Mongodb garbage collector

Author: Tyrion85

api/v1beta1/mongodb_types.go

@@ -17,9 +17,16 @@ limitations under the License.
 package v1beta1
 
 import (
+	"errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// defaults
+const (
+	DEFAULT_MONGODB_ROOT_USER                    = "root"
+	DEFAULT_MONGODB_ROOT_AUTHENTICATION_DATABASE = "admin"
+)
+
 type MongoDBRootSecretLookup struct {
 	Name      string `json:"name"`
 	Namespace string `json:"namespace"`
@@ -74,6 +81,56 @@ type MongoDBList struct {
 	Items           []MongoDB `json:"items"`
 }
 
+/*
+	Alignes credentials status with spec by removing unneeded statuses. Mutates the original.
+	Returns removed statuses.
+*/
+func (mongodb *MongoDB) RemoveUnneededCredentialsStatus() *CredentialsStatus {
+	removedStatuses := make(CredentialsStatus, 0)
+	statuses := &mongodb.Status.CredentialsStatus
+	for i := 0; i < len(*statuses); i++ {
+		status := (*statuses)[i]
+		found := false
+		if status != nil {
+			for _, credential := range mongodb.Spec.Credentials {
+				if credential.UserName == status.Username {
+					found = true
+				}
+			}
+		}
+		if !found {
+			removedStatuses = append(removedStatuses, status)
+			s := append((*statuses)[:i], (*statuses)[i+1:]...)
+			statuses = &s
+			i--
+		}
+	}
+	mongodb.Status.CredentialsStatus = *statuses
+	return &removedStatuses
+}
+
+func (this *MongoDB) SetDefaults() error {
+	if this.Spec.RootUsername == "" {
+		this.Spec.RootUsername = DEFAULT_MONGODB_ROOT_USER
+	}
+	if this.Spec.RootAuthenticationDatabase == "" {
+		this.Spec.RootAuthenticationDatabase = DEFAULT_MONGODB_ROOT_AUTHENTICATION_DATABASE
+	}
+	if this.Spec.RootSecretLookup.Name == "" {
+		return errors.New("must specify root secret")
+	}
+	if this.Spec.RootSecretLookup.Field == "" {
+		return errors.New("must specify root secret field")
+	}
+	if this.Spec.RootSecretLookup.Namespace == "" {
+		this.Spec.RootSecretLookup.Namespace = this.ObjectMeta.Namespace
+	}
+	if this.Status.CredentialsStatus == nil || len(this.Status.CredentialsStatus) == 0 {
+		this.Status.CredentialsStatus = make([]*CredentialStatus, 0)
+	}
+	return nil
+}
+
 func init() {
 	SchemeBuilder.Register(&MongoDB{}, &MongoDBList{})
 }

api/v1beta1/postgresql_types.go

@@ -23,8 +23,8 @@ import (
 
 // defaults
 const (
-	DEFAULT_POSTGRESQL_ROOT_USER         = "postgres"
-	DEFAULT_ROOT_AUTHENTICATION_DATABASE = "postgres"
+	DEFAULT_POSTGRESQL_ROOT_USER                    = "postgres"
+	DEFAULT_POSTGRESQL_ROOT_AUTHENTICATION_DATABASE = "postgres"
 )
 
 type PostgreSQLRootSecretLookup struct {
@@ -114,7 +114,7 @@ func (this *PostgreSQL) SetDefaults() error {
 		this.Spec.RootUsername = DEFAULT_POSTGRESQL_ROOT_USER
 	}
 	if this.Spec.RootAuthenticationDatabase == "" {
-		this.Spec.RootAuthenticationDatabase = DEFAULT_ROOT_AUTHENTICATION_DATABASE
+		this.Spec.RootAuthenticationDatabase = DEFAULT_POSTGRESQL_ROOT_AUTHENTICATION_DATABASE
 	}
 	if this.Spec.RootSecretLookup.Name == "" {
 		return errors.New("must specify root secret")

api/v1beta1/zz_generated.deepcopy.go

@@ -132,6 +132,15 @@ func (m *MongoDBServer) updateUserPasswordAndRoles(database string, username str
 	return nil
 }
 
+func (m *MongoDBServer) DropUser(database string, username string) error {
+	command := &bson.D{primitive.E{Key: "dropUser", Value: username}}
+	r := m.runCommand(database, command)
+	if _, err := r.DecodeBytes(); err != nil {
+		return err
+	}
+	return nil
+}
+
 func (m *MongoDBServer) runCommand(database string, command *bson.D) *mongo.SingleResult {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()

common/db/mongodb/repository.go

@@ -63,21 +63,21 @@ func (s *PostgreSQLServer) CreateDatabaseIfNotExists(database string) error {
 	}
 }
 
-func (s *PostgreSQLServer) SetupUser(user string, password string, database string) error {
+func (s *PostgreSQLServer) SetupUser(database string, user string, password string) error {
 	if err := s.createUserIfNotExists(user); err != nil {
 		return err
 	}
 	if err := s.setPasswordForUser(user, password); err != nil {
 		return err
 	}
-	if err := s.grantAllPrivileges(user, database); err != nil {
+	if err := s.grantAllPrivileges(database, user); err != nil {
 		return err
 	}
 	return nil
 }
 
-func (s *PostgreSQLServer) DropUser(user string, database string) error {
-	if err := s.revokeAllPrivileges(user, database); err != nil {
+func (s *PostgreSQLServer) DropUser(database string, user string) error {
+	if err := s.revokeAllPrivileges(database, user); err != nil {
 		return err
 	}
 	if err := s.dropUserIfNotExist(user); err != nil {
@@ -139,14 +139,14 @@ func (s *PostgreSQLServer) setPasswordForUser(user string, password string) erro
 	return nil
 }
 
-func (s *PostgreSQLServer) grantAllPrivileges(user string, database string) error {
+func (s *PostgreSQLServer) grantAllPrivileges(database string, user string) error {
 	if _, err := s.dbpool.Exec(context.Background(), fmt.Sprintf("GRANT ALL PRIVILEGES ON DATABASE \"%s\" TO \"%s\";", database, user)); err != nil {
 		return err
 	}
 	return nil
 }
 
-func (s *PostgreSQLServer) revokeAllPrivileges(user string, database string) error {
+func (s *PostgreSQLServer) revokeAllPrivileges(database string, user string) error {
 	if _, err := s.dbpool.Exec(context.Background(), fmt.Sprintf("REVOKE ALL PRIVILEGES ON DATABASE \"%s\" FROM \"%s\";", database, user)); err != nil {
 		return err
 	}

common/db/postgresql/repository.go

@@ -18,18 +18,15 @@ package controllers
 
 import (
 	"context"
+	infrav1beta1 "github.com/doodlescheduling/kubedb/api/v1beta1"
+	mongodbAPI "github.com/doodlescheduling/kubedb/common/db/mongodb"
 	vaultAPI "github.com/doodlescheduling/kubedb/common/vault"
-	"github.com/pkg/errors"
+	"github.com/go-logr/logr"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/go-logr/logr"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	infrav1beta1 "github.com/doodlescheduling/kubedb/api/v1beta1"
-	mongodbAPI "github.com/doodlescheduling/kubedb/common/db/mongodb"
 )
 
 // MongoDBReconciler reconciles a MongoDB object
@@ -43,50 +40,71 @@ type MongoDBReconciler struct {
 
 // +kubebuilder:rbac:groups=infra.doodle.com,resources=mongodbs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=infra.doodle.com,resources=mongodbs/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
 
 func (r *MongoDBReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	ctx := context.Background()
 	log := r.Log.WithValues("mongodb", req.NamespacedName)
 
 	// common controller functions
 	cw := NewControllerWrapper(*r, &ctx)
+	// garbage collector
+	gc := NewMongoDBGarbageCollector(r, cw, &log)
 
+	// get mongodb resource by namespaced name
 	var mongodb infrav1beta1.MongoDB
 	if err := r.Get(ctx, req.NamespacedName, &mongodb); err != nil {
 		if apierrors.IsNotFound(err) {
+			// resource no longer present. Consider dropping a database? What about data, it will be lost.. Probably acceptable for devboxes
+			// How to do it, though? Resource doesn't exist anymore, so we need to list all databases and all manifests and compare?
 			return ctrl.Result{}, nil
 		}
-		return ctrl.Result{}, errors.Wrap(err, "unable to fetch Mongodb")
+		return ctrl.Result{}, err
 	}
 
-	s := make(infrav1beta1.CredentialsStatus, 0)
-	mongodb.Status.CredentialsStatus = s
+	// set spec defaults. Does not mutate the spec, since we are not updating resource
+	if err := mongodb.SetDefaults(); err != nil {
+		mongodb.Status.DatabaseStatus.SetDatabaseStatus(infrav1beta1.Unavailable, err.Error(), "", "")
+		mongodb.Status.CredentialsStatus = make(infrav1beta1.CredentialsStatus, 0)
+		return r.updateAndReturn(&ctx, &mongodb, &log)
+	}
 
-	// root password
+	// Garbage Collection. If errors occur, log and proceed with reconciliation.
+	if err := gc.Clean(&mongodb); err != nil {
+		log.Info("Error while cleaning garbage", "error", err)
+	}
+
+	// get root database password from k8s secret
 	rootPassword, err := cw.GetRootPassword(mongodb.Spec.RootSecretLookup.Name, mongodb.Spec.RootSecretLookup.Namespace, mongodb.Spec.RootSecretLookup.Field)
 	if err != nil {
 		mongodb.Status.DatabaseStatus.SetDatabaseStatus(infrav1beta1.Unavailable, err.Error(), "", "")
 		mongodb.Status.CredentialsStatus = make(infrav1beta1.CredentialsStatus, 0)
 		return r.updateAndReturn(&ctx, &mongodb, &log)
 	}
 
-	// mongoDB server
+	// mongoDB connection to spec host, cached
 	mongoDBServer, err := r.ServerCache.Get(mongodb.Spec.HostName, mongodb.Spec.RootUsername, rootPassword, mongodb.Spec.RootAuthenticationDatabase)
 	if err != nil {
-		log.Error(err, "Error while connecting to mongodb")
-		mongodb.Status.DatabaseStatus.Status = infrav1beta1.Unavailable
-		mongodb.Status.DatabaseStatus.Message = err.Error()
+		mongodb.Status.DatabaseStatus.SetDatabaseStatus(infrav1beta1.Unavailable, err.Error(), "", mongodb.Spec.HostName).
+			WithUsername(mongodb.Spec.RootUsername).
+			WithAuthDatabase(mongodb.Spec.RootAuthenticationDatabase).
+			WithRootSecretLookup(mongodb.Spec.RootSecretLookup.Name, mongodb.Spec.RootSecretLookup.Namespace, mongodb.Spec.RootSecretLookup.Field)
+		mongodb.Status.CredentialsStatus = make(infrav1beta1.CredentialsStatus, 0)
 		return r.updateAndReturn(&ctx, &mongodb, &log)
 	}
 
 	// vault connection, cached
 	vault, err := r.VaultCache.Get(mongodb.Spec.RootSecretLookup.Name)
 	if err != nil {
-		mongodb.Status.DatabaseStatus.SetDatabaseStatus(infrav1beta1.Unavailable, err.Error(), "", mongodb.Spec.HostName)
+		mongodb.Status.DatabaseStatus.SetDatabaseStatus(infrav1beta1.Unavailable, err.Error(), "", mongodb.Spec.HostName).
+			WithUsername(mongodb.Spec.RootUsername).
+			WithAuthDatabase(mongodb.Spec.RootAuthenticationDatabase).
+			WithRootSecretLookup(mongodb.Spec.RootSecretLookup.Name, mongodb.Spec.RootSecretLookup.Namespace, mongodb.Spec.RootSecretLookup.Field)
 		mongodb.Status.CredentialsStatus = make(infrav1beta1.CredentialsStatus, 0)
 		return r.updateAndReturn(&ctx, &mongodb, &log)
 	}
 
+	// setup credentials as per spec
 	for _, credential := range mongodb.Spec.Credentials {
 		username := credential.UserName
 		mongodbCredentialStatus := mongodb.Status.CredentialsStatus.FindOrCreate(username, func(status *infrav1beta1.CredentialStatus) bool {
@@ -105,8 +123,12 @@ func (r *MongoDBReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 			mongodbCredentialStatus.SetCredentialsStatus(infrav1beta1.Available, "Credentials up.")
 		}
 	}
-	mongodb.Status.DatabaseStatus.Status = infrav1beta1.Available
-	mongodb.Status.DatabaseStatus.Message = "Database up."
+
+	// setup database status - database is automatically set up with credentials
+	mongodb.Status.DatabaseStatus.SetDatabaseStatus(infrav1beta1.Available, "Database up.", mongodb.Spec.DatabaseName, mongodb.Spec.HostName).
+		WithUsername(mongodb.Spec.RootUsername).
+		WithAuthDatabase(mongodb.Spec.RootAuthenticationDatabase).
+		WithRootSecretLookup(mongodb.Spec.RootSecretLookup.Name, mongodb.Spec.RootSecretLookup.Namespace, mongodb.Spec.RootSecretLookup.Field)
 
 	return r.updateAndReturn(&ctx, &mongodb, &log)
 }

controllers/mongodb_controller.go

@@ -0,0 +1,71 @@
+package controllers
+
+import (
+	infrav1beta1 "github.com/doodlescheduling/kubedb/api/v1beta1"
+	"github.com/doodlescheduling/kubedb/common/db/mongodb"
+	"github.com/go-logr/logr"
+)
+
+type MongoDBGarbageCollector struct {
+	r   *MongoDBReconciler
+	cw  *ControllerWrapper
+	log *logr.Logger
+}
+
+func NewMongoDBGarbageCollector(r *MongoDBReconciler, cw *ControllerWrapper, log *logr.Logger) *MongoDBGarbageCollector {
+	return &MongoDBGarbageCollector{
+		r:   r,
+		cw:  cw,
+		log: log,
+	}
+}
+
+/*	For now, Garbage Collector does not drop databases, because we haven't decided if we want to delete all data.
+	Possible avenue to proceed is to have a separate option flag/struct (to be set in Spec), that will force deletion of all garbage, including data.
+*/
+func (g *MongoDBGarbageCollector) Clean(mongodb *infrav1beta1.MongoDB) error {
+	rootPassword, err := g.cw.GetRootPassword(mongodb.Status.DatabaseStatus.RootSecretLookup.Name, mongodb.Status.DatabaseStatus.RootSecretLookup.Namespace,
+		mongodb.Status.DatabaseStatus.RootSecretLookup.Field)
+	if err != nil {
+		// no point in proceeding. In future could also try with Spec credential
+		return err
+	}
+	mongoDBServer, err := g.r.ServerCache.Get(mongodb.Status.DatabaseStatus.Host, mongodb.Status.DatabaseStatus.RootUsername, rootPassword,
+		mongodb.Status.DatabaseStatus.RootAuthenticationDatabase)
+	if err != nil {
+		// no point in proceeding. In future could also try with Spec credential
+		return err
+	}
+	// if an error happens, just collect it and try to clean as much as possible. Return it at the end. This is a pattern in for most of this Garbage Collector.
+	var errToReturn error
+	errToReturn = g.HandleHostOrDatabaseChange(mongoDBServer, mongodb)
+	errToReturn = g.HandleUnneededCredentials(mongoDBServer, mongodb)
+	return errToReturn
+}
+
+// if host or database changed in spec, try to clean on old host/database
+func (g *MongoDBGarbageCollector) HandleHostOrDatabaseChange(mongoDBServer *mongodb.MongoDBServer, mongodb *infrav1beta1.MongoDB) error {
+	var errToReturn error
+	if (mongodb.Status.DatabaseStatus.Host != "" && mongodb.Spec.HostName != mongodb.Status.DatabaseStatus.Host) ||
+		(mongodb.Status.DatabaseStatus.Name != "" && mongodb.Spec.DatabaseName != mongodb.Status.DatabaseStatus.Name) {
+		mongodb.Status.CredentialsStatus.ForEach(func(status *infrav1beta1.CredentialStatus) {
+			err := mongoDBServer.DropUser(mongodb.Status.DatabaseStatus.Name, status.Username)
+			if err != nil {
+				errToReturn = err
+			} else {
+				(*g.log).Info("Deleted user on database", "user", status.Username, "database", mongodb.Status.DatabaseStatus.Name)
+			}
+		})
+	}
+	return errToReturn
+}
+
+func (g *MongoDBGarbageCollector) HandleUnneededCredentials(mongoDBServer *mongodb.MongoDBServer, mongodb *infrav1beta1.MongoDB) error {
+	var errToReturn error
+	// - garbage collection
+	// remove all statuses for credentials that are no longer required by spec, and delete users in database
+	mongodb.RemoveUnneededCredentialsStatus().ForEach(func(status *infrav1beta1.CredentialStatus) {
+		errToReturn = mongoDBServer.DropUser(mongodb.Status.DatabaseStatus.Name, status.Username)
+	})
+	return errToReturn
+}

controllers/mongodb_garbage_collector.go

@@ -92,6 +92,7 @@ func (r *PostgreSQLReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)
 		postgresql.Status.CredentialsStatus = make(infrav1beta1.CredentialsStatus, 0)
 		return r.updateAndReturn(&ctx, &postgresql, &log)
 	}
+
 	// vault connection, cached
 	vault, err := r.VaultCache.Get(postgresql.Spec.RootSecretLookup.Name)
 	if err != nil {
@@ -133,7 +134,7 @@ func (r *PostgreSQLReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error)
 		password := vaultResponse.Secret
 
 		// setup user credentials and privileges
-		if err := postgreSQLServer.SetupUser(username, password, postgresql.Spec.DatabaseName); err != nil {
+		if err := postgreSQLServer.SetupUser(postgresql.Spec.DatabaseName, username, password); err != nil {
 			postgreSQLCredentialStatus.SetCredentialsStatus(infrav1beta1.Unavailable, err.Error())
 		} else {
 			postgreSQLCredentialStatus.SetCredentialsStatus(infrav1beta1.Available, "Credentials up.")