
fix(rds)!: Rework handling of masterPasswordSecretRef #1756

Conversation

schroeder-paul (Contributor) commented May 10, 2023

Description of your changes

[Image: masterpass drawio diagram]

Problems

  1. In the current state, the masterPasswordSecretRef is absolutely necessary for both resources (DBCluster, DBInstance) to be claimed. This is because the referenced secret is used as a cache for autogenerated secrets (or for the actual secret), so an input parameter (the secret) is used for internal purposes and might be rewritten.
  2. In the current state it is not possible to change the password of either of the resources once they are created.

Remedy (proposal)

  1. The logic should become clear from the preCreate source (sample from the instance controller):

	// Decide which master password, if any, is sent to RDS on create.
	var pw string
	var err error
	switch {
	case clusterIdentifier != nil:
		// Instance is a member of a DBCluster: the password is managed on the cluster.
		break
	case masterUserPasswordSecretRef == nil && restoreFrom == nil && !autogenerate:
		// No secret, no autogeneration and no restore source: nothing to use.
		return errors.New(dbinstance.ErrNoMasterUserPasswordSecretRefNorAutogenerateNoRestore)
	case masterUserPasswordSecretRef == nil && autogenerate:
		pw, err = password.Generate()
	case masterUserPasswordSecretRef != nil && autogenerate:
		// An explicitly referenced secret wins over autogeneration.
		fallthrough
	case masterUserPasswordSecretRef != nil && !autogenerate:
		pw, err = dbinstance.GetSecretValue(ctx, e.kube, masterUserPasswordSecretRef)
	}
	if err != nil {
		return errors.Wrap(err, dbinstance.ErrNoRetrievePasswordOrGenerate)
	}

	// pw stays empty for a cluster member or a plain restore (no secret, no autogeneration).
	obj.MasterUserPassword = aws.String(pw)

  2. The abuse of the input secret as a cache is remedied by the introduction of a dedicated cache secret in the crossplane namespace. Its name is built from the resource kind and its UID: <resource kind | tolower>.<uid>. It holds the cached secret and info about the restore state.
  3. To reduce code duplication for both resources, rds/common.go got more functions, and an interface RDSClusterOrInstance was introduced so that these functions can handle both resource types (instance and cluster).

The changes are quite a mouthful, but I am sure they will improve the workflow and add value. Please have a close review.

Fixes: #1571

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

dbinstance - autogeneratePassword: true - masterUserPasswordSecretRef: null - writeConnectionSecretToRef: null

---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBInstance
metadata:
  name: example-dbinstance
spec:
  forProvider:
    allocatedStorage: 20
    autogeneratePassword: true
    dbInstanceClass: db.t3.micro
    dbSubnetGroupName: shared-primary
    engine: postgres
    masterUsername: masterUser
    region: eu-central-1
    skipFinalSnapshot: true
#    masterUserPasswordSecretRef:
#      name: example-dbinstance
#      namespace: crossplane-system
#      key: password
    applyImmediately: true
#  writeConnectionSecretToRef:
#    name: example-dbinstance
#    namespace: crossplane-system
  providerConfigRef:
    name: provider-aws-provider-config
$ make run ...
$ kg dbinstance.rds.aws example-dbinstance
NAME                 READY   SYNCED   EXTERNAL-NAME        AGE
example-dbinstance   True    True     example-dbinstance   9d 
$ k view-secret -n crossplane-system dbinstance.$(kg dbinstance.rds.aws example-dbinstance -oyaml | yq .metadata.uid)
Choosing key: dbMasterUserPassword
Lp9goLGeTT21eKvUeKhutGHNxWA 
(default@minikube)[~/repos/crossplane/local-test/dbs]$ kubectl --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine devops -- bash
If you don't see a command prompt, try pressing enter.
devops:/# psql -h example-dbinstance.cafru2638u9h.eu-central-1.rds.amazonaws.com -U masterUser postgres
Password for user masterUser: Lp9goLGeTT21eKvUeKhutGHNxWA 
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

postgres=>

dbinstance - autogeneratePassword: true - masterUserPasswordSecretRef: null - writeConnectionSecretToRef: set

apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBInstance
metadata:
  name: example-dbinstance
spec:
  forProvider:
    allocatedStorage: 20
    autogeneratePassword: true
    dbInstanceClass: db.t3.micro
    dbSubnetGroupName: shared-primary
    engine: postgres
    masterUsername: masterUser
    region: eu-central-1
    skipFinalSnapshot: true
#    masterUserPasswordSecretRef:
#      name: example-dbinstance
#      namespace: crossplane-system
#      key: password
    applyImmediately: true
  writeConnectionSecretToRef:
    name: example-dbinstance
    namespace: default
  providerConfigRef:
    name: provider-aws-provider-config
$ kg secret
NAME                 TYPE                                DATA   AGE
example-dbinstance   connection.crossplane.io/v1alpha1   4      114s
$ k view-secret example-dbinstance --all
endpoint=example-dbinstance.cafru2638u9h.eu-central-1.rds.amazonaws.com
password=Lp9goLGeTT21eKvUeKhutGHNxWA
port=5432
username=masterUser
$ k view-secret -n crossplane-system dbinstance.$(kg dbinstance.rds.aws example-dbinstance -oyaml | yq .metadata.uid)
Choosing key: dbMasterUserPassword
Lp9goLGeTT21eKvUeKhutGHNxWA

NOTE: The two passwords do match!

dbinstance - autogeneratePassword: true - masterUserPasswordSecretRef: set/changed - writeConnectionSecretToRef: set

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: example-dbinstance
  namespace: crossplane-system
stringData:
  password: foobar123 # must be longer than 8 chars
---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBInstance
metadata:
  name: example-dbinstance
spec:
  forProvider:
    allocatedStorage: 20
    autogeneratePassword: true
    dbInstanceClass: db.t3.micro
    dbSubnetGroupName: shared-primary
    engine: postgres
    masterUsername: masterUser
    region: eu-central-1
    skipFinalSnapshot: true
    masterUserPasswordSecretRef:
      name: example-dbinstance
      namespace: crossplane-system
      key: password
    applyImmediately: true
  writeConnectionSecretToRef:
    name: example-dbinstance
    namespace: default
  providerConfigRef:
    name: provider-aws-provider-config
$ k view-secret -n crossplane-system example-dbinstance
Choosing key: password
foobar123
$ k view-secret example-dbinstance --all
endpoint=example-dbinstance.cafru2638u9h.eu-central-1.rds.amazonaws.com
password=foobar123
port=5432
username=masterUser
$ k view-secret -n crossplane-system dbinstance.$(kg dbinstance.rds.aws example-dbinstance -oyaml | yq .metadata.uid)
Choosing key: dbMasterUserPassword
foobar123 
$ kubectl --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine schroeder-devops --command -- bash
If you don't see a command prompt, try pressing enter.
schroeder-devops:/# psql -h example-dbinstance.cafru2638u9h.eu-central-1.rds.amazonaws.com -U masterUser postgres
Password for user masterUser: # foobar123
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

postgres=> 

NOTE: Passwords coincide and are not autogenerated

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: example-dbinstance
  namespace: crossplane-system
stringData:
  password: 123barfoo # foobar123 # must be longer than 8 chars
$ k view-secret -n crossplane-system example-dbinstance
Choosing key: password
123barfoo
$ k view-secret example-dbinstance --all
endpoint=example-dbinstance.cafru2638u9h.eu-central-1.rds.amazonaws.com
password=123barfoo
port=5432
username=masterUser
$ k view-secret -n crossplane-system dbinstance.$(kg dbinstance.rds.aws example-dbinstance -oyaml | yq .metadata.uid) --all
dbMasterUserPassword=123barfoo
dbWasRestored=
$ kubectl --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine schroeder-devops --command -- bash
If you don't see a command prompt, try pressing enter.
schroeder-devops:/# psql -h example-dbinstance.cafru2638u9h.eu-central-1.rds.amazonaws.com -U masterUser postgres
Password for user masterUser: 123barfoo
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

postgres=>

Password change worked!

dbinstance (restore) - autogeneratePassword: null - masterUserPasswordSecretRef: null/set - writeConnectionSecretToRef: set

$ kg dbinstance.rds example-dbinstance
NAME                 READY   SYNCED   EXTERNAL-NAME        AGE
example-dbinstance   True    True     example-dbinstance   3h24m 
---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBInstance
metadata: 
  name: example-dbinstance-restored
spec: 
  forProvider: 
    allocatedStorage: 20
#    autogeneratePassword: true
    dbInstanceClass: db.t3.micro
    dbSubnetGroupName: shared-primary
    engine: postgres
    masterUsername: masterUser
    region: eu-central-1
    skipFinalSnapshot: true
#    masterUserPasswordSecretRef:
#      name: example-dbinstance
#      namespace: crossplane-system
#      key: password
    applyImmediately: true
    restoreFrom: 
      source: PointInTime
      pointInTime: 
        sourceDBInstanceIdentifier: example-dbinstance
        useLatestRestorableTime: true
  writeConnectionSecretToRef: 
    name: example-dbinstance-restored
    namespace: default
  providerConfigRef: 
    name: provider-aws-provider-config
$ kg dbinstance.rds example-dbinstance-restored
NAME                          READY   SYNCED   EXTERNAL-NAME                 AGE
example-dbinstance-restored   True    True     example-dbinstance-restored   13m
$ k view-secret example-dbinstance-restored --all
endpoint=example-dbinstance-restored.cafru2638u9h.eu-central-1.rds.amazonaws.com
password=        <==== EMPTY!!!
port=5432
username=masterUser

Now the OLD password can be used:

$ k view-secret example-dbinstance --all
endpoint=example-dbinstance.cafru2638u9h.eu-central-1.rds.amazonaws.com
password=passwordOfToBeRestoredDB
port=5432
username=masterUser

To connect to the DB:

$ k --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine schroeder-devops --command -- bash
If you don't see a command prompt, try pressing enter.
schroeder-devops:/# psql -h example-dbinstance-restored.cafru2638u9h.eu-central-1.rds.amazonaws.com -U masterUser postgres
Password for user masterUser: passwordOfToBeRestoredDB
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

postgres=>

Or it can be changed:

$ k diff -f repos/crossplane/local-test/dbs/dbinstance-mr.yaml
diff -u -N /tmp/LIVE-3139368524/rds.aws.crossplane.io.v1alpha1.DBInstance..example-dbinstance-restored /tmp/MERGED-3174011549/rds.aws.crossplane.io.v1alpha1.DBInstance..example-dbinstance-restored
--- /tmp/LIVE-3139368524/rds.aws.crossplane.io.v1alpha1.DBInstance..example-dbinstance-restored 2023-05-22 14:23:41.304484930 +0200
+++ /tmp/MERGED-3174011549/rds.aws.crossplane.io.v1alpha1.DBInstance..example-dbinstance-restored       2023-05-22 14:23:41.304484930 +0200
@@ -10,7 +10,7 @@
   creationTimestamp: "2023-05-22T12:04:39Z"
   finalizers:
   - finalizer.managedresource.crossplane.io
-  generation: 4
+  generation: 5
   name: example-dbinstance-restored
   resourceVersion: "114926"
   uid: 16714fcb-5d89-4dc7-933a-74320e670143
@@ -33,6 +33,10 @@
     engine: postgres
     engineVersion: "14.6"
     licenseModel: postgresql-license
+    masterUserPasswordSecretRef:
+      key: password
+      name: example-dbinstance-new-password
+      namespace: crossplane-system
     masterUsername: masterUser
     multiAZ: false
     port: 5432
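Review bot: the `masterUserPasswordSecretRef` added to the restored DBInstance points at `crossplane-system/example-dbinstance-new-password`, a Secret that does not exist in the live state yet (the following Secret diff goes from `null` to a new object in the same apply). If the DBInstance is reconciled before that Secret is persisted, the lookup fails; confirm the controller surfaces this as a failed reconcile condition and retries, rather than silently keeping the previous password, and document that the Secret should be applied first.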
diff -u -N /tmp/LIVE-3139368524/v1.Secret.crossplane-system.example-dbinstance-new-password /tmp/MERGED-3174011549/v1.Secret.crossplane-system.example-dbinstance-new-password
--- /tmp/LIVE-3139368524/v1.Secret.crossplane-system.example-dbinstance-new-password    2023-05-22 14:23:41.294484935 +0200
+++ /tmp/MERGED-3174011549/v1.Secret.crossplane-system.example-dbinstance-new-password  2023-05-22 14:23:41.294484935 +0200
@@ -1 +1,10 @@
-null
+apiVersion: v1
+data:
+  password: '***'
+kind: Secret
+metadata:
+  creationTimestamp: "2023-05-22T12:23:41Z"
+  name: example-dbinstance-new-password
+  namespace: crossplane-system
+  uid: 5ad05f31-a83d-4188-a389-fc140724e495
+type: Opaque
$ k view-secret example-dbinstance-restored --all
endpoint=example-dbinstance-restored.cafru2638u9h.eu-central-1.rds.amazonaws.com
password=newDBPassword
port=5432
username=masterUser
$ k --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine schroeder-devops --command -- bash
If you don't see a command prompt, try pressing enter.
schroeder-devops:/# psql -h example-dbinstance-restored.cafru2638u9h.eu-central-1.rds.amazonaws.com -U masterUser postgres
Password for user masterUser: newDBPassword
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, compression: off)
Type "help" for help.

postgres=>

dbcluster - autogeneratePassword: true - masterUserPasswordSecretRef: null - writeConnectionSecretToRef: set

---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata: 
  name: example-dbcluster
spec: 
  forProvider: 
    applyImmediately: true
    autogeneratePassword: true
    dbSubnetGroupName: shared-primary
    engine: aurora-postgresql
    masterUsername: masterUser
    port: 5432
    region: eu-central-1
    skipFinalSnapshot: true
    serverlessV2ScalingConfiguration: # patched
      minCapacity: 0.5
      maxCapacity: 1
#    masterUserPasswordSecretRef:
#      name: example-dbcluster
#      namespace: crossplane-system
#      key: password
#    restoreFrom:
#      source: PointInTime
#      pointInTime:
#        sourceDBInstanceIdentifier: example-dbcluster
#        useLatestRestorableTime: true
  writeConnectionSecretToRef: 
    name: example-dbcluster
    namespace: default
  providerConfigRef: 
    name: provider-aws-provider-config
---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBInstance
metadata: 
  name: example-aurora-serverless-instance
spec: 
  forProvider: 
    region: eu-central-1
    dbInstanceClass: db.serverless
    engine: aurora-postgresql
    dbClusterIdentifier: example-dbcluster
  providerConfigRef: 
    name: provider-aws-provider-config
$ kg dbcluster.rds
NAME                READY   SYNCED   EXTERNAL-NAME       AGE
example-dbcluster   True    True     example-dbcluster   5m25s
$ kg dbinstance.rds
NAME                                 READY   SYNCED   EXTERNAL-NAME                        AGE
example-aurora-serverless-instance   True    True     example-aurora-serverless-instance   17m
$ k view-secret -n crossplane-system dbcluster.74383abd-0a1a-4677-9a05-029777e98fad
Choosing key: dbMasterUserPassword
OiGni8h7cioObzCwVocqFpoNL 
$ k view-secret  example-dbcluster --all
endpoint=example-dbcluster.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
password=OiGni8h7cioObzCwVocqFpoNLnp
port=5432
username=masterUser

Note: if no port is given, the default is used but 0 is displayed (the cluster observation does not supply it). The behaviour will be changed to not display the port if it is the default (to also adhere more closely to the instance).

$ k --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine schroeder-devops --command -- bash
If you don't see a command prompt, try pressing enter.
schroeder-devops:/# psql -U masterUser postgres -h example-dbcluster.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
Password for user masterUser: OiGni8h7cioObzCwVocqFpoNLnp
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: AES128-SHA256, compression: off)
Type "help" for help.

postgres=>

dbcluster - autogeneratePassword: true - masterUserPasswordSecretRef: set/changed - writeConnectionSecretToRef: set

---
apiVersion: v1
kind: Secret
type: Opaque
metadata: 
  name: example-dbcluster
  namespace: crossplane-system
stringData: 
  password: dbToBeRestoredPassword
---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata: 
  name: example-dbcluster
spec: 
  forProvider: 
    applyImmediately: true
    autogeneratePassword: true
    dbSubnetGroupName: shared-primary
    engine: aurora-postgresql
    masterUsername: masterUser
    port: 5432
    region: eu-central-1
    skipFinalSnapshot: true
    serverlessV2ScalingConfiguration: # patched
      minCapacity: 0.5
      maxCapacity: 1
    masterUserPasswordSecretRef: 
      name: example-dbcluster
      namespace: crossplane-system
      key: password
#    restoreFrom:
#      source: PointInTime
#      pointInTime:
#        sourceDBInstanceIdentifier: example-dbcluster
#        useLatestRestorableTime: true
  writeConnectionSecretToRef: 
    name: example-dbcluster
    namespace: default
  providerConfigRef: 
    name: provider-aws-provider-config
---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBInstance
metadata: 
  name: example-aurora-serverless-instance
spec: 
  forProvider: 
    region: eu-central-1
    dbInstanceClass: db.serverless
    engine: aurora-postgresql
    dbClusterIdentifier: example-dbcluster
  providerConfigRef: 
    name: provider-aws-provider-config
$ kg -f repos/crossplane/local-test/dbs/dbcluster-mr.yaml
NAME                       TYPE     DATA   AGE
secret/example-dbcluster   Opaque   1      12m

NAME                                                READY   SYNCED   EXTERNAL-NAME       AGE
dbcluster.rds.aws.crossplane.io/example-dbcluster   True    True     example-dbcluster   12m

NAME                                                                  READY   SYNCED   EXTERNAL-NAME                        AGE
dbinstance.rds.aws.crossplane.io/example-aurora-serverless-instance   True    True     example-aurora-serverless-instance   12m
$ k view-secret example-dbcluster --all
endpoint=example-dbcluster.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
password=dbToBeRestoredPassword
port=5432
username=masterUser
$ k view-secret -n crossplane-system example-dbcluster --all
password=dbToBeRestoredPassword
$ k --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine schroeder-devops --command -- bash
If you don't see a command prompt, try pressing enter.
schroeder-devops:/# psql -U masterUser postgres -h example-dbcluster.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
Password for user masterUser: dbToBeRestoredPassword
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: AES128-SHA256, compression: off)
Type "help" for help.

postgres=> 
$ k diff -f  repos/crossplane/local-test/dbs/dbcluster-mr.yaml
diff -u -N /tmp/LIVE-3432366171/v1.Secret.crossplane-system.example-dbcluster /tmp/MERGED-1933901772/v1.Secret.crossplane-system.example-dbcluster
--- /tmp/LIVE-3432366171/v1.Secret.crossplane-system.example-dbcluster  2023-05-23 11:22:51.931069549 +0200
+++ /tmp/MERGED-1933901772/v1.Secret.crossplane-system.example-dbcluster        2023-05-23 11:22:51.931069549 +0200
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
-  password: dbToBeRestoredPassword
+  password: newPassword
 kind: Secret
 metadata:
   annotations: 
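Review bot: the old and new values are printed in clear text in this diff (`-  password: dbToBeRestoredPassword` / `+  password: newPassword`), whereas the earlier DBInstance Secret diff rendered the value as `'***'`. Treat `kubectl diff` output for Secrets as sensitive: redact it before pasting into a PR description or a CI log, since this page now records a master password that was live on the cluster at the time.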
$ ka repos/crossplane/local-test/dbs/dbcluster-mr.yaml
secret/example-dbcluster configured
...
$ k view-secret -n crossplane-system example-dbcluster --all
password=newPassword
$ k view-secret example-dbcluster --all
endpoint=example-dbcluster.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
password=newPassword
port=5432
username=masterUser
$ k --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine schroeder-devops --command -- bash
If you don't see a command prompt, try pressing enter.
schroeder-devops:/# psql -U masterUser postgres -h example-dbcluster.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
Password for user masterUser: newPassword
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: AES128-SHA256, compression: off)
Type "help" for help.

postgres=>

dbcluster (restore) - autogeneratePassword: null - masterUserPasswordSecretRef: null/set - writeConnectionSecretToRef: set

Old DB:

---
apiVersion: v1
kind: Secret
type: Opaque
metadata: 
  name: example-dbcluster
  namespace: crossplane-system
stringData: 
  password: dbToBeRestoredPassword
---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata: 
  name: example-dbcluster
spec: 
  forProvider: 
    applyImmediately: true
    autogeneratePassword: true
    dbSubnetGroupName: shared-primary
    engine: aurora-postgresql
    masterUsername: masterUser
    port: 5432
    region: eu-central-1
    skipFinalSnapshot: true
    serverlessV2ScalingConfiguration: # patched
      minCapacity: 0.5
      maxCapacity: 1
    masterUserPasswordSecretRef: 
      name: example-dbcluster
      namespace: crossplane-system
      key: password
#    restoreFrom:
#      source: PointInTime
#      pointInTime:
#        sourceDBInstanceIdentifier: example-dbcluster
#        useLatestRestorableTime: true
  writeConnectionSecretToRef: 
    name: example-dbcluster
    namespace: default
  providerConfigRef: 
    name: provider-aws-provider-config
---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBInstance
metadata: 
  name: example-aurora-serverless-instance
spec: 
  forProvider: 
    region: eu-central-1
    dbInstanceClass: db.serverless
    engine: aurora-postgresql
    dbClusterIdentifier: example-dbcluster
  providerConfigRef: 
    name: provider-aws-provider-config

New (restored DB):

apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBCluster
metadata: 
  name: example-dbcluster-restored
spec: 
  forProvider: 
    applyImmediately: true
#    autogeneratePassword: true
    dbSubnetGroupName: shared-primary
    engine: aurora-postgresql
    masterUsername: masterUser
    port: 5432
    region: eu-central-1
    skipFinalSnapshot: true
    serverlessV2ScalingConfiguration: # patched
      minCapacity: 0.5
      maxCapacity: 1
#    masterUserPasswordSecretRef:
#      name: example-dbcluster
#      namespace: crossplane-system
#      key: password
    restoreFrom: 
      source: PointInTime
      pointInTime: 
        sourceDBClusterIdentifier: example-dbcluster
        useLatestRestorableTime: true
  writeConnectionSecretToRef: 
    name: example-dbcluster-restored
    namespace: default
  providerConfigRef: 
    name: provider-aws-provider-config
---
apiVersion: rds.aws.crossplane.io/v1alpha1
kind: DBInstance
metadata: 
  name: example-aurora-serverless-instance-restored
spec: 
  forProvider: 
    region: eu-central-1
    dbInstanceClass: db.serverless
    engine: aurora-postgresql
    dbClusterIdentifier: example-dbcluster-restored
  providerConfigRef: 
    name: provider-aws-provider-config
$ kg dbcluster.rds example-dbcluster-restored
NAME                         READY   SYNCED   EXTERNAL-NAME                AGE
example-dbcluster-restored   True    True     example-dbcluster-restored   63m
$ k view-secret example-dbcluster-restored --all
endpoint=example-dbcluster-restored.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
password=
port=5432
username=masterUser
$ k view-secret -n crossplane-system dbcluster.e1b02b1b-5194-4d3b-995e-db86d723ce08 --all
dbMasterUserPassword=
dbWasRestored=
$ k --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine schroeder-devops --command -- bash
If you don't see a command prompt, try pressing enter.
schroeder-devops:/# psql -U masterUser postgres -h example-dbcluster-restored.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
Password for user masterUser: dbToBeRestoredPassword
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: AES128-SHA256, compression: off)
Type "help" for help.

postgres=> 

Set new password:

$ k diff -f  repos/crossplane/local-test/dbs/dbcluster-mr.yaml
diff -u -N /tmp/LIVE-2201771892/rds.aws.crossplane.io.v1alpha1.DBCluster..example-dbcluster-restored /tmp/MERGED-1982028579/rds.aws.crossplane.io.v1alpha1.DBCluster..example-dbcluster-restored
--- /tmp/LIVE-2201771892/rds.aws.crossplane.io.v1alpha1.DBCluster..example-dbcluster-restored   2023-05-23 12:50:43.229873374 +0200
+++ /tmp/MERGED-1982028579/rds.aws.crossplane.io.v1alpha1.DBCluster..example-dbcluster-restored 2023-05-23 12:50:43.229873374 +0200
@@ -10,7 +10,7 @@
   creationTimestamp: "2023-05-23T09:39:41Z"
   finalizers:
   - finalizer.managedresource.crossplane.io
-  generation: 1
+  generation: 2
   name: example-dbcluster-restored
   resourceVersion: "166625"
   uid: e1b02b1b-5194-4d3b-995e-db86d723ce08
@@ -20,6 +20,10 @@
     applyImmediately: true
     dbSubnetGroupName: shared-primary
     engine: aurora-postgresql
+    masterUserPasswordSecretRef:
+      key: password
+      name: example-dbcluster
+      namespace: crossplane-system
     masterUsername: masterUser
     port: 5432
     region: eu-central-1
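Review bot: `example-dbcluster-restored` now references `crossplane-system/example-dbcluster`, the same Secret that the source cluster `example-dbcluster` already uses as its `masterUserPasswordSecretRef` in the manifest above. Any future edit of that single Secret rotates the master password of both clusters at once, which is rarely what a restore scenario intends; give the restored cluster its own Secret (as the DBInstance test does with `example-dbinstance-new-password`) unless shared credentials are deliberate.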
$ k view-secret -n crossplane-system dbcluster.e1b02b1b-5194-4d3b-995e-db86d723ce08 --all
dbMasterUserPassword=newPassword
dbWasRestored= 
$ k view-secret example-dbcluster-restored --all
endpoint=example-dbcluster-restored.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
password=newPassword
port=5432
username=masterUser
$ kubectl --context dev-e2e --namespace=schroeder-dev run --rm -it --image=postgres:alpine schroeder-devops --command -- bash
If you don't see a command prompt, try pressing enter.
schroeder-devops:/# psql -U masterUser postgres -h example-dbcluster-restored.cluster-cafru2638u9h.eu-central-1.rds.amazonaws.com
Password for user masterUser: newPassword
psql (15.3, server 14.6)
SSL connection (protocol: TLSv1.2, cipher: AES128-SHA256, compression: off)
Type "help" for help.

postgres=>

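The password-selection logic and the cache-secret naming described in the PR, condensed into a self-contained Go program. This is an added example written for this page, not provider-aws code: `ResolveMasterPassword`, `SecretStore`, `GeneratePassword`, `CacheSecretName` and `NeedsRotation` are hypothetical names, the in-memory `SecretStore` stands in for the Kubernetes API, and the rotation rule for the cache entry is this example's own assumption about how the cache is used, not something the PR text spells out.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// SecretRef mirrors the shape of masterUserPasswordSecretRef in the manifests.
type SecretRef struct {
	Namespace, Name, Key string
}

// SecretStore stands in for the Kubernetes API ("namespace/name" -> data keys).
// It is an in-memory stand-in so the example runs offline.
type SecretStore map[string]map[string]string

// Get returns the value at ref.Key and fails on a missing Secret or empty key.
func (s SecretStore) Get(ref SecretRef) (string, error) {
	data, ok := s[ref.Namespace+"/"+ref.Name]
	if !ok {
		return "", fmt.Errorf("secret %s/%s not found", ref.Namespace, ref.Name)
	}
	v, ok := data[ref.Key]
	if !ok || v == "" {
		return "", fmt.Errorf("secret %s/%s has no value for key %q", ref.Namespace, ref.Name, ref.Key)
	}
	return v, nil
}

// PasswordInput carries the spec fields the preCreate switch looks at.
type PasswordInput struct {
	ClusterIdentifier *string   // dbClusterIdentifier: instance is a cluster member
	SecretRef         *SecretRef // masterUserPasswordSecretRef
	RestoreFrom       *string   // non-nil when restoreFrom is set
	Autogenerate      bool      // autogeneratePassword
}

// ErrNoPasswordSource is the hypothetical counterpart of the PR's
// ErrNoMasterUserPasswordSecretRefNorAutogenerateNoRestore.
var ErrNoPasswordSource = errors.New("neither masterUserPasswordSecretRef nor autogeneratePassword nor restoreFrom is set")

// ResolveMasterPassword returns the password to send on create, or "" when none
// must be sent (cluster member, or a restore that keeps the source DB's password).
func ResolveMasterPassword(in PasswordInput, store SecretStore, gen func() (string, error)) (string, error) {
	switch {
	case in.ClusterIdentifier != nil:
		return "", nil // password is managed on the DBCluster
	case in.SecretRef == nil && in.RestoreFrom == nil && !in.Autogenerate:
		return "", ErrNoPasswordSource
	case in.SecretRef == nil && in.Autogenerate:
		return gen()
	case in.SecretRef != nil:
		return store.Get(*in.SecretRef) // explicit secret wins over autogeneration
	default:
		return "", nil // restoreFrom only: RDS keeps the source password
	}
}

// GeneratePassword draws n alphanumeric characters from crypto/rand. This is a
// stand-in for crossplane-runtime's password.Generate, not that function.
func GeneratePassword(n int) (string, error) {
	const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	b := make([]byte, n)
	for i := range b {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
		if err != nil {
			return "", err
		}
		b[i] = alphabet[idx.Int64()]
	}
	return string(b), nil
}

// CacheSecretName builds "<kind lowercased>.<uid>", e.g. dbinstance.<uid>.
func CacheSecretName(kind, uid string) string {
	return strings.ToLower(kind) + "." + uid
}

// CacheEntry models the two keys seen in the cache secret: dbMasterUserPassword
// and dbWasRestored.
type CacheEntry struct {
	DBMasterUserPassword string
	DBWasRestored        bool
}

// NeedsRotation is this example's assumed rule: only a non-empty desired
// password that differs from the cached one triggers a password modification.
func NeedsRotation(desired string, cache CacheEntry) bool {
	return desired != "" && desired != cache.DBMasterUserPassword
}

func main() {
	store := SecretStore{"crossplane-system/example-dbinstance": {"password": "foobar123"}}
	ref := &SecretRef{Namespace: "crossplane-system", Name: "example-dbinstance", Key: "password"}
	gen := func() (string, error) { return GeneratePassword(27) }
	pw, err := ResolveMasterPassword(PasswordInput{SecretRef: ref, Autogenerate: true}, store, gen)
	fmt.Println(CacheSecretName("DBInstance", "16714fcb-5d89-4dc7-933a-74320e670143"), pw, err)
}
```

The `default` branch is what produces the empty `password=` in the restored instance's connection secret above: with only `restoreFrom` set, nothing is sent to RDS and the cache stays empty until a `masterUserPasswordSecretRef` is added later.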
@schroeder-paul schroeder-paul marked this pull request as ready for review May 24, 2023 07:03
@MisterMX MisterMX changed the title Feat/dbs/change master password 1571 Feat/dbs/change master password #1571 May 25, 2023
@schroeder-paul schroeder-paul force-pushed the feat/dbs/change-master-password-1571 branch from d7a3a79 to 9c83b2b Compare May 31, 2023 14:22
MisterMX (Collaborator) left a comment

LGTM. Thanks @schroeder-paul.

@chlunde, @haarchri since this is quite a complicated PR, can you take a second or third look at it?

@schroeder-paul schroeder-paul force-pushed the feat/dbs/change-master-password-1571 branch from 9c83b2b to a7eaa8a Compare June 7, 2023 09:18
@MisterMX MisterMX requested a review from haarchri June 12, 2023 08:57
@schroeder-paul schroeder-paul force-pushed the feat/dbs/change-master-password-1571 branch 2 times, most recently from 2fa4a21 to fc02a61 Compare July 13, 2023 13:37
@MisterMX MisterMX force-pushed the feat/dbs/change-master-password-1571 branch from fc02a61 to ab4a5c4 Compare July 24, 2023 15:03
@MisterMX MisterMX changed the title Feat/dbs/change master password #1571 fix(rds)!: Reworkhandling of masterPasswordSecretRef Jul 24, 2023
@MisterMX MisterMX requested a review from chlunde July 24, 2023 15:07
@MisterMX MisterMX changed the title fix(rds)!: Reworkhandling of masterPasswordSecretRef fix(rds)!: Rework handling of masterPasswordSecretRef Jul 26, 2023
Signed-off-by: Paul Schroeder (external expert on behalf of DB Netz) <paul.schroeder-extern@deutschebahn.com>
Signed-off-by: Maximilian Blatt (external expert on behalf of DB Netz) <maximilian.blatt-extern@deutschebahn.com>

Co-authored-by: Maximilian Blatt (external expert on behalf of DB Netz) <maximilian.blatt-extern@deutschebahn.com>
@MisterMX MisterMX force-pushed the feat/dbs/change-master-password-1571 branch from ab4a5c4 to d61ae02 Compare July 28, 2023 12:49
@MisterMX MisterMX merged commit 43bda34 into crossplane-contrib:master Jul 28, 2023
8 checks passed
MisterMX (Collaborator) commented

Rebased on latest master. LGTM. Thanks a lot @schroeder-paul!

Successfully merging this pull request may close these issues.

RDSInstance & masterPasswordSecretRef: missing username & password keys in connection secret