Skip to content

(feat): Support user creation on cluster init #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
utdrmac wants to merge 8 commits into from
Closed

(feat): Support user creation on cluster init #56

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
c323af4
add support for users
utdrmac Jan 15, 2026
cb2ef36
merge upstream
utdrmac Jan 16, 2026
7f47abd
add support for creating users
utdrmac Jan 16, 2026
3b1dbf1
golangci fix
utdrmac Jan 16, 2026
119b29a
reconcile on changed user secret
utdrmac Jan 18, 2026
5f8daae
e2e fix
utdrmac Jan 18, 2026
b17b26b
e2e test
utdrmac Jan 20, 2026
2f4d593
fix charlie user test
utdrmac Jan 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions api/v1alpha1/valkeycluster_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,46 @@ type ValkeyClusterSpec struct {
// +kubebuilder:default:={enabled:true}
// +optional
Exporter ExporterSpec `json:"exporter,omitempty"`

// Options, or config which are specific to Valkey server
// +optional
ValkeySpec ValkeySpec `json:"valkeyConfig,omitempty"`
}

// ValkeySpec defines any options, or configuration that is specific to valkey-server
type ValkeySpec struct {

// Auth-related structure for handling users, and acls
Auth AuthSpec `json:"auth,omitempty"`
}

// AuthSpec contains authorization, user, and ACL-related configurations
type AuthSpec struct {

// Users ACL Secret
// A reference name to a Secret containing raw user:permission entries, which will be processed first
// Defaults to clusterName-secret
// +optional
UsersSecretRef string `json:"usersSecretRef,omitempty"`

// Array of users with raw ACL, or reference to a key in the UsersSecretRef
Users map[string]UserAcl `json:"users,omitempty"`
Copy link
Copy Markdown
Collaborator

@jdheyburn jdheyburn Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest we use listType=map and listMapKey=name here to follow API design guidelines.

https://kubernetes.io/docs/reference/using-api/server-side-apply/

Copy link
Copy Markdown
Contributor Author

@utdrmac utdrmac Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

valkeycluster_types.go:101:2: must apply listType to an array, found object
valkeycluster_types.go:101:2: must apply listMapKey to an array, found object

}

type UserAcl struct {

// Raw ACL line, including password
Permissions string `json:"permissions,omitempty"`
Copy link
Copy Markdown
Collaborator

@jdheyburn jdheyburn Jan 24, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking out loud: I wonder if the operator should help provide an abstraction away from the syntax for permissions.

https://valkey.io/commands/acl-setuser/

Copy link
Copy Markdown
Contributor Author

@utdrmac utdrmac Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could, but I didn't want the operator to have to be responsible for validating ACL commands, and syntax. That seemed an overly complicated job for the operator.


// sha256 password
// kubebuilder:validation:MinLength=64
// kubebuilder:validation:MaxLength=65
// kubebuilder:XValidation:message="Password should be a sha256 hash"
Password string `json:"password,omitempty"`

// Reference to a key in UsersSecretRef containing the password for this user
// Defaults to the username
PasswordKeyRef string `json:"passwordKeyRef,omitempty"`
Comment on lines +111 to +115
Copy link
Copy Markdown
Collaborator

@jdheyburn jdheyburn Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACLs can support multiple passwords for a user. Such an example case would be if the password needs to be rolled, you can have both passwords active while the client switches between them.

Not critical for this PR, but so long as we're open to breaking changes while we're in alpha.

Copy link
Copy Markdown
Contributor Author

@utdrmac utdrmac Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, that's an advanced operation outside the scope of the operator. If the community consensus is to have such functionality, there's no argument from me, and I'll implement it. Or we can keep things simple for now, and add rotation later on.

}

type ExporterSpec struct {
Expand Down Expand Up @@ -154,6 +194,7 @@ const (
ReasonSlotsUnassigned = "SlotsUnassigned"
ReasonPrimaryLost = "PrimaryLost"
ReasonNoSlots = "NoSlotsAvailable"
ReasonUsersAclError = "UsersACLError"
)

// +kubebuilder:object:root=true
Expand Down
54 changes: 54 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 36 additions & 0 deletions config/crd/bases/valkey.io_valkeyclusters.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1163,6 +1163,42 @@ spec:
type: string
type: object
type: array
valkeyConfig:
description: Options, or config which are specific to Valkey server
properties:
auth:
description: Auth-related structure for handling users, and acls
properties:
users:
additionalProperties:
properties:
password:
description: |-
sha256 password
kubebuilder:validation:MinLength=64
kubebuilder:validation:MaxLength=65
kubebuilder:XValidation:message="Password should be a sha256 hash"
type: string
passwordKeyRef:
description: |-
Reference to a key in UsersSecretRef containing the password for this user
Defaults to the username
type: string
permissions:
description: Raw ACL line, including password
type: string
type: object
description: Array of users with raw ACL, or reference to
a key in the UsersSecretRef
type: object
usersSecretRef:
description: |-
Users ACL Secret
A reference name to a Secret containing raw user:permission entries, which will be processed first
Defaults to clusterName-secret
type: string
type: object
type: object
type: object
status:
default:
Expand Down
1 change: 1 addition & 0 deletions config/rbac/role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ rules:
- ""
resources:
- configmaps
- secrets
- services
verbs:
- create
Expand Down
23 changes: 23 additions & 0 deletions config/samples/v1alpha1_valkeycluster.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,33 @@
---
apiVersion: v1
kind: Secret
metadata:
name: valkeycluster-sample-users
data:
alicepw: M21wdHlQQHNzdzByZA==
bob: YjFjMzY4OTZkMzk5MjMwNDU5NTVjMzczZjM2NWVkNjg2Y2I5N2RiNTA1NGE0NTJjN2EzZmQ5MjAwZTMzNGYxZAo=
---
apiVersion: valkey.io/v1alpha1
kind: ValkeyCluster
metadata:
name: valkeycluster-sample
spec:
shards: 3
replicas: 1
valkeyConfig:
auth:
usersSecretRef: valkeycluster-sample-users
users:
alice:
permissions: +@list +@connection ~jobs:*
passwordKeyRef: alicepw
bob:
permissions: ~* +@all
charlie:
permissions: -@all +get ~secretkey ~valkey:*
password: sup3rS3cr3t
Copy link
Copy Markdown
Collaborator

@jdheyburn jdheyburn Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't this fail the validation that you have in place?

                            password:
                              description: |-
                                sha256 password
                                kubebuilder:validation:MinLength=64
                                kubebuilder:validation:MaxLength=65
                                kubebuilder:XValidation:message="Password should be a sha256 hash"
                              type: string

Copy link
Copy Markdown
Contributor Author

@utdrmac utdrmac Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, so much for e2e tests... Shouldn't this have been caught by the K8S api when the e2e test attempted to apply an invalid CR? (Will remove this anyways)

david:
permissions: -@all +@admin
resources:
requests:
memory: "256Mi"
Expand Down
13 changes: 13 additions & 0 deletions internal/controller/deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,11 @@ func generateContainersDef(cluster *valkeyiov1alpha1.ValkeyCluster) []corev1.Con
MountPath: "/config",
ReadOnly: true,
},
{
Name: "users-acl",
MountPath: "/config/users",
ReadOnly: true,
},
},
},
}
Expand Down Expand Up @@ -141,6 +146,14 @@ func createClusterDeployment(cluster *valkeyiov1alpha1.ValkeyCluster) *appsv1.De
},
},
},
{
Name: "users-acl",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: getInternalSecretName(cluster.Name),
},
},
},
},
},
},
Expand Down
Loading