(feat) Support for creating users on cluster init

[utdrmac]

Resolves #36

This feature allows for the creation of Valkey users on cluster initialization. The feature abstracts Valkey ACL permissions into several objects, giving better readability, and creation flexibility to users that may not be intimately familiar with Valkey ACLs.

[utdrmac]

e2e tests pass in my local kind cluster

=== RUN   TestE2E
  Starting valkey-operator e2e test suite
Running Suite: e2e suite - /home/utdrmac/dockers/valkey-operator/test/e2e
=======================================================================
Random Seed: 1770743918

Will run 10 of 10 specs
------------------------------
...
Ran 10 of 10 Specs in 135.056 seconds
SUCCESS! -- 10 Passed | 0 Failed | 0 Pending | 0 Skipped
--- PASS: TestE2E (135.06s)
PASS
ok  	valkey.io/valkey-operator/test/e2e	135.065s
make cleanup-test-e2e
...

[utdrmac]

K8S holds on to events for an extended period of time, even after a cluster is deleted. This call to purge events was added because subsequent e2e tests would fail if a previous test failed due to the e2e test fetching all events.

[bjosv]

Good catch. We could move it to valkeycluster_test.go to have it close to where its needed.
This is also the only testcase/context where we use involvedObject.name=valkeycluster-sample.
I guess it needs to be in a BeforeEach instead then.

[utdrmac]

The golangci-lint was only ran during github e2e tests, and it was frustrating for this to fail remotely. Simple change to check this locally first.

[utdrmac]

I added some comments for 2 changes outside the scope of the PR.

[jdheyburn]

This is great to see, thank you for putting the time in! Just left some comments for clarity

[sandeepkunusoth]

i think passwordEnabled or enabledPassword would be good naming here instead of NoPassword. Also i am not sure this is general use case of having nopass attached to user. if they really want to acheieve this they can always use rawacl.

[jdheyburn]

It might not be general or recommended, but if Valkey exposes it as an option it might be useful to abstract it away.

https://valkey.io/topics/acl/#configure-acls-with-the-acl-command

This boolean is used in the PR in a few places. If we were to remove NoPassword here, would we change those conditions to be 'nopass' in RawAcl (pseudocode) ?

[utdrmac]

I think the idea was since the ACL keyword is nopass then this follows-ish 1:1. Since the default is false if not specified, is there a strong reason to remove it? As the code is now, if removed, then passwords are always searched for even in a nopass=true case. The code would then need to check rawAcl for presence of nopass to achieve same logic.

[jdheyburn]

I think we're almost there with this PR, just pending @sandeepkunusoth approval from their remaining comments

[bjosv]

Good catch. We could move it to valkeycluster_test.go to have it close to where its needed.
This is also the only testcase/context where we use involvedObject.name=valkeycluster-sample.
I guess it needs to be in a BeforeEach instead then.

[bjosv]

Interesting that this isn't showing in CI, our current main (given by kubebuilder) uses

make lint            
...
Downloading github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.7.2
0 issues.

which is using
go: downloading github.com/alexkohler/prealloc v1.0.0

Is this seen with newer versions of golangci-lint/prealloc?

[utdrmac]

Must be. I'm using golangci-lint has version 2.8.0 built with go1.25.5

[bjosv]

LGTM, my previous comments are nits

[utdrmac]

Resolved conflict with c679809

[jdheyburn]

@utdrmac I think there is a bad merge pulling in some functions that no longer exist. Would you mind double checking to see what can be removed? Once that's done I'll approve and merge. Thanks again!

[utdrmac]

Hmm, I didn't run into any issues with git merge main. 🤷 Anyooo, I merged main and reran test suite:

...
  STEP: uninstalling CRDs @ 02/26/26 15:08:00.503
  running: "make uninstall"
  STEP: removing manager namespace @ 02/26/26 15:08:01.891
  running: "kubectl delete ns valkey-operator-system"
[AfterSuite] PASSED [26.256 seconds]
------------------------------

Ran 11 of 11 Specs in 220.267 seconds
SUCCESS! -- 11 Passed | 0 Failed | 0 Pending | 0 Skipped
--- PASS: TestE2E (220.27s)
PASS
ok  	valkey.io/valkey-operator/test/e2e	220.277s

[utdrmac]

f976ef7 is my forgotten sign-off of 318c67e

318c67e is a quick refactor to remove the extra boolean variable, and move around the logic so it's a bit cleaner

[jdheyburn]

Is this, and the other functions above it, the result of a bad merge?

[utdrmac]

upsertAnnotation is added by this PR. findShardPrimary was added in d777c83 I'm not seeing any merge issues.

[jdheyburn]

My apologies, the comparison I was making made it appear as something different :(

[jdheyburn]

Thank for your time and effort on this @utdrmac !

[jdheyburn]

Hey @utdrmac, I just deployed the sample cluster to a test cluster with this commit.

I am wanting to check on the expectation for the charlie user which does not have a password (although they are disabled). The logs are erroring on that there is a missing password key for the user.

2026-02-27T17:29:09Z    ERROR   missing password key in secret  {"controller": "valkeycluster", "controllerGroup": "valkey.io", "controllerKind": "ValkeyCluster", "ValkeyCluster": {"name":"valkeycluster-sample","namespace":"valkey-operator-system"}, "namespace": "valkey-operator-system", "name": "valkeycluster-sample", "reconcileID": "d110d30b-4d32-45ff-adae-023fbb440395", "user": "charlie", "secret": "valkeycluster-sample-users", "key": "charlie"}

[utdrmac]

@jdheyburn That is correct due to the logic flow. The first thing checked for is a password. If NoPassword is true, fetchUserPasswords exits early, and then then continues building the user. If NoPassword is false, (as is the case for charlie), the search inside the Secret takes place. This returns error because we can't add a user without password. If charlie did have a password, or NoPassword was true, he would get added in disabled ("user charlie off").

I guess it comes down to a design decision: Should users that are disabled appear in the ACL file? If yes, (current behavior), then the error is correct. If no, then the logic can be changed to completely skip users which are disabled (and print info message that user was skipped due to being disabled).

[hieu2102]

@utdrmac I think we should still create users if no password is provided. Otherwise modules that override the authentication flow (i.e valkey-ldap) will not works

[sandeepkunusoth]

@utdrmac I think we should still create users if no password is provided. Otherwise modules that override the authentication flow (i.e valkey-ldap) will not works

for nopass users we need to allow users with resetpass

[jdheyburn]

for nopass users we need to allow users with resetpass

@sandeepkunusoth Can you expand on the workflow you're describing and how it might be used?

@utdrmac @hieu2102 I think we should still create the user, but perhaps the logs could be tidied. If NoPass is defined then we don't need to error out, because we're not expecting a password.

[utdrmac]

@hieu2102 Gotcha; easy enough to change
@jdheyburn That makes sense on the logs.