Add Database.Spec CABundle and Secrets options, fix Database.Spec.Path getters

.gitignore

@@ -36,4 +36,5 @@ fabric.properties
 
 bin/
 config/
-vendor/
+vendor/
+.envrc

.golangci.yml

@@ -170,7 +170,7 @@ linters:
 #    - nilnil
 #    - nlreturn
     - nolintlint
-    - prealloc
+#    - prealloc
     - predeclared
     - rowserrcheck
     - revive

api/v1alpha1/const.go

@@ -31,9 +31,9 @@ const (
 	BinariesDir      = "/opt/ydb/bin"
 	DaemonBinaryName = "ydbd"
 
-	TenantNameFormat = "/%s/%s"
-
 	AnnotationSkipInitialization = "ydb.tech/skip-initialization"
+
+	legacyTenantNameFormat = "/%s/%s"
 )
 
 type ErasureType string

api/v1alpha1/database_types.go

@@ -64,6 +64,15 @@ type DatabaseSpec struct {
 	// +optional
 	PublicHost string `json:"publicHost,omitempty"`
 
+	// (Optional) YDBVersion sets the explicit version of the YDB image
+	// Default: ""
+	// +optional
+	YDBVersion string `json:"version,omitempty"`
+
+	// (Optional) YDB Image
+	// +optional
+	Image PodImage `json:"image,omitempty"`
+
 	// List of initialization containers belonging to the pod.
 	// Init containers are executed in order prior to containers being started. If any
 	// init container fails, the pod is considered to have failed and is handled according
@@ -85,14 +94,15 @@ type DatabaseSpec struct {
 	// +optional
 	Monitoring *MonitoringOptions `json:"monitoring,omitempty"`
 
-	// (Optional) YDBVersion sets the explicit version of the YDB image
-	// Default: ""
+	// User-defined root certificate authority that is added to system trust
+	// store of Storage pods on startup.
 	// +optional
-	YDBVersion string `json:"version,omitempty"`
+	CABundle []byte `json:"caBundle,omitempty"`
 
-	// (Optional) YDB Image
+	// Secret names that will be mounted into the well-known directory of
+	// every storage pod. Directory: `/opt/ydb/secrets/<secret_name>/<secret_key>`
 	// +optional
-	Image PodImage `json:"image,omitempty"`
+	Secrets []*corev1.LocalObjectReference `json:"secrets,omitempty"`
 
 	// NodeSelector is a selector which must be true for the pod to fit on a node.
 	// Selector which must match a node's labels for the pod to be scheduled on that node.

api/v1alpha1/database_webhook.go

@@ -26,7 +26,14 @@ func (r *Database) SetupWebhookWithManager(mgr ctrl.Manager) error {
 var _ webhook.Defaulter = &Database{}
 
 func GetDatabasePath(r *Database) string {
-	return fmt.Sprintf(TenantNameFormat, r.Spec.Domain, r.Name) // FIXME: review later in context of multiple namespaces
+	if r.Spec.Path != "" {
+		return r.Spec.Path
+	}
+	return GetLegacyDatabasePath(r)
+}
+
+func GetLegacyDatabasePath(r *Database) string {
+	return fmt.Sprintf(legacyTenantNameFormat, r.Spec.Domain, r.Name) // FIXME: review later in context of multiple namespaces
 }
 
 // Default implements webhook.Defaulter so a webhook will be registered for the type
@@ -72,7 +79,7 @@ func (r *Database) Default() {
 	}
 
 	if r.Spec.Path == "" {
-		r.Spec.Path = GetDatabasePath(r)
+		r.Spec.Path = GetLegacyDatabasePath(r)
 	}
 
 	if r.Spec.Encryption == nil {
@@ -121,11 +128,7 @@ func (r *Database) ValidateUpdate(old runtime.Object) error {
 		return errors.New("database domain cannot be changed")
 	}
 
-	oldDatabasePath := oldDatabase.Spec.Path
-	if oldDatabase.Spec.Path == "" {
-		oldDatabasePath = GetDatabasePath(r)
-	}
-	if r.Spec.Path != oldDatabasePath {
+	if GetDatabasePath(oldDatabase) != GetDatabasePath(r) {
 		return errors.New("database path cannot be changed")
 	}
 

api/v1alpha1/storage_types.go

@@ -46,6 +46,11 @@ type StorageSpec struct {
 	// +optional
 	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
 
+	// (Optional) YDBVersion sets the explicit version of the YDB image
+	// Default: ""
+	// +optional
+	YDBVersion string `json:"version,omitempty"`
+
 	// Container image information
 	// +required
 	Image PodImage `json:"image,omitempty"`
@@ -66,11 +71,6 @@ type StorageSpec struct {
 	// +optional
 	InitContainers []corev1.Container `json:"initContainers,omitempty"`
 
-	// (Optional) YDBVersion sets the explicit version of the YDB image
-	// Default: ""
-	// +optional
-	YDBVersion string `json:"version,omitempty"`
-
 	// (Optional) Monitoring sets configuration options for YDB observability
 	// Default: ""
 	// +optional

deploy/ydb-operator/crds/database.yaml

@@ -873,6 +873,11 @@ spec:
                         type: array
                     type: object
                 type: object
+              caBundle:
+                description: User-defined root certificate authority that is added
+                  to system trust store of Storage pods on startup.
+                format: byte
+                type: string
               configuration:
                 description: YDB configuration in YAML format. Will be applied on
                   top of generated one in internal/configuration
@@ -2357,6 +2362,19 @@ spec:
                       type: object
                     type: array
                 type: object
+              secrets:
+                description: 'Secret names that will be mounted into the well-known
+                  directory of every storage pod. Directory: `/opt/ydb/secrets/<secret_name>/<secret_key>`'
+                items:
+                  description: LocalObjectReference contains enough information to
+                    let you locate the referenced object inside the same namespace.
+                  properties:
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
+                      type: string
+                  type: object
+                type: array
               serverlessResources:
                 description: (Optional) If specified, created database will be "serverless".
                 properties:

internal/controllers/database/sync.go

@@ -214,7 +214,7 @@ func (r *Reconciler) handleResourcesSync(
 ) (bool, ctrl.Result, error) {
 	r.Log.Info("running step handleResourcesSync")
 
-	for _, builder := range database.GetResourceBuilders() {
+	for _, builder := range database.GetResourceBuilders(r.Config) {
 		newResource := builder.Placeholder(database)
 
 		result, err := resources.CreateOrUpdateIgnoreStatus(ctx, r.Client, newResource, func() error {
@@ -349,7 +349,7 @@ func (r *Reconciler) handleTenantCreation(
 ) (bool, ctrl.Result, error) {
 	r.Log.Info("running step handleTenantCreation")
 
-	path := database.GetPath()
+	path := v1alpha1.GetDatabasePath(database.Database)
 	var storageUnits []v1alpha1.StorageUnit
 	var shared bool
 	var sharedDatabasePath string
@@ -408,7 +408,7 @@ func (r *Reconciler) handleTenantCreation(
 			)
 			return Stop, ctrl.Result{RequeueAfter: SharedDatabaseAwaitRequeueDelay}, err
 		}
-		sharedDatabasePath = fmt.Sprintf(v1alpha1.TenantNameFormat, sharedDatabaseCr.Spec.Domain, sharedDatabaseCr.Name)
+		sharedDatabasePath = v1alpha1.GetDatabasePath(sharedDatabaseCr)
 	default:
 		// TODO: move this logic to webhook
 		r.Recorder.Event(

internal/resources/database.go

@@ -5,6 +5,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/rest"
 
 	api "github.com/ydb-platform/ydb-kubernetes-operator/api/v1alpha1"
 	"github.com/ydb-platform/ydb-kubernetes-operator/internal/configuration"
@@ -56,14 +57,7 @@ func (b *DatabaseBuilder) GetStorageEndpoint() string {
 	return fmt.Sprintf("%s:%d", host, api.GRPCPort)
 }
 
-func (b *DatabaseBuilder) GetPath() string {
-	if b.Spec.Path == "" {
-		return api.GetDatabasePath(b.Database)
-	}
-	return b.Spec.Path
-}
-
-func (b *DatabaseBuilder) GetResourceBuilders() []ResourceBuilder {
+func (b *DatabaseBuilder) GetResourceBuilders(restConfig *rest.Config) []ResourceBuilder {
 	if b.Spec.ServerlessResources != nil {
 		return []ResourceBuilder{}
 	}
@@ -196,7 +190,12 @@ func (b *DatabaseBuilder) GetResourceBuilders() []ResourceBuilder {
 
 	optionalBuilders = append(
 		optionalBuilders,
-		&DatabaseStatefulSetBuilder{Database: b.Unwrap(), Labels: databaseLabels, Storage: b.Storage},
+		&DatabaseStatefulSetBuilder{
+			Database:   b.Unwrap(),
+			Labels:     databaseLabels,
+			RestConfig: restConfig,
+			Storage:    b.Storage,
+		},
 	)
 
 	return optionalBuilders