thelabdude commented on a change in pull request #221:
URL:
https://github.com/apache/lucene-solr-operator/pull/221#discussion_r579845189
##########
File path: api/v1beta1/solrcloud_types.go
##########
@@ -1022,3 +1044,35 @@ type SolrTLSOptions struct {
// +optional
RestartOnTLSSecretUpdate bool
`json:"restartOnTLSSecretUpdate,omitempty"`
}
+
+type SolrSecurityOptions struct {
+ // Secret containing credentials the operator should use for API
requests to secure Solr pods.
+ // If you provide this secret, then the operator assumes you've also
configured your own security.json file and
+ // uploaded it to Solr. The 'key' of the secret selector is the
username. If you change the password for this
+ // user using the Solr security API, then you *must* update the secret
with the new password or the operator will be
+ // locked out of Solr and API requests will fail, ultimately causing a
CrashBackoffLoop for all pods if probe endpoints
+ // are secured.
+ //
+ // If you don't supply this secret, then the operator bootstraps a
default security.json file and creates a
+ // corresponding secret containing the credentials for three users:
admin, solr, and k8s-oper. All API requests
+ // from the operator are made as the 'k8s-oper' user, which is
configured with minimal access. The 'solr' user has
+ // basic read access to Solr resources. Once the security.json is
bootstrapped, the operator will not update it!
+ // You're expected to use the 'admin' user to access the Security API
to make further changes. It's strictly a
+ // bootstrapping operation.
+ // +optional
+ BasicAuthSecret *corev1.SecretKeySelector
`json:"basicAuthSecret,omitempty"`
Review comment:
One idea I liking more and more is to have 2 secrets, one that is a
`"kubernetes.io/basic-auth"` that holds the creds for the `k8s-oper` user and
another `Opaque` that holds the bootstrapped `admin` user and the
`security.json`. We can name the latter `<cloud>-solrcloud-security-bootstrap`
(or similar) which makes it clear it's only for bootstrapping security and the
former holds the creds for the user needed by the operator.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
