feat: support use service account to auth azblob (#613)

* feat: support use service account to auth azblob

Signed-off-by: arkbriar <arkbriar@gmail.com>

* Fix webhook and CRD

Signed-off-by: arkbriar <arkbriar@gmail.com>

---------

Signed-off-by: arkbriar <arkbriar@gmail.com>

apis/risingwave/v1alpha1/risingwave_state_store_backend.go

@@ -146,7 +146,7 @@ type RisingWaveStateStoreBackendGCS struct {
 // RisingWaveAzureBlobCredentials is the reference and keys selector to the AzureBlob access credentials stored in a local secret.
 type RisingWaveAzureBlobCredentials struct {
 	// The name of the secret in the pod's namespace to select from.
-	SecretName string `json:"secretName"`
+	SecretName string `json:"secretName,omitempty"`
 
 	// AccountNameKeyRef is the key of the secret to be the account name. Must be a valid secret key.
 	// Defaults to "AccountName".
@@ -157,6 +157,11 @@ type RisingWaveAzureBlobCredentials struct {
 	// Defaults to "AccountKey".
 	// +kubebuilder:default=AccountKey
 	AccountKeyRef string `json:"accountKeyRef,omitempty"`
+
+	// UseServiceAccount indicates whether to use the service account token mounted in the pod.
+	// If this is enabled, secret and keys are ignored. Defaults to false.
+	// +optional
+	UseServiceAccount *bool `json:"useServiceAccount,omitempty"`
 }
 
 // RisingWaveAliyunOSSCredentials is the reference and keys selector to the AliyunOSS access credentials stored in a local secret.

config/crd/bases/risingwave.risingwavelabs.com_risingwaves.yaml

@@ -29087,8 +29087,11 @@ spec:
                             description: The name of the secret in the pod's namespace
                               to select from.
                             type: string
-                        required:
-                        - secretName
+                          useServiceAccount:
+                            description: |-
+                              UseServiceAccount indicates whether to use the service account token mounted in the pod.
+                              If this is enabled, secret and keys are ignored. Defaults to false.
+                            type: boolean
                         type: object
                       endpoint:
                         description: |-

config/risingwave-operator-test.yaml

@@ -29104,8 +29104,11 @@ spec:
                             description: The name of the secret in the pod's namespace
                               to select from.
                             type: string
-                        required:
-                        - secretName
+                          useServiceAccount:
+                            description: |-
+                              UseServiceAccount indicates whether to use the service account token mounted in the pod.
+                              If this is enabled, secret and keys are ignored. Defaults to false.
+                            type: boolean
                         type: object
                       endpoint:
                         description: |-

config/risingwave-operator.yaml

@@ -29104,8 +29104,11 @@ spec:
                             description: The name of the secret in the pod's namespace
                               to select from.
                             type: string
-                        required:
-                        - secretName
+                          useServiceAccount:
+                            description: |-
+                              UseServiceAccount indicates whether to use the service account token mounted in the pod.
+                              If this is enabled, secret and keys are ignored. Defaults to false.
+                            type: boolean
                         type: object
                       endpoint:
                         description: |-

docs/general/api.md

@@ -791,6 +791,19 @@ string
 Defaults to &ldquo;AccountKey&rdquo;.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>useServiceAccount</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>UseServiceAccount indicates whether to use the service account token mounted in the pod.
+If this is enabled, secret and keys are ignored. Defaults to false.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="risingwave.risingwavelabs.com/v1alpha1.RisingWaveComponent">RisingWaveComponent

pkg/factory/risingwave_object_factory.go

@@ -886,34 +886,40 @@ func (f *RisingWaveObjectFactory) envsForAliyunOSS() []corev1.EnvVar {
 func (f *RisingWaveObjectFactory) envsForAzureBlob() []corev1.EnvVar {
 	stateStore := &f.risingwave.Spec.StateStore
 	credentials := stateStore.AzureBlob.RisingWaveAzureBlobCredentials
-	secretRef := corev1.LocalObjectReference{
-		Name: credentials.SecretName,
+	envVars := []corev1.EnvVar{
+		{
+			Name:  envs.AzureBlobEndpoint,
+			Value: stateStore.AzureBlob.Endpoint,
+		},
 	}
-	return []corev1.EnvVar{
 
-		{
-			Name: envs.AzureBlobAccountName,
-			ValueFrom: &corev1.EnvVarSource{
-				SecretKeyRef: &corev1.SecretKeySelector{
-					LocalObjectReference: secretRef,
-					Key:                  credentials.AccountNameRef,
+	if !ptr.Deref(credentials.UseServiceAccount, false) {
+		secretRef := corev1.LocalObjectReference{
+			Name: credentials.SecretName,
+		}
+		envVars = append(envVars, []corev1.EnvVar{
+			{
+				Name: envs.AzureBlobAccountName,
+				ValueFrom: &corev1.EnvVarSource{
+					SecretKeyRef: &corev1.SecretKeySelector{
+						LocalObjectReference: secretRef,
+						Key:                  credentials.AccountNameRef,
+					},
 				},
 			},
-		},
-		{
-			Name: envs.AzureBlobAccountKey,
-			ValueFrom: &corev1.EnvVarSource{
-				SecretKeyRef: &corev1.SecretKeySelector{
-					LocalObjectReference: secretRef,
-					Key:                  credentials.AccountKeyRef,
+			{
+				Name: envs.AzureBlobAccountKey,
+				ValueFrom: &corev1.EnvVarSource{
+					SecretKeyRef: &corev1.SecretKeySelector{
+						LocalObjectReference: secretRef,
+						Key:                  credentials.AccountKeyRef,
+					},
 				},
 			},
-		},
-		{
-			Name:  envs.AzureBlobEndpoint,
-			Value: stateStore.AzureBlob.Endpoint,
-		},
+		}...)
 	}
+
+	return envVars
 }
 
 func (f *RisingWaveObjectFactory) envsForHDFS() []corev1.EnvVar {

pkg/factory/risingwave_object_factory_testcases_test.go

@@ -3401,6 +3401,29 @@ func stateStoreTestCases() map[string]stateStoresTestCase {
 				},
 			},
 		},
+		"azure-blob-use-sa": {
+			stateStore: risingwavev1alpha1.RisingWaveStateStoreBackend{
+				AzureBlob: &risingwavev1alpha1.RisingWaveStateStoreBackendAzureBlob{
+					Container: "azure-blob-hummock01",
+					Root:      "/azure-blob-root",
+					Endpoint:  "https://accountName.blob.core.windows.net",
+					RisingWaveAzureBlobCredentials: risingwavev1alpha1.RisingWaveAzureBlobCredentials{
+						SecretName:        "azure-blob-creds",
+						UseServiceAccount: ptr.To(true),
+					},
+				},
+			},
+			envs: []corev1.EnvVar{
+				{
+					Name:  "RW_STATE_STORE",
+					Value: "hummock+azblob://azure-blob-hummock01@/azure-blob-root",
+				},
+				{
+					Name:  "AZBLOB_ENDPOINT",
+					Value: "https://accountName.blob.core.windows.net",
+				},
+			},
+		},
 		"hdfs": {
 			stateStore: risingwavev1alpha1.RisingWaveStateStoreBackend{
 				HDFS: &risingwavev1alpha1.RisingWaveStateStoreBackendHDFS{

pkg/webhook/risingwave_validating_webhook.go

@@ -202,6 +202,13 @@ func (v *RisingWaveValidatingWebhook) validateMetaStoreAndStateStore(path *field
 		}
 	}
 
+	if isStateAzureBlob {
+		if !ptr.Deref(stateStore.AzureBlob.UseServiceAccount, false) &&
+			stateStore.AzureBlob.RisingWaveAzureBlobCredentials.SecretName == "" {
+			fieldErrs = append(fieldErrs, field.Invalid(path.Child("stateStore", "azureBlob", "credentials"), stateStore.S3.SecretName, "either secretName or useServiceAccount must be specified"))
+		}
+	}
+
 	if isStateGCS {
 		if !ptr.Deref(stateStore.GCS.UseWorkloadIdentity, false) && (stateStore.GCS.RisingWaveGCSCredentials.SecretName == "") {
 			fieldErrs = append(fieldErrs, field.Invalid(path.Child("stateStore", "gcs", "credentials"), stateStore.GCS.RisingWaveGCSCredentials.SecretName, "either secretName or useWorkloadIdentity must be specified"))