diff --git a/.changes/unreleased/Fixed-20250129-134226.yaml b/.changes/unreleased/Fixed-20250129-134226.yaml new file mode 100644 index 00000000..2405bd52 --- /dev/null +++ b/.changes/unreleased/Fixed-20250129-134226.yaml @@ -0,0 +1,3 @@ +kind: Fixed +body: Passing additional secret volumes to blobstorage-init. The init container can now use them without issues. +time: 2025-01-29T13:42:26.145577+01:00 diff --git a/internal/resources/database_statefulset.go b/internal/resources/database_statefulset.go index df84df23..a27f977b 100644 --- a/internal/resources/database_statefulset.go +++ b/internal/resources/database_statefulset.go @@ -192,7 +192,7 @@ func (b *DatabaseStatefulSetBuilder) buildVolumes() []corev1.Volume { } if b.Spec.Service.GRPC.TLSConfiguration.Enabled { - volumes = append(volumes, buildTLSVolume(grpcTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration)) + volumes = append(volumes, buildTLSVolume(GRPCTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration)) } if b.Spec.Service.Interconnect.TLSConfiguration.Enabled { @@ -314,7 +314,7 @@ func (b *DatabaseStatefulSetBuilder) buildCaStorePatchingInitContainerVolumeMoun if b.Spec.Service.GRPC.TLSConfiguration.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: grpcTLSVolumeName, + Name: GRPCTLSVolumeName, ReadOnly: true, MountPath: grpcTLSVolumeMountPath, }) @@ -482,7 +482,7 @@ func (b *DatabaseStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount { if b.Spec.Service.GRPC.TLSConfiguration.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: grpcTLSVolumeName, + Name: GRPCTLSVolumeName, ReadOnly: true, MountPath: grpcTLSVolumeMountPath, }) diff --git a/internal/resources/resource.go b/internal/resources/resource.go index c48965cf..81acea22 100644 --- a/internal/resources/resource.go +++ b/internal/resources/resource.go 
@@ -35,7 +35,7 @@ const ( StatusServiceNameFormat = "%s-status" DatastreamsServiceNameFormat = "%s-datastreams" - grpcTLSVolumeName = "grpc-tls-volume" + GRPCTLSVolumeName = "grpc-tls-volume" interconnectTLSVolumeName = "interconnect-tls-volume" datastreamsTLSVolumeName = "datastreams-tls-volume" statusTLSVolumeName = "status-tls-volume" diff --git a/internal/resources/storage_init_job.go b/internal/resources/storage_init_job.go index 871ab535..4308e29b 100644 --- a/internal/resources/storage_init_job.go +++ b/internal/resources/storage_init_job.go @@ -75,6 +75,7 @@ func (b *StorageInitJobBuilder) buildInitJobPodTemplateSpec() corev1.PodTemplate DNSConfig: &corev1.PodDNSConfig{ Searches: dnsConfigSearches, }, + InitContainers: b.Spec.InitContainers, }, } @@ -92,8 +93,7 @@ func (b *StorageInitJobBuilder) buildInitJobPodTemplateSpec() corev1.PodTemplate } } - // InitContainer only needed for CaBundle manipulation for now, - // may be probably used for other stuff later + // append an init container for updating the ca.crt if we have any certificates if b.AnyCertificatesAdded() { podTemplate.Spec.InitContainers = append( []corev1.Container{b.buildCaStorePatchingInitContainer()}, @@ -137,7 +137,7 @@ func (b *StorageInitJobBuilder) buildInitJobVolumes() []corev1.Volume { } if b.Spec.Service.GRPC.TLSConfiguration.Enabled { - volumes = append(volumes, buildTLSVolume(grpcTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration)) + volumes = append(volumes, buildTLSVolume(GRPCTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration)) } if b.Spec.OperatorConnection != nil { 
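Review bot: The rewritten comment in the `@@ -92` hunk drops the detail that now matters most: with `InitContainers: b.Spec.InitContainers` set in the `@@ -75` hunk, the prepend just below it is what guarantees the CA-store patcher runs before any user-supplied init container, so I would state that explicitly, e.g. `// prepend the CA-store patching init container so it runs before any user-supplied Spec.InitContainers and they see the updated ca.crt`. Note also that when AnyCertificatesAdded() is false the pod template now shares the backing array of b.Spec.InitContainers instead of holding a copy; nothing in these hunks mutates it, but `InitContainers: append([]corev1.Container(nil), b.Spec.InitContainers...),` would keep the CR's spec isolated from later edits of the template. buildInitJobPodTemplateSpec begins and ends outside these hunks.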
@@ -153,6 +153,21 @@ func (b *StorageInitJobBuilder) buildInitJobVolumes() []corev1.Volume { }) } + for _, secret := range b.Spec.Secrets { + volumes = append(volumes, corev1.Volume{ + Name: secret.Name, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: secret.Name, + }, + }, + }) + } + + for _, volume := range b.Spec.Volumes { + volumes = append(volumes, *volume) + } + if b.AnyCertificatesAdded() { volumes = append(volumes, corev1.Volume{ Name: systemCertsVolumeName, @@ -219,7 +234,7 @@ func (b *StorageInitJobBuilder) buildJobVolumeMounts() []corev1.VolumeMount { if b.Spec.Service.GRPC.TLSConfiguration.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: grpcTLSVolumeName, + Name: GRPCTLSVolumeName, ReadOnly: true, MountPath: grpcTLSVolumeMountPath, }) @@ -302,7 +317,7 @@ func (b *StorageInitJobBuilder) buildCaStorePatchingInitContainerVolumeMounts() if b.Spec.Service.GRPC.TLSConfiguration.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: grpcTLSVolumeName, + Name: GRPCTLSVolumeName, ReadOnly: true, MountPath: grpcTLSVolumeMountPath, }) diff --git a/internal/resources/storage_statefulset.go b/internal/resources/storage_statefulset.go index 9c74dcb5..5fb87671 100644 --- a/internal/resources/storage_statefulset.go +++ b/internal/resources/storage_statefulset.go @@ -216,7 +216,7 @@ func (b *StorageStatefulSetBuilder) buildVolumes() []corev1.Volume { } if b.Spec.Service.GRPC.TLSConfiguration.Enabled { - volumes = append(volumes, buildTLSVolume(grpcTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration)) + volumes = append(volumes, buildTLSVolume(GRPCTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration)) } if b.Spec.Service.Interconnect.TLSConfiguration.Enabled { 
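Review bot: The two new loops in the `@@ -153` hunk add volumes under user-chosen names with no collision check, so a name listed in both Spec.Secrets and Spec.Volumes, or one equal to a builder-owned name such as the `grpc-tls-volume` constant used a few lines above, yields duplicate volume names that the API server rejects when the Job is created; unless CRD or webhook validation already enforces uniqueness (not visible here), the builder should dedupe by name rather than let every reconcile fail. The `*volume` dereference also panics on a nil entry in Spec.Volumes, which is worth a guard because it aborts the reconcile instead of producing an error. The sketch below keeps the first definition of each name and skips nil entries; buildInitJobVolumes begins and ends outside the hunk.
```go
	// … unchanged: TLS and operator-connection volumes …
	seen := make(map[string]struct{}, len(volumes))
	for i := range volumes {
		seen[volumes[i].Name] = struct{}{}
	}
	// addVolume keeps the first volume registered under a name; a duplicate
	// name would be rejected by the API server when the Job is created.
	addVolume := func(v corev1.Volume) {
		if _, dup := seen[v.Name]; dup {
			return
		}
		seen[v.Name] = struct{}{}
		volumes = append(volumes, v)
	}
	for _, secret := range b.Spec.Secrets {
		addVolume(corev1.Volume{
			Name: secret.Name,
			VolumeSource: corev1.VolumeSource{
				Secret: &corev1.SecretVolumeSource{
					SecretName: secret.Name,
				},
			},
		})
	}
	for _, volume := range b.Spec.Volumes {
		if volume == nil {
			continue
		}
		addVolume(*volume)
	}
	// … unchanged: system certs volume …
```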
@@ -326,7 +326,7 @@ func (b *StorageStatefulSetBuilder) buildCaStorePatchingInitContainerVolumeMount if b.Spec.Service.GRPC.TLSConfiguration.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: grpcTLSVolumeName, + Name: GRPCTLSVolumeName, ReadOnly: true, MountPath: grpcTLSVolumeMountPath, }) @@ -438,7 +438,7 @@ func (b *StorageStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount { if b.Spec.Service.GRPC.TLSConfiguration.Enabled { volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: grpcTLSVolumeName, + Name: GRPCTLSVolumeName, ReadOnly: true, MountPath: grpcTLSVolumeMountPath, }) diff --git a/tests/e2e/smoke_test.go b/tests/e2e/smoke_test.go index 3562e913..59e51c10 100644 --- a/tests/e2e/smoke_test.go +++ b/tests/e2e/smoke_test.go 
@@ -768,6 +768,54 @@ var _ = Describe("Operator smoke test", func() { ExecuteSimpleTableE2ETestWithSDK(databaseSample.Name, testobjects.YdbNamespace, databasePath) }) + It("Check init job with additional volumes and GRPCS enabled", func() { + By("create stls secrets...") + storageCert := testobjects.StorageCertificate() + + secret := storageCert.DeepCopy() + secret.Name = "another-secret" + + Expect(k8sClient.Create(ctx, storageCert)).Should(Succeed()) + Expect(k8sClient.Create(ctx, secret)).Should(Succeed()) + + By("create storage...") + storage := testobjects.DefaultStorage(filepath.Join("..", "data", "storage-mirror-3-dc-config-tls.yaml")) + + storage.Spec.Service.GRPC.TLSConfiguration = testobjects.TLSConfiguration( + testobjects.StorageCertificateSecretName, + ) + + storage.Spec.Secrets = []*corev1.LocalObjectReference{ + { + Name: secret.Name, + }, + } + + mountPath := fmt.Sprintf("%s/%s", v1alpha1.AdditionalSecretsDir, secret.Name) + + storage.Spec.InitContainers = []corev1.Container{ + { + Name: "init-container", + Image: storage.Spec.Image.Name, + Command: []string{"bash", "-xc"}, + Args: []string{fmt.Sprintf("ls -la %s", mountPath)}, + VolumeMounts: []corev1.VolumeMount{ + { + Name: secret.Name, + MountPath: mountPath, + ReadOnly: true, + }, + }, + }, + } + + Expect(k8sClient.Create(ctx, storage)).Should(Succeed()) + defer DeleteStorageSafely(ctx, k8sClient, storage) + + By("waiting until Storage is ready ...") + WaitUntilStorageReady(ctx, k8sClient, storage.Name, testobjects.YdbNamespace) + }) + AfterEach(func() { UninstallOperatorWithHelm(testobjects.YdbNamespace) Expect(k8sClient.Delete(ctx, &namespace)).Should(Succeed())
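Review bot: The new test builds `mountPath` with `fmt.Sprintf("%s/%s", v1alpha1.AdditionalSecretsDir, secret.Name)`; `path.Join(v1alpha1.AdditionalSecretsDir, secret.Name)` is the idiomatic form for a slash-separated container path and also tolerates a trailing slash in the constant (it needs `path` imported in the file). The only assertion is WaitUntilStorageReady, so the mount is checked indirectly, presumably through the init container's `ls -la` exit status keeping the job from completing; a short comment such as `// the init container fails, and Storage never becomes ready, if the secret is not mounted at mountPath` would make that intent clear to the next reader. The two secrets created at the top are never deleted in the test body; as far as the hunk shows this relies on the namespace deletion in AfterEach, which is fine but deserves a comment. The enclosing Describe block starts and ends outside the hunk.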