feat(operator): support dedicated RPC secrets#184
Draft
GatewayJ wants to merge 1 commit into
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type of Change
Related Issues
Closes #153
Summary of Changes
Add an optional
spec.rpcSecretSecret key reference for RustFS internode RPC authentication. When configured, the operator injects the selected key asRUSTFS_RPC_SECRETand prevents the generic environment list from overriding that operator-managed value. When omitted, the operator does not inject the variable, so RustFS retains its existing credential-derived fallback behavior.This separates internode RPC authentication from administrator credentials for tenants that opt in, allowing
spec.credsSecretrotation without changing the shared RPC identity. Existing tenants that setRUSTFS_RPC_SECRETdirectly throughspec.envremain compatible whenspec.rpcSecretis absent.The generated Tenant CRDs, schema coverage, workload rendering tests, rollout detection tests, and Helm documentation are updated with the new configuration.
Checklist
make pre-commit(fmt-check + clippy + test + console-lint + console-fmt-check)[Unreleased](N/A: this repository does not containCHANGELOG.md)Impact
spec.rpcSecretis configured.Verification
Additional Notes
The RPC Secret should remain stable during administrator credential rotation. Adding or changing it on an existing tenant is an RPC credential transition and requires coordinated pod restart planning.
Thank you for your contribution! Please ensure your PR follows the community standards (CODE_OF_CONDUCT.md) and sign the CLA if this is your first contribution.