fix: Manage OIDC admin password secret via cluster_resources

Author: dervoeti

rust/operator-binary/src/controller.rs

@@ -106,7 +106,7 @@ use crate::{
             NifiAuthenticationConfig, STACKABLE_SERVER_TLS_DIR, STACKABLE_TLS_STORE_PASSWORD,
         },
         authorization::{self, OPA_TLS_MOUNT_PATH, ResolvedNifiAuthorizationConfig},
-        build_tls_volume, check_or_generate_oidc_admin_password, check_or_generate_sensitive_key,
+        build_oidc_admin_password_secret, build_tls_volume, check_or_generate_sensitive_key,
         tls::{KEYSTORE_NIFI_CONTAINER_MOUNT, KEYSTORE_VOLUME_NAME, TRUSTSTORE_VOLUME_NAME},
     },
     service::{build_rolegroup_headless_service, build_rolegroup_metrics_service},
@@ -241,6 +241,11 @@ pub enum Error {
         cm_name: String,
     },
 
+    #[snafu(display("failed to apply OIDC admin password secret"))]
+    ApplyOidcAdminPasswordSecret {
+        source: stackable_operator::cluster_resources::Error,
+    },
+
     #[snafu(display("failed to patch service account"))]
     ApplyServiceAccount {
         source: stackable_operator::cluster_resources::Error,
@@ -443,10 +448,23 @@ pub async fn reconcile_nifi(
     )
     .context(InvalidNifiAuthenticationConfigSnafu)?;
 
-    if let NifiAuthenticationConfig::Oidc { .. } = authentication_config {
-        check_or_generate_oidc_admin_password(client, nifi)
+    if let NifiAuthenticationConfig::Oidc { .. } = &authentication_config {
+        let oidc_admin_password_secret = build_oidc_admin_password_secret(
+            client,
+            nifi,
+            build_recommended_labels(
+                nifi,
+                &resolved_product_image.app_version_label_value,
+                "node",
+                "oidc",
+            ),
+        )
+        .await
+        .context(SecuritySnafu)?;
+        cluster_resources
+            .add(client, oidc_admin_password_secret)
             .await
-            .context(SecuritySnafu)?;
+            .context(ApplyOidcAdminPasswordSecretSnafu)?;
     }
 
     let authorization_config = ResolvedNifiAuthorizationConfig::from(

rust/operator-binary/src/security/mod.rs

@@ -35,11 +35,12 @@ pub async fn check_or_generate_sensitive_key(
         .context(SensitiveKeySnafu)
 }
 
-pub async fn check_or_generate_oidc_admin_password(
+pub async fn build_oidc_admin_password_secret(
     client: &Client,
     nifi: &v1alpha1::NifiCluster,
-) -> Result<bool> {
-    oidc::check_or_generate_oidc_admin_password(client, nifi)
+    labels: stackable_operator::kvp::ObjectLabels<'_, v1alpha1::NifiCluster>,
+) -> Result<stackable_operator::k8s_openapi::api::core::v1::Secret> {
+    oidc::build_oidc_admin_password_secret(client, nifi, labels)
         .await
         .context(OidcAdminPasswordSnafu)
 }

rust/operator-binary/src/security/oidc.rs

@@ -9,6 +9,7 @@ use stackable_operator::{
     crd::authentication::oidc,
     k8s_openapi::api::core::v1::Secret,
     kube::{ResourceExt, runtime::reflector::ObjectRef},
+    kvp::ObjectLabels,
 };
 
 use crate::{crd::v1alpha1, security::authentication::STACKABLE_ADMIN_USERNAME};
@@ -37,64 +38,70 @@ pub enum Error {
 
     #[snafu(display("Nifi doesn't support skipping the OIDC TLS verification"))]
     SkippingTlsVerificationNotSupported {},
+
+    #[snafu(display("failed to build OIDC admin password secret metadata"))]
+    BuildOidcAdminPasswordSecretMetadata {
+        source: stackable_operator::builder::meta::Error,
+    },
 }
 
-/// Generate a secret containing the password for the admin user that can access the API.
+/// Build a Secret containing the OIDC admin password.
 ///
-/// This admin user is the same as for SingleUser authentication.
-pub(crate) async fn check_or_generate_oidc_admin_password(
+/// If the secret already exists, the existing password is preserved.
+/// Otherwise a new random password is generated.
+pub(crate) async fn build_oidc_admin_password_secret(
     client: &Client,
     nifi: &v1alpha1::NifiCluster,
-) -> Result<bool, Error> {
+    labels: ObjectLabels<'_, v1alpha1::NifiCluster>,
+) -> Result<Secret, Error> {
     let namespace: &str = &nifi.namespace().context(ObjectHasNoNamespaceSnafu)?;
     tracing::debug!("Checking for OIDC admin password configuration");
-    match client
+
+    let password = match client
         .get_opt::<Secret>(&build_oidc_admin_password_secret_name(nifi), namespace)
         .await
         .context(OidcAdminPasswordSecretSnafu)?
     {
         Some(secret) => {
-            let admin_password_present = secret
+            let existing_password = secret
                 .data
-                .iter()
-                .flat_map(|data| data.keys())
-                .any(|key| key == STACKABLE_ADMIN_USERNAME);
-
-            if admin_password_present {
-                Ok(false)
-            } else {
-                MissingAdminPasswordKeySnafu {
+                .as_ref()
+                .and_then(|data| data.get(STACKABLE_ADMIN_USERNAME))
+                .map(|bytes| String::from_utf8_lossy(&bytes.0).into_owned());
+
+            match existing_password {
+                Some(password) => password,
+                None => MissingAdminPasswordKeySnafu {
                     secret: ObjectRef::from_obj(&secret),
                 }
-                .fail()?
+                .fail()?,
             }
         }
         None => {
-            tracing::info!("No existing oidc admin password secret found, generating new one");
-            let password: String = rand::rng()
+            tracing::info!("No existing OIDC admin password secret found, generating new one");
+            rand::rng()
                 .sample_iter(&Alphanumeric)
                 .take(15)
                 .map(char::from)
-                .collect();
-
-            let mut secret_data = BTreeMap::new();
-            secret_data.insert("admin".to_string(), password);
-
-            let new_secret = Secret {
-                metadata: ObjectMetaBuilder::new()
-                    .namespace(namespace)
-                    .name(build_oidc_admin_password_secret_name(nifi))
-                    .build(),
-                string_data: Some(secret_data),
-                ..Secret::default()
-            };
-            client
-                .create(&new_secret)
-                .await
-                .context(OidcAdminPasswordSecretSnafu)?;
-            Ok(true)
+                .collect()
         }
-    }
+    };
+
+    Ok(Secret {
+        metadata: ObjectMetaBuilder::new()
+            .name_and_namespace(nifi)
+            .name(build_oidc_admin_password_secret_name(nifi))
+            .ownerreference_from_resource(nifi, None, Some(true))
+            .context(BuildOidcAdminPasswordSecretMetadataSnafu)?
+            .with_recommended_labels(labels)
+            .context(BuildOidcAdminPasswordSecretMetadataSnafu)?
+            .build(),
+        string_data: Some(BTreeMap::from([(
+            STACKABLE_ADMIN_USERNAME.to_string(),
+            password,
+        )])),
+        ..Secret::default()
+    })
 }
 
 pub fn build_oidc_admin_password_secret_name(nifi: &v1alpha1::NifiCluster) -> String {