Skip to content

feat(operator): support dedicated RPC secrets#184

Draft
GatewayJ wants to merge 1 commit into
rustfs:mainfrom
GatewayJ:fix/rpc-secret-configuration
Draft

feat(operator): support dedicated RPC secrets#184
GatewayJ wants to merge 1 commit into
rustfs:mainfrom
GatewayJ:fix/rpc-secret-configuration

Conversation

@GatewayJ

Copy link
Copy Markdown
Member

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other: N/A

Related Issues

Closes #153

Summary of Changes

Add an optional spec.rpcSecret Secret key reference for RustFS internode RPC authentication. When configured, the operator injects the selected key as RUSTFS_RPC_SECRET and prevents the generic environment list from overriding that operator-managed value. When omitted, the operator does not inject the variable, so RustFS retains its existing credential-derived fallback behavior.

This separates internode RPC authentication from administrator credentials for tenants that opt in, allowing spec.credsSecret rotation without changing the shared RPC identity. Existing tenants that set RUSTFS_RPC_SECRET directly through spec.env remain compatible when spec.rpcSecret is absent.

The generated Tenant CRDs, schema coverage, workload rendering tests, rollout detection tests, and Helm documentation are updated with the new configuration.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CHANGELOG.md updated under [Unreleased] (N/A: this repository does not contain CHANGELOG.md)
  • CI/CD passed (pending)

Impact

  • Breaking change (CRD/API compatibility)
  • Requires doc/config/deployment update
  • Other impact: Existing behavior is unchanged unless spec.rpcSecret is configured.

Verification

NPM_CONFIG_REGISTRY=https://registry.npmmirror.com PNPM_CONFIG_REGISTRY=https://registry.npmmirror.com NPM_CONFIG_FETCH_TIMEOUT=300000 PNPM_CONFIG_FETCH_TIMEOUT=300000 PNPM_CONFIG_DANGEROUSLY_ALLOW_ALL_BUILDS=true make pre-commit

Additional Notes

The RPC Secret should remain stable during administrator credential rotation. Adding or changing it on an existing tenant is an RPC credential transition and requires coordinated pod restart planning.


Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[FATAL] Server encountered an error and is shutting down: store init failed to load formats after 10 retries: erasure read quorum

1 participant