feat(api): combined-image mode + imagePullSecrets passthrough on DocumentDBSpec#374
Open
xgerman wants to merge 4 commits intodocumentdb:mainfrom
Open
feat(api): combined-image mode + imagePullSecrets passthrough on DocumentDBSpec#374xgerman wants to merge 4 commits intodocumentdb:mainfrom
xgerman wants to merge 4 commits intodocumentdb:mainfrom
Conversation
Adds optional fields to DocumentDBSpec for deployments that bake PostgreSQL extensions into a single combined image rather than mounting them via OCI ImageVolume: - postgresUID / postgresGID: UID/GID overrides for postgres in the image - preloadLibraries: shared_preload_libraries override - postInitSQL: CNPG PostInitSQL override Default behaviour (all fields unset) is byte-identical to the previous behaviour. Combined-image mode is triggered by leaving spec.documentDBImage empty. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: German <geeichbe@microsoft.com>
When spec.documentDBImage is empty, the operator now produces a CNPG
Cluster spec that:
- Uses spec.postgresImage directly as cluster.spec.imageName
- Skips the Extensions ImageVolumeSource block
- Skips documentdb-specific AdditionalLibraries / Parameters in favour
of optional spec.preloadLibraries
- Honours optional spec.postgresUID / spec.postgresGID
- Honours optional spec.postInitSQL for the InitDB phase
The default ImageVolume path is unchanged when spec.documentDBImage is
set, preserving existing behaviour for all current users. A small
isCombinedImageMode helper makes the gating explicit at every call
site, and PostgresConfiguration assembly is split out into
buildPostgresConfiguration for readability.
Adds unit tests covering both the default ImageVolume path and the
combined-image path: Extensions/AdditionalLibraries/Parameters
shape, PostInitSQL default + override, PreloadLibraries
propagation, and PostgresUID/GID propagation.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: German <geeichbe@microsoft.com>
…e fields Re-run of `make manifests generate` after rebasing onto upstream/main. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: German <geeichbe@microsoft.com>
Forwards spec.imagePullSecrets directly to the underlying CNPG ClusterSpec.ImagePullSecrets. The cluster-level field applies to every container scheduled into the cluster's pods (PG, gateway sidecar, any plugin-injected sidecars), so a single field at the DocumentDB CR level covers every image the operator schedules. Required for deployments backed by private registries (e.g., a token-protected ACR). The field uses the standard Kubernetes corev1.LocalObjectReference contract that users already know from Pod/Deployment specs and is translated to the structurally-equivalent CNPG type at the boundary. Includes generated CRD/deepcopy updates plus gofmt alignment fixes for constants/comments touched in earlier combined-image commits. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: German <geeichbe@microsoft.com>
xgerman
requested review from
WentingWu666666,
alaye-ms and
hossain-rayhan
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR extends the DocumentDB Custom Resource to support more deployment scenarios by adding (1) a combined-image mode concept (to avoid ImageVolume-based extension wiring) and (2) imagePullSecrets passthrough to the underlying CNPG ClusterSpec, along with a few related knobs for preload libraries, post-init SQL, and Postgres UID/GID overrides.
Changes:
- Add
postgresUID/postgresGID,preloadLibraries,postInitSQL, andimagePullSecretstoDocumentDBSpecand regenerate CRDs / DeepCopy. - Refactor CNPG cluster spec generation to support a combined-image branch (skipping ImageVolume extensions plumbing) and to forward
imagePullSecrets. - Add/adjust Ginkgo tests for the new wiring and behaviors.
Reviewed changes
Copilot reviewed 7 out of 10 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| operator/src/internal/utils/pv_recovery.go | Formatting-only constant alignment. |
| operator/src/internal/utils/constants.go | Formatting-only constant alignment. |
| operator/src/internal/controller/documentdb_controller.go | Removes a stray blank line. |
| operator/src/internal/cnpg/cnpg_sync.go | Formatting-only alignment in JSON patch construction. |
| operator/src/internal/cnpg/cnpg_cluster.go | Implements combined-image branching, refactors PostgresConfiguration building, adds UID/GID + imagePullSecrets plumbing, and adds post-init SQL override support. |
| operator/src/internal/cnpg/cnpg_cluster_test.go | Adds/updates test contexts for combined-image mode, default mode behavior, postInitSQL override, and imagePullSecrets propagation. |
| operator/src/config/crd/bases/documentdb.io_dbs.yaml | Regenerated CRD with new fields and validations (currently contains an invalid CEL quote issue). |
| operator/documentdb-helm-chart/crds/documentdb.io_dbs.yaml | Helm CRD copy updated to match regenerated CRD (currently contains an invalid CEL quote issue). |
| operator/src/api/preview/zz_generated.deepcopy.go | Regenerated deepcopy code for new spec fields. |
| operator/src/api/preview/documentdb_types.go | Adds new DocumentDBSpec fields and updates bootstrap recovery XValidation (currently contains an invalid CEL quote issue). |
Comment on lines
+24
to
+30
| // isCombinedImageMode returns true when the DocumentDB CR opts into the | ||
| // combined-image path (single OCI image carrying both postgres binaries and | ||
| // extensions, no separate ImageVolume mount). Triggered by leaving | ||
| // spec.documentDBImage unset/empty. | ||
| func isCombinedImageMode(documentdb *dbpreview.DocumentDB) bool { | ||
| return strings.TrimSpace(documentdb.Spec.DocumentDBImage) == "" | ||
| } |
|
|
||
| // RecoveryConfiguration defines recovery settings for bootstrapping a DocumentDB cluster. | ||
| // +kubebuilder:validation:XValidation:rule="!(has(self.backup) && self.backup.name != '' && has(self.persistentVolume) && self.persistentVolume.name != '')",message="cannot specify both backup and persistentVolume recovery at the same time" | ||
| // +kubebuilder:validation:XValidation:rule="!(has(self.backup) && self.backup.name != ” && has(self.persistentVolume) && self.persistentVolume.name != ”)",message="cannot specify both backup and persistentVolume recovery at the same time" |
Comment on lines
+1087
to
+1088
| rule: '!(has(self.backup) && self.backup.name != ” && has(self.persistentVolume) | ||
| && self.persistentVolume.name != ”)' |
Comment on lines
+1087
to
+1088
| rule: '!(has(self.backup) && self.backup.name != ” && has(self.persistentVolume) | ||
| && self.persistentVolume.name != ”)' |
Comment on lines
+143
to
+153
| // PostgresUID is the UID under which CloudNative-PG launches PostgreSQL inside | ||
| // the postgresImage container. Default behaviour (unset) uses the CNPG default | ||
| // for the chosen image. Set this when using a combined image whose postgres | ||
| // user has a non-default UID. Must be set together with PostgresGID. | ||
| // +optional | ||
| PostgresUID *int32 `json:"postgresUID,omitempty"` | ||
|
|
||
| // PostgresGID is the GID under which CloudNative-PG launches PostgreSQL. | ||
| // See PostgresUID. Must be set together with PostgresUID. | ||
| // +optional | ||
| PostgresGID *int32 `json:"postgresGID,omitempty"` |
|
🤖 Auto-triaged by documentdb-triage-tool. Applied: Reasoningcomponent from path globs (controllers, api, manifests, test); effort from diff stats (547+65 LOC, 10 files); LLM: Adds multiple new optional fields to DocumentDBSpec (combined-image mode, imagePullSecrets, postgresUID/GID, preloadLibraries, postInitSQL) with CRD regeneration, controller logic changes, and new test coverage across multiple files. If a label is wrong, remove it manually and ping |
documentdb-triage-tool
Bot
added
enhancement
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two narrow, opt-in extensions to
DocumentDBSpecthat broaden where the operator can deploy without changing default behaviour:ImageVolume. Triggered by leavingspec.documentDBImageempty; no change for any existing CR.spec.imagePullSecrets— standardcorev1.LocalObjectReferencelist, forwarded verbatim to the underlying CNPGClusterSpec.ImagePullSecrets. Lets users pullpostgresImage,gatewayImage, and any plugin-injected sidecar image from a private registry (e.g., a token-protected ACR) with one field.Both features are mode-agnostic: existing
documentDBImageusers see byte-identical output unless they opt in.What's new on
DocumentDBSpecpostgresUID/postgresGID(*int32)preloadLibraries([]string)shared_preload_librariesset. Honoured even in default mode for users with custom build setups.postInitSQL([]string)CREATE EXTENSION documentdb CASCADE+ role setup).imagePullSecrets([]corev1.LocalObjectReference)Behaviour matrix
documentDBImageset?preloadLibraries/postInitSQLverbatim; propagatepostgresUID/GIDto CNPG.Test coverage
operator/src/internal/cnpg/cnpg_cluster_test.go— new GinkgoContexts:combined-image mode— extension list, libraries, post-init SQL, UID/GID propagation, defaults preserved.default ImageVolume mode preserves prior behaviour— proves the existing path is byte-identical.imagePullSecrets propagation— single ref, multiple refs (order-preserving), unset-stays-nil.make manifests generateregenerates the CRD + DeepCopy; both helm-chart andconfig/crd/bases/copies are updated.Compatibility
Clusterspec as before.DocumentDBSpec.imagePullSecretsis a no-op when empty/unset; no change to image-pull semantics for existing CRs.Files
operator/src/api/preview/documentdb_types.go— new fieldsoperator/src/internal/cnpg/cnpg_cluster.go— wiring (combined-image branches + image-pull-secrets passthrough)operator/src/internal/cnpg/cnpg_cluster_test.go— new test contextszz_generated.deepcopy.go,config/crd/bases/documentdb.io_dbs.yaml,documentdb-helm-chart/crds/documentdb.io_dbs.yaml