thelabdude commented on a change in pull request #221:
URL: https://github.com/apache/lucene-solr-operator/pull/221#discussion_r579366325



##########
File path: api/v1beta1/solrcloud_types.go
##########
@@ -1022,3 +1044,35 @@ type SolrTLSOptions struct {
        // +optional
        RestartOnTLSSecretUpdate bool 
`json:"restartOnTLSSecretUpdate,omitempty"`
 }
+
+type SolrSecurityOptions struct {
+       // Secret containing credentials the operator should use for API 
requests to secure Solr pods.
+       // If you provide this secret, then the operator assumes you've also 
configured your own security.json file and
+       // uploaded it to Solr. The 'key' of the secret selector is the 
username. If you change the password for this
+       // user using the Solr security API, then you *must* update the secret 
with the new password or the operator will be
+       // locked out of Solr and API requests will fail, ultimately causing a 
CrashBackoffLoop for all pods if probe endpoints
+       // are secured.
+       //
+       // If you don't supply this secret, then the operator bootstraps a 
default security.json file and creates a
+       // corresponding secret containing the credentials for three users: 
admin, solr, and k8s-oper. All API requests
+       // from the operator are made as the 'k8s-oper' user, which is 
configured with minimal access. The 'solr' user has
+       // basic read access to Solr resources. Once the security.json is 
bootstrapped, the operator will not update it!
+       // You're expected to use the 'admin' user to access the Security API 
to make further changes. It's strictly a
+       // bootstrapping operation.
+       // +optional
+       BasicAuthSecret *corev1.SecretKeySelector 
`json:"basicAuthSecret,omitempty"`
+
+       // Flag to indicate if the configured HTTP endpoint(s) used for the 
probes require authentication; defaults
+       // to false. If you set to true, then probes will use a local command 
on the main container to hit the secured
+       // endpoints with credentials sourced from an env var instead of HTTP 
directly.
+       // +optional
+       ProbesRequireAuth bool `json:"probesRequireAuth,omitempty"`
+
+       // A list of endpoints that allow un-authenticated (aka "anonymous") 
access; this allows you to open Solr for
+       // un-authenticated access to query endpoints but lock down all other 
requests. This setting only applies during
+       // initial bootstrapping of the security.json file. Changing this after 
security.json has been applied by the
+       // operator to a SolrCloud instance has no effect. Obviously, if you're 
supplying your own basicAuthSecret, then this
+       // setting does not apply as you're expected to configure your own 
security.json.
+       // +optional
+       InitAnonymousEndpoints []string 
`json:"initAnonymousEndpoints,omitempty"`
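
Review bot: InitAnonymousEndpoints is documented as silently ignored in two cases (when basicAuthSecret is supplied, and on any change made after security.json has been bootstrapped), so a user who edits the list expecting to tighten or open access gets no signal that Solr's authorization rules did not change. Consider rejecting the initAnonymousEndpoints plus basicAuthSecret combination at validation time, or surfacing the ignored setting in status or an event, and state in the comment what a valid entry looks like, since "a list of endpoints" does not say whether these are paths, prefixes or permission names. Separately, in the BasicAuthSecret comment, "CrashBackoffLoop" should read CrashLoopBackOff, the state name Kubernetes reports.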

Review comment:
       ok, I removed it




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


