Support auth through ydb-go-sdk in communication with YDB cluster (#158)

* feat: all debugging output

* chore: clean up debug output

* feat: moved healthcheck from grpc to go-sdk

* feat: create tenant uses go-sdk now

* refactor: a better entrypoint for all YDB connections

* feat: no more useless logs

* refactor: less copypaste

* refactor: less copypaste

* fix: typo

* chore: make linter check after autoformatting

* revert: now I understand our CI

* fix: lint

* chore: bump up chart version

* init authOptions

* some fixes after merge

* lint errors fixes

* rename field in spec to operatorConnection

---------

Co-authored-by: tarasov-egor <jorres.tarasov@gmail.com>

Author: kobzonega

api/v1alpha1/connection_types.go

@@ -0,0 +1,23 @@
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+type ConnectionOptions struct {
+	AccessToken       *AccessTokenAuth       `json:"accessToken,omitempty"`
+	StaticCredentials *StaticCredentialsAuth `json:"staticCredentials,omitempty"`
+}
+
+type AccessTokenAuth struct {
+	*CredentialSource `json:",inline"`
+}
+
+type StaticCredentialsAuth struct {
+	Username string            `json:"username"`
+	Password *CredentialSource `json:"password,omitempty"`
+}
+
+type CredentialSource struct {
+	SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef"`
+}

api/v1alpha1/const.go

@@ -31,6 +31,9 @@ const (
 	BinariesDir      = "/opt/ydb/bin"
 	DaemonBinaryName = "ydbd"
 
+	DefaultRootUsername = "root"
+	DefaultRootPassword = ""
+
 	AnnotationUpdateStrategyOnDelete = "ydb.tech/update-strategy-on-delete"
 	AnnotationUpdateDNSPolicy        = "ydb.tech/update-dns-policy"
 	AnnotationSkipInitialization     = "ydb.tech/skip-initialization"

api/v1alpha1/storage_types.go

@@ -27,6 +27,11 @@ type StorageSpec struct {
 	// +required
 	DataStore []corev1.PersistentVolumeClaimSpec `json:"dataStore"`
 
+	// (Optional) Operator connection settings
+	// Default: (not specified)
+	// +optional
+	OperatorConnection *ConnectionOptions `json:"operatorConnection,omitempty"`
+
 	// (Optional) Storage services parameter overrides
 	// Default: (not specified)
 	// +optional

api/v1alpha1/storage_webhook.go

@@ -3,7 +3,7 @@ package v1alpha1
 import (
 	"fmt"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/utils/strings/slices"
@@ -21,6 +21,12 @@ func (r *Storage) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
+type DomainsConfig struct {
+	SecurityConfig struct {
+		EnforceUserTokenRequirement bool `yaml:"enforce_user_token_requirement"`
+	} `yaml:"security_config"`
+}
+
 //+kubebuilder:webhook:path=/mutate-ydb-tech-v1alpha1-storage,mutating=true,failurePolicy=fail,sideEffects=None,groups=ydb.tech,resources=storages,verbs=create;update,versions=v1alpha1,name=mutate-storage.ydb.tech,admissionReviewVersions=v1
 
 var _ webhook.Defaulter = &Storage{}
@@ -84,6 +90,15 @@ func (r *Storage) ValidateCreate() error {
 		nodesNumber = int32(len(hosts))
 	}
 
+	if configuration["domains_config"] != nil {
+		if domainsConfig, ok := configuration["domains_config"].(DomainsConfig); ok {
+			authEnabled := domainsConfig.SecurityConfig.EnforceUserTokenRequirement
+			if (authEnabled && r.Spec.OperatorConnection == nil) || (!authEnabled && r.Spec.OperatorConnection != nil) {
+				return fmt.Errorf("field 'spec.operatorConnection' does not satisfy with config option `enforce_user_token_requirement: %t`", authEnabled)
+			}
+		}
+	}
+
 	minNodesPerErasure := map[ErasureType]int32{
 		ErasureMirror3DC: 9,
 		ErasureBlock42:   8,
@@ -103,7 +118,6 @@ func (r *Storage) ValidateCreate() error {
 			return fmt.Errorf("the secret name %s is reserved, use another one", secret.Name)
 		}
 	}
-
 	if r.Spec.Volumes != nil {
 		for _, volume := range r.Spec.Volumes {
 			if volume.HostPath == nil {
@@ -124,6 +138,21 @@ func (r *Storage) ValidateCreate() error {
 func (r *Storage) ValidateUpdate(old runtime.Object) error {
 	storagelog.Info("validate update", "name", r.Name)
 
+	configuration := make(map[string]interface{})
+	err := yaml.Unmarshal([]byte(r.Spec.Configuration), &configuration)
+	if err != nil {
+		return fmt.Errorf("failed to parse Storage.spec.configuration, error: %w", err)
+	}
+
+	if configuration["domains_config"] != nil {
+		if domainsConfig, ok := configuration["domains_config"].(DomainsConfig); ok {
+			authEnabled := domainsConfig.SecurityConfig.EnforceUserTokenRequirement
+			if (authEnabled && r.Spec.OperatorConnection == nil) || (!authEnabled && r.Spec.OperatorConnection != nil) {
+				return fmt.Errorf("field 'spec.operatorConnection' does not satisfy with config option `enforce_user_token_requirement: %t`", authEnabled)
+			}
+		}
+	}
+
 	crdCheckError := checkMonitoringCRD(manager, storagelog, r.Spec.Monitoring != nil)
 	if crdCheckError != nil {
 		return crdCheckError

api/v1alpha1/zz_generated.deepcopy.go

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.33
+version: 0.4.34
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.4.33"
+appVersion: "0.4.34"

deploy/ydb-operator/Chart.yaml

@@ -2445,6 +2445,65 @@ spec:
                 description: Number of nodes (pods) in the cluster
                 format: int32
                 type: integer
+              operatorConnection:
+                description: '(Optional) Operator connection settings Default: (not
+                  specified)'
+                properties:
+                  accessToken:
+                    properties:
+                      secretKeyRef:
+                        description: SecretKeySelector selects a key of a Secret.
+                        properties:
+                          key:
+                            description: The key of the secret to select from.  Must
+                              be a valid secret key.
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                          optional:
+                            description: Specify whether the Secret or its key must
+                              be defined
+                            type: boolean
+                        required:
+                        - key
+                        type: object
+                    required:
+                    - secretKeyRef
+                    type: object
+                  staticCredentials:
+                    properties:
+                      password:
+                        properties:
+                          secretKeyRef:
+                            description: SecretKeySelector selects a key of a Secret.
+                            properties:
+                              key:
+                                description: The key of the secret to select from.  Must
+                                  be a valid secret key.
+                                type: string
+                              name:
+                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                  TODO: Add other useful fields. apiVersion, kind,
+                                  uid?'
+                                type: string
+                              optional:
+                                description: Specify whether the Secret or its key
+                                  must be defined
+                                type: boolean
+                            required:
+                            - key
+                            type: object
+                        required:
+                        - secretKeyRef
+                        type: object
+                      username:
+                        type: string
+                    required:
+                    - username
+                    type: object
+                type: object
               priorityClassName:
                 description: (Optional) If specified, the pod's priorityClassName.
                 type: string

deploy/ydb-operator/crds/storage.yaml

@@ -6,7 +6,7 @@ containerdConfigPatches:
  snapshotter = "native"
 nodes:
 - role: control-plane
-- role: worker 
+- role: worker
   labels:
     worker: true
 - role: worker

e2e/kind-cluster-config.yaml

@@ -9,10 +9,10 @@ require (
 	github.com/onsi/gomega v1.27.6
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.50.0
-	github.com/ydb-platform/ydb-go-genproto v0.0.0-20210916081217-f4e55570b874
-	google.golang.org/grpc v1.49.0
+	github.com/ydb-platform/ydb-go-genproto v0.0.0-20230801151335-81e01be38941
+	github.com/ydb-platform/ydb-go-sdk/v3 v3.53.0
+	google.golang.org/grpc v1.53.0
 	google.golang.org/protobuf v1.28.1
-	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.26.1
 	k8s.io/apimachinery v0.26.1
@@ -37,6 +37,7 @@ require (
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
@@ -45,6 +46,7 @@ require (
 	github.com/google/pprof v0.0.0-20230510103437-eeec1cb781c3 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/jonboulle/clockwork v0.3.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -63,15 +65,17 @@ require (
 	go.uber.org/zap v1.24.0 // indirect
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/oauth2 v0.4.0 // indirect
+	golang.org/x/sync v0.2.0 // indirect
 	golang.org/x/sys v0.8.0 // indirect
 	golang.org/x/term v0.8.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.9.1 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
+	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.26.1 // indirect
 	k8s.io/component-base v0.26.1 // indirect
 	k8s.io/klog/v2 v2.90.0 // indirect