append secrets and volumes from storage spec to init-job volumes (#282)

nikitka · web-flow · commit c3f7de5a7578 · 2025-01-29T16:18:16.000+01:00
* apend secrets and volumes from storage spec to init-job volumes

* wip

* rename grpcTLSVolumeName to GRPCTLSVolumeName

* remove one test

* add changie

* fix test
diff --git a/.changes/unreleased/Fixed-20250129-134226.yaml b/.changes/unreleased/Fixed-20250129-134226.yaml
@@ -0,0 +1,3 @@
+kind: Fixed
+body: Passing additional secret volumes to blobstorage-init. The init container can now use them without issues.
+time: 2025-01-29T13:42:26.145577+01:00
diff --git a/internal/resources/database_statefulset.go b/internal/resources/database_statefulset.go
@@ -192,7 +192,7 @@ func (b *DatabaseStatefulSetBuilder) buildVolumes() []corev1.Volume {
 	}
 
 	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
-		volumes = append(volumes, buildTLSVolume(grpcTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration))
+		volumes = append(volumes, buildTLSVolume(GRPCTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration))
 	}
 
 	if b.Spec.Service.Interconnect.TLSConfiguration.Enabled {
@@ -314,7 +314,7 @@ func (b *DatabaseStatefulSetBuilder) buildCaStorePatchingInitContainerVolumeMoun
 
 	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
-			Name:      grpcTLSVolumeName,
+			Name:      GRPCTLSVolumeName,
 			ReadOnly:  true,
 			MountPath: grpcTLSVolumeMountPath,
 		})
@@ -482,7 +482,7 @@ func (b *DatabaseStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount {
 
 	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
-			Name:      grpcTLSVolumeName,
+			Name:      GRPCTLSVolumeName,
 			ReadOnly:  true,
 			MountPath: grpcTLSVolumeMountPath,
 		})
diff --git a/internal/resources/resource.go b/internal/resources/resource.go
@@ -35,7 +35,7 @@ const (
 	StatusServiceNameFormat       = "%s-status"
 	DatastreamsServiceNameFormat  = "%s-datastreams"
 
-	grpcTLSVolumeName         = "grpc-tls-volume"
+	GRPCTLSVolumeName         = "grpc-tls-volume"
 	interconnectTLSVolumeName = "interconnect-tls-volume"
 	datastreamsTLSVolumeName  = "datastreams-tls-volume"
 	statusTLSVolumeName       = "status-tls-volume"
diff --git a/internal/resources/storage_init_job.go b/internal/resources/storage_init_job.go
@@ -75,6 +75,7 @@ func (b *StorageInitJobBuilder) buildInitJobPodTemplateSpec() corev1.PodTemplate
 			DNSConfig: &corev1.PodDNSConfig{
 				Searches: dnsConfigSearches,
 			},
+			InitContainers: b.Spec.InitContainers,
 		},
 	}
 
@@ -92,8 +93,7 @@ func (b *StorageInitJobBuilder) buildInitJobPodTemplateSpec() corev1.PodTemplate
 		}
 	}
 
-	// InitContainer only needed for CaBundle manipulation for now,
-	// may be probably used for other stuff later
+	// append an init container for updating the ca.crt if we have any certificates
 	if b.AnyCertificatesAdded() {
 		podTemplate.Spec.InitContainers = append(
 			[]corev1.Container{b.buildCaStorePatchingInitContainer()},
@@ -137,7 +137,7 @@ func (b *StorageInitJobBuilder) buildInitJobVolumes() []corev1.Volume {
 	}
 
 	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
-		volumes = append(volumes, buildTLSVolume(grpcTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration))
+		volumes = append(volumes, buildTLSVolume(GRPCTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration))
 	}
 
 	if b.Spec.OperatorConnection != nil {
@@ -153,6 +153,21 @@ func (b *StorageInitJobBuilder) buildInitJobVolumes() []corev1.Volume {
 			})
 	}
 
+	for _, secret := range b.Spec.Secrets {
+		volumes = append(volumes, corev1.Volume{
+			Name: secret.Name,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: secret.Name,
+				},
+			},
+		})
+	}
+
+	for _, volume := range b.Spec.Volumes {
+		volumes = append(volumes, *volume)
+	}
+
 	if b.AnyCertificatesAdded() {
 		volumes = append(volumes, corev1.Volume{
 			Name: systemCertsVolumeName,
@@ -219,7 +234,7 @@ func (b *StorageInitJobBuilder) buildJobVolumeMounts() []corev1.VolumeMount {
 
 	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
-			Name:      grpcTLSVolumeName,
+			Name:      GRPCTLSVolumeName,
 			ReadOnly:  true,
 			MountPath: grpcTLSVolumeMountPath,
 		})
@@ -302,7 +317,7 @@ func (b *StorageInitJobBuilder) buildCaStorePatchingInitContainerVolumeMounts()
 
 	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
-			Name:      grpcTLSVolumeName,
+			Name:      GRPCTLSVolumeName,
 			ReadOnly:  true,
 			MountPath: grpcTLSVolumeMountPath,
 		})
diff --git a/internal/resources/storage_statefulset.go b/internal/resources/storage_statefulset.go
@@ -216,7 +216,7 @@ func (b *StorageStatefulSetBuilder) buildVolumes() []corev1.Volume {
 	}
 
 	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
-		volumes = append(volumes, buildTLSVolume(grpcTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration))
+		volumes = append(volumes, buildTLSVolume(GRPCTLSVolumeName, b.Spec.Service.GRPC.TLSConfiguration))
 	}
 
 	if b.Spec.Service.Interconnect.TLSConfiguration.Enabled {
@@ -326,7 +326,7 @@ func (b *StorageStatefulSetBuilder) buildCaStorePatchingInitContainerVolumeMount
 
 	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
-			Name:      grpcTLSVolumeName,
+			Name:      GRPCTLSVolumeName,
 			ReadOnly:  true,
 			MountPath: grpcTLSVolumeMountPath,
 		})
@@ -438,7 +438,7 @@ func (b *StorageStatefulSetBuilder) buildVolumeMounts() []corev1.VolumeMount {
 
 	if b.Spec.Service.GRPC.TLSConfiguration.Enabled {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
-			Name:      grpcTLSVolumeName,
+			Name:      GRPCTLSVolumeName,
 			ReadOnly:  true,
 			MountPath: grpcTLSVolumeMountPath,
 		})
diff --git a/tests/e2e/smoke_test.go b/tests/e2e/smoke_test.go
@@ -768,6 +768,54 @@ var _ = Describe("Operator smoke test", func() {
 		ExecuteSimpleTableE2ETestWithSDK(databaseSample.Name, testobjects.YdbNamespace, databasePath)
 	})
 
+	It("Check init job with additional volumes and GRPCS enabled", func() {
+		By("create stls secrets...")
+		storageCert := testobjects.StorageCertificate()
+
+		secret := storageCert.DeepCopy()
+		secret.Name = "another-secret"
+
+		Expect(k8sClient.Create(ctx, storageCert)).Should(Succeed())
+		Expect(k8sClient.Create(ctx, secret)).Should(Succeed())
+
+		By("create storage...")
+		storage := testobjects.DefaultStorage(filepath.Join("..", "data", "storage-mirror-3-dc-config-tls.yaml"))
+
+		storage.Spec.Service.GRPC.TLSConfiguration = testobjects.TLSConfiguration(
+			testobjects.StorageCertificateSecretName,
+		)
+
+		storage.Spec.Secrets = []*corev1.LocalObjectReference{
+			{
+				Name: secret.Name,
+			},
+		}
+
+		mountPath := fmt.Sprintf("%s/%s", v1alpha1.AdditionalSecretsDir, secret.Name)
+
+		storage.Spec.InitContainers = []corev1.Container{
+			{
+				Name:    "init-container",
+				Image:   storage.Spec.Image.Name,
+				Command: []string{"bash", "-xc"},
+				Args:    []string{fmt.Sprintf("ls -la %s", mountPath)},
+				VolumeMounts: []corev1.VolumeMount{
+					{
+						Name:      secret.Name,
+						MountPath: mountPath,
+						ReadOnly:  true,
+					},
+				},
+			},
+		}
+
+		Expect(k8sClient.Create(ctx, storage)).Should(Succeed())
+		defer DeleteStorageSafely(ctx, k8sClient, storage)
+
+		By("waiting until Storage is ready ...")
+		WaitUntilStorageReady(ctx, k8sClient, storage.Name, testobjects.YdbNamespace)
+	})
+
 	AfterEach(func() {
 		UninstallOperatorWithHelm(testobjects.YdbNamespace)
 		Expect(k8sClient.Delete(ctx, &namespace)).Should(Succeed())

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+kind: Fixed`
	`2`	`+body: Passing additional secret volumes to blobstorage-init. The init container can now use them without issues.`
	`3`	`+time: 2025-01-29T13:42:26.145577+01:00`