nakamasato · ffais · Jun 24, 2024 · Jun 24, 2024 · Jul 2, 2024 · Sep 24, 2024
diff --git a/charts/mysql-operator/README.md b/charts/mysql-operator/README.md
@@ -2,12 +2,12 @@
 
 ## Values
 
-1. **cloudSecretManagerType**: `raw` or `gcp`. With `raw`, you need to give root user password in `MySQL` custom resource. With `gcp`, you can securely store root user password in GCP SecretManager. This root user password is used to manage (create/edit/update) MySQL users, databases, etc.
-1. **gcpServiceAccount**: Only for `cloudSecretManagerType=gcp`. GCP service account for Pod `SA_NAME@PROJECT.iam.gserviceaccount.com`
+1. **adminUserSecretType**: `raw`, `gcp` or `k8s` . With `raw`, you need to give root user password in `MySQL` custom resource. With `gcp`, you can securely store root user password in GCP SecretManager. This root user password is used to manage (create/edit/update) MySQL users, databases, etc. With k8s you need to create (in the same namespace where this operator is installed) two kubernetes secrets one for the root username and another one for root password.
+1. **gcpServiceAccount**: Only for `adminUserSecretType=gcp`. GCP service account for Pod `SA_NAME@PROJECT.iam.gserviceaccount.com`
     1. This service account needs the following roles:
         1. `roles/secretmanager.secretAccessor` to allow to get root password from SecretManager
 
-1. **gcpProjectId**: Only for `cloudSecretManagerType=gcp`
+1. **gcpProjectId**: Only for `adminUserSecretType=gcp`
 1. **cloudSQL.instanceConnectionName**: `InstanceConnectionName` for [Google Cloud SQL](https://cloud.google.com/sql/) if you use Cloud SQL to manage with mysql-operator. `<project-id>:<region>:<instance-name>`
 
 
@@ -21,7 +21,7 @@ You can check the final yaml with `--dry-run`:
 ```
 helm install mysql-operator ./charts/mysql-operator \
     --dry-run \
-    --set cloudSecretManagerType=gcp \
+    --set adminUserSecretType=gcp \
     --set gcpServiceAccount=${SA_NAME}@${PROJECT}.iam.gserviceaccount.com \
     --set gcpProjectId=$PROJECT \
     --set cloudSQL.instanceConnectionName=$PROJECT:$REGION:$INSTANCE_NAME \
@@ -32,7 +32,7 @@ helm install mysql-operator ./charts/mysql-operator \
 
 ```
 helm install mysql-operator ./charts/mysql-operator \
-    --set cloudSecretManagerType=gcp \
+    --set adminUserSecretType=gcp \
     --set gcpServiceAccount=${SA_NAME}@${PROJECT}.iam.gserviceaccount.com \
     --set gcpProjectId=$PROJECT \
     --set cloudSQL.instanceConnectionName=$PROJECT:$REGION:$INSTANCE_NAME \

diff --git a/...s/mysql-operator/templates/mysql-crd.yaml → charts/mysql-operator/crds/mysql-crd.yaml b/...s/mysql-operator/templates/mysql-crd.yaml → charts/mysql-operator/crds/mysql-crd.yaml
diff --git a/...mysql-operator/templates/mysqldb-crd.yaml → charts/mysql-operator/crds/mysqldb-crd.yaml b/...mysql-operator/templates/mysqldb-crd.yaml → charts/mysql-operator/crds/mysqldb-crd.yaml
diff --git a/...sql-operator/templates/mysqluser-crd.yaml → ...ts/mysql-operator/crds/mysqluser-crd.yaml b/...sql-operator/templates/mysqluser-crd.yaml → ...ts/mysql-operator/crds/mysqluser-crd.yaml
diff --git a/charts/mysql-operator/templates/deployment.yaml b/charts/mysql-operator/templates/deployment.yaml
@@ -31,9 +31,12 @@ spec:
       containers:
       - args:
         - --leader-elect
-        {{- if eq .Values.cloudSecretManagerType "gcp" }}
+        {{- if eq .Values.adminUserSecretType "gcp" }}
         - --cloud-secret-manager=gcp
         {{- end }}
+        {{- if eq .Values.adminUserSecretType "k8s" }}
+        - --cloud-secret-manager=k8s
+        {{- end }}
         command:
         - /manager
         image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
@@ -56,7 +59,7 @@ spec:
           }}
         securityContext:
           allowPrivilegeEscalation: false
-        {{- if eq .Values.cloudSecretManagerType "gcp" }}
+        {{- if eq .Values.adminUserSecretType "gcp" }}
         {{- if .Values.gcpServiceAccount }}
         env:
           - name: PROJECT_ID
@@ -72,7 +75,13 @@ spec:
             value: {{ .Values.gcpProjectId }}
         {{- end }}
         {{- end }}
-
+        {{- if eq .Values.adminUserSecretType "k8s" }}
+        env:
+          - name: WATCH_NAMESPACE
+            value: {{ .Release.Namespace }}
+          - name: SECRET_NAMESPACE
+            value: {{ .Release.Namespace }}
+        {{- end }}
       # https://cloud.google.com/sql/docs/mysql/connect-instance-kubernetes#deploy_the_sample_app
       {{- with .Values.cloudSQL }}
       # If you are using the Go Connector (recommended), you can
@@ -110,7 +119,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: {{ include "chart.fullname" . }}-controller-manager
       terminationGracePeriodSeconds: 10
-      {{- if and (eq .Values.cloudSecretManagerType "gcp") (empty .Values.gcpServiceAccount) }}
+      {{- if and (eq .Values.adminUserSecretType "gcp") (empty .Values.gcpServiceAccount) }}
       volumes:
         - name: gcp-sa-private-key
           secret:

diff --git a/charts/mysql-operator/templates/manager-rbac.yaml b/charts/mysql-operator/templates/manager-rbac.yaml
@@ -10,13 +10,10 @@ rules:
   resources:
   - secrets
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
+  - create
 - apiGroups:
   - ""
   resources:

diff --git a/charts/mysql-operator/values.yaml b/charts/mysql-operator/values.yaml
@@ -1,4 +1,6 @@
-cloudSecretManagerType: raw # set gcp if you use GCP SecretManager
+# set gcp if you use GCP SecretManager
+# set k8s if you use Kubernetes secrets
+adminUserSecretType: raw
 # gcpServiceAccount: GSA_NAME@GSA_PROJECT.iam.gserviceaccount.com
 # gcpProjectId: <projectid>
 # cloudSQL:
-Original file line number
+Diff line change
@@ Expand Up / @@ -10,13 +10,10 @@ rules: @@
       resources:
       - secrets
       verbs:
-      - create
-      - delete
       - get
       - list
-      - patch
-      - update
       - watch
+      - create
     - apiGroups:
       - ""
       resources:
@@ Expand Down @@