annotation ydb.tech/ca-bundle-secret for mount secret volume with cus…

…tom CA
ydb-platform · Nov 14, 2023 · ae7bf91 · ae7bf91
1 parent f375df3
commit ae7bf91
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/api/v1alpha1/const.go b/api/v1alpha1/const.go
@@ -41,6 +41,7 @@ const (
 	AnnotationDataCenter             = "ydb.tech/data-center"
 	AnnotationNodeHost               = "ydb.tech/node-host"
 	AnnotationNodeDomain             = "ydb.tech/node-domain"
+	AnnotationCABundleSecret         = "ydb.tech/ca-bundle-secret"
 
 	AnnotationValueTrue = "true"
 

diff --git a/internal/resources/database_statefulset.go b/internal/resources/database_statefulset.go
@@ -197,6 +197,17 @@ func (b *DatabaseStatefulSetBuilder) buildVolumes() []corev1.Volume {
 				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		})
+	} else if value, ok := b.ObjectMeta.Annotations[v1alpha1.AnnotationCABundleSecret]; ok {
+		volumes = append(volumes, corev1.Volume{
+			Name: caCertificatesVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName:  value,
+					DefaultMode: ptr.Int32(0644),
+					Optional:    ptr.Bool(false),
+				},
+			},
+		})
 	}
 
 	return volumes
@@ -472,6 +483,12 @@ func (b *DatabaseStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount {
 			Name:      systemCertsVolumeName,
 			MountPath: systemCertsDir,
 		})
+	} else if _, ok := b.ObjectMeta.Annotations[v1alpha1.AnnotationCABundleSecret]; ok {
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      caCertificatesVolumeName,
+			MountPath: systemCertsDir,
+			ReadOnly:  true,
+		})
 	}
 
 	for _, secret := range b.Spec.Secrets {

diff --git a/internal/resources/storage_statefulset.go b/internal/resources/storage_statefulset.go
@@ -18,7 +18,8 @@ import (
 )
 
 const (
-	configVolumeName = "ydb-config"
+	configVolumeName         = "ydb-config"
+	caCertificatesVolumeName = "ca-certificates"
 )
 
 type StorageStatefulSetBuilder struct {
@@ -229,6 +230,17 @@ func (b *StorageStatefulSetBuilder) buildVolumes() []corev1.Volume {
 				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		})
+	} else if value, ok := b.ObjectMeta.Annotations[v1alpha1.AnnotationCABundleSecret]; ok {
+		volumes = append(volumes, corev1.Volume{
+			Name: caCertificatesVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName:  value,
+					DefaultMode: ptr.Int32(0644),
+					Optional:    ptr.Bool(false),
+				},
+			},
+		})
 	}
 
 	return volumes
@@ -402,6 +414,12 @@ func (b *StorageStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount {
 			Name:      systemCertsVolumeName,
 			MountPath: systemCertsDir,
 		})
+	} else if _, ok := b.ObjectMeta.Annotations[v1alpha1.AnnotationCABundleSecret]; ok {
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      caCertificatesVolumeName,
+			MountPath: systemCertsDir,
+			ReadOnly:  true,
+		})
 	}
 
 	for _, secret := range b.Spec.Secrets {