ydb-platform
diff --git a/‎.github/workflows/run-tests.yml
+5-5 b/‎.github/workflows/run-tests.yml
+5-5
diff --git a/‎Makefile
+5-3 b/‎Makefile
+5-3
diff --git a/‎api/v1alpha1/storage_webhook.go
+35-20 b/‎api/v1alpha1/storage_webhook.go
+35-20
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go
-16 b/‎api/v1alpha1/zz_generated.deepcopy.go
-16
diff --git a/‎deploy/ydb-operator/Chart.yaml
+2-2 b/‎deploy/ydb-operator/Chart.yaml
+2-2
diff --git a/‎e2e/tests/data/storage-block-4-2-config-staticCreds.yaml
+105 b/‎e2e/tests/data/storage-block-4-2-config-staticCreds.yaml
+105
diff --git a/‎e2e/tests/data/storage-block-4-2-config.yaml
+12-16 b/‎e2e/tests/data/storage-block-4-2-config.yaml
+12-16
@@ -31,7 +31,7 @@ jobs:
           user: yc-admin
           ssh-public-key: ${{ secrets.CI_RUNNER_DEBUG_SHH_PUBLIC_KEY }}
   smart-checkout:
-    needs: 
+    needs:
       - start-runner
     runs-on: ${{ needs.start-runner.outputs.runner-label }}
     steps:
@@ -47,7 +47,7 @@ jobs:
     concurrency:
       group: lint-golangci-${{ github.ref }}
       cancel-in-progress: true
-    needs: 
+    needs:
       - start-runner
       - smart-checkout
     runs-on: ${{ needs.start-runner.outputs.runner-label }}
@@ -67,7 +67,7 @@ jobs:
     concurrency:
       group: lint-autoformat-${{ github.ref }}
       cancel-in-progress: true
-    needs: 
+    needs:
       - start-runner
       - smart-checkout
     runs-on: ${{ needs.start-runner.outputs.runner-label }}
@@ -88,7 +88,7 @@ jobs:
       - name: Check repository diff
         run: bash ./.github/scripts/check-work-copy-equals-to-committed.sh "auto-format broken"
   run-tests:
-    needs: 
+    needs:
       - start-runner
       - smart-checkout
     runs-on: ${{ needs.start-runner.outputs.runner-label }}
@@ -135,7 +135,7 @@ jobs:
           helm version
       - name: setup-medium-test-class-binaries
         run: |
-          # This installs kube-apiserver and etcd binaries for `medium` 
+          # This installs kube-apiserver and etcd binaries for `medium`
           # class tests. Refer to the writing tests docs for more info.
           make envtest
           KUBEBUILDER_ASSETS=$(./bin/setup-envtest use 1.26 -p path)
 
@@ -64,8 +64,10 @@ vet: ## Run go vet against code.
 test: manifests generate fmt vet envtest docker-build ## Run tests.
 	kind create cluster --config e2e/kind-cluster-config.yaml --name kind-ydb-operator
 	docker tag cr.yandex/yc/ydb-operator:latest kind/ydb-operator:current
-	kind load docker-image cr.yandex/yc/ydb-operator:latest --name kind-ydb-operator
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test ./... -coverprofile cover.out
+	kind load docker-image kind/ydb-operator:current --name kind-ydb-operator
+	docker pull cr.yandex/crptqonuodf51kdj7a7d/ydb:22.4.44
+	kind load docker-image cr.yandex/crptqonuodf51kdj7a7d/ydb:22.4.44 --name kind-ydb-operator
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -timeout 1800s -p 1 ./... -coverprofile cover.out
 
 .PHONY: clean
 clean:
@@ -77,7 +79,7 @@ build: generate fmt vet ## Build manager binary.
 	go build -o bin/manager cmd/ydb-kubernetes-operator/main.go
 
 docker-build: ## Build docker image with the manager.
-	docker build -t ${IMG} .
+	docker build --network=host -t ${IMG} .
 
 docker-push: ## Push docker image with the manager.
 	docker push ${IMG}
 
@@ -21,16 +21,19 @@ func (r *Storage) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
-type DomainsConfig struct {
-	SecurityConfig struct {
-		EnforceUserTokenRequirement bool `yaml:"enforce_user_token_requirement"`
-	} `yaml:"security_config"`
-}
-
 //+kubebuilder:webhook:path=/mutate-ydb-tech-v1alpha1-storage,mutating=true,failurePolicy=fail,sideEffects=None,groups=ydb.tech,resources=storages,verbs=create;update,versions=v1alpha1,name=mutate-storage.ydb.tech,admissionReviewVersions=v1
 
 var _ webhook.Defaulter = &Storage{}
 
+// +k8s:deepcopy-gen=false
+type PartialYamlConfig struct {
+	DomainsConfig struct {
+		SecurityConfig struct {
+			EnforceUserTokenRequirement bool `yaml:"enforce_user_token_requirement"`
+		} `yaml:"security_config"`
+	} `yaml:"domains_config"`
+}
+
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (r *Storage) Default() {
 	storagelog.Info("default", "name", r.Name)
@@ -90,13 +93,19 @@ func (r *Storage) ValidateCreate() error {
 		nodesNumber = int32(len(hosts))
 	}
 
-	if configuration["domains_config"] != nil {
-		if domainsConfig, ok := configuration["domains_config"].(DomainsConfig); ok {
-			authEnabled := domainsConfig.SecurityConfig.EnforceUserTokenRequirement
-			if (authEnabled && r.Spec.OperatorConnection == nil) || (!authEnabled && r.Spec.OperatorConnection != nil) {
-				return fmt.Errorf("field 'spec.operatorConnection' does not satisfy with config option `enforce_user_token_requirement: %t`", authEnabled)
-			}
-		}
+	yamlConfig := PartialYamlConfig{}
+	err = yaml.Unmarshal([]byte(r.Spec.Configuration), &yamlConfig)
+	if err != nil {
+		return fmt.Errorf("failed to parse YAML to determine `enforce_user_token_requirement`")
+	}
+
+	var authEnabled bool
+	if yamlConfig.DomainsConfig.SecurityConfig.EnforceUserTokenRequirement {
+		authEnabled = true
+	}
+
+	if (authEnabled && r.Spec.OperatorConnection == nil) || (!authEnabled && r.Spec.OperatorConnection != nil) {
+		return fmt.Errorf("field 'spec.operatorConnection' does not satisfy with config option `enforce_user_token_requirement: %t`", authEnabled)
 	}
 
 	minNodesPerErasure := map[ErasureType]int32{
@@ -144,13 +153,19 @@ func (r *Storage) ValidateUpdate(old runtime.Object) error {
 		return fmt.Errorf("failed to parse Storage.spec.configuration, error: %w", err)
 	}
 
-	if configuration["domains_config"] != nil {
-		if domainsConfig, ok := configuration["domains_config"].(DomainsConfig); ok {
-			authEnabled := domainsConfig.SecurityConfig.EnforceUserTokenRequirement
-			if (authEnabled && r.Spec.OperatorConnection == nil) || (!authEnabled && r.Spec.OperatorConnection != nil) {
-				return fmt.Errorf("field 'spec.operatorConnection' does not satisfy with config option `enforce_user_token_requirement: %t`", authEnabled)
-			}
-		}
+	yamlConfig := PartialYamlConfig{}
+	err = yaml.Unmarshal([]byte(r.Spec.Configuration), &yamlConfig)
+	if err != nil {
+		return fmt.Errorf("failed to parse YAML to determine `enforce_user_token_requirement`")
+	}
+
+	var authEnabled bool
+	if yamlConfig.DomainsConfig.SecurityConfig.EnforceUserTokenRequirement {
+		authEnabled = true
+	}
+
+	if (authEnabled && r.Spec.OperatorConnection == nil) || (!authEnabled && r.Spec.OperatorConnection != nil) {
+		return fmt.Errorf("field 'spec.operatorConnection' does not satisfy with config option `enforce_user_token_requirement: %t`", authEnabled)
 	}
 
 	crdCheckError := checkMonitoringCRD(manager, storagelog, r.Spec.Monitoring != nil)
 
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.34
+version: 0.4.35
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.4.34"
+appVersion: "0.4.35"
@@ -0,0 +1,105 @@
+static_erasure: block-4-2
+host_configs:
+  - drive:
+      - path: SectorMap:1:1
+        type: SSD
+    host_config_id: 1
+domains_config:
+  security_config:
+    enforce_user_token_requirement: true
+  domain:
+  - name: Root
+    storage_pool_types:
+    - kind: ssd
+      pool_config:
+        box_id: 1
+        erasure_species: block-4-2
+        kind: ssd
+        pdisk_filter:
+        - property:
+          - type: SSD
+        vdisk_kind: Default
+  state_storage:
+  - ring:
+      node: [1, 2, 3, 4, 5, 6, 7, 8]
+      nto_select: 5
+    ssid: 1
+table_service_config:
+  sql_version: 1
+actor_system_config:
+  executor:
+  - name: System
+    threads: 1
+    type: BASIC
+  - name: User
+    threads: 1
+    type: BASIC
+  - name: Batch
+    threads: 1
+    type: BASIC
+  - name: IO
+    threads: 1
+    time_per_mailbox_micro_secs: 100
+    type: IO
+  - name: IC
+    spin_threshold: 10
+    threads: 4
+    time_per_mailbox_micro_secs: 100
+    type: BASIC
+  scheduler:
+    progress_threshold: 10000
+    resolution: 256
+    spin_threshold: 0
+blob_storage_config:
+  service_set:
+    groups:
+    - erasure_species: block-4-2
+      rings:
+      - fail_domains:
+        - vdisk_locations:
+          - node_id: storage-0
+            pdisk_category: SSD
+            path: SectorMap:1:1
+        - vdisk_locations:
+          - node_id: storage-1
+            pdisk_category: SSD
+            path: SectorMap:1:1
+        - vdisk_locations:
+          - node_id: storage-2
+            pdisk_category: SSD
+            path: SectorMap:1:1
+        - vdisk_locations:
+          - node_id: storage-3
+            pdisk_category: SSD
+            path: SectorMap:1:1
+        - vdisk_locations:
+          - node_id: storage-4
+            pdisk_category: SSD
+            path: SectorMap:1:1
+        - vdisk_locations:
+          - node_id: storage-5
+            pdisk_category: SSD
+            path: SectorMap:1:1
+        - vdisk_locations:
+          - node_id: storage-6
+            pdisk_category: SSD
+            path: SectorMap:1:1
+        - vdisk_locations:
+          - node_id: storage-7
+            pdisk_category: SSD
+            path: SectorMap:1:1
+channel_profile_config:
+  profile:
+  - channel:
+    - erasure_species: block-4-2
+      pdisk_category: 1
+      storage_pool_kind: ssd
+    - erasure_species: block-4-2
+      pdisk_category: 1
+      storage_pool_kind: ssd
+    - erasure_species: block-4-2
+      pdisk_category: 1
+      storage_pool_kind: ssd
+    profile_id: 0
+grpc_config:
+    port: 2135
@@ -6,20 +6,16 @@ host_configs:
     host_config_id: 1
 domains_config:
   domain:
-  # There can be only one root domain in a cluster. Domain name prefixes all scheme objects names, e.g. full name of a table table1 in database db1 
-  # in a cluster with domains_config.domain.name parameter set to Root would be equal to /Root/db1/table1
   - name: Root
     storage_pool_types:
     - kind: ssd
       pool_config:
         box_id: 1
-        # fault tolerance mode name - none, block-4-2, or mirror-3-dc. 
-        # See docs for more details https://ydb.tech/en/docs/deploy/configuration/config#domains-blob
         erasure_species: block-4-2
         kind: ssd
         pdisk_filter:
         - property:
-          - type: SSD # device type to match host_configs.drive.type
+          - type: SSD
         vdisk_kind: Default
   state_storage:
   - ring:
@@ -29,34 +25,34 @@ domains_config:
 table_service_config:
   sql_version: 1
 actor_system_config:
-  executor:         
-  - name: System    
+  executor:
+  - name: System
     threads: 1
     type: BASIC
-  - name: User      
+  - name: User
     threads: 1
     type: BASIC
-  - name: Batch     
-    threads: 1      
+  - name: Batch
+    threads: 1
     type: BASIC
-  - name: IO        
+  - name: IO
     threads: 1
     time_per_mailbox_micro_secs: 100
     type: IO
-  - name: IC        
+  - name: IC
     spin_threshold: 10
-    threads: 4      
+    threads: 4
     time_per_mailbox_micro_secs: 100
     type: BASIC
   scheduler:
     progress_threshold: 10000
     resolution: 256
     spin_threshold: 0
-blob_storage_config:    # configuration of static blobstorage group.
+blob_storage_config:
   service_set:
     groups:
-    - erasure_species: block-4-2  # fault tolerance mode name for the static group
-      rings:           # in block-4-2 must have exactly 1 ring or availability zone.
+    - erasure_species: block-4-2
+      rings:
       - fail_domains:
         - vdisk_locations:
           - node_id: storage-0