8 changes: 8 additions & 0 deletions CHANGELOG.md
Expand Up @@ -24,8 +24,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- **Tenant name length**: [`validate_dns1035_label`](src/types/v1alpha1/tenant.rs) now caps `metadata.name` at **55** characters so derived names like `{name}-console` remain valid Kubernetes DNS labels (≤ 63).

- **Encryption validation on reconcile**: [`validate_kms_secret`](src/context.rs) now runs whenever `spec.encryption.enabled` is true (previously skipped when `kmsSecret` was unset).

### Changed

- **Tenant `spec.encryption.vault`**: Removed `tlsSkipVerify` and `customCertificates` (they were never wired to `rustfs-kms`). Vault TLS should rely on system-trusted CAs or TLS upstream. The project is still pre-production; if you have old YAML with these keys, remove them before apply.

- **KMS pod environment** ([`tenant/workloads.rs`](src/types/v1alpha1/tenant/workloads.rs)): Align variable names with the RustFS server and `rustfs-kms` (`RUSTFS_KMS_ENABLE`, `RUSTFS_KMS_VAULT_ADDRESS`, KV mount and key prefix, local `RUSTFS_KMS_KEY_DIR` / `RUSTFS_KMS_DEFAULT_KEY_ID`, etc.); remove Vault TLS certificate volume mounts; `ping_seconds` remains documented as reserved (not injected).

- **Local KMS** ([`context.rs`](src/context.rs)): Validate absolute `keyDirectory` and require a single server replica across pools (multi-replica tenants need Vault or shared storage).

- **Deploy scripts** ([`scripts/deploy/deploy-rustfs.sh`](scripts/deploy/deploy-rustfs.sh), [`deploy-rustfs-4node.sh`](scripts/deploy/deploy-rustfs-4node.sh)): Docker builds use **layer cache by default** (`docker_build_cached`); set `RUSTFS_DOCKER_NO_CACHE=true` for a full rebuild. Documented in [`scripts/README.md`](scripts/README.md).
- **4-node deploy**: Help text moved to an early heredoc (avoids trailing `case`/parse issues); see script header.
- **4-node cleanup** ([`cleanup-rustfs-4node.sh`](scripts/cleanup/cleanup-rustfs-4node.sh)): Host storage dirs under `/tmp/rustfs-storage-*` may require `sudo rm -rf` after Kind (root-owned bind mounts).
Expand Up @@ -108,8 +108,6 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
namespace: "",
prefix: "",
authType: "token",
tlsSkipVerify: false,
customCertificates: false,
})
const [encAppRole, setEncAppRole] = useState({
engine: "",
Expand Down Expand Up @@ -380,8 +378,6 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
namespace: data.vault.namespace || "",
prefix: data.vault.prefix || "",
authType: data.vault.authType || "token",
tlsSkipVerify: data.vault.tlsSkipVerify || false,
customCertificates: data.vault.customCertificates || false,
})
if (data.vault.appRole) {
setEncAppRole({
Expand Down Expand Up @@ -428,8 +424,6 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
namespace: encVault.namespace || undefined,
prefix: encVault.prefix || undefined,
authType: encVault.authType || undefined,
tlsSkipVerify: encVault.tlsSkipVerify || undefined,
customCertificates: encVault.customCertificates || undefined,
}
if (encVault.authType === "approle") {
body.vault.appRole = {
Expand Down Expand Up @@ -951,32 +945,6 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
/>
</div>
</div>
<div className="flex items-center gap-6">
<div className="flex items-center gap-3">
<label htmlFor="vault-tls-skip" className="text-sm">
{t("Skip TLS Verification")}
</label>
<input
id="vault-tls-skip"
type="checkbox"
checked={encVault.tlsSkipVerify}
onChange={(e) => setEncVault((v) => ({ ...v, tlsSkipVerify: e.target.checked }))}
className="h-4 w-4 rounded border-border"
/>
</div>
<div className="flex items-center gap-3">
<label htmlFor="vault-custom-certs" className="text-sm">
{t("Custom Certificates")}
</label>
<input
id="vault-custom-certs"
type="checkbox"
checked={encVault.customCertificates}
onChange={(e) => setEncVault((v) => ({ ...v, customCertificates: e.target.checked }))}
className="h-4 w-4 rounded border-border"
/>
</div>
</div>

{/* Auth type selector */}
<div className="space-y-2 pt-2">
Expand Down Expand Up @@ -1093,21 +1061,15 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
<div className="space-y-2">
<Label>{t("KMS Secret Name")}</Label>
<Input
placeholder={`${t("Optional")} – ${t("Secret containing vault-token and TLS certs")}`}
placeholder={`${t("Optional")} – ${t("Secret containing vault-token")}`}
value={encKmsSecretName}
onChange={(e) => setEncKmsSecretName(e.target.value)}
/>
<p className="text-xs text-muted-foreground">
{encBackend === "vault"
? encVault.authType === "approle"
? t("Secret must contain 'vault-approle-id' and 'vault-approle-secret'.") +
(encVault.customCertificates
? " " + t("Plus TLS certs: vault-ca-cert, vault-client-cert, vault-client-key.")
: "")
: t("Secret must contain key 'vault-token'.") +
(encVault.customCertificates
? " " + t("Plus TLS certs: vault-ca-cert, vault-client-cert, vault-client-key.")
: "")
? t("Secret must contain 'vault-approle-id' and 'vault-approle-secret'.")
: t("Secret must contain key 'vault-token'.")
: t("Not required for Local backend.")}
</p>
</div>
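Review bot: The rewritten placeholder on the "KMS Secret Name" input now reads "Secret containing vault-token" for every backend and auth type, yet the help paragraph right below it says AppRole mode needs `vault-approle-id` / `vault-approle-secret` and the Local backend needs no Secret at all, so the placeholder contradicts the paragraph in two of the three cases. Replacing the second `t(...)` argument with a backend-neutral string such as `t("Secret containing the KMS credentials")` keeps the specific guidance in the paragraph, which is the only place that branches on `encBackend` and `encVault.authType`. As a point of style, since these lines are being rewritten anyway, the three-way nested ternary that builds the hint would read better hoisted into a `const kmsSecretHint = ...` computed above the JSX and rendered as `{kmsSecretHint}`. The enclosing `TenantDetailClient` component starts and ends outside this hunk.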
4 changes: 0 additions & 4 deletions console-web/types/api.ts
Expand Up @@ -271,8 +271,6 @@ export interface VaultInfo {
prefix: string | null
authType: string | null
appRole: AppRoleInfo | null
tlsSkipVerify: boolean | null
customCertificates: boolean | null
}

export interface LocalKmsInfo {
Expand Down Expand Up @@ -310,8 +308,6 @@ export interface UpdateEncryptionRequest {
engine?: string
retrySeconds?: number
}
tlsSkipVerify?: boolean
customCertificates?: boolean
}
local?: {
keyDirectory?: string
29 changes: 9 additions & 20 deletions deploy/rustfs-operator/crds/tenant-crd.yaml
Expand Up @@ -66,7 +66,7 @@ spec:
kmsSecret:
description: |-
Reference to a Secret containing sensitive KMS credentials
(Vault token or AppRole credentials, TLS certificates).
(Vault token or AppRole credentials).
nullable: true
properties:
name:
Expand All @@ -80,19 +80,20 @@ spec:
nullable: true
properties:
keyDirectory:
description: 'Directory for key files inside the container (default: `/data/kms-keys`).'
description: |-
Absolute directory for KMS key files inside the container (default: `/data/kms-keys`).
Must be absolute; RustFS validates this for the local backend.
nullable: true
type: string
masterKeyId:
description: 'Master key identifier (default: `default-master-key`).'
description: Default KMS key id for SSE (maps to `RUSTFS_KMS_DEFAULT_KEY_ID` in the RustFS binary).
nullable: true
type: string
type: object
pingSeconds:
description: |-
Interval in seconds for KMS health-check pings (default: disabled).
When set, the operator stores the value; the in-process KMS library
picks it up from `RUSTFS_KMS_PING_SECONDS`.
Reserved for future KMS health-check tuning. Not injected into pods: the current RustFS
release does not read `RUSTFS_KMS_PING_SECONDS` in the server startup path.
format: int32
nullable: true
type: integer
Expand Down Expand Up @@ -125,33 +126,21 @@ spec:
- null
nullable: true
type: string
customCertificates:
description: |-
Enable custom TLS certificates for the Vault connection.
When `true`, the operator mounts TLS certificate files from the KMS Secret
and configures the corresponding environment variables.
The Secret must contain: `vault-ca-cert`, `vault-client-cert`, `vault-client-key`.
nullable: true
type: boolean
endpoint:
description: Vault server endpoint (e.g. `https://vault.example.com:8200`).
type: string
engine:
description: 'Vault KV2 engine mount path (default: `kv`).'
description: KV secrets engine mount path (maps to `RUSTFS_KMS_VAULT_KV_MOUNT` in rustfs-kms; e.g. `secret`, `kv`).
nullable: true
type: string
namespace:
description: Vault namespace (Enterprise feature).
nullable: true
type: string
prefix:
description: Key prefix inside the engine.
description: Key prefix inside the KV engine (maps to `RUSTFS_KMS_VAULT_KEY_PREFIX`).
nullable: true
type: string
tlsSkipVerify:
description: Skip TLS certificate verification for Vault connection.
nullable: true
type: boolean
required:
- endpoint
type: object
29 changes: 9 additions & 20 deletions deploy/rustfs-operator/crds/tenant.yaml
Expand Up @@ -66,7 +66,7 @@ spec:
kmsSecret:
description: |-
Reference to a Secret containing sensitive KMS credentials
(Vault token or AppRole credentials, TLS certificates).
(Vault token or AppRole credentials).
nullable: true
properties:
name:
Expand All @@ -80,19 +80,20 @@ spec:
nullable: true
properties:
keyDirectory:
description: 'Directory for key files inside the container (default: `/data/kms-keys`).'
description: |-
Absolute directory for KMS key files inside the container (default: `/data/kms-keys`).
Must be absolute; RustFS validates this for the local backend.
nullable: true
type: string
masterKeyId:
description: 'Master key identifier (default: `default-master-key`).'
description: Default KMS key id for SSE (maps to `RUSTFS_KMS_DEFAULT_KEY_ID` in the RustFS binary).
nullable: true
type: string
type: object
pingSeconds:
description: |-
Interval in seconds for KMS health-check pings (default: disabled).
When set, the operator stores the value; the in-process KMS library
picks it up from `RUSTFS_KMS_PING_SECONDS`.
Reserved for future KMS health-check tuning. Not injected into pods: the current RustFS
release does not read `RUSTFS_KMS_PING_SECONDS` in the server startup path.
format: int32
nullable: true
type: integer
Expand Down Expand Up @@ -125,33 +126,21 @@ spec:
- null
nullable: true
type: string
customCertificates:
description: |-
Enable custom TLS certificates for the Vault connection.
When `true`, the operator mounts TLS certificate files from the KMS Secret
and configures the corresponding environment variables.
The Secret must contain: `vault-ca-cert`, `vault-client-cert`, `vault-client-key`.
nullable: true
type: boolean
endpoint:
description: Vault server endpoint (e.g. `https://vault.example.com:8200`).
type: string
engine:
description: 'Vault KV2 engine mount path (default: `kv`).'
description: KV secrets engine mount path (maps to `RUSTFS_KMS_VAULT_KV_MOUNT` in rustfs-kms; e.g. `secret`, `kv`).
nullable: true
type: string
namespace:
description: Vault namespace (Enterprise feature).
nullable: true
type: string
prefix:
description: Key prefix inside the engine.
description: Key prefix inside the KV engine (maps to `RUSTFS_KMS_VAULT_KEY_PREFIX`).
nullable: true
type: string
tlsSkipVerify:
description: Skip TLS certificate verification for Vault connection.
nullable: true
type: boolean
required:
- endpoint
type: object
4 changes: 0 additions & 4 deletions src/console/handlers/encryption.rs
Expand Up @@ -55,8 +55,6 @@ pub async fn get_encryption(
engine: ar.engine.clone(),
retry_seconds: ar.retry_seconds,
}),
tls_skip_verify: v.tls_skip_verify,
custom_certificates: v.custom_certificates,
}),
local: enc.local.as_ref().map(|l| LocalInfo {
key_directory: l.key_directory.clone(),
Expand Down Expand Up @@ -152,8 +150,6 @@ pub async fn update_encryption(
engine: ar.engine,
retry_seconds: ar.retry_seconds,
}),
tls_skip_verify: v.tls_skip_verify,
custom_certificates: v.custom_certificates,
})
} else {
None
4 changes: 0 additions & 4 deletions src/console/models/encryption.rs
Expand Up @@ -38,8 +38,6 @@ pub struct VaultInfo {
pub prefix: Option<String>,
pub auth_type: Option<String>,
pub app_role: Option<AppRoleInfo>,
pub tls_skip_verify: Option<bool>,
pub custom_certificates: Option<bool>,
}

/// AppRole non-sensitive fields.
Expand Down Expand Up @@ -90,8 +88,6 @@ pub struct UpdateVaultRequest {
pub prefix: Option<String>,
pub auth_type: Option<String>,
pub app_role: Option<UpdateAppRoleRequest>,
pub tls_skip_verify: Option<bool>,
pub custom_certificates: Option<bool>,
}

#[derive(Debug, Deserialize, ToSchema)]