user: make passwordRef optional

Keystone allows creating passwordless users for authentication via
federation, application credentials, or other means. Make passwordRef
optional so ORC can create users without a password.

A CEL validation on UserResourceSpec prevents removing passwordRef
once set, since Keystone does not support clearing a password via the
API. The field remains mutable (can be changed to a different Secret).

Author: mandre

api/v1alpha1/user_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 // UserResourceSpec contains the desired state of the resource.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.passwordRef) || has(self.passwordRef)",message="passwordRef may not be removed once set"
 type UserResourceSpec struct {
 	// name will be the name of the created resource. If not specified, the
 	// name of the ORC object will be used.
@@ -45,8 +46,9 @@ type UserResourceSpec struct {
 
 	// passwordRef is a reference to a Secret containing the password
 	// for this user. The Secret must contain a key named "password".
-	// +required
-	PasswordRef KubernetesNameRef `json:"passwordRef,omitempty"`
+	// If not specified, the user is created without a password.
+	// +optional
+	PasswordRef *KubernetesNameRef `json:"passwordRef,omitempty"`
 }
 
 // UserFilter defines an existing resource by its properties

api/v1alpha1/zz_generated.deepcopy.go

@@ -190,12 +190,14 @@ spec:
                     description: |-
                       passwordRef is a reference to a Secret containing the password
                       for this user. The Secret must contain a key named "password".
+                      If not specified, the user is created without a password.
                     maxLength: 253
                     minLength: 1
                     type: string
-                required:
-                - passwordRef
                 type: object
+                x-kubernetes-validations:
+                - message: passwordRef may not be removed once set
+                  rule: '!has(oldSelf.passwordRef) || has(self.passwordRef)'
             required:
             - cloudCredentialsRef
             type: object

cmd/models-schema/zz_generated.openapi.go

@@ -140,10 +140,10 @@ func (actuator userActuator) CreateResource(ctx context.Context, obj orcObjectPT
 	}
 
 	var password string
-	{
+	if resource.PasswordRef != nil {
 		secret, secretReconcileStatus := dependency.FetchDependency(
 			ctx, actuator.k8sClient, obj.Namespace,
-			&resource.PasswordRef, "Secret",
+			resource.PasswordRef, "Secret",
 			func(*corev1.Secret) bool { return true },
 		)
 		reconcileStatus = reconcileStatus.WithReconcileStatus(secretReconcileStatus)
@@ -189,11 +189,11 @@ func (actuator userActuator) DeleteResource(ctx context.Context, _ orcObjectPT,
 func (actuator userActuator) reconcilePassword(ctx context.Context, obj orcObjectPT, osResource *osResourceT) progress.ReconcileStatus {
 	log := ctrl.LoggerFrom(ctx)
 	resource := obj.Spec.Resource
-	if resource == nil {
+	if resource == nil || resource.PasswordRef == nil {
 		return nil
 	}
 
-	currentRef := string(resource.PasswordRef)
+	currentRef := string(*resource.PasswordRef)
 	var lastAppliedRef string
 	if obj.Status.Resource != nil {
 		lastAppliedRef = obj.Status.Resource.AppliedPasswordRef
@@ -206,7 +206,7 @@ func (actuator userActuator) reconcilePassword(ctx context.Context, obj orcObjec
 	// Read the password from the referenced Secret
 	secret, secretRS := dependency.FetchDependency(
 		ctx, actuator.k8sClient, obj.Namespace,
-		&resource.PasswordRef, "Secret",
+		resource.PasswordRef, "Secret",
 		func(*corev1.Secret) bool { return true },
 	)
 	if secretRS != nil {

config/crd/bases/openstack.k-orc.cloud_users.yaml

@@ -91,10 +91,10 @@ var passwordDependency = dependency.NewDependency[*orcv1alpha1.UserList, *corev1
 	"spec.resource.passwordRef",
 	func(user *orcv1alpha1.User) []string {
 		resource := user.Spec.Resource
-		if resource == nil {
+		if resource == nil || resource.PasswordRef == nil {
 			return nil
 		}
-		return []string{string(resource.PasswordRef)}
+		return []string{string(*resource.PasswordRef)}
 	},
 )
 

internal/controllers/user/actuator.go

@@ -1,12 +1,4 @@
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: user-create-minimal
-type: Opaque
-stringData:
-  password: "TestPassword"
----
 apiVersion: openstack.k-orc.cloud/v1alpha1
 kind: User
 metadata:
@@ -16,5 +8,4 @@ spec:
     cloudName: openstack-admin
     secretName: openstack-clouds
   managementPolicy: managed
-  resource:
-    passwordRef: user-create-minimal
+  resource: {}

internal/controllers/user/controller.go

@@ -2,7 +2,7 @@
 
 ## Step 00
 
-Create a minimal User, that sets only the required fields, and verify that the observed state corresponds to the spec.
+Create a minimal User without a password, and verify that the observed state corresponds to the spec.
 
 Also validate that the OpenStack resource uses the name of the ORC object when no name is explicitly specified.
 

internal/controllers/user/tests/user-create-minimal/00-create-resource.yaml

@@ -1,12 +1,4 @@
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: user-import-dependency-password
-type: Opaque
-stringData:
-  password: "TestPassword"
----
 apiVersion: openstack.k-orc.cloud/v1alpha1
 kind: Domain
 metadata:

internal/controllers/user/tests/user-create-minimal/README.md

@@ -21,5 +21,4 @@ spec:
     secretName: openstack-clouds
   managementPolicy: managed
   resource:
-    domainRef: user-import-dependency-not-this-one
-    passwordRef: user-import-dependency-password
+    domainRef: user-import-dependency-not-this-one