diff --git a/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/cruisecontrol/HashLoginServiceApiCredentials.java b/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/cruisecontrol/HashLoginServiceApiCredentials.java
index 42fb7ab5f62..9d959b5d0c4 100644
--- a/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/cruisecontrol/HashLoginServiceApiCredentials.java
+++ b/cluster-operator/src/main/java/io/strimzi/operator/cluster/model/cruisecontrol/HashLoginServiceApiCredentials.java
@@ -223,7 +223,13 @@ private static String generateApiAuthFileAsString(Map entries
 if (secret != null) {
 if (secret.getData().containsKey(AUTH_FILE_KEY)) {
 String credentialsAsString = Util.decodeFromBase64(secret.getData().get(AUTH_FILE_KEY));
- entries.putAll(parseEntriesFromString(credentialsAsString));
+ for (Map.Entry entry : parseEntriesFromString(credentialsAsString).entrySet()) {
+ String key = entry.getKey();
+ UserEntry value = entry.getValue();
+ if (key.equals(REBALANCE_OPERATOR_USERNAME) || key.equals(HEALTHCHECK_USERNAME)) {
+ entries.put(key, value);
+ }
+ }
 }
 }
diff --git a/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/cruisecontrol/HashLoginServiceApiCredentialsTest.java b/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/cruisecontrol/HashLoginServiceApiCredentialsTest.java
index e3d9662c928..2bc49a7d5a7 100644
--- a/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/cruisecontrol/HashLoginServiceApiCredentialsTest.java
+++ b/cluster-operator/src/test/java/io/strimzi/operator/cluster/model/cruisecontrol/HashLoginServiceApiCredentialsTest.java
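Review bot: The new loop filters reused entries by username only, so whatever password and role are stored under `rebalance-operator` or `healthcheck` in the existing secret are still copied into `entries` unchanged. Unless code outside this hunk already checks them, consider reusing an entry only when its role is the one the operator itself would assign to that user, and regenerating it otherwise. Entries that fail the filter disappear silently; a warning that lists the discarded usernames (never the passwords) would make an unexpected edit to the operator-managed secret visible. The comparison is also safer written constant-first, `REBALANCE_OPERATOR_USERNAME.equals(key) || HEALTHCHECK_USERNAME.equals(key)`. The enclosing method starts and ends outside the hunk.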
@@ -268,10 +268,12 @@ public void testGenerateUserManagedApiCredentials() { public void testGenerateCoManagedApiCredentials() { PasswordGenerator mockPasswordGenerator = new PasswordGenerator(10, "a", "a"); - // Test that credentials from previous secret are reused + // Given an existing cruiseControlApi secret test that CO credentials are reused and user-managed credentials are deleted Map map1 = Map.of("cruise-control.authFile", encodeToBase64("rebalance-operator: password,ADMIN\n" + - "healthcheck: password,USER")); + "healthcheck: password,USER\n" + + "userOne: passwordOne, USER\n" + + "userTwo: passwordOne, VIEWER")); Map entries = new HashMap<>(); HashLoginServiceApiCredentials.generateCoManagedApiCredentials(entries, mockPasswordGenerator, createSecret(map1)); assertThat(entries.get("rebalance-operator").username(), is("rebalance-operator")); @@ -282,6 +284,10 @@ public void testGenerateCoManagedApiCredentials() { assertThat(entries.get("healthcheck").password(), is("password")); assertThat(entries.get("healthcheck").role(), is(HashLoginServiceApiCredentials.Role.USER)); + assertThat(entries.size(), is(2)); + assertThat(entries.get("userOne"), is(nullValue())); + assertThat(entries.get("userTwo"), is(nullValue())); + // Test malformed secret credentials with blank password for user throws error final Map map2 = Map.of("cruise-control.authFile", encodeToBase64("rebalance-operator: ,ADMIN\n" + diff --git a/documentation/api/io.strimzi.api.kafka.model.kafka.cruisecontrol.CruiseControlSpec.adoc b/documentation/api/io.strimzi.api.kafka.model.kafka.cruisecontrol.CruiseControlSpec.adoc index 2a66ab39137..a0415a521a6 100644 --- a/documentation/api/io.strimzi.api.kafka.model.kafka.cruisecontrol.CruiseControlSpec.adoc +++ b/documentation/api/io.strimzi.api.kafka.model.kafka.cruisecontrol.CruiseControlSpec.adoc 
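Review bot: The added assertions only cover extra usernames being dropped; nothing here pins what happens when the existing secret holds `rebalance-operator` or `healthcheck` with an unexpected role, which the username-only filter in HashLoginServiceApiCredentials would still reuse. A further fixture such as `healthcheck: password,ADMIN` (constructed example) with an explicit expectation would document whether that entry is accepted, rejected or regenerated. The three new assertions could also be a single key-set check, `assertThat(entries.keySet(), containsInAnyOrder("rebalance-operator", "healthcheck"));`, which names the unexpected key when it fails. The test method continues past the end of the second hunk.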
@@ -193,7 +193,7 @@ spec:
 cruiseControl:
 # ...
 apiUsers:
- type: hashloginservice
+ type: hashLoginService
 valueFrom:
 secretKeyRef:
 name: cruise-control-api-users-secret