Add ability to mount custom certs (#54)

This provides the ability to mount any number of custom certs in the Vertica
container. Each cert will be mounted in a well defined location within the
container (/certs/<certName>/<key>). This will be available with a new
parameter called spec.certSecrets. A list of Secret names can be specified.

Here is an example of a CR that takes advantage of that:

apiVersion: vertica.com/v1beta1
kind: VerticaDB
metadata:
  name: verticadb-sample
spec:
  communal: {…}
  certSecrets:
    - name: mtls
    - name: aws-cert

It specifies two secrets: mtls and aws-cert. The keys within these Secrets will
be mounted at /certs/mtls and /certs/aws-cret respectively. If the keys of the
secret change, the mount points will be automatically updated to reflect the
new value without having to restart the pod.

.gitignore

@@ -42,7 +42,7 @@ testbin/*
 # Omit some fully generated files
 config/crd/bases/vertica.com_verticadbs.yaml
 config/rbac/role.yaml
-api/v1alpha1/zz_generated.deepcopy.go
+api/v1beta1/zz_generated.deepcopy.go
 
 # Omit generated files for helm verticadb-operator
 helm-charts/verticadb-operator/templates/*.yaml

api/v1beta1/verticadb_types.go

@@ -183,6 +183,14 @@ type VerticaDBSpec struct {
 	// accepts any valid volume type.  A unique name must be given for each
 	// volume and it cannot conflict with any of the internally generated volumes.
 	Volumes []corev1.Volume `json:"volumes,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Secrets that will be mounted in the vertica container.  The purpose of
+	// this is to allow custom certs to be available.  The full path is:
+	//   /certs/<secretName>/<key_i>
+	// Where <secretName> is the name provided in the secret and <key_i> is one
+	// of the keys in the secret.
+	CertSecrets []corev1.LocalObjectReference `json:"certSecrets,omitempty"`
 }
 
 type CommunalInitPolicy string

pkg/controllers/builder.go

@@ -89,16 +89,31 @@ func buildVolumeMounts(vdb *vapi.VerticaDB) []corev1.VolumeMount {
 		})
 	}
 
+	volMnts = append(volMnts, buildCertSecretVolumeMounts(vdb)...)
+
 	return volMnts
 }
 
+// buildCertSecretVolumeMounts returns the volume mounts for any cert secrets that are in the vdb
+func buildCertSecretVolumeMounts(vdb *vapi.VerticaDB) []corev1.VolumeMount {
+	mnts := []corev1.VolumeMount{}
+	for _, s := range vdb.Spec.CertSecrets {
+		mnts = append(mnts, corev1.VolumeMount{
+			Name:      s.Name,
+			MountPath: fmt.Sprintf("%s/%s", paths.CertsRoot, s.Name),
+		})
+	}
+	return mnts
+}
+
 // buildVolumes builds up a list of volumes to include in the sts
 func buildVolumes(vdb *vapi.VerticaDB) []corev1.Volume {
 	vols := []corev1.Volume{}
 	vols = append(vols, buildPodInfoVolume(vdb))
 	if vdb.Spec.LicenseSecret != "" {
 		vols = append(vols, buildLicenseVolume(vdb))
 	}
+	vols = append(vols, buildCertSecretVolumes(vdb)...)
 	vols = append(vols, vdb.Spec.Volumes...)
 	return vols
 }
@@ -187,6 +202,20 @@ func buildPodInfoVolume(vdb *vapi.VerticaDB) corev1.Volume {
 	}
 }
 
+// buildCertSecretVolumes returns a list of volumes, one for each secret in certSecrets.
+func buildCertSecretVolumes(vdb *vapi.VerticaDB) []corev1.Volume {
+	vols := []corev1.Volume{}
+	for _, s := range vdb.Spec.CertSecrets {
+		vols = append(vols, corev1.Volume{
+			Name: s.Name,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{SecretName: s.Name},
+			},
+		})
+	}
+	return vols
+}
+
 // buildPodSpec creates a PodSpec for the statefulset
 func buildPodSpec(vdb *vapi.VerticaDB, sc *vapi.Subcluster) corev1.PodSpec {
 	termGracePeriod := int64(0)

pkg/paths/paths.go

@@ -38,6 +38,7 @@ const (
 	AuthParmsFile          = "/home/dbadmin/auth_parms.conf"
 	EulaAcceptanceFile     = "/opt/vertica/config/d5415f948449e9d4c421b568f2411140.dat"
 	EulaAcceptanceScript   = "/opt/vertica/config/accept_eula.py"
+	CertsRoot              = "/certs"
 )
 
 // GenInstallerIndicatorFileName returns the name of the installer indicator file.