Drift correction for SQLUser spec.password? #292
Comments
|
Just writing down my thoughts as it was me opening #284. I have come across a similar situation in a k8s operator of my own. Obviously I could not retrieve the plain password from the target system, but I could retrieve the hashed password. I solved the problem by hashing the password inside the operator code using the salt from the retrieved password hash and the same hashing algorithm as the target system. I would then compare the hashes in order to know if the password needs to be updated or not. I don't know if this is applicable to your case, but might be an approach. |
|
@jcanseco Yes, that is correct. Thank you for raising a separate issue for this! I guess the related general question is: Does drift correction detect deltas in referenced resources? Although, that isn't what was happening before 1.19.0 either from my understanding. I don't think "not constantly updating SQLUser" broke our implementation, because the password (regardless of the loop frequency) used to get drift-corrected and now doesn't at all (even after the now-less-frequent |
|
I read through #153 and I do understand that this is a problem without an easy, obvious, perfect solution for all users. The change that was made as a result of #153 has the following costs and benefits:
Therefore, there are essentially no benefits for a user running with conflict prevention enabled (the default, I believe), but a substantial cost in loss of functionality. |
|
@tonybenchsci Referenced resources don't really have anything to do with the issue. Basically, KCC sends an update to GCP whenever it detects a diff between the resource's desired state and its actual state. However, the problem with The previous approach was to just update the password on every reconciliation to ensure that drift is always corrected even if there wasn't actually any drift. However, customers have complained about this since they noted that their SQL users on GCP were having their passwords updated even though they didn't change anything. @ryanbenchsci Yes, we do see your point about this seeming like a breaking change. Originally, we considered the previous behavior a bug, but we recognize that we should revisit this behavior since we can see that it has caused problems, and we will make sure to be careful with making similar changes in the future. We will need to sink time thinking about how best to address the issue. For now, can you see if the following workaround works for you? While KCC no longer corrects drift if the password is changed from outside KCC (since it's not possible to read what the current password is), KCC will still send an update if it detects that the password may have been changed on KCC-side (e.g. if Therefore, you could trigger an update for Could you please see if that works for you? |
|
Thanks @jcanseco for getting back. Wouldn't it be a more complete approach for you guys to work with the CloudSQL team and fix their logging API so that unchanged passwords are not logged as changed? (I'm sure there might be complications depending on how the passwords are hashed/protected). I think those customers just didn't like the logs, where as we actually had functionality dependent on full resource drift correction. So the workaround to add an annotation to the secret would require manual intervention every time the SQL instance is restored (which runs on a cronjob). I guess we could run Is it possible/advisable to mix native k8s resources like cronjobs in the same namespace where everything else is using cnrm CRDs? |
|
Thanks @tonybenchsci, yes that is something we can consider, thanks for the suggestion. We will definitely see if we can work with the CloudSQL team in some way.
Yes this is the workaround we had in mind as well.
Yes I don't see the problem with doing so. In fact, I would assume you're already doing that, given that KCC resources that can reference |
|
@jcanseco Has there been any updates to reconcile logic on Nov 19, 2020? |
|
Hi @tonybenchsci, none that I know of.
Can you clarify what you mean by "no longer works"? Do you mean that modifying an annotation on the referenced
And can you specify what kind of errors you observed? |
Opening a new issue for this comment.
Background: KCC before v1.19.0 would constantly update
SQLUserif aspec.passwordis specified since the only way to correct drift forspec.passwordis to send updates constantly. This is because, unlike most GCP resource fields, there is no way actually to detect drift forspec.passwordgiven that its current value cannot be read using the API (and understandably so).Customers have identified this "constantly updating" behavior for
SQLUserspec.passwordas problematic (Issue #153) since it spams the SQL operations logging with "Password changed" messages, which not only looks like a security concern but also renders the SQL operations logs difficult to use.Other customers, however, actually prefer the "constantly updating" behavior (see the linked comment that motivated this GitHub issue).
@tonybenchsci, can you please confirm if my understanding of your use-case is accurate: you're restoring SQL instances from backups (like described here) which also reset user passwords, and you had been relying on the
SQLUserspec.password's "constantly updating" behavior to set back the user passwords to their desired values as specified by theSQLUserresources?The text was updated successfully, but these errors were encountered: