apecloud · cjc7373 · Jun 26, 2025 · Jun 25, 2025 · Jun 25, 2025 · Jun 25, 2025
@@ -441,6 +441,12 @@ type PasswordConfig struct {
 	// +optional
 	NumSymbols int32 `json:"numSymbols,omitempty"`
 
+	// The set of symbols allowed when generating password. If empty, kubeblocks will
+	// use a default symbol set, which is "!@#&*".
+	//
+	// +optional
+	SymbolCharacters string `json:"symbolCharacters,omitempty"`
+
 	// The case of the letters in the password.
 	//
 	// +kubebuilder:default=MixedCases

@@ -4207,6 +4207,11 @@ spec:
                                   Seed to generate the account's password.
                                   Cannot be updated.
                                 type: string
+                              symbolCharacters:
+                                description: |-
+                                  The set of symbols allowed when generating password. If empty, kubeblocks will
+                                  use a default symbol set, which is "!@#&*".
+                                type: string
                             type: object
                           secretRef:
                             description: |-
@@ -11933,6 +11938,11 @@ spec:
                                       Seed to generate the account's password.
                                       Cannot be updated.
                                     type: string
+                                  symbolCharacters:
+                                    description: |-
+                                      The set of symbols allowed when generating password. If empty, kubeblocks will
+                                      use a default symbol set, which is "!@#&*".
+                                    type: string
                                 type: object
                               secretRef:
                                 description: |-

@@ -16658,6 +16658,11 @@ spec:
                             Seed to generate the account's password.
                             Cannot be updated.
                           type: string
+                        symbolCharacters:
+                          description: |-
+                            The set of symbols allowed when generating password. If empty, kubeblocks will
+                            use a default symbol set, which is "!@#&*".
+                          type: string
                       type: object
                     statement:
                       description: |-

@@ -4403,6 +4403,11 @@ spec:
                             Seed to generate the account's password.
                             Cannot be updated.
                           type: string
+                        symbolCharacters:
+                          description: |-
+                            The set of symbols allowed when generating password. If empty, kubeblocks will
+                            use a default symbol set, which is "!@#&*".
+                          type: string
                       type: object
                     secretRef:
                       description: |-

@@ -21,7 +21,6 @@ package cluster
 
 import (
 	"fmt"
-	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -163,25 +162,12 @@ func (t *clusterShardingAccountTransformer) buildPassword(transCtx *clusterTrans
 		return nil, fmt.Errorf("failed to restore password for system account %s of shard %s from annotation", account.Name, shardingName)
 	}
 	if len(password) == 0 {
-		password = t.generatePassword(account)
+		password, err := common.GeneratePasswordByConfig(account.PasswordGenerationPolicy)
+		return []byte(password), err
 	}
 	return password, nil
 }
 
-func (t *clusterShardingAccountTransformer) generatePassword(account appsv1.SystemAccount) []byte {
-	config := account.PasswordGenerationPolicy
-	passwd, _ := common.GeneratePassword((int)(config.Length), (int)(config.NumDigits), (int)(config.NumSymbols), config.Seed)
-	switch config.LetterCase {
-	case appsv1.UpperCases:
-		passwd = strings.ToUpper(passwd)
-	case appsv1.LowerCases:
-		passwd = strings.ToLower(passwd)
-	case appsv1.MixedCases:
-		passwd, _ = common.EnsureMixedCase(passwd, config.Seed)
-	}
-	return []byte(passwd)
-}
-
 func (t *clusterShardingAccountTransformer) newAccountSecretWithPassword(transCtx *clusterTransformContext,
 	sharding *appsv1.ClusterSharding, accountName string, password []byte) (*corev1.Secret, error) {
 	var (

@@ -22,7 +22,6 @@ package component
 import (
 	"fmt"
 	"reflect"
-	"strings"
 
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/exp/maps"
@@ -219,25 +218,12 @@ func (t *componentAccountTransformer) buildPassword(ctx *componentTransformConte
 		password = []byte(factory.GetRestorePassword(ctx.SynthesizeComponent))
 	}
 	if len(password) == 0 {
-		return t.generatePassword(account), nil
+		password, err := common.GeneratePasswordByConfig(account.PasswordGenerationPolicy)
+		return []byte(password), err
 	}
 	return password, nil
 }
 
-func (t *componentAccountTransformer) generatePassword(account synthesizedSystemAccount) []byte {
-	config := account.PasswordGenerationPolicy
-	passwd, _ := common.GeneratePassword((int)(config.Length), (int)(config.NumDigits), (int)(config.NumSymbols), config.Seed)
-	switch config.LetterCase {
-	case appsv1.UpperCases:
-		passwd = strings.ToUpper(passwd)
-	case appsv1.LowerCases:
-		passwd = strings.ToLower(passwd)
-	case appsv1.MixedCases:
-		passwd, _ = common.EnsureMixedCase(passwd, config.Seed)
-	}
-	return []byte(passwd)
-}
-
 func (t *componentAccountTransformer) buildAccountSecretWithPassword(ctx *componentTransformContext,
 	synthesizeComp *component.SynthesizedComponent, account synthesizedSystemAccount, password []byte) (*corev1.Secret, error) {
 	secretName := constant.GenerateAccountSecretName(synthesizeComp.ClusterName, synthesizeComp.Name, account.Name)

@@ -4207,6 +4207,11 @@ spec:
                                   Seed to generate the account's password.
                                   Cannot be updated.
                                 type: string
+                              symbolCharacters:
+                                description: |-
+                                  The set of symbols allowed when generating password. If empty, kubeblocks will
+                                  use a default symbol set, which is "!@#&*".
+                                type: string
                             type: object
                           secretRef:
                             description: |-
@@ -11933,6 +11938,11 @@ spec:
                                       Seed to generate the account's password.
                                       Cannot be updated.
                                     type: string
+                                  symbolCharacters:
+                                    description: |-
+                                      The set of symbols allowed when generating password. If empty, kubeblocks will
+                                      use a default symbol set, which is "!@#&*".
+                                    type: string
                                 type: object
                               secretRef:
                                 description: |-

@@ -16658,6 +16658,11 @@ spec:
                             Seed to generate the account's password.
                             Cannot be updated.
                           type: string
+                        symbolCharacters:
+                          description: |-
+                            The set of symbols allowed when generating password. If empty, kubeblocks will
+                            use a default symbol set, which is "!@#&*".
+                          type: string
                       type: object
                     statement:
                       description: |-

@@ -4403,6 +4403,11 @@ spec:
                             Seed to generate the account's password.
                             Cannot be updated.
                           type: string
+                        symbolCharacters:
+                          description: |-
+                            The set of symbols allowed when generating password. If empty, kubeblocks will
+                            use a default symbol set, which is "!@#&*".
+                          type: string
                       type: object
                     secretRef:
                       description: |-

diff --git a/docs/developer_docs/api-reference/cluster.md b/docs/developer_docs/api-reference/cluster.md
@@ -8634,6 +8634,19 @@ int32
 </tr>
 <tr>
 <td>
+<code>symbolCharacters</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>The set of symbols allowed when generating password. If empty, kubeblocks will
+use a default symbol set, which is &ldquo;!@#&amp;*&rdquo;.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>letterCase</code><br/>
 <em>
 <a href="#apps.kubeblocks.io/v1.LetterCase">

@@ -23,15 +23,18 @@ import (
 	"crypto/sha256"
 	"encoding/binary"
 	mathrand "math/rand"
+	"strings"
 	"time"
 	"unicode"
 
 	"github.com/sethvargo/go-password/password"
+
+	appsv1 "github.com/apecloud/kubeblocks/apis/apps/v1"
 )
 
 const (
-	// Symbols is the list of symbols.
-	Symbols = "!@#&*"
+	// DefaultSymbols is the list of default symbols to generate password.
+	DefaultSymbols = "!@#&*"
 )
 
 type PasswordReader struct {
@@ -46,17 +49,36 @@ func (r *PasswordReader) Seed(seed int64) {
 	r.rand.Seed(seed)
 }
 
+func GeneratePasswordByConfig(config appsv1.PasswordConfig) (string, error) {
+	passwd, err := GeneratePassword((int)(config.Length), (int)(config.NumDigits), (int)(config.NumSymbols), config.Seed, config.SymbolCharacters)
+	if err != nil {
+		return "", err
+	}
+	switch config.LetterCase {
+	case appsv1.UpperCases:
+		passwd = strings.ToUpper(passwd)
+	case appsv1.LowerCases:
+		passwd = strings.ToLower(passwd)
+	case appsv1.MixedCases:
+		passwd, err = EnsureMixedCase(passwd, config.Seed)
+	}
+	return passwd, err
+}
+
 // GeneratePassword generates a password with the given requirements and seed in lowercase.
-func GeneratePassword(length, numDigits, numSymbols int, seed string) (string, error) {
+func GeneratePassword(length, numDigits, numSymbols int, seed string, symbols string) (string, error) {
 	rand, err := newRngFromSeed(seed)
 	if err != nil {
 		return "", err
 	}
 	passwordReader := &PasswordReader{rand: rand}
+	if symbols == "" {
+		symbols = DefaultSymbols
+	}
 	gen, err := password.NewGenerator(&password.GeneratorInput{
 		LowerLetters: password.LowerLetters,
 		UpperLetters: password.UpperLetters,
-		Symbols:      Symbols,
+		Symbols:      symbols,
 		Digits:       password.Digits,
 		Reader:       passwordReader,
 	})
@@ -67,7 +89,8 @@ func GeneratePassword(length, numDigits, numSymbols int, seed string) (string, e
 }
 
 // EnsureMixedCase randomizes the letter casing in the given string, ensuring
-// that the result contains at least one uppercase and one lowercase letter
+// that the result contains at least one uppercase and one lowercase letter.
+// If the give string only has one letter, it is returned unmodified.
 func EnsureMixedCase(in, seed string) (string, error) {
 	runes := []rune(in)
 	letterIndices := make([]int, 0, len(runes))

@@ -20,6 +20,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 package common
 
 import (
+	"strings"
 	"testing"
 
 	"github.com/sethvargo/go-password/password"
@@ -34,7 +35,7 @@ func testGeneratorGeneratePasswordWithSeed(t *testing.T) {
 	resultSeedFirstTime := ""
 	resultSeedEachTime := ""
 	for i := 0; i < N; i++ {
-		res, err := GeneratePassword(10, 5, 0, seed)
+		res, err := GeneratePassword(10, 5, 0, seed, "")
 		if err != nil {
 			t.Error(err)
 		}
@@ -52,22 +53,43 @@ func testGeneratorGeneratePassword(t *testing.T) {
 	t.Run("exceeds_length", func(t *testing.T) {
 		t.Parallel()
 
-		if _, err := GeneratePassword(0, 1, 0, ""); err != password.ErrExceedsTotalLength {
+		if _, err := GeneratePassword(0, 1, 0, "", ""); err != password.ErrExceedsTotalLength {
 			t.Errorf("expected %q to be %q", err, password.ErrExceedsTotalLength)
 		}
 
-		if _, err := GeneratePassword(0, 0, 1, ""); err != password.ErrExceedsTotalLength {
+		if _, err := GeneratePassword(0, 0, 1, "", ""); err != password.ErrExceedsTotalLength {
 			t.Errorf("expected %q to be %q", err, password.ErrExceedsTotalLength)
 		}
 	})
 
+	t.Run("should respect allowed symbols", func(t *testing.T) {
+		t.Parallel()
+
+		symbols := "!$_#"
+		for i := 0; i < N; i++ {
+			res, err := GeneratePassword(10, 0, 5, "", symbols)
+			if err != nil {
+				t.Error(err)
+			}
+			for _, r := range res {
+				if r >= '0' && r <= '9' || r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' {
+					continue
+				}
+				if !strings.ContainsRune(symbols, r) {
+					t.Errorf("unexpected symbol %q in password %q", r, res)
+				}
+			}
+		}
+
+	})
+
 	t.Run("should be different when seed is empty", func(t *testing.T) {
 		t.Parallel()
 		resultSeedFirstTime := ""
 		resultSeedEachTime := ""
 		hasDiffPassword := false
 		for i := 0; i < N; i++ {
-			res, err := GeneratePassword(i%(len(password.LowerLetters)+len(password.UpperLetters)), 0, 0, "")
+			res, err := GeneratePassword(i%(len(password.LowerLetters)+len(password.UpperLetters)), 0, 0, "", "")
 			if err != nil {
 				t.Error(err)
 			}
@@ -126,7 +148,7 @@ func TestGeneratorEnsureMixedCase(t *testing.T) {
 
 		// Generate multiple passwords and check they have both upper and lower letters.
 		for i := 0; i < 100; i++ {
-			pwd, err := GeneratePassword(length, numDigits, numSymbols, seed)
+			pwd, err := GeneratePassword(length, numDigits, numSymbols, seed, "")
 			if err != nil {
 				t.Fatalf("unexpected error generating password: %v", err)
 			}
@@ -148,7 +170,7 @@ func TestGeneratorEnsureMixedCase(t *testing.T) {
 
 		var firstPwd string
 		for i := 0; i < 50; i++ {
-			pwd, err := GeneratePassword(length, numDigits, numSymbols, seed)
+			pwd, err := GeneratePassword(length, numDigits, numSymbols, seed, "")
 			if err != nil {
 				t.Fatalf("unexpected error generating password with seed: %v", err)
 			}