Merge branch 'master' into YDBOPS-9679

Author: kobzonega

.gitignore

@@ -5,34 +5,15 @@
 *.dylib
 *.test
 *.out
-.idea/**/workspace.xml
-.idea/**/tasks.xml
-.idea/**/usage.statistics.xml
-.idea/**/dictionaries
-.idea/**/shelf
-.idea/**/contentModel.xml
-.idea/**/dataSources/
-.idea/**/dataSources.ids
-.idea/**/dataSources.local.xml
-.idea/**/sqlDataSources.xml
-.idea/**/dynamic.xml
-.idea/**/uiDesigner.xml
-.idea/**/dbnavigator.xml
-.idea/**/gradle.xml
-.idea/**/libraries
-cmake-build-*/
-.idea/**/mongoSettings.xml
 *.iws
 out/
+.idea/*
 .idea_modules/
 atlassian-ide-plugin.xml
-.idea/replstate.xml
 com_crashlytics_export_strings.xml
 crashlytics.properties
 crashlytics-build.properties
 fabric.properties
-.idea/httpRequests
-.idea/caches/build_file_checksums.ser
 
 bin/
 config/

Makefile

@@ -81,11 +81,11 @@ opts ?= ''
 
 .PHONY: unit-test
 unit-test: manifests generate fmt vet envtest ## Run unit tests
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use --arch=amd64 $(ENVTEST_K8S_VERSION) -p path)" go test -v -timeout 1800s -p 1 ./internal/... -ginkgo.v -coverprofile cover.out $(opts)
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use --arch=amd64 $(ENVTEST_K8S_VERSION) -p path)" go test -v -timeout 900s -p 1 ./internal/... -ginkgo.v -coverprofile cover.out $(opts)
 
 .PHONY: e2e-test
 e2e-test: manifests generate fmt vet docker-build kind-init kind-load ## Run e2e tests
-	go test -v -timeout 1800s -p 1 ./e2e/... -ginkgo.v $(opts)
+	go test -v -timeout 3600s -p 1 ./e2e/... -ginkgo.v $(opts)
 
 .PHONY: test
 test: unit-test e2e-test ## Run all tests

api/v1alpha1/configuration.go

@@ -2,30 +2,15 @@ package v1alpha1
 
 import (
 	"bytes"
-	"crypto/sha256"
 	"errors"
 	"fmt"
-	"path"
 	"strconv"
 
 	"gopkg.in/yaml.v3"
 
 	"github.com/ydb-platform/ydb-kubernetes-operator/internal/configuration/schema"
 )
 
-const (
-	DatabaseEncryptionKeyPath           = "/opt/ydb/secrets/database_encryption"
-	DatabaseEncryptionKeyFile           = "key"
-	DatastreamsIAMServiceAccountKeyPath = "/opt/ydb/secrets/datastreams"
-	DatastreamsIAMServiceAccountKeyFile = "sa_key.json"
-)
-
-func hash(text string) string {
-	h := sha256.New()
-	h.Write([]byte(text))
-	return fmt.Sprintf("%x", h.Sum(nil))
-}
-
 func generateHosts(cr *Storage) []schema.Host {
 	var hosts []schema.Host
 
@@ -62,36 +47,6 @@ func generateHosts(cr *Storage) []schema.Host {
 	return hosts
 }
 
-func generateKeyConfig(cr *Storage, crDB *Database) *schema.KeyConfig {
-	var keyConfig *schema.KeyConfig
-	if crDB != nil && crDB.Spec.Encryption != nil && crDB.Spec.Encryption.Enabled {
-		keyConfig = &schema.KeyConfig{
-			Keys: []schema.Key{
-				{
-					ContainerPath: path.Join(DatabaseEncryptionKeyPath, DatabaseEncryptionKeyFile),
-					ID:            hash(cr.Name),
-					Pin:           crDB.Spec.Encryption.Pin,
-					Version:       1,
-				},
-			},
-		}
-	}
-
-	return keyConfig
-}
-
-func tryFillMissingSections(
-	resultConfig map[string]interface{},
-	generatedConfig schema.Configuration,
-) {
-	if resultConfig["hosts"] == nil {
-		resultConfig["hosts"] = generatedConfig.Hosts
-	}
-	if generatedConfig.KeyConfig != nil {
-		resultConfig["key_config"] = generatedConfig.KeyConfig
-	}
-}
-
 func BuildConfiguration(cr *Storage, crDB *Database) ([]byte, error) {
 	config := make(map[string]interface{})
 
@@ -106,28 +61,29 @@ func BuildConfiguration(cr *Storage, crDB *Database) ([]byte, error) {
 		rawYamlConfiguration = cr.Spec.Configuration
 	}
 
-	hosts := generateHosts(cr)
-	keyConfig := generateKeyConfig(cr, crDB)
-	generatedConfig := schema.Configuration{
-		Hosts:     hosts,
-		KeyConfig: keyConfig,
-	}
-
-	success, dynconfig, err := TryParseDynconfig(rawYamlConfiguration)
+	success, dynConfig, err := ParseDynConfig(rawYamlConfiguration)
 	if success {
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse dynconfig, error: %w", err)
 		}
-		tryFillMissingSections(dynconfig.Config, generatedConfig)
-		return yaml.Marshal(dynconfig)
+		if dynConfig.Config["hosts"] == nil {
+			hosts := generateHosts(cr)
+			dynConfig.Config["hosts"] = hosts
+		}
+
+		return yaml.Marshal(dynConfig)
 	}
 
 	err = yaml.Unmarshal([]byte(rawYamlConfiguration), &config)
 	if err != nil {
 		return nil, fmt.Errorf("failed to serialize YAML config, error: %w", err)
 	}
 
-	tryFillMissingSections(config, generatedConfig)
+	if config["hosts"] == nil {
+		hosts := generateHosts(cr)
+		config["hosts"] = hosts
+	}
+
 	return yaml.Marshal(config)
 }
 
@@ -144,25 +100,25 @@ func ParseConfiguration(rawYamlConfiguration string) (schema.Configuration, erro
 	return configuration, nil
 }
 
-func TryParseDynconfig(rawYamlConfiguration string) (bool, schema.Dynconfig, error) {
+func ParseDynConfig(rawYamlConfiguration string) (bool, schema.DynConfig, error) {
 	dec := yaml.NewDecoder(bytes.NewReader([]byte(rawYamlConfiguration)))
 	dec.KnownFields(true)
 
-	var dynconfig schema.Dynconfig
-	err := dec.Decode(&dynconfig)
+	var dynConfig schema.DynConfig
+	err := dec.Decode(&dynConfig)
 	if err != nil {
-		return false, schema.Dynconfig{}, fmt.Errorf("error unmarshal yaml to dynconfig: %w", err)
+		return false, schema.DynConfig{}, fmt.Errorf("error unmarshal yaml to dynconfig: %w", err)
 	}
 
-	err = validateDynconfig(dynconfig)
+	err = validateDynConfig(dynConfig)
 	if err != nil {
-		return true, dynconfig, fmt.Errorf("error validate dynconfig: %w", err)
+		return true, dynConfig, fmt.Errorf("error validate dynconfig: %w", err)
 	}
 
-	return true, dynconfig, nil
+	return true, dynConfig, err
 }
 
-func validateDynconfig(dynConfig schema.Dynconfig) error {
+func validateDynConfig(dynConfig schema.DynConfig) error {
 	if _, exist := dynConfig.Config["yaml_config_enabled"]; !exist {
 		return errors.New("failed to find mandatory `yaml_config_enabled` field inside config")
 	}
@@ -182,12 +138,12 @@ func validateDynconfig(dynConfig schema.Dynconfig) error {
 	return nil
 }
 
-func GetConfigForCMS(dynconfig schema.Dynconfig) ([]byte, error) {
-	delete(dynconfig.Config, "static_erasure")
-	delete(dynconfig.Config, "host_configs")
-	delete(dynconfig.Config, "nameservice_config")
-	delete(dynconfig.Config, "blob_storage_config")
-	delete(dynconfig.Config, "hosts")
+func GetConfigForCMS(dynConfig schema.DynConfig) ([]byte, error) {
+	delete(dynConfig.Config, "static_erasure")
+	delete(dynConfig.Config, "host_configs")
+	delete(dynConfig.Config, "nameservice_config")
+	delete(dynConfig.Config, "blob_storage_config")
+	delete(dynConfig.Config, "hosts")
 
-	return yaml.Marshal(dynconfig)
+	return yaml.Marshal(dynConfig)
 }

api/v1alpha1/connection_types.go

@@ -5,9 +5,9 @@ import (
 )
 
 type ConnectionOptions struct {
-	AccessToken        *AccessTokenAuth       `json:"accessToken,omitempty"`
-	StaticCredentials  *StaticCredentialsAuth `json:"staticCredentials,omitempty"`
-	Oauth2TokenExhange *Oauth2TokenExchange   `json:"oauth2TokenExchange,omitempty"`
+	AccessToken         *AccessTokenAuth       `json:"accessToken,omitempty"`
+	StaticCredentials   *StaticCredentialsAuth `json:"staticCredentials,omitempty"`
+	Oauth2TokenExchange *Oauth2TokenExchange   `json:"oauth2TokenExchange,omitempty"`
 }
 
 type AccessTokenAuth struct {
@@ -22,13 +22,13 @@ type StaticCredentialsAuth struct {
 type Oauth2TokenExchange struct {
 	Endpoint   string            `json:"endpoint"`
 	PrivateKey *CredentialSource `json:"privateKey"`
-	JWTHeader  *JWTHeader        `json:",inline"`
-	JWTClaims  *JWTClaims        `json:",inline"`
+	JWTHeader  `json:",inline"`
+	JWTClaims  `json:",inline"`
 }
 
 type JWTHeader struct {
-	KeyID   string `json:"keyID,omitempty"`
-	SignAlg string `json:"signAlg,omitempty"`
+	KeyID   *string `json:"keyID"`
+	SignAlg string  `json:"signAlg,omitempty"`
 }
 type JWTClaims struct {
 	Issuer   string `json:"issuer,omitempty"`

api/v1alpha1/const.go

@@ -30,11 +30,21 @@ const (
 	ConfigDir      = "/opt/ydb/cfg"
 	ConfigFileName = "config.yaml"
 
+	DatabaseEncryptionKeySecretDir  = "encryption"
+	DatabaseEncryptionKeySecretFile = "key.pem"
+	DatabaseEncryptionKeyConfigFile = "key.txt"
+
+	DatastreamsIAMServiceAccountKeyDir  = "datastreams"
+	DatastreamsIAMServiceAccountKeyFile = "sa_key.json"
+
 	BinariesDir      = "/opt/ydb/bin"
 	DaemonBinaryName = "ydbd"
 
-	DefaultRootUsername = "root"
-	DefaultRootPassword = ""
+	DefaultRootUsername          = "root"
+	DefaultRootPassword          = ""
+	DefaultDatabaseDomain        = "Root"
+	DefaultDatabaseEncryptionPin = "EmptyPin"
+	DefaultSignAlgorithm         = "RS256"
 
 	LabelDeploymentKey             = "deployment"
 	LabelDeploymentValueKubernetes = "kubernetes"

api/v1alpha1/database_webhook.go

@@ -17,10 +17,6 @@ import (
 	. "github.com/ydb-platform/ydb-kubernetes-operator/internal/controllers/constants" //nolint:revive,stylecheck
 )
 
-const (
-	DefaultDatabaseDomain = "Root"
-)
-
 // log is for logging in this package.
 var databaselog = logf.Log.WithName("database-resource")
 
@@ -126,6 +122,13 @@ func (r *DatabaseDefaulter) Default(ctx context.Context, obj runtime.Object) err
 		database.Spec.Encryption = &EncryptionConfig{Enabled: false}
 	}
 
+	if database.Spec.Encryption.Enabled && database.Spec.Encryption.Key == nil {
+		if database.Spec.Encryption.Pin == nil || len(*database.Spec.Encryption.Pin) == 0 {
+			encryptionPin := DefaultDatabaseEncryptionPin
+			database.Spec.Encryption.Pin = &encryptionPin
+		}
+	}
+
 	if database.Spec.Datastreams == nil {
 		database.Spec.Datastreams = &DatastreamsConfig{Enabled: false}
 	}
@@ -149,7 +152,7 @@ func (r *DatabaseDefaulter) Default(ctx context.Context, obj runtime.Object) err
 		database.Spec.StorageEndpoint = storage.GetStorageEndpointWithProto()
 	}
 
-	if database.Spec.Configuration != "" || (database.Spec.Encryption != nil && database.Spec.Encryption.Enabled) {
+	if database.Spec.Configuration != "" {
 		configuration, err := BuildConfiguration(storage, database)
 		if err != nil {
 			return err