chore: support updating TLS certificates (#8850)

apis/apps/v1/types.go

@@ -593,8 +593,14 @@ const (
 	IssuerUserProvided IssuerName = "UserProvided"
 )
 
-// TLSSecretRef defines Secret contains Tls certs
+// TLSSecretRef defines the Secret that contains TLS certs.
 type TLSSecretRef struct {
+	// The namespace where the secret is located.
+	// If not provided, the secret is assumed to be in the same namespace as the Cluster object.
+	//
+	// +optional
+	Namespace string `json:"namespace"`
+
 	// Name of the Secret that contains user-provided certificates.
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`

config/crd/bases/apps.kubeblocks.io_clusters.yaml

@@ -3782,6 +3782,11 @@ spec:
                               description: Name of the Secret that contains user-provided
                                 certificates.
                               type: string
+                            namespace:
+                              description: |-
+                                The namespace where the secret is located.
+                                If not provided, the secret is assumed to be in the same namespace as the Cluster object.
+                              type: string
                           required:
                           - ca
                           - cert
@@ -12530,6 +12535,11 @@ spec:
                                   description: Name of the Secret that contains user-provided
                                     certificates.
                                   type: string
+                                namespace:
+                                  description: |-
+                                    The namespace where the secret is located.
+                                    If not provided, the secret is assumed to be in the same namespace as the Cluster object.
+                                  type: string
                               required:
                               - ca
                               - cert

config/crd/bases/apps.kubeblocks.io_components.yaml

@@ -5661,6 +5661,11 @@ spec:
                             description: Name of the Secret that contains user-provided
                               certificates.
                             type: string
+                          namespace:
+                            description: |-
+                              The namespace where the secret is located.
+                              If not provided, the secret is assumed to be in the same namespace as the Cluster object.
+                            type: string
                         required:
                         - ca
                         - cert

controllers/apps/cluster/transformer_cluster_sharding_tls.go

@@ -137,7 +137,7 @@ func (t *clusterShardingTLSTransformer) buildTLSSecret(transCtx *clusterTransfor
 		Name:        sharding.Name,
 	}
 	secret := t.newTLSSecret(transCtx, sharding, compDef)
-	return plan.ComposeTLSSecret(compDef, synthesizedComp, secret)
+	return plan.ComposeTLSCertsWithSecret(compDef, synthesizedComp, secret)
 }
 
 func (t *clusterShardingTLSTransformer) newTLSSecret(transCtx *clusterTransformContext,
@@ -157,7 +157,7 @@ func (t *clusterShardingTLSTransformer) newTLSSecret(transCtx *clusterTransformC
 		AddLabelsInMap(compDef.Spec.Labels).
 		AddAnnotationsInMap(sharding.Template.Annotations).
 		AddAnnotationsInMap(compDef.Spec.Annotations).
-		SetStringData(map[string]string{}).
+		SetData(map[string][]byte{}).
 		GetObject()
 }
 
@@ -166,7 +166,8 @@ func (t *clusterShardingTLSTransformer) rewriteTLSConfig(
 	sharding.Template.Issuer = &appsv1.Issuer{
 		Name: appsv1.IssuerUserProvided,
 		SecretRef: &appsv1.TLSSecretRef{
-			Name: shardingTLSSecretName(transCtx.Cluster.Name, sharding.Name),
+			Namespace: transCtx.Cluster.Namespace,
+			Name:      shardingTLSSecretName(transCtx.Cluster.Name, sharding.Name),
 		},
 	}
 	tls := compDef.Spec.TLS

controllers/apps/component/component_controller.go

@@ -155,7 +155,7 @@ func (r *ComponentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 			// handle component system accounts
 			&componentAccountTransformer{},
 			// handle the TLS configuration
-			&componentTLSTransformer{Client: r.Client},
+			&componentTLSTransformer{},
 			// rerender parameters after v-scale and h-scale
 			&componentRelatedParametersTransformer{Client: r.Client},
 			// resolve and build vars for template and Env

controllers/apps/component/component_controller_test.go

@@ -48,7 +48,6 @@ import (
 	"github.com/apecloud/kubeblocks/pkg/constant"
 	"github.com/apecloud/kubeblocks/pkg/controller/builder"
 	"github.com/apecloud/kubeblocks/pkg/controller/component"
-	"github.com/apecloud/kubeblocks/pkg/controller/plan"
 	intctrlutil "github.com/apecloud/kubeblocks/pkg/controllerutil"
 	"github.com/apecloud/kubeblocks/pkg/generics"
 	kbacli "github.com/apecloud/kubeblocks/pkg/kbagent/client"
@@ -1154,7 +1153,7 @@ var _ = Describe("Component Controller", func() {
 		By("check TLS secret")
 		secretKey := types.NamespacedName{
 			Namespace: compObj.Namespace,
-			Name:      plan.GenerateTLSSecretName(clusterKey.Name, compName),
+			Name:      tlsSecretName(clusterKey.Name, compName),
 		}
 		Eventually(testapps.CheckObj(&testCtx, secretKey, func(g Gomega, secret *corev1.Secret) {
 			g.Expect(secret.Data).Should(HaveKey(*tls.CAFile))
@@ -1167,12 +1166,7 @@ var _ = Describe("Component Controller", func() {
 			Name: tls.VolumeName,
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: secretKey.Name,
-					Items: []corev1.KeyToPath{
-						{Key: *tls.CAFile, Path: *tls.CAFile},
-						{Key: *tls.CertFile, Path: *tls.CertFile},
-						{Key: *tls.KeyFile, Path: *tls.KeyFile},
-					},
+					SecretName:  secretKey.Name,
 					Optional:    ptr.To(false),
 					DefaultMode: tls.DefaultMode,
 				},