feat(provisioning): support custom user credential Secret references#187
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2622b1d00f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| /// Optional credentials Secret reference. Defaults to a Secret named after the user. | ||
| #[serde(default, skip_serializing_if = "Option::is_none")] | ||
| pub creds_secret: Option<UserCredentialsSecretRef>, |
There was a problem hiding this comment.
Reject duplicate credential Secret references
When two spec.users entries set the same credsSecret.name, the CRD still only enforces uniqueness on the logical user.name, but reconciliation loads the same Secret for both entries and calls set_user_policy(&credentials.access_key, ...). That means both entries operate on the same RustFS account and the later entry can replace the policy mapping while both logical users report Ready; please validate that resolved credential Secret names (or loaded access keys) are unique per Tenant before accepting/applying them.
Useful? React with 👍 / 👎.
| "labels": { | ||
| "rustfs.tenant": null, | ||
| }, |
There was a problem hiding this comment.
Preserve labels for Secrets still referenced by Tenant
If a Secret was previously used as a provisioning user Secret but remains referenced elsewhere by the same Tenant, such as spec.rpcSecret.name or spec.credsSecret.name, this cleanup removes the shared rustfs.tenant label only because it is absent from the current user Secret set. The controller's Secret mapper uses that label to enqueue Tenants on external Secret changes, so future rotations of the still-referenced Secret can stop reconciling this Tenant until another event occurs; include all current Tenant Secret refs before treating this label as stale, or avoid removing labels that are not tracked as user-only.
Useful? React with 👍 / 👎.
Type of Change
Related Issues
Closes #174
Summary of Changes
spec.users[].credsSecret.namereferences for provisioning user credentials.credsSecretis omitted.accesskeycollides before any RustFS user mutation.Checklist
make pre-commit(fmt-check + clippy + test + console-lint + console-fmt-check)[Unreleased](N/A: this repository currently has no CHANGELOG.md)Impact
Verification
Additional Notes
Helm does not upgrade CRDs from the chart
crds/directory. Apply the updated Tenant CRD and wait for the new operator rollout before usingusers[].credsSecret.Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.