Add reconfigure TLS

go.mod

@@ -44,7 +44,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	kmodules.xyz/client-go v0.34.2
 	kmodules.xyz/custom-resources v0.34.0
-	kubedb.dev/apimachinery v0.61.0-rc.1
+	kubedb.dev/apimachinery v0.61.0-rc.1.0.20260224045112-8a1decd57883
 	sigs.k8s.io/controller-runtime v0.22.4
 	xorm.io/xorm v1.3.11
 )

go.sum

@@ -1131,8 +1131,8 @@ kmodules.xyz/prober v0.34.0 h1:ElZkZYCjLaytAA0M8EH42To7i9gh1IIX+d0qfaIohys=
 kmodules.xyz/prober v0.34.0/go.mod h1:rsu/fxxfNxY70GDbH6Ju8G66459hi7AhWSSBoiIp8ic=
 kmodules.xyz/resource-metadata v0.42.1 h1:RxAi354cKOeCVLoZI+WjR+tooU4lEq/axIafm1SYa20=
 kmodules.xyz/resource-metadata v0.42.1/go.mod h1:xntcQko2QLbLEHwGE4TQ7I/80fcBQzcexbep97Akstk=
-kubedb.dev/apimachinery v0.61.0-rc.1 h1:PKF3R0wFe8PwVPaDDBxNh49KAcw3uQhpIoGS3cWnx9U=
-kubedb.dev/apimachinery v0.61.0-rc.1/go.mod h1:PscykF7tqpp+MS9Q7P+lxceW4pUnkWKzNZg2fdMA4Jw=
+kubedb.dev/apimachinery v0.61.0-rc.1.0.20260224045112-8a1decd57883 h1:xuJqg3fMxV9t3Z2OKumwBnWuDMjMt9aCdn+U8pKRcCk=
+kubedb.dev/apimachinery v0.61.0-rc.1.0.20260224045112-8a1decd57883/go.mod h1:PscykF7tqpp+MS9Q7P+lxceW4pUnkWKzNZg2fdMA4Jw=
 kubeops.dev/operator-shard-manager v0.0.5 h1:i7VnyUfIa9u3RQhSTVWNsooXcgmrWWxJyI9gJ10onE8=
 kubeops.dev/operator-shard-manager v0.0.5/go.mod h1:NE6GzlhwLRiwiUUpqi4Uf+J7e/gniITM0uJnE5r1mzY=
 kubeops.dev/petset v0.0.15 h1:iwTRFAp0RNw0A87sw2c97UZ6WIA9H/nhJBpDhXLa7fk=

neo4j/kubedb_client_builder.go

@@ -194,6 +194,29 @@ func (c *Client) ExecuteQuery(ctx context.Context, query string, params map[stri
 		neo4j.ExecuteQueryWithDatabase(dbName))
 }
 
+func (c *Client) ReloadTLS(ctx context.Context) error {
+	session := c.NewSession(ctx, neo4j.SessionConfig{
+		AccessMode: neo4j.AccessModeRead,
+	})
+	defer func() {
+		if err := session.Close(ctx); err != nil {
+			klog.Error(err, "failed to close neo4j session")
+		}
+	}()
+
+	timeoutCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	_, err := session.Run(timeoutCtx, `
+	CALL dbms.security.reloadTLS()
+	`, nil)
+	if err != nil {
+		return fmt.Errorf("failed to execute TLS reload procedure: %w", err)
+	}
+
+	return nil
+}
+
 func (o *KubeDBClientBuilder) buildConnectionURL() string {
 	scheme := "neo4j"
 
@@ -202,7 +225,7 @@ func (o *KubeDBClientBuilder) buildConnectionURL() string {
 	}
 
 	if o.podName != "" {
-		return fmt.Sprintf("%s://%s.%s.%s.svc.%s:%d", scheme, o.podName, o.db.OffshootName(), o.db.Namespace, apiutils.FindDomain(), kubedb.Neo4jBoltPort)
+		return fmt.Sprintf("%s://%s.%s.svc.%s:%d", scheme, o.podName, o.db.Namespace, apiutils.FindDomain(), kubedb.Neo4jBoltPort)
 	}
 
 	return fmt.Sprintf("%s://%s.%s.svc.%s:%d", scheme, o.db.ServiceName(), o.db.Namespace, apiutils.FindDomain(), kubedb.Neo4jBoltPort)

vendor/kubedb.dev/apimachinery/apis/ops/v1alpha1/neo4j_ops_types.go

@@ -18,6 +18,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+	dbapi "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"
+
 	core "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -56,6 +58,8 @@ type Neo4jOpsRequestSpec struct {
 	Type Neo4jOpsRequestType `json:"type"`
 	// Specifies information necessary for restarting database
 	Restart *RestartSpec `json:"restart,omitempty"`
+	// Specifies information necessary for configuring TLS
+	TLS *Neo4jTLSSpec `json:"tls,omitempty"`
 	// Timeout for each step of the ops request in second. If a step doesn't finish within the specified timeout, the ops request will result in failure.
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
 	// ApplyOption is to control the execution of OpsRequest depending on the database state.
@@ -65,8 +69,22 @@ type Neo4jOpsRequestSpec struct {
 	MaxRetries int32 `json:"maxRetries,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=Restart;
-// ENUM(Restart)
+type Neo4jTLSSpec struct {
+	// Neo4jTLSSpec contains updated tls configurations for client and server.
+	// +optional
+	dbapi.Neo4jTLSConfig `json:",inline,omitempty"`
+
+	// RotateCertificates tells operator to initiate certificate rotation
+	// +optional
+	RotateCertificates bool `json:"rotateCertificates,omitempty"`
+
+	// Remove tells operator to remove TLS configuration
+	// +optional
+	Remove bool `json:"remove,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=Restart;ReconfigureTLS
+// ENUM(Restart,ReconfigureTLS)
 type Neo4jOpsRequestType string
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object