stackabletech · fhennig · Jul 10, 2024 · Jun 3, 2024 · Jun 3, 2024 · Jun 4, 2024
diff --git a/rust/crd/src/authentication/ldap.rs b/rust/crd/src/authentication/ldap.rs
@@ -8,7 +8,7 @@ use stackable_operator::kube::ResourceExt;
 use crate::authentication::ResolvedAuthenticationClasses;
 use crate::{
     security::{add_cert_to_trust_store_cmd, STACKABLE_TLS_DIR, TLS_STORE_PASSWORD},
-    ENV_INTERNAL_SECRET, RUNTIME_PROPS, RW_CONFIG_DIRECTORY,
+    ENV_INTERNAL_SECRET,
 };
 
 #[derive(Snafu, Debug)]
@@ -25,10 +25,8 @@ pub struct DruidLdapSettings {
     pub authentication_class_name: String,
 }
 
-pub const PLACEHOLDER_INTERNAL_CLIENT_PASSWORD: &str =
-    "xxx_druid_system_internal_client_password_xxx";
-pub const PLACEHOLDER_LDAP_BIND_PASSWORD: &str = "xxx_ldap_bind_password_xxx";
-pub const PLACEHOLDER_LDAP_BIND_USER: &str = "xxx_ldap_bind_user_xxx";
+pub const ENV_LDAP_BIND_USER: &str = "LDAP_BIND_USER";
+pub const ENV_LDAP_BIND_PASSWORD: &str = "LDAP_BIND_PASSWORD";
 
 impl DruidLdapSettings {
     pub fn new_from(
@@ -63,7 +61,7 @@ impl DruidLdapSettings {
 
         config.insert(
             format!("{PREFIX}.initialInternalClientPassword"),
-            Some(PLACEHOLDER_INTERNAL_CLIENT_PASSWORD.to_string()),
+            Some(format!("${{env:{ENV_INTERNAL_SECRET}}}").to_string()),
         );
         config.insert(
             format!("{PREFIX}.authorizerName"),
@@ -100,11 +98,11 @@ impl DruidLdapSettings {
         if self.ldap.bind_credentials_mount_paths().is_some() {
             config.insert(
                 format!("{PREFIX}.credentialsValidator.bindUser"),
-                Some(PLACEHOLDER_LDAP_BIND_USER.to_string()), // NOTE: this placeholder will be replaced from a mounted secret operator volume on container startup
+                Some(format!("${{env:{ENV_LDAP_BIND_USER}}}").to_string()),
             );
             config.insert(
                 format!("{PREFIX}.credentialsValidator.bindPassword"),
-                Some(PLACEHOLDER_LDAP_BIND_PASSWORD.to_string()), // NOTE: this placeholder will be replaced from a mounted secret operator volume on container startup
+                Some(format!("${{env:{ENV_LDAP_BIND_PASSWORD}}}").to_string()),
             );
         }
 
@@ -139,7 +137,7 @@ impl DruidLdapSettings {
         );
         config.insert(
             "druid.escalator.internalClientPassword".to_string(),
-            Some(PLACEHOLDER_INTERNAL_CLIENT_PASSWORD.to_string()),
+            Some(format!("${{env:{ENV_INTERNAL_SECRET}}}").to_string()),
         );
         config.insert(
             "druid.escalator.authorizerName".to_string(),
@@ -183,27 +181,15 @@ impl DruidLdapSettings {
     pub fn main_container_commands(&self) -> Vec<String> {
         let mut commands = Vec::new();
 
-        let runtime_properties_file: String = format!("{RW_CONFIG_DIRECTORY}/{RUNTIME_PROPS}");
-        let internal_client_password = format!("$(echo ${ENV_INTERNAL_SECRET})");
-
-        commands
-                .push(format!("echo \"Replacing LDAP placeholders with their proper values in {runtime_properties_file}\""));
-        commands.push(format!(
-            r#"sed "s|{PLACEHOLDER_INTERNAL_CLIENT_PASSWORD}|{internal_client_password}|g" -i {runtime_properties_file}"# // using another delimiter (|) here because of base64 string
-        ));
-
         if let Some((ldap_bind_user_path, ldap_bind_password_path)) =
             self.ldap.bind_credentials_mount_paths()
         {
-            let ldap_bind_user = format!("$(cat {ldap_bind_user_path})");
-            let ldap_bind_password = format!("$(cat {ldap_bind_password_path})");
-
             commands.push(format!(
-                    r#"sed "s/{PLACEHOLDER_LDAP_BIND_USER}/{ldap_bind_user}/g" -i {runtime_properties_file}"#
-                ));
+                "export {ENV_LDAP_BIND_USER}=\"$(cat {ldap_bind_user_path})\""
+            ));
             commands.push(format!(
-                    r#"sed "s/{PLACEHOLDER_LDAP_BIND_PASSWORD}/{ldap_bind_password}/g" -i {runtime_properties_file}"#
-                ));
+                "export {ENV_LDAP_BIND_PASSWORD}=\"$(cat {ldap_bind_password_path})\""
+            ));
         }
 
         commands

diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
@@ -136,9 +136,7 @@ pub const SC_VOLUME_NAME: &str = "segment-cache";
 
 pub const ENV_INTERNAL_SECRET: &str = "INTERNAL_SECRET";
 
-// DB credentials
-pub const DB_USERNAME_PLACEHOLDER: &str = "xxx_db_username_xxx";
-pub const DB_PASSWORD_PLACEHOLDER: &str = "xxx_db_password_xxx";
+// DB credentials - both of these are read from an env var by Druid with the ${env:...} syntax
 pub const DB_USERNAME_ENV: &str = "DB_USERNAME_ENV";
 pub const DB_PASSWORD_ENV: &str = "DB_PASSWORD_ENV";
 
@@ -518,7 +516,6 @@ impl DruidRole {
     pub fn main_container_prepare_commands(
         &self,
         s3_connection: Option<&S3ConnectionSpec>,
-        credentials_secret: Option<&String>,
     ) -> Vec<String> {
         let mut commands = vec![];
 
@@ -560,15 +557,6 @@ impl DruidRole {
             rw_conf = RW_CONFIG_DIRECTORY,
         ));
 
-        // db credentials
-        if credentials_secret.is_some() {
-            commands.extend([
-                format!("echo replacing {DB_USERNAME_PLACEHOLDER} and {DB_PASSWORD_PLACEHOLDER} with secret values."),
-                format!("sed -i \"s|{DB_USERNAME_PLACEHOLDER}|${DB_USERNAME_ENV}|g\" {RW_CONFIG_DIRECTORY}/{RUNTIME_PROPS}"),
-                format!("sed -i \"s|{DB_PASSWORD_PLACEHOLDER}|${DB_PASSWORD_ENV}|g\" {RW_CONFIG_DIRECTORY}/{RUNTIME_PROPS}"),
-            ]);
-        }
-
         commands
     }
 
@@ -631,11 +619,11 @@ impl DruidCluster {
                 if mds.credentials_secret.is_some() {
                     result.insert(
                         METADATA_STORAGE_USER.to_string(),
-                        Some(DB_USERNAME_PLACEHOLDER.into()),
+                        Some(format!("${{env:{DB_USERNAME_ENV}}}")),
                     );
                     result.insert(
                         METADATA_STORAGE_PASSWORD.to_string(),
-                        Some(DB_PASSWORD_PLACEHOLDER.into()),
+                        Some(format!("${{env:{DB_PASSWORD_ENV}}}")),
                     );
                 }
 

diff --git a/rust/operator-binary/src/druid_controller.rs b/rust/operator-binary/src/druid_controller.rs
@@ -915,8 +915,7 @@ fn build_rolegroup_statefulset(
         .metadata_storage_database
         .credentials_secret
         .as_ref();
-    let mut main_container_commands =
-        role.main_container_prepare_commands(s3_conn, credentials_secret);
+    let mut main_container_commands = role.main_container_prepare_commands(s3_conn);
     let mut prepare_container_commands = vec![];
     if let Some(ContainerLogConfig {
         choice: Some(ContainerLogConfigChoice::Automatic(log_config)),

diff --git a/tests/templates/kuttl/ldap-authentication/04-assert-ldap-user.yaml b/tests/templates/kuttl/ldap-authentication/04-assert-ldap-user.yaml
@@ -2,5 +2,5 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
 commands:
-  - script: kubectl exec -n $NAMESPACE openldap-0 -- ldapsearch -H ldap://localhost:1389 -D cn=admin,dc=example,dc=org -w admin -b ou=users,dc=example,dc=org > /dev/null
-  - script: kubectl exec -n $NAMESPACE openldap-0 -- bash -c LDAPTLS_CACERT=/tls/ca.crt ldapsearch -Z -H ldaps://localhost:1636 -D cn=admin,dc=example,dc=org -w admin -b ou=users,dc=example,dc=org > /dev/null
+  - script: kubectl exec -n $NAMESPACE openldap-0 -- ldapsearch -H ldap://localhost:1389 -D cn=admin,dc=example,dc=org -w "admin-pw withSpace$%\" &&} §" -b ou=users,dc=example,dc=org > /dev/null
+  - script: kubectl exec -n $NAMESPACE openldap-0 -- bash -c LDAPTLS_CACERT=/tls/ca.crt ldapsearch -Z -H ldaps://localhost:1636 -D cn=admin,dc=example,dc=org -w "admin-pw withSpace$%\" &&} §" -b ou=users,dc=example,dc=org > /dev/null
diff --git a/tests/templates/kuttl/ldap-authentication/create-authentication-classes.yaml.j2 b/tests/templates/kuttl/ldap-authentication/create-authentication-classes.yaml.j2
@@ -46,4 +46,4 @@ metadata:
     secrets.stackable.tech/class: druid-ldap-secret
 stringData:
   user: cn=admin,dc=example,dc=org
-  password: admin
+  password: "admin-pw withSpace$%\" &&} §"
diff --git a/tests/templates/kuttl/ldap-authentication/install-openldap.yaml.j2 b/tests/templates/kuttl/ldap-authentication/install-openldap.yaml.j2
@@ -44,7 +44,7 @@ spec:
             - name: LDAP_ADMIN_USERNAME
               value: admin
             - name: LDAP_ADMIN_PASSWORD
-              value: admin
+              value: "admin-pw withSpace$%\" &&} §"  # use spaces and special characters to make sure it doesn't break anything
             - name: LDAP_ENABLE_TLS
               value: \"yes\"
             - name: LDAP_TLS_CERT_FILE