YDBOPS-9691 fix GRPC TLS certificates in dynnodes (ydb-platform#207)

Author: kobzonega

deploy/ydb-operator/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.10
+version: 0.5.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.5.10"
+appVersion: "0.5.11"

internal/resources/database_statefulset.go

@@ -302,15 +302,15 @@ func buildTLSVolume(name string, configuration *api.TLSConfiguration) corev1.Vol
 				Items: []corev1.KeyToPath{
 					{
 						Key:  configuration.CertificateAuthority.Key,
-						Path: "ca.crt",
+						Path: wellKnownNameForTLSCertificateAuthority,
 					},
 					{
 						Key:  configuration.Certificate.Key,
-						Path: "tls.crt",
+						Path: wellKnownNameForTLSCertificate,
 					},
 					{
 						Key:  configuration.Key.Key,
-						Path: "tls.key",
+						Path: wellKnownNameForTLSPrivateKey,
 					},
 				},
 			},
@@ -434,15 +434,15 @@ func (b *DatabaseStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
 			Name:      grpcTLSVolumeName,
 			ReadOnly:  true,
-			MountPath: "/tls/grpc", // fixme const
+			MountPath: grpcTLSVolumeMountPath,
 		})
 	}
 
 	if b.Spec.Service.Interconnect.TLSConfiguration.Enabled {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
 			Name:      interconnectTLSVolumeName,
 			ReadOnly:  true,
-			MountPath: "/tls/interconnect", // fixme const
+			MountPath: interconnectTLSVolumeMountPath,
 		})
 	}
 
@@ -464,7 +464,7 @@ func (b *DatabaseStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount {
 			volumeMounts = append(volumeMounts, corev1.VolumeMount{
 				Name:      datastreamsTLSVolumeName,
 				ReadOnly:  true,
-				MountPath: "/tls/datastreams", // fixme const
+				MountPath: datastreamsTLSVolumeMountPath,
 			})
 		}
 	}
@@ -535,6 +535,18 @@ func (b *DatabaseStatefulSetBuilder) buildContainerArgs() ([]string, []string) {
 		)
 	}
 
+	// hotfix KIKIMR-16728
+	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
+		args = append(args,
+			"--grpc-cert",
+			fmt.Sprintf("%s/%s", grpcTLSVolumeMountPath, wellKnownNameForTLSCertificate),
+			"--grpc-key",
+			fmt.Sprintf("%s/%s", grpcTLSVolumeMountPath, wellKnownNameForTLSPrivateKey),
+			"--grpc-ca",
+			fmt.Sprintf("%s/%s", grpcTLSVolumeMountPath, wellKnownNameForTLSCertificateAuthority),
+		)
+	}
+
 	for _, secret := range b.Spec.Secrets {
 		exist, err := CheckSecretKey(
 			context.Background(),

internal/resources/resource.go

@@ -53,9 +53,12 @@ const (
 	localCertsVolumeName    = "init-main-shared-source-dir-volume"
 	operatorTokenVolumeName = "operator-token-volume"
 
-	wellKnownDirForAdditionalSecrets = "/opt/ydb/secrets"
-	wellKnownDirForAdditionalVolumes = "/opt/ydb/volumes"
-	wellKnownNameForOperatorToken    = "token-file"
+	wellKnownDirForAdditionalSecrets        = "/opt/ydb/secrets"
+	wellKnownDirForAdditionalVolumes        = "/opt/ydb/volumes"
+	wellKnownNameForOperatorToken           = "token-file"
+	wellKnownNameForTLSCertificateAuthority = "ca.crt"
+	wellKnownNameForTLSCertificate          = "tls.crt"
+	wellKnownNameForTLSPrivateKey           = "tls.key"
 
 	caBundleEnvName         = "CA_BUNDLE"
 	caBundleFileName        = "userCABundle.crt"
@@ -519,11 +522,11 @@ func buildCAStorePatchingCommandArgs(
 	}
 
 	if grpcService.TLSConfiguration.Enabled {
-		arg += fmt.Sprintf("cp %s/ca.crt %s/grpcRoot.crt && ", grpcTLSVolumeMountPath, localCertsDir)
+		arg += fmt.Sprintf("cp %s/%s %s/grpcRoot.crt && ", grpcTLSVolumeMountPath, wellKnownNameForTLSCertificateAuthority, localCertsDir)
 	}
 
 	if interconnectService.TLSConfiguration.Enabled {
-		arg += fmt.Sprintf("cp %s/ca.crt %s/interconnectRoot.crt && ", interconnectTLSVolumeMountPath, localCertsDir)
+		arg += fmt.Sprintf("cp %s/%s %s/interconnectRoot.crt && ", interconnectTLSVolumeMountPath, wellKnownNameForTLSCertificateAuthority, localCertsDir)
 	}
 
 	if arg != "" {

internal/resources/storage_statefulset.go

@@ -402,15 +402,15 @@ func (b *StorageStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
 			Name:      grpcTLSVolumeName,
 			ReadOnly:  true,
-			MountPath: "/tls/grpc", // fixme const
+			MountPath: grpcTLSVolumeMountPath,
 		})
 	}
 
 	if b.Spec.Service.Interconnect.TLSConfiguration.Enabled {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
 			Name:      interconnectTLSVolumeName,
 			ReadOnly:  true,
-			MountPath: "/tls/interconnect", // fixme const
+			MountPath: interconnectTLSVolumeMountPath,
 		})
 	}