From ae7bf9195deb2dd063b9e00c3db3311790f3755e Mon Sep 17 00:00:00 2001
From: Aleksei Kobzev
Date: Tue, 14 Nov 2023 22:30:07 +0700
Subject: [PATCH] annotation ydb.tech/ca-bundle-secret for mount secret volume with custom CA

---
 api/v1alpha1/const.go | 1 +
 internal/resources/database_statefulset.go | 17 +++++++++++++++++
 internal/resources/storage_statefulset.go | 20 +++++++++++++++++++-
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/api/v1alpha1/const.go b/api/v1alpha1/const.go
index 12d2731e..05b2690c 100644
--- a/api/v1alpha1/const.go
+++ b/api/v1alpha1/const.go
@@ -41,6 +41,7 @@ const (
 	AnnotationDataCenter = "ydb.tech/data-center"
 	AnnotationNodeHost = "ydb.tech/node-host"
 	AnnotationNodeDomain = "ydb.tech/node-domain"
+	AnnotationCABundleSecret = "ydb.tech/ca-bundle-secret"

 	AnnotationValueTrue = "true"

diff --git a/internal/resources/database_statefulset.go b/internal/resources/database_statefulset.go
index d1a5ff2f..bc0dea8d 100644
--- a/internal/resources/database_statefulset.go
+++ b/internal/resources/database_statefulset.go
@@ -197,6 +197,17 @@ func (b *DatabaseStatefulSetBuilder) buildVolumes() []corev1.Volume {
 				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		})
+	} else if value, ok := b.ObjectMeta.Annotations[v1alpha1.AnnotationCABundleSecret]; ok {
+		volumes = append(volumes, corev1.Volume{
+			Name: caCertificatesVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: value,
+					DefaultMode: ptr.Int32(0644),
+					Optional: ptr.Bool(false),
+				},
+			},
+		})
 	}

 	return volumes
@@ -472,6 +483,12 @@ func (b *DatabaseStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount {
 			Name: systemCertsVolumeName,
 			MountPath: systemCertsDir,
 		})
+	} else if _, ok := b.ObjectMeta.Annotations[v1alpha1.AnnotationCABundleSecret]; ok {
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name: caCertificatesVolumeName,
+			MountPath: systemCertsDir,
+			ReadOnly: true,
+		})
 	}

 	for _, secret := range b.Spec.Secrets {
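Review bot: `AnnotationCABundleSecret` is added to the const block without a comment, and nothing in the patch states what the annotation value is or when it takes effect; the other hunks show the value is used verbatim as a `SecretName` and is only consulted when the preceding `if` branch of buildVolumes does not apply. A doc comment on the constant would pin that contract for users of the CRD, e.g. `// AnnotationCABundleSecret names a Secret in the object's own namespace that is mounted at systemCertsDir in place of the built-in system-certs volume; it is ignored when that volume is used.` The wording of the precedence clause should be checked against the condition of the preceding branch, which is not visible in this patch.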
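Review bot: The new `else if` in buildVolumes accepts the annotation as soon as the key is present, so `ydb.tech/ca-bundle-secret: ""` produces a Secret volume with an empty `SecretName`, which the API server rejects when the StatefulSet is applied; the buildVolumes hunk in storage_statefulset.go has the same gap. Guarding with `} else if value, ok := b.ObjectMeta.Annotations[v1alpha1.AnnotationCABundleSecret]; ok && value != "" {` avoids emitting an invalid object, but the matching `else if` in buildVolumeMounts (second hunk of this file and its storage counterpart) must then use exactly the same condition, otherwise a mount can reference a volume that was never declared and the pod will not start. `DefaultMode: ptr.Int32(0644)` makes every key of the Secret readable by any user in the container, which is fine for a bundle of public CA certificates but deserves a one-line comment so the volume is not later reused for a Secret that also carries private material. buildVolumes starts and ends outside this hunk, so the condition of the preceding `if` branch that takes precedence over the annotation cannot be reviewed here.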
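Review bot: The new mount in buildVolumeMounts places the Secret at `systemCertsDir`, the same path the preceding branch uses for `systemCertsVolumeName`, so whatever the image ships in that directory is hidden by the mount and the Secret's key names become the file names the process sees there; the patch does not document which key (file name) the bundle is expected to live under. A comment on the mount would save operators a failed TLS handshake, e.g. `// Mounting the Secret here shadows the image's own trust directory: the Secret must hold the complete bundle under the file name the runtime reads from systemCertsDir.` The same applies to the buildVolumeMounts hunk in storage_statefulset.go. Whether `systemCertsDir` really is the runtime's trust directory is inferred from its name and from the preceding branch; buildVolumeMounts itself starts and ends outside this hunk.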
diff --git a/internal/resources/storage_statefulset.go b/internal/resources/storage_statefulset.go
index 1babe704..bd9328cd 100644
--- a/internal/resources/storage_statefulset.go
+++ b/internal/resources/storage_statefulset.go
@@ -18,7 +18,8 @@ import (
 )

 const (
-	configVolumeName = "ydb-config"
+	configVolumeName         = "ydb-config"
+	caCertificatesVolumeName = "ca-certificates"
 )

 type StorageStatefulSetBuilder struct {
@@ -229,6 +230,17 @@ func (b *StorageStatefulSetBuilder) buildVolumes() []corev1.Volume {
 				EmptyDir: &corev1.EmptyDirVolumeSource{},
 			},
 		})
+	} else if value, ok := b.ObjectMeta.Annotations[v1alpha1.AnnotationCABundleSecret]; ok {
+		volumes = append(volumes, corev1.Volume{
+			Name: caCertificatesVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: value,
+					DefaultMode: ptr.Int32(0644),
+					Optional: ptr.Bool(false),
+				},
+			},
+		})
 	}

 	return volumes
@@ -402,6 +414,12 @@ func (b *StorageStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount {
 			Name: systemCertsVolumeName,
 			MountPath: systemCertsDir,
 		})
+	} else if _, ok := b.ObjectMeta.Annotations[v1alpha1.AnnotationCABundleSecret]; ok {
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name: caCertificatesVolumeName,
+			MountPath: systemCertsDir,
+			ReadOnly: true,
+		})
 	}

 	for _, secret := range b.Spec.Secrets {
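Review bot: The Secret volume literal added to buildVolumes here is a verbatim copy of the one added to database_statefulset.go in the same patch, and the mount literal in the following hunk is copied the same way, while `caCertificatesVolumeName` is declared in this file but consumed by both builders. A package-level helper such as `func caBundleSecretVolume(secretName string) corev1.Volume` (with a sibling for the mount) would give the two StatefulSets one place where the default mode, optionality and mount path are decided, so a later change to one cannot leave the other behind. The const hunk at the top of this file would be the natural place to keep that helper's constants together. buildVolumes starts and ends outside this hunk.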