wip: refactor api

Author: Jorres

api/v1alpha1/const.go

@@ -9,12 +9,12 @@ const (
 	DefaultDomainName   = "cluster.local"
 	DNSDomainAnnotation = "dns.domain"
 
-	GRPCPort                      = 2135
-	GRPCServicePortName           = "grpc"
-	GRPCServiceAdditionalPortName = "additional-grpc"
-	GRPCProto                     = "grpc://"
-	GRPCSProto                    = "grpcs://"
-	GRPCServiceFQDNFormat         = "%s-grpc.%s.svc.%s"
+	GRPCPort                    = 2135
+	GRPCServicePortName         = "grpc"
+	GRPCServiceInsecurePortName = "insecure-grpc"
+	GRPCProto                   = "grpc://"
+	GRPCSProto                  = "grpcs://"
+	GRPCServiceFQDNFormat       = "%s-grpc.%s.svc.%s"
 
 	InterconnectPort              = 19001
 	InterconnectServicePortName   = "interconnect"

api/v1alpha1/service_types.go

@@ -20,8 +20,8 @@ type TLSConfiguration struct {
 type GRPCService struct {
 	Service `json:""`
 
-	AdditionalPort int32 `json:"additionalPort,omitempty"`
-	Port           int32 `json:"port,omitempty"`
+	InsecurePort int32 `json:"insecurePort,omitempty"`
+	Port         int32 `json:"port,omitempty"`
 
 	TLSConfiguration *TLSConfiguration `json:"tls,omitempty"`
 	ExternalHost     string            `json:"externalHost,omitempty"`

api/v1alpha1/storage_webhook.go

@@ -4,8 +4,6 @@ import (
 	"context"
 	"fmt"
 	"math/rand"
-	"reflect"
-	"sort"
 
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/go-cmp/cmp"
@@ -453,39 +451,90 @@ func (r *Storage) ValidateUpdate(old runtime.Object) error {
 }
 
 func (r *Storage) validateGrpcPorts() error {
-	servicePorts := []int32{}
+	// There are three possible ways to configure grpc ports:
+
+	// service:
+	//    grpc:                  == this means one insecure port, tls is disabled
+	//      port: 2135
+
+	// service:
+	//    grpc:
+	//      port: 2136           == this means one secure port, tls is enabled
+	//      tls:
+	//        enabled: true
+
+	//  service:
+	//    grpc:
+	//      insecurePort: 2135   == this means two ports, one secure \ one insecure
+	//      port: 2136
+	//      tls:
+	//        enabled: true
 
-	firstPort := int32(GRPCPort)
-	if r.Spec.Service.GRPC.Port != 0 {
-		firstPort = r.Spec.Service.GRPC.Port
-	}
-	servicePorts = append(servicePorts, firstPort)
-	if r.Spec.Service.GRPC.AdditionalPort != 0 {
-		servicePorts = append(servicePorts, r.Spec.Service.GRPC.AdditionalPort)
-	}
 	configuration, err := ParseConfiguration(r.Spec.Configuration)
 	if err != nil {
 		return fmt.Errorf("failed to parse configuration immediately after building it, should not happen, %w", err)
 	}
-
-	configurationPorts := []int32{}
+	configurationPort := int32(GRPCPort)
 	if configuration.GrpcConfig.Port != 0 {
-		configurationPorts = append(configurationPorts, configuration.GrpcConfig.Port)
+		configurationPort = configuration.GrpcConfig.Port
 	}
+	configurationSslPort := int32(0)
 	if configuration.GrpcConfig.SslPort != 0 {
-		configurationPorts = append(configurationPorts, configuration.GrpcConfig.SslPort)
+		configurationSslPort = configuration.GrpcConfig.SslPort
 	}
 
-	sort.Slice(servicePorts, func(i, j int) bool {
-		return servicePorts[i] < servicePorts[j]
-	})
+	if !r.Spec.Service.GRPC.TLSConfiguration.Enabled {
+		// there should be only 1 port, both in service and in config, insecure
+		servicePort := int32(GRPCPort)
+		if r.Spec.Service.GRPC.Port != 0 {
+			servicePort = r.Spec.Service.GRPC.Port
+		}
+		if configurationPort != servicePort {
+			return fmt.Errorf(
+				"inconsistent grpc ports: spec.service.grpc.port (%v) != configuration.grpc_config.port (%v)",
+				servicePort,
+				configurationPort,
+			)
+		}
 
-	sort.Slice(configurationPorts, func(i, j int) bool {
-		return configurationPorts[i] < configurationPorts[j]
-	})
+		if r.Spec.Service.GRPC.InsecurePort != 0 {
+			return fmt.Errorf(
+				"spec.service.grpc.tls.enabled is false, use `port` instead of `insecurePort` field to assign non-tls grpc port",
+			)
+		}
+		return nil
+	}
+
+	// otherwise, there might be 1 (secure only) port...
+	servicePort := int32(GRPCPort)
+	if r.Spec.Service.GRPC.Port != 0 {
+		servicePort = r.Spec.Service.GRPC.Port
+	}
+	if configurationSslPort == 0 {
+		return fmt.Errorf(
+			"configuration.grpc_config.ssl_port is absent in cluster configuration, but spec.service.grpc has tls enabled and port %v",
+			servicePort,
+		)
+	}
+	if configurationSslPort != servicePort {
+		return fmt.Errorf(
+			"inconsistent grpc ports: spec.service.grpc.port (%v) != configuration.grpc_config.ssl_port (%v)",
+			servicePort,
+			configurationSslPort,
+		)
+	}
+
+	// or, optionally, one more: insecure port
+	if r.Spec.Service.GRPC.InsecurePort != 0 {
+		serviceInsecurePort := r.Spec.Service.GRPC.InsecurePort
 
-	if !reflect.DeepEqual(servicePorts, configurationPorts) {
-		return fmt.Errorf("grpc port mismatch: %v in spec.service.grpc, %v in YDB configuration", servicePorts, configurationPorts)
+		if configurationPort != serviceInsecurePort {
+			return fmt.Errorf(
+				"inconsistent grpc insecure ports: spec.service.grpc.insecure_port (%v) != configuration.grpc_config.port (%v)",
+				serviceInsecurePort,
+				configurationPort,
+			)
+		}
 	}
 
 	return nil

deploy/ydb-operator/crds/database.yaml

@@ -4073,14 +4073,14 @@ spec:
                         additionalProperties:
                           type: string
                         type: object
-                      additionalPort:
-                        format: int32
-                        type: integer
                       externalHost:
                         type: string
                       externalPort:
                         format: int32
                         type: integer
+                      insecurePort:
+                        format: int32
+                        type: integer
                       ipDiscovery:
                         properties:
                           enabled:

deploy/ydb-operator/crds/databasenodeset.yaml

@@ -2685,14 +2685,14 @@ spec:
                         additionalProperties:
                           type: string
                         type: object
-                      additionalPort:
-                        format: int32
-                        type: integer
                       externalHost:
                         type: string
                       externalPort:
                         format: int32
                         type: integer
+                      insecurePort:
+                        format: int32
+                        type: integer
                       ipDiscovery:
                         properties:
                           enabled:

deploy/ydb-operator/crds/remotedatabasenodeset.yaml

@@ -2686,14 +2686,14 @@ spec:
                         additionalProperties:
                           type: string
                         type: object
-                      additionalPort:
-                        format: int32
-                        type: integer
                       externalHost:
                         type: string
                       externalPort:
                         format: int32
                         type: integer
+                      insecurePort:
+                        format: int32
+                        type: integer
                       ipDiscovery:
                         properties:
                           enabled:

deploy/ydb-operator/crds/remotestoragenodeset.yaml

@@ -2713,14 +2713,14 @@ spec:
                         additionalProperties:
                           type: string
                         type: object
-                      additionalPort:
-                        format: int32
-                        type: integer
                       externalHost:
                         type: string
                       externalPort:
                         format: int32
                         type: integer
+                      insecurePort:
+                        format: int32
+                        type: integer
                       ipDiscovery:
                         properties:
                           enabled:

deploy/ydb-operator/crds/storage.yaml

@@ -5214,14 +5214,14 @@ spec:
                         additionalProperties:
                           type: string
                         type: object
-                      additionalPort:
-                        format: int32
-                        type: integer
                       externalHost:
                         type: string
                       externalPort:
                         format: int32
                         type: integer
+                      insecurePort:
+                        format: int32
+                        type: integer
                       ipDiscovery:
                         properties:
                           enabled:

deploy/ydb-operator/crds/storagenodeset.yaml

@@ -2712,14 +2712,14 @@ spec:
                         additionalProperties:
                           type: string
                         type: object
-                      additionalPort:
-                        format: int32
-                        type: integer
                       externalHost:
                         type: string
                       externalPort:
                         format: int32
                         type: integer
+                      insecurePort:
+                        format: int32
+                        type: integer
                       ipDiscovery:
                         properties:
                           enabled:

internal/controllers/storage/controller_test.go

@@ -317,7 +317,7 @@ var _ = Describe("Storage controller medium tests", func() {
 
 			storage.Spec.Service.GRPC.Port = 2137
 
-			configWithNewPorts, err := patchGRPCPortsInConfiguration(storage.Spec.Configuration, 2137, -1)
+			configWithNewPorts, err := patchGRPCPortsInConfiguration(storage.Spec.Configuration, -1, 2137)
 			Expect(err).To(BeNil())
 			storage.Spec.Configuration = configWithNewPorts
 
@@ -348,17 +348,23 @@ var _ = Describe("Storage controller medium tests", func() {
 			)
 		})
 
-		By("Checking additionalPort propagation in GRPC Service...", func() {
+		By("Checking insecurePort propagation in GRPC Service...", func() {
 			storage := v1alpha1.Storage{}
 			Expect(k8sClient.Get(ctx, types.NamespacedName{
 				Name:      testobjects.StorageName,
 				Namespace: testobjects.YdbNamespace,
 			}, &storage)).Should(Succeed())
 
 			storage.Spec.Service.GRPC.Port = v1alpha1.GRPCPort
-			storage.Spec.Service.GRPC.AdditionalPort = 2136
+			storage.Spec.Service.GRPC.InsecurePort = 2136
+			storage.Spec.Service.GRPC.TLSConfiguration.Enabled = true
+
+			configWithNewPorts, err := patchGRPCPortsInConfiguration(
+				storage.Spec.Configuration,
+				storage.Spec.Service.GRPC.Port,
+				storage.Spec.Service.GRPC.InsecurePort,
+			)
 
-			configWithNewPorts, err := patchGRPCPortsInConfiguration(storage.Spec.Configuration, 2135, 2136)
 			Expect(err).To(BeNil())
 			storage.Spec.Configuration = configWithNewPorts
 
@@ -382,9 +388,9 @@ var _ = Describe("Storage controller medium tests", func() {
 				g.Expect(len(ports)).To(Equal(2), "expected 2 ports but got %d", len(ports))
 				g.Expect(ports[0].Port).To(Equal(int32(v1alpha1.GRPCPort)))
 				g.Expect(ports[0].Name).To(Equal(v1alpha1.GRPCServicePortName))
-				g.Expect(ports[1].Port).To(Equal(storage.Spec.Service.GRPC.AdditionalPort))
-				g.Expect(ports[1].Name).To(Equal(v1alpha1.GRPCServiceAdditionalPortName))
-				g.Expect(ports[1].TargetPort.IntVal).To(Equal(storage.Spec.Service.GRPC.AdditionalPort))
+				g.Expect(ports[1].Port).To(Equal(storage.Spec.Service.GRPC.InsecurePort))
+				g.Expect(ports[1].Name).To(Equal(v1alpha1.GRPCServiceInsecurePortName))
+				g.Expect(ports[1].TargetPort.IntVal).To(Equal(storage.Spec.Service.GRPC.InsecurePort))
 				return nil
 			}, test.Timeout, test.Interval).Should(Succeed(),
 				"Service %s/%s should eventually have proper ports", testobjects.YdbNamespace, serviceName,
@@ -398,38 +404,48 @@ var _ = Describe("Storage controller medium tests", func() {
 				Namespace: testobjects.YdbNamespace,
 			}, &storage)).Should(Succeed())
 
+			storage.Spec.Service.GRPC.TLSConfiguration.Enabled = true
+
 			storage.Spec.Service.GRPC.Port = v1alpha1.GRPCPort
 			By("Specify 2136 in manifest spec...")
-			storage.Spec.Service.GRPC.AdditionalPort = 2136
+			storage.Spec.Service.GRPC.InsecurePort = 2136
 
 			By("And then specify 2137 in manifest spec...")
 			configWithNewPorts, err := patchGRPCPortsInConfiguration(storage.Spec.Configuration, v1alpha1.GRPCPort, 2137)
 			Expect(err).To(BeNil())
 			storage.Spec.Configuration = configWithNewPorts
 
 			err = k8sClient.Update(ctx, &storage)
-			Expect(err).To(MatchError(ContainSubstring("grpc port mismatch")))
+			Expect(err).To(MatchError(ContainSubstring(
+				"inconsistent grpc insecure ports: spec.service.grpc.insecure_port (2136) != configuration.grpc_config.port (2137)",
+			)))
 		})
 	})
 })
 
-func patchGRPCPortsInConfiguration(in string, port, sslPort int) (string, error) {
-	m := make(map[string]interface{})
+func patchGRPCPortsInConfiguration(in string, sslPort, port int32) (string, error) {
+	m := make(map[string]any)
 	if err := yaml.Unmarshal([]byte(in), &m); err != nil {
 		return "", err
 	}
 
-	cfg, _ := m["grpc_config"].(map[string]interface{})
+	cfg, _ := m["grpc_config"].(map[string]any)
 	if cfg == nil {
-		cfg = make(map[string]interface{})
+		cfg = make(map[string]any)
 	}
 
 	if sslPort != -1 {
 		cfg["ssl_port"] = sslPort
+	} else {
+		delete(cfg, "ssl_port")
 	}
+
 	if port != -1 {
 		cfg["port"] = port
+	} else {
+		delete(cfg, "port")
 	}
+
 	m["grpc_config"] = cfg
 
 	res, err := yaml.Marshal(m)