feat(api): enforce strict single-database topology via CEL validation and image settings to children #100
Merged
fernando-villalba merged 3 commits into main from Jan 3, 2026
This commit introduces CEL `XValidation` rules to the `MultigresCluster` API to
align the operator with the current limitations of the Multigres Gateway.
**The Problem:**
The Multigres Gateway currently hardcodes query routing to the "default"
tablegroup and ignores the database name provided in the connection string.
Consequently, creating multiple databases or custom-named tablegroups results in
resources that are provisioned but effectively unreachable, as the Gateway will
never route traffic to them.
**The Solution:**
We are enforcing a "Single Database" mode at the API level to prevent users
from creating invalid or "zombie" configurations.
**Changes:**
* **Max Items:** Restricted `spec.databases` to a maximum of 1 entry.
* **System Database Enforcement:** Added a CEL rule to `spec.databases` ensuring
the single database must be named `"postgres"` and marked as `default: true`.
* **TableGroup Naming:** Added a CEL rule to `TableGroupConfig` ensuring that
if `default: true` is set, the resource name must be `"default"`. (This will need to be changed when multigres is updated to support different naming here)
This commit updates the CEL validation rule for `TableGroups` to strictly require exactly one default TableGroup per database.
**The Fix:**
Previously, the validation only ensured *at most* one default (`<= 1`). This left a gap where a user could define a list of custom TableGroups but forget to mark any of them as `default`, leading to a valid CR but a broken runtime state (as the Gateway would have no target for standard traffic).
**Change:**
* Updated the `TableGroups` CEL rule from `size() <= 1` to `size() == 1`.
This complements the Mutating Webhook (which handles empty lists) by ensuring that explicit, user-provided configurations are also complete and routable.
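The rules described in the two commit messages above, modelled in plain Go as an added example; it is not code from this pull request, where the checks are expressed as CEL rules on the CRD. The `Database` and `TableGroup` types, `ValidateDatabases` and its `strict` switch are hypothetical simplifications, and skipping empty TableGroup lists is an assumption standing in for the mutating webhook.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the MultigresCluster API types.
type TableGroup struct {
	Name    string
	Default bool
}

type Database struct {
	Name        string
	Default     bool
	TableGroups []TableGroup
}

// ValidateDatabases restates the described rules in plain Go (assumed shape).
// strict=false models the earlier "at most one default" (<= 1) TableGroup rule,
// strict=true the updated "exactly one default" (== 1) rule.
func ValidateDatabases(dbs []Database, strict bool) error {
	if len(dbs) > 1 {
		return fmt.Errorf("spec.databases: at most 1 entry allowed, got %d", len(dbs))
	}
	for _, db := range dbs {
		if db.Name != "postgres" || !db.Default {
			return fmt.Errorf("database %q: must be named \"postgres\" with default: true", db.Name)
		}
		defaults := 0
		for _, tg := range db.TableGroups {
			if tg.Default {
				defaults++
				if tg.Name != "default" {
					return fmt.Errorf("tablegroup %q: default: true requires name \"default\"", tg.Name)
				}
			}
		}
		// Assumption: an empty list is left to the mutating webhook, so it is not rejected here.
		if defaults > 1 || (strict && len(db.TableGroups) > 0 && defaults != 1) {
			return fmt.Errorf("database %q: %d default tablegroups", db.Name, defaults)
		}
	}
	return nil
}

func main() {
	// Constructed spec: custom TableGroups listed, none marked default.
	spec := []Database{{Name: "postgres", Default: true, TableGroups: []TableGroup{{Name: "orders"}}}}
	fmt.Println("<= 1 rule:", ValidateDatabases(spec, false), "| == 1 rule:", ValidateDatabases(spec, true))
}
```

The constructed spec passes the `<= 1` form and is rejected by the `== 1` form, which is the gap the second commit closes.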
Replaces the standalone `MultiGatewayImage` field in `CellSpec` with a `CellImages` struct to align with the `Shard` resource structure. Additionally, adds `ImagePullPolicy` and `ImagePullSecrets` to both `CellImages` and `ShardImages`. This allows proper configuration of private registry credentials and pull policies at the Cell and Shard levels.
🔬 Go Test Coverage Report
Summary: Status ✅ PASS