Skip to content

user: make passwordRef optional#726

Open
mandre wants to merge 1 commit intok-orc:mainfrom
shiftstack:optional-password
Open

user: make passwordRef optional#726
mandre wants to merge 1 commit intok-orc:mainfrom
shiftstack:optional-password

Conversation

@mandre
Copy link
Copy Markdown
Collaborator

@mandre mandre commented Mar 30, 2026

Keystone allows creating passwordless users for authentication via
federation, application credentials, or other means. Make passwordRef
optional so ORC can create users without a password.

A CEL validation on UserResourceSpec prevents removing passwordRef
once set, since Keystone does not support clearing a password via the
API. The field remains mutable (can be changed to a different Secret).

Fixes #724
Depends on #725

@github-actions github-actions bot added the semver:major Breaking change label Mar 30, 2026
@mandre
Copy link
Copy Markdown
Collaborator Author

mandre commented Mar 30, 2026

Not actually a semver:major because the breaking changes affects codes that is not part of a release yet.

@mandre mandre mentioned this pull request Mar 30, 2026
Merged
@dlaw4608 dlaw4608 mentioned this pull request Mar 31, 2026
Merged
dlaw4608
dlaw4608 approved these changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@dlaw4608 dlaw4608 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks @mandre

@mandre mandre added this pull request to the merge queue Mar 31, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to invalid changes in the merge commit Mar 31, 2026
@mandre
user: make passwordRef optional
5dc3f40 
Keystone allows creating passwordless users for authentication via
federation, application credentials, or other means. Make passwordRef
optional so ORC can create users without a password.

A CEL validation on UserResourceSpec prevents removing passwordRef
once set, since Keystone does not support clearing a password via the
API. The field remains mutable (can be changed to a different Secret).
@mandre mandre force-pushed the optional-password branch from 7bb10be to 5dc3f40 Compare March 31, 2026 14:49
@mandre mandre enabled auto-merge March 31, 2026 14:49
@mandre mandre added this pull request to the merge queue Mar 31, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 31, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dlaw4608 dlaw4608 dlaw4608 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

semver:major Breaking change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Keystone: Make user password optional

2 participants

@mandre @dlaw4608