chore: optional secret-ref namespace for system account (#9971)

(cherry picked from commit 693d482)

Author: leon-inf

apis/apps/v1/types.go

@@ -494,8 +494,10 @@ type ProvisionSecretRef struct {
 
 	// The namespace where the secret is located.
 	//
-	// +kubebuilder:validation:Required
-	Namespace string `json:"namespace"`
+	// If not specified, the secret is assumed to be in the same namespace as the cluster.
+	//
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
 
 	// The key in the secret data that contains the password.
 	//

config/crd/bases/apps.kubeblocks.io_clusters.yaml

@@ -4170,7 +4170,11 @@ spec:
                                 description: The unique identifier of the secret.
                                 type: string
                               namespace:
-                                description: The namespace where the secret is located.
+                                description: |-
+                                  The namespace where the secret is located.
+
+
+                                  If not specified, the secret is assumed to be in the same namespace as the cluster.
                                 type: string
                               password:
                                 default: password
@@ -4179,7 +4183,6 @@ spec:
                                 type: string
                             required:
                             - name
-                            - namespace
                             type: object
                         required:
                         - name
@@ -11697,8 +11700,11 @@ spec:
                                     description: The unique identifier of the secret.
                                     type: string
                                   namespace:
-                                    description: The namespace where the secret is
-                                      located.
+                                    description: |-
+                                      The namespace where the secret is located.
+
+
+                                      If not specified, the secret is assumed to be in the same namespace as the cluster.
                                     type: string
                                   password:
                                     default: password
@@ -11707,7 +11713,6 @@ spec:
                                     type: string
                                 required:
                                 - name
-                                - namespace
                                 type: object
                             required:
                             - name

config/crd/bases/apps.kubeblocks.io_components.yaml

@@ -4368,7 +4368,11 @@ spec:
                           description: The unique identifier of the secret.
                           type: string
                         namespace:
-                          description: The namespace where the secret is located.
+                          description: |-
+                            The namespace where the secret is located.
+
+
+                            If not specified, the secret is assumed to be in the same namespace as the cluster.
                           type: string
                         password:
                           default: password
@@ -4377,7 +4381,6 @@ spec:
                           type: string
                       required:
                       - name
-                      - namespace
                       type: object
                   required:
                   - name

controllers/apps/component/transformer_component_account.go

@@ -108,7 +108,7 @@ func (t *componentAccountTransformer) Transform(ctx graph.TransformContext, dag
 
 func (t *componentAccountTransformer) createAccount(transCtx *componentTransformContext,
 	dag *graph.DAG, graphCli model.GraphClient, account synthesizedSystemAccount) error {
-	secret, err := t.buildAccountSecret(transCtx, transCtx.SynthesizeComponent, account)
+	secret, err := t.buildAccountSecret(transCtx, account)
 	if err != nil {
 		return err
 	}
@@ -126,7 +126,7 @@ func (t *componentAccountTransformer) deleteAccount(transCtx *componentTransform
 
 func (t *componentAccountTransformer) updateAccount(transCtx *componentTransformContext,
 	dag *graph.DAG, graphCli model.GraphClient, account synthesizedSystemAccount, running *corev1.Secret) error {
-	secret, err := t.buildAccountSecret(transCtx, transCtx.SynthesizeComponent, account)
+	secret, err := t.buildAccountSecret(transCtx, account)
 	if err != nil {
 		return err
 	}
@@ -164,34 +164,36 @@ func (t *componentAccountTransformer) buildAccountHash(account synthesizedSystem
 	return signatureSystemAccountPassword(secret)
 }
 
-func (t *componentAccountTransformer) buildAccountSecret(ctx *componentTransformContext,
-	synthesizeComp *component.SynthesizedComponent, account synthesizedSystemAccount) (*corev1.Secret, error) {
+func (t *componentAccountTransformer) buildAccountSecret(transCtx *componentTransformContext, account synthesizedSystemAccount) (*corev1.Secret, error) {
 	var password []byte
 	var err error
 	switch {
 	case account.SecretRef != nil:
-		if password, err = t.getPasswordFromSecret(ctx, account); err != nil {
+		if password, err = t.getPasswordFromSecret(transCtx, account); err != nil {
 			return nil, err
 		}
 	default:
-		password, err = t.buildPassword(ctx, account)
+		password, err = t.buildPassword(transCtx, account)
 		if err != nil {
 			return nil, err
 		}
 	}
 	if len(password) > maximumPasswordLength {
 		return nil, errPasswordTooLong
 	}
-	return t.buildAccountSecretWithPassword(ctx, synthesizeComp, account, password)
+	return t.buildAccountSecretWithPassword(transCtx, account, password)
 }
 
-func (t *componentAccountTransformer) getPasswordFromSecret(ctx graph.TransformContext, account synthesizedSystemAccount) ([]byte, error) {
+func (t *componentAccountTransformer) getPasswordFromSecret(transCtx *componentTransformContext, account synthesizedSystemAccount) ([]byte, error) {
 	secretKey := types.NamespacedName{
 		Namespace: account.SecretRef.Namespace,
 		Name:      account.SecretRef.Name,
 	}
+	if len(secretKey.Namespace) == 0 {
+		secretKey.Namespace = transCtx.SynthesizeComponent.Namespace
+	}
 	secret := &corev1.Secret{}
-	if err := ctx.GetClient().Get(ctx.GetContext(), secretKey, secret); err != nil {
+	if err := transCtx.GetClient().Get(transCtx.GetContext(), secretKey, secret); err != nil {
 		return nil, err
 	}
 
@@ -205,17 +207,18 @@ func (t *componentAccountTransformer) getPasswordFromSecret(ctx graph.TransformC
 	return secret.Data[passwordKey], nil
 }
 
-func (t *componentAccountTransformer) buildPassword(ctx *componentTransformContext, account synthesizedSystemAccount) ([]byte, error) {
+func (t *componentAccountTransformer) buildPassword(transCtx *componentTransformContext, account synthesizedSystemAccount) ([]byte, error) {
+	synthesizedComp := transCtx.SynthesizeComponent
 	// get restore password if exists during recovery.
-	password, err := appsutil.GetRestoreSystemAccountPassword(ctx.Context, ctx.Client,
-		ctx.SynthesizeComponent.Annotations, ctx.SynthesizeComponent.Name, account.Name)
+	password, err := appsutil.GetRestoreSystemAccountPassword(transCtx.Context, transCtx.Client,
+		synthesizedComp.Annotations, synthesizedComp.Name, account.Name)
 	if err != nil {
-		return nil, fmt.Errorf("failed to restore password for system account %s of component %s from annotation, err: %w", account.Name, ctx.SynthesizeComponent.Name, err)
+		return nil, fmt.Errorf("failed to restore password for system account %s of component %s from annotation, err: %w", account.Name, synthesizedComp.Name, err)
 	}
 	if account.InitAccount && len(password) == 0 {
-		// initAccount can also restore from factory.GetRestoreSystemAccountPassword(ctx.SynthesizeComponent, account).
+		// initAccount can also restore from factory.GetRestoreSystemAccountPassword(synthesizedComp, account).
 		// This is compatibility processing.
-		password = []byte(factory.GetRestorePassword(ctx.SynthesizeComponent))
+		password = []byte(factory.GetRestorePassword(synthesizedComp))
 	}
 	if len(password) == 0 {
 		password, err := common.GeneratePasswordByConfig(account.PasswordGenerationPolicy)
@@ -225,16 +228,17 @@ func (t *componentAccountTransformer) buildPassword(ctx *componentTransformConte
 }
 
 func (t *componentAccountTransformer) buildAccountSecretWithPassword(ctx *componentTransformContext,
-	synthesizeComp *component.SynthesizedComponent, account synthesizedSystemAccount, password []byte) (*corev1.Secret, error) {
-	secretName := constant.GenerateAccountSecretName(synthesizeComp.ClusterName, synthesizeComp.Name, account.Name)
-	secret := builder.NewSecretBuilder(synthesizeComp.Namespace, secretName).
+	account synthesizedSystemAccount, password []byte) (*corev1.Secret, error) {
+	synthesizedComp := ctx.SynthesizeComponent
+	secretName := constant.GenerateAccountSecretName(synthesizedComp.ClusterName, synthesizedComp.Name, account.Name)
+	secret := builder.NewSecretBuilder(synthesizedComp.Namespace, secretName).
 		// Priority: static < dynamic < built-in
-		AddLabelsInMap(synthesizeComp.StaticLabels).
-		AddLabelsInMap(synthesizeComp.DynamicLabels).
-		AddLabelsInMap(constant.GetCompLabels(synthesizeComp.ClusterName, synthesizeComp.Name)).
+		AddLabelsInMap(synthesizedComp.StaticLabels).
+		AddLabelsInMap(synthesizedComp.DynamicLabels).
+		AddLabelsInMap(constant.GetCompLabels(synthesizedComp.ClusterName, synthesizedComp.Name)).
 		AddLabels(systemAccountLabel, account.Name).
-		AddAnnotationsInMap(synthesizeComp.StaticAnnotations).
-		AddAnnotationsInMap(synthesizeComp.DynamicAnnotations).
+		AddAnnotationsInMap(synthesizedComp.StaticAnnotations).
+		AddAnnotationsInMap(synthesizedComp.DynamicAnnotations).
 		PutData(constant.AccountNameForSecret, []byte(account.Name)).
 		PutData(constant.AccountPasswdForSecret, password).
 		// SetImmutable(true).

deploy/helm/crds/apps.kubeblocks.io_clusters.yaml

@@ -4170,7 +4170,11 @@ spec:
                                 description: The unique identifier of the secret.
                                 type: string
                               namespace:
-                                description: The namespace where the secret is located.
+                                description: |-
+                                  The namespace where the secret is located.
+
+
+                                  If not specified, the secret is assumed to be in the same namespace as the cluster.
                                 type: string
                               password:
                                 default: password
@@ -4179,7 +4183,6 @@ spec:
                                 type: string
                             required:
                             - name
-                            - namespace
                             type: object
                         required:
                         - name
@@ -11697,8 +11700,11 @@ spec:
                                     description: The unique identifier of the secret.
                                     type: string
                                   namespace:
-                                    description: The namespace where the secret is
-                                      located.
+                                    description: |-
+                                      The namespace where the secret is located.
+
+
+                                      If not specified, the secret is assumed to be in the same namespace as the cluster.
                                     type: string
                                   password:
                                     default: password
@@ -11707,7 +11713,6 @@ spec:
                                     type: string
                                 required:
                                 - name
-                                - namespace
                                 type: object
                             required:
                             - name

deploy/helm/crds/apps.kubeblocks.io_components.yaml

@@ -4368,7 +4368,11 @@ spec:
                           description: The unique identifier of the secret.
                           type: string
                         namespace:
-                          description: The namespace where the secret is located.
+                          description: |-
+                            The namespace where the secret is located.
+
+
+                            If not specified, the secret is assumed to be in the same namespace as the cluster.
                           type: string
                         password:
                           default: password
@@ -4377,7 +4381,6 @@ spec:
                           type: string
                       required:
                       - name
-                      - namespace
                       type: object
                   required:
                   - name

docs/developer_docs/api-reference/cluster.md

@@ -9511,7 +9511,9 @@ string
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>The namespace where the secret is located.</p>
+<p>If not specified, the secret is assumed to be in the same namespace as the cluster.</p>
 </td>
 </tr>
 <tr>