is turned off in the front-end only.
                 properties:
                   name:
                     description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

diff --git a/controllers/k8ssandra/reaper.go b/controllers/k8ssandra/reaper.go
@@ -104,7 +104,8 @@ func (r *K8ssandraClusterReconciler) reconcileReaper(
 
 		logger.Info("Reaper present for DC " + actualDc.DatacenterName())
 
-		desiredReaper, err := reaper.NewReaper(reaperKey, kc, actualDc, reaperTemplate)
+		desiredReaper, err := reaper.NewReaper(reaperKey, kc, actualDc, reaperTemplate, logger)
+
 		if err != nil {
 			logger.Error(err, "failed to create Reaper API object")
 			return result.Error(err)

diff --git a/controllers/k8ssandra/secrets.go b/controllers/k8ssandra/secrets.go
@@ -66,22 +66,26 @@ func (r *K8ssandraClusterReconciler) reconcileReaperSecrets(ctx context.Context,
 			var uiUserSecretRef corev1.LocalObjectReference
 			if kc.Spec.Reaper != nil {
 				cassandraUserSecretRef = kc.Spec.Reaper.CassandraUserSecretRef
-				uiUserSecretRef = kc.Spec.Reaper.UiUserSecretRef
+				if kc.Spec.Reaper.UiUserSecretRef != nil {
+					uiUserSecretRef = *kc.Spec.Reaper.UiUserSecretRef
+				}
 			}
 			if cassandraUserSecretRef.Name == "" {
 				cassandraUserSecretRef.Name = reaper.DefaultUserSecretName(kc.SanitizedName())
 			}
-			if uiUserSecretRef.Name == "" {
+			if kc.Spec.Reaper.UiUserSecretRef == nil {
 				uiUserSecretRef.Name = reaper.DefaultUiSecretName(kc.SanitizedName())
 			}
 			kcKey := utils.GetKey(kc)
 			if err := secret.ReconcileSecret(ctx, r.Client, cassandraUserSecretRef.Name, kcKey); err != nil {
 				logger.Error(err, "Failed to reconcile Reaper CQL user secret", "ReaperCassandraUserSecretRef", cassandraUserSecretRef)
 				return result.Error(err)
 			}
-			if err := secret.ReconcileSecret(ctx, r.Client, uiUserSecretRef.Name, kcKey); err != nil {
-				logger.Error(err, "Failed to reconcile Reaper UI secret", "ReaperUiUserSecretRef", uiUserSecretRef)
-				return result.Error(err)
+			if kc.Spec.Reaper.UiUserSecretRef == nil || kc.Spec.Reaper.UiUserSecretRef.Name != "" {
+				if err := secret.ReconcileSecret(ctx, r.Client, uiUserSecretRef.Name, kcKey); err != nil {
+					logger.Error(err, "Failed to reconcile Reaper UI secret", "ReaperUiUserSecretRef", uiUserSecretRef)
+					return result.Error(err)
+				}
 			}
 			logger.Info("Reaper user secrets successfully reconciled")
 

diff --git a/controllers/reaper/reaper_controller.go b/controllers/reaper/reaper_controller.go
@@ -328,7 +328,8 @@ func (r *ReaperReconciler) configureReaper(ctx context.Context, actualReaper *re
 }
 
 func (r *ReaperReconciler) getReaperUICredentials(ctx context.Context, actualReaper *reaperapi.Reaper, logger logr.Logger) (string, string, error) {
-	if actualReaper.Spec.UiUserSecretRef.Name == "" {
+
+	if actualReaper.Spec.UiUserSecretRef == nil || actualReaper.Spec.UiUserSecretRef.Name == "" {
 		// The UI user secret doesn't exist, meaning auth is disabled
 		return "", "", nil
 	}
@@ -383,11 +384,11 @@ func (r *ReaperReconciler) collectAuthVarsForType(ctx context.Context, actualRea
 		secretRef = &actualReaper.Spec.CassandraUserSecretRef
 		envVars = []*corev1.EnvVar{}
 	case "ui":
-		secretRef = &actualReaper.Spec.UiUserSecretRef
+		secretRef = actualReaper.Spec.UiUserSecretRef
 		envVars = []*corev1.EnvVar{reaper.EnableAuthVar}
 	}
 
-	if len(secretRef.Name) > 0 && !actualReaper.Spec.UseExternalSecrets() {
+	if secretRef != nil && len(secretRef.Name) > 0 && !actualReaper.Spec.UseExternalSecrets() {
 		secretKey := types.NamespacedName{Namespace: actualReaper.Namespace, Name: secretRef.Name}
 		if secret, err := r.getSecret(ctx, secretKey); err != nil {
 			logger.Error(err, "Failed to get Cassandra authentication secret", authType, secretKey)

diff --git a/controllers/reaper/reaper_controller_test.go b/controllers/reaper/reaper_controller_test.go
@@ -380,7 +380,7 @@ func testCreateReaperWithAuthEnabled(t *testing.T, ctx context.Context, k8sClien
 	t.Log("create the Reaper object and modify it")
 	rpr := newReaper(testNamespace)
 	rpr.Spec.CassandraUserSecretRef.Name = "top-secret-cass"
-	rpr.Spec.UiUserSecretRef.Name = "top-secret-ui"
+	rpr.Spec.UiUserSecretRef = &corev1.LocalObjectReference{Name: "top-secret-ui"}
 	err = k8sClient.Create(ctx, rpr)
 	require.NoError(t, err)
 
@@ -477,7 +477,7 @@ func testCreateReaperWithAuthEnabledExternalSecret(t *testing.T, ctx context.Con
 	//lint:ignore SA1019 Verify deprecated method is ineffective
 	rpr.Spec.JmxUserSecretRef.Name = "top-secret-jmx" //nolint:staticcheck
 
-	rpr.Spec.UiUserSecretRef.Name = "top-secret-ui"
+	rpr.Spec.UiUserSecretRef = &corev1.LocalObjectReference{Name: "top-secret-ui"}
 	err = k8sClient.Create(ctx, rpr)
 	require.NoError(t, err)