support add/delete User manager my sql

PROJECT

@@ -92,8 +92,11 @@ resources:
   version: v1alpha1
   kind: MySQLVNetRule
 - group: azure
+  kind: MySQLUser
   version: v1alpha1
+- group: azure
   kind: AzureVirtualMachine
+  version: v1alpha1
 - group: azure
   version: v1alpha1
   kind: AzureSQLManagedUser
@@ -130,6 +133,4 @@ resources:
 - group: azure
   kind: AzureVirtualMachineExtension
   version: v1alpha1
-- group: azure
-  kind: AzureVirtualMachineExtension
-  version: v1alpha1
+

api/v1alpha1/mysqluser_types.go

@@ -0,0 +1,58 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// MySQLUserSpec defines the desired state of MySqlUser
+type MySQLUserSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+	Server        string   `json:"server"`
+	DbName        string   `json:"dbName"`
+	ResourceGroup string   `json:"resourceGroup,omitempty"`
+	Roles         []string `json:"roles"`
+	// optional
+	AdminSecret            string `json:"adminSecret,omitempty"`
+	AdminSecretKeyVault    string `json:"adminSecretKeyVault,omitempty"`
+	Username               string `json:"username,omitempty"`
+	KeyVaultToStoreSecrets string `json:"keyVaultToStoreSecrets,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+
+// MySQLUser is the Schema for the mysqlusers API
+// +kubebuilder:printcolumn:name="Provisioned",type="string",JSONPath=".status.provisioned"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.message"
+type MySQLUser struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   MySQLUserSpec `json:"spec,omitempty"`
+	Status ASOStatus     `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// MySQLUserList contains a list of MySQLUser
+type MySQLUserList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []MySQLUser `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&MySQLUser{}, &MySQLUserList{})
+}
+
+// IsSubmitted checks if sqluser is provisioning
+func (s *MySQLUser) IsSubmitted() bool {
+	return s.Status.Provisioning || s.Status.Provisioned
+}

charts/index.yaml

@@ -3,19 +3,19 @@ entries:
   azure-service-operator:
   - apiVersion: v2
     appVersion: 0.1.0
-    created: "2020-06-02T09:40:24.98057+08:00"
+    created: "2020-06-07T20:44:33.146559-06:00"
     dependencies:
     - condition: azureUseMI
       name: aad-pod-identity
       repository: https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts
       version: 1.5.5
     description: Deploy components and dependencies of azure-service-operator
-    digest: b549a78f07f6dca8a8f761cd65791ca8cad73b3bf90b03891101fa2cd70e3de8
+    digest: e5b46b9d1fb5a9183673bee06dc9592b3106aa692cfd9bef807ccab615163603
     home: https://github.com/Azure/azure-service-operator
     name: azure-service-operator
     sources:
     - https://github.com/Azure/azure-service-operator
     urls:
     - azure-service-operator-0.1.0.tgz
     version: 0.1.0
-generated: "2020-06-02T09:40:24.976336+08:00"
+generated: "2020-06-07T20:44:33.143346-06:00"

config/crd/kustomization.yaml

@@ -32,6 +32,7 @@ resources:
 - bases/azure.microsoft.com_mysqlservers.yaml
 - bases/azure.microsoft.com_mysqldatabases.yaml
 - bases/azure.microsoft.com_mysqlfirewallrules.yaml
+- bases/azure.microsoft.com_mysqlusers.yaml
 - bases/azure.microsoft.com_azurepublicipaddresses.yaml
 - bases/azure.microsoft.com_azurenetworkinterfaces.yaml
 - bases/azure.microsoft.com_mysqlvnetrules.yaml
@@ -83,6 +84,7 @@ patches:
 #- patches/webhook_in_rediscacheactions.yaml
 #- patches/webhook_in_rediscachefirewallrules.yaml
 #- patches/webhook_in_azurevirtualmachineextensions.yaml
+#- patches/webhook_in_mysqlusers.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CAINJECTION] patches here are for enabling the CA injection for each CRD
@@ -123,6 +125,7 @@ patches:
 #- patches/cainjection_in_rediscacheactions.yaml
 #- patches/cainjection_in_rediscachefirewallrules.yaml
 #- patches/cainjection_in_azurevirtualmachineextensions.yaml
+#- patches/cainjection_in_mysqlusers.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

config/crd/patches/cainjection_in_mysqlusers.yaml

@@ -0,0 +1,9 @@
+
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: mysqlusers.azure.microsoft.com

config/crd/patches/webhook_in_mysqlusers.yaml

@@ -0,0 +1,17 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: mysqlusers.azure.microsoft.com
+spec:
+  conversion:
+    strategy: Webhook
+    webhookClientConfig:
+      # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+      # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+      caBundle: Cg==
+      service:
+        namespace: system
+        name: webhook-service
+        path: /convert

config/rbac/mysqluser_editor_role.yaml

@@ -0,0 +1,24 @@
+# permissions for end users to edit mysqlusers.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: mysqluser-editor-role
+rules:
+- apiGroups:
+  - azure.microsoft.com
+  resources:
+  - mysqlusers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - azure.microsoft.com
+  resources:
+  - mysqlusers/status
+  verbs:
+  - get

config/rbac/mysqluser_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions for end users to view mysqlusers.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: mysqluser-viewer-role
+rules:
+- apiGroups:
+  - azure.microsoft.com
+  resources:
+  - mysqlusers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - azure.microsoft.com
+  resources:
+  - mysqlusers/status
+  verbs:
+  - get

config/samples/azure_v1alpha1_mysql_everything.yaml

@@ -0,0 +1,36 @@
+apiVersion: azure.microsoft.com/v1alpha1
+kind: MySQLServer
+metadata:
+  name: mysqlserver-sample
+spec:  
+  location: eastus2
+  resourceGroup: resourcegroup-azure-operators
+  serverVersion: "8.0"
+  sslEnforcement: Enabled
+  createMode: Default # Possible values include: Default, Replica, PointInTimeRestore (not implemented), GeoRestore (not implemented)
+  sku:
+    name: GP_Gen5_4 # tier + family + cores eg. - B_Gen4_1, GP_Gen5_4
+    tier: GeneralPurpose # possible values - 'Basic', 'GeneralPurpose', 'MemoryOptimized'
+    family: Gen5 
+    size: "51200"
+    capacity: 4
+---
+apiVersion: azure.microsoft.com/v1alpha1
+kind: MySQLDatabase
+metadata:
+  name: mysqldatabase-sample
+spec:
+  resourceGroup: resourcegroup-azure-operators
+  server: mysqlserver-sample
+
+---
+apiVersion: azure.microsoft.com/v1alpha1
+kind: MySQLFirewallRule
+metadata:
+  name: mysqlfirewallrule-sample
+spec:
+  resourceGroup: resourcegroup-azure-operators
+  server: mysqlserver-sample
+  startIpAddress: 0.0.0.0
+  endIpAddress: 0.0.0.0
+

config/samples/azure_v1alpha1_mysqluser.yaml

@@ -0,0 +1,25 @@
+apiVersion: azure.microsoft.com/v1alpha1
+kind: MySQLUser
+metadata:
+  name: mysqluser-sample
+spec:
+  server: mysqlserver-sample
+  dbName: mysqldatabase-sample
+  resourceGroup: resourcegroup-azure-operators
+  roles: 
+  #now only supports to grant privileges to a new user, the privileges could be one or more of the below
+  #SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, 
+  #CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, 
+  #CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER
+  # This adds the privileges to the specified database
+    - SELECT
+  # Specify a specific username for the user
+  # username: mysqluser-sample
+  # Specify adminSecret and adminSecretKeyVault if you want to 
+  # read the MYSQL server admin creds from a specific keyvault secret
+  # adminSecret: mysqlserver-sample
+  # adminSecretKeyVault: asokeyvault
+
+  # Use the field below to optionally specify a different keyvault 
+  # to store the secrets in
+  # keyVaultToStoreSecrets: asokeyvault

controllers/mysqluser_controller.go

@@ -0,0 +1,29 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package controllers
+
+import (
+	ctrl "sigs.k8s.io/controller-runtime"
+
+	azurev1alpha1 "github.com/Azure/azure-service-operator/api/v1alpha1"
+)
+
+// MySQLUserReconciler reconciles a MySQLUser object
+type MySQLUserReconciler struct {
+	Reconciler *AsyncReconciler
+}
+
+// Reconcile for mysqluser
+// +kubebuilder:rbac:groups=azure.microsoft.com,resources=mysqlusers,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=azure.microsoft.com,resources=mysqlusers/status,verbs=get;update;patch
+func (r *MySQLUserReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+	return r.Reconciler.Reconcile(req, &azurev1alpha1.MySQLUser{})
+}
+
+// SetupWithManager runs reconcile loop with manager
+func (r *MySQLUserReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&azurev1alpha1.MySQLUser{}).
+		Complete(r)
+}