Feat/support authentication plugins like ldap simple

apis/cluster/mysql/v1alpha1/user_types.go

@@ -46,6 +46,17 @@ type UserParameters struct {
 	// +optional
 	ResourceOptions *ResourceOptions `json:"resourceOptions,omitempty"`
 
+	// AuthPlugin sets the mysql authentication plugin.
+	// If not specified (nil or empty string), the database server's default authentication plugin is used.
+	// This allows compatibility with different MySQL/MariaDB versions and their default authentication methods.
+	// Common plugins: caching_sha2_password (MySQL 8.0+), mysql_native_password, authentication_ldap_simple, etc.
+	// +optional
+	// +kubebuilder:validation:Pattern:=^([a-z]+_)+[a-z]+$
+	AuthPlugin *string `json:"authPlugin,omitempty"`
+
+	// UsePassword indicate whether the provided AuthPlugin requires setting a password, defaults to true
+	// +optional
+	UsePassword *bool `json:"usePassword,omitempty" default:"true"`
 	// BinLog defines whether the create, delete, update operations of this user are propagated to replicas. Defaults to true
 	// +optional
 	BinLog *bool `json:"binlog,omitempty"`
@@ -74,6 +85,9 @@ type ResourceOptions struct {
 type UserObservation struct {
 	// ResourceOptionsAsClauses represents the applied resource options
 	ResourceOptionsAsClauses []string `json:"resourceOptionsAsClauses,omitempty"`
+
+	// AuthPlugin represents the applied mysql authentication plugin
+	AuthPlugin *string `json:"authPlugin,omitempty"`
 }
 
 // +kubebuilder:object:root=true

apis/namespaced/mysql/v1alpha1/user_types.go

@@ -42,6 +42,18 @@ type UserParameters struct {
 	// +optional
 	PasswordSecretRef *xpv1.LocalSecretKeySelector `json:"passwordSecretRef,omitempty"`
 
+	// AuthPlugin specifies the authentication plugin to use for the user.
+	// If not specified (nil or empty string), the database server's default authentication plugin is used.
+	// Common values include "mysql_native_password", "caching_sha2_password", "authentication_ldap_simple".
+	// See https://dev.mysql.com/doc/refman/8.0/en/authentication-plugins.html
+	// +optional
+	// +kubebuilder:validation:Pattern:=^([a-z]+_)+[a-z]+$
+	AuthPlugin *string `json:"authPlugin,omitempty"`
+
+	// UsePassword indicate whether the provided AuthPlugin requires setting a password, defaults to true
+	// +optional
+	UsePassword *bool `json:"usePassword,omitempty" default:"true"`
+
 	// ResourceOptions sets account specific resource limits.
 	// See https://dev.mysql.com/doc/refman/8.0/en/user-resources.html
 	// +optional
@@ -73,6 +85,9 @@ type ResourceOptions struct {
 
 // A UserObservation represents the observed state of a MySQL user.
 type UserObservation struct {
+	// AuthPlugin is the authentication plugin currently configured for the user
+	AuthPlugin *string `json:"authPlugin,omitempty"`
+
 	// ResourceOptionsAsClauses represents the applied resource options
 	ResourceOptionsAsClauses []string `json:"resourceOptionsAsClauses,omitempty"`
 }

examples/cluster/mysql/user_with_auth_plugin.yaml

@@ -0,0 +1,52 @@
+---
+# Example: User with custom authentication plugin (e.g., LDAP)
+# Some authentication plugins like authentication_ldap_simple don't require
+# passwords, so usePassword is set to false
+apiVersion: mysql.sql.crossplane.io/v1alpha1
+kind: User
+metadata:
+  name: example-ldap-user
+spec:
+  forProvider:
+    authPlugin: authentication_ldap_simple
+    usePassword: false  # LDAP authentication doesn't use a MySQL password
+  providerConfigRef:
+    name: example
+---
+# Example: User with specific authentication plugin and password
+# For plugins that require passwords like caching_sha2_password
+apiVersion: mysql.sql.crossplane.io/v1alpha1
+kind: User
+metadata:
+  name: example-caching-sha2-user
+spec:
+  forProvider:
+    authPlugin: caching_sha2_password
+    passwordSecretRef:
+      name: example-pw
+      namespace: default
+      key: password
+  writeConnectionSecretToRef:
+    name: example-sha2-connection-secret
+    namespace: default
+  providerConfigRef:
+    name: example
+---
+# Example: User without authPlugin specified (uses database server default)
+# This is the recommended approach for maximum compatibility
+# across different MySQL/MariaDB versions
+apiVersion: mysql.sql.crossplane.io/v1alpha1
+kind: User
+metadata:
+  name: example-default-user
+spec:
+  forProvider:
+    passwordSecretRef:
+      name: example-pw
+      namespace: default
+      key: password
+  writeConnectionSecretToRef:
+    name: example-default-connection-secret
+    namespace: default
+  providerConfigRef:
+    name: example

examples/namespaced/mysql/user_with_auth_plugin.yaml

@@ -0,0 +1,51 @@
+---
+# Example: Namespaced User with custom authentication plugin (e.g., LDAP)
+# Some authentication plugins like authentication_ldap_simple don't require
+# passwords, so usePassword is set to false
+apiVersion: mysql.sql.m.crossplane.io/v1alpha1
+kind: User
+metadata:
+  name: example-ldap-user
+  namespace: default
+spec:
+  forProvider:
+    authPlugin: authentication_ldap_simple
+    usePassword: false  # LDAP authentication doesn't use a MySQL password
+  providerConfigRef:
+    name: example
+---
+# Example: Namespaced User with specific authentication plugin and password
+# For plugins that require passwords like caching_sha2_password
+apiVersion: mysql.sql.m.crossplane.io/v1alpha1
+kind: User
+metadata:
+  name: example-caching-sha2-user
+  namespace: default
+spec:
+  forProvider:
+    authPlugin: caching_sha2_password
+    passwordSecretRef:
+      name: example-pw
+      key: password
+  writeConnectionSecretToRef:
+    name: example-sha2-connection-secret
+  providerConfigRef:
+    name: example
+---
+# Example: Namespaced User without authPlugin specified (uses database server default)
+# This is the recommended approach for maximum compatibility
+# across different MySQL/MariaDB versions
+apiVersion: mysql.sql.m.crossplane.io/v1alpha1
+kind: User
+metadata:
+  name: example-default-user
+  namespace: default
+spec:
+  forProvider:
+    passwordSecretRef:
+      name: example-pw
+      key: password
+  writeConnectionSecretToRef:
+    name: example-default-connection-secret
+  providerConfigRef:
+    name: example

package/crds/mysql.sql.crossplane.io_users.yaml

@@ -71,6 +71,14 @@ spec:
                 description: UserParameters define the desired state of a MySQL user
                   instance.
                 properties:
+                  authPlugin:
+                    description: |-
+                      AuthPlugin sets the mysql authentication plugin.
+                      If not specified (nil or empty string), the database server's default authentication plugin is used.
+                      This allows compatibility with different MySQL/MariaDB versions and their default authentication methods.
+                      Common plugins: caching_sha2_password (MySQL 8.0+), mysql_native_password, authentication_ldap_simple, etc.
+                    pattern: ^([a-z]+_)+[a-z]+$
+                    type: string
                   binlog:
                     description: BinLog defines whether the create, delete, update
                       operations of this user are propagated to replicas. Defaults
@@ -117,6 +125,10 @@ spec:
                           connections to the server by an account
                         type: integer
                     type: object
+                  usePassword:
+                    description: UsePassword indicate whether the provided AuthPlugin
+                      requires setting a password, defaults to true
+                    type: boolean
                 type: object
               managementPolicies:
                 default:
@@ -211,6 +223,10 @@ spec:
                 description: A UserObservation represents the observed state of a
                   MySQL user.
                 properties:
+                  authPlugin:
+                    description: AuthPlugin represents the applied mysql authentication
+                      plugin
+                    type: string
                   resourceOptionsAsClauses:
                     description: ResourceOptionsAsClauses represents the applied resource
                       options

package/crds/mysql.sql.m.crossplane.io_users.yaml

@@ -57,6 +57,14 @@ spec:
                 description: UserParameters define the desired state of a MySQL user
                   instance.
                 properties:
+                  authPlugin:
+                    description: |-
+                      AuthPlugin specifies the authentication plugin to use for the user.
+                      If not specified (nil or empty string), the database server's default authentication plugin is used.
+                      Common values include "mysql_native_password", "caching_sha2_password", "authentication_ldap_simple".
+                      See https://dev.mysql.com/doc/refman/8.0/en/authentication-plugins.html
+                    pattern: ^([a-z]+_)+[a-z]+$
+                    type: string
                   binlog:
                     description: BinLog defines whether the create, delete, update
                       operations of this user are propagated to replicas. Defaults
@@ -98,6 +106,10 @@ spec:
                           connections to the server by an account
                         type: integer
                     type: object
+                  usePassword:
+                    description: UsePassword indicate whether the provided AuthPlugin
+                      requires setting a password, defaults to true
+                    type: boolean
                 type: object
               managementPolicies:
                 default:
@@ -164,6 +176,10 @@ spec:
                 description: A UserObservation represents the observed state of a
                   MySQL user.
                 properties:
+                  authPlugin:
+                    description: AuthPlugin is the authentication plugin currently
+                      configured for the user
+                    type: string
                   resourceOptionsAsClauses:
                     description: ResourceOptionsAsClauses represents the applied resource
                       options