@@ -1093,21 +1061,15 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
diff --git a/console-web/types/api.ts b/console-web/types/api.ts
index e350a25..008b5f6 100644
--- a/console-web/types/api.ts
+++ b/console-web/types/api.ts
@@ -271,8 +271,6 @@ export interface VaultInfo {
prefix: string | null
authType: string | null
appRole: AppRoleInfo | null
- tlsSkipVerify: boolean | null
- customCertificates: boolean | null
}
export interface LocalKmsInfo {
@@ -310,8 +308,6 @@ export interface UpdateEncryptionRequest {
engine?: string
retrySeconds?: number
}
- tlsSkipVerify?: boolean
- customCertificates?: boolean
}
local?: {
keyDirectory?: string
diff --git a/deploy/rustfs-operator/crds/tenant-crd.yaml b/deploy/rustfs-operator/crds/tenant-crd.yaml
index b6db5da..fcd8740 100644
--- a/deploy/rustfs-operator/crds/tenant-crd.yaml
+++ b/deploy/rustfs-operator/crds/tenant-crd.yaml
@@ -66,7 +66,7 @@ spec:
kmsSecret:
description: |-
Reference to a Secret containing sensitive KMS credentials
- (Vault token or AppRole credentials, TLS certificates).
+ (Vault token or AppRole credentials).
nullable: true
properties:
name:
@@ -80,19 +80,20 @@ spec:
nullable: true
properties:
keyDirectory:
- description: 'Directory for key files inside the container (default: `/data/kms-keys`).'
+ description: |-
+ Absolute directory for KMS key files inside the container (default: `/data/kms-keys`).
+ Must be absolute; RustFS validates this for the local backend.
nullable: true
type: string
masterKeyId:
- description: 'Master key identifier (default: `default-master-key`).'
+ description: Default KMS key id for SSE (maps to `RUSTFS_KMS_DEFAULT_KEY_ID` in the RustFS binary).
nullable: true
type: string
type: object
pingSeconds:
description: |-
- Interval in seconds for KMS health-check pings (default: disabled).
- When set, the operator stores the value; the in-process KMS library
- picks it up from `RUSTFS_KMS_PING_SECONDS`.
+ Reserved for future KMS health-check tuning. Not injected into pods: the current RustFS
+ release does not read `RUSTFS_KMS_PING_SECONDS` in the server startup path.
format: int32
nullable: true
type: integer
@@ -125,19 +126,11 @@ spec:
- null
nullable: true
type: string
- customCertificates:
- description: |-
- Enable custom TLS certificates for the Vault connection.
- When `true`, the operator mounts TLS certificate files from the KMS Secret
- and configures the corresponding environment variables.
- The Secret must contain: `vault-ca-cert`, `vault-client-cert`, `vault-client-key`.
- nullable: true
- type: boolean
endpoint:
description: Vault server endpoint (e.g. `https://vault.example.com:8200`).
type: string
engine:
- description: 'Vault KV2 engine mount path (default: `kv`).'
+ description: KV secrets engine mount path (maps to `RUSTFS_KMS_VAULT_KV_MOUNT` in rustfs-kms; e.g. `secret`, `kv`).
nullable: true
type: string
namespace:
@@ -145,13 +138,9 @@ spec:
nullable: true
type: string
prefix:
- description: Key prefix inside the engine.
+ description: Key prefix inside the KV engine (maps to `RUSTFS_KMS_VAULT_KEY_PREFIX`).
nullable: true
type: string
- tlsSkipVerify:
- description: Skip TLS certificate verification for Vault connection.
- nullable: true
- type: boolean
required:
- endpoint
type: object
diff --git a/deploy/rustfs-operator/crds/tenant.yaml b/deploy/rustfs-operator/crds/tenant.yaml
index b6db5da..fcd8740 100755
--- a/deploy/rustfs-operator/crds/tenant.yaml
+++ b/deploy/rustfs-operator/crds/tenant.yaml
@@ -66,7 +66,7 @@ spec:
kmsSecret:
description: |-
Reference to a Secret containing sensitive KMS credentials
- (Vault token or AppRole credentials, TLS certificates).
+ (Vault token or AppRole credentials).
nullable: true
properties:
name:
@@ -80,19 +80,20 @@ spec:
nullable: true
properties:
keyDirectory:
- description: 'Directory for key files inside the container (default: `/data/kms-keys`).'
+ description: |-
+ Absolute directory for KMS key files inside the container (default: `/data/kms-keys`).
+ Must be absolute; RustFS validates this for the local backend.
nullable: true
type: string
masterKeyId:
- description: 'Master key identifier (default: `default-master-key`).'
+ description: Default KMS key id for SSE (maps to `RUSTFS_KMS_DEFAULT_KEY_ID` in the RustFS binary).
nullable: true
type: string
type: object
pingSeconds:
description: |-
- Interval in seconds for KMS health-check pings (default: disabled).
- When set, the operator stores the value; the in-process KMS library
- picks it up from `RUSTFS_KMS_PING_SECONDS`.
+ Reserved for future KMS health-check tuning. Not injected into pods: the current RustFS
+ release does not read `RUSTFS_KMS_PING_SECONDS` in the server startup path.
format: int32
nullable: true
type: integer
@@ -125,19 +126,11 @@ spec:
- null
nullable: true
type: string
- customCertificates:
- description: |-
- Enable custom TLS certificates for the Vault connection.
- When `true`, the operator mounts TLS certificate files from the KMS Secret
- and configures the corresponding environment variables.
- The Secret must contain: `vault-ca-cert`, `vault-client-cert`, `vault-client-key`.
- nullable: true
- type: boolean
endpoint:
description: Vault server endpoint (e.g. `https://vault.example.com:8200`).
type: string
engine:
- description: 'Vault KV2 engine mount path (default: `kv`).'
+ description: KV secrets engine mount path (maps to `RUSTFS_KMS_VAULT_KV_MOUNT` in rustfs-kms; e.g. `secret`, `kv`).
nullable: true
type: string
namespace:
@@ -145,13 +138,9 @@ spec:
nullable: true
type: string
prefix:
- description: Key prefix inside the engine.
+ description: Key prefix inside the KV engine (maps to `RUSTFS_KMS_VAULT_KEY_PREFIX`).
nullable: true
type: string
- tlsSkipVerify:
- description: Skip TLS certificate verification for Vault connection.
- nullable: true
- type: boolean
required:
- endpoint
type: object
diff --git a/src/console/handlers/encryption.rs b/src/console/handlers/encryption.rs
index 52d1d0e..98b9b9e 100644
--- a/src/console/handlers/encryption.rs
+++ b/src/console/handlers/encryption.rs
@@ -55,8 +55,6 @@ pub async fn get_encryption(
engine: ar.engine.clone(),
retry_seconds: ar.retry_seconds,
}),
- tls_skip_verify: v.tls_skip_verify,
- custom_certificates: v.custom_certificates,
}),
local: enc.local.as_ref().map(|l| LocalInfo {
key_directory: l.key_directory.clone(),
@@ -152,8 +150,6 @@ pub async fn update_encryption(
engine: ar.engine,
retry_seconds: ar.retry_seconds,
}),
- tls_skip_verify: v.tls_skip_verify,
- custom_certificates: v.custom_certificates,
})
} else {
None
diff --git a/src/console/models/encryption.rs b/src/console/models/encryption.rs
index 6a5c7a2..1717eaa 100644
--- a/src/console/models/encryption.rs
+++ b/src/console/models/encryption.rs
@@ -38,8 +38,6 @@ pub struct VaultInfo {
pub prefix: Option
,
pub auth_type: Option,
pub app_role: Option,
- pub tls_skip_verify: Option,
- pub custom_certificates: Option,
}
/// AppRole non-sensitive fields.
@@ -90,8 +88,6 @@ pub struct UpdateVaultRequest {
pub prefix: Option,
pub auth_type: Option,
pub app_role: Option,
- pub tls_skip_verify: Option,
- pub custom_certificates: Option,
}
#[derive(Debug, Deserialize, ToSchema)]
diff --git a/src/context.rs b/src/context.rs
index 238c39f..69e0606 100755
--- a/src/context.rs
+++ b/src/context.rs
@@ -75,6 +75,31 @@ pub enum Error {
Serde { source: serde_json::Error },
}
+/// Validates Local KMS: absolute `keyDirectory` and at most one server replica across pools.
+fn validate_local_kms_tenant(
+ local: Option<&types::v1alpha1::encryption::LocalKmsConfig>,
+ pools: &[types::v1alpha1::pool::Pool],
+) -> Result<(), Error> {
+ let key_dir = local
+ .and_then(|l| l.key_directory.as_deref())
+ .unwrap_or("/data/kms-keys");
+ if !key_dir.starts_with('/') {
+ return Err(Error::KmsConfigInvalid {
+ message: format!(
+ "Local KMS keyDirectory must be an absolute path (got \"{}\")",
+ key_dir
+ ),
+ });
+ }
+ let total_servers: i32 = pools.iter().map(|p| p.servers).sum();
+ if total_servers > 1 {
+ return Err(Error::KmsConfigInvalid {
+ message: "Local KMS is only supported when the tenant has a single RustFS server replica (sum of pool servers must be 1). For multiple servers use Vault KMS, or use a single-server pool.".to_string(),
+ });
+ }
+ Ok(())
+}
+
pub struct Context {
pub(crate) client: kube::Client,
pub(crate) recorder: Recorder,
@@ -303,8 +328,9 @@ impl Context {
/// Validates encryption configuration and the KMS Secret.
///
/// Checks:
- /// 1. Vault endpoint is non-empty when backend is Vault.
- /// 2. KMS Secret exists and contains the correct keys for the auth type.
+ /// 1. Local KMS: absolute key directory and single replica (sum of pool servers).
+ /// 2. Vault endpoint is non-empty when backend is Vault.
+ /// 3. KMS Secret exists and contains the correct keys for the auth type.
pub async fn validate_kms_secret(&self, tenant: &Tenant) -> Result<(), Error> {
use crate::types::v1alpha1::encryption::{KmsBackendType, VaultAuthType};
@@ -315,6 +341,12 @@ impl Context {
return Ok(());
}
+ // Local KMS: RustFS requires an absolute key directory; multi-replica tenants need Vault
+ // (or a shared filesystem) because each Pod would otherwise have its own key files.
+ if enc.backend == KmsBackendType::Local {
+ validate_local_kms_tenant(enc.local.as_ref(), &tenant.spec.pools)?;
+ }
+
// Validate Vault endpoint is non-empty and kms_secret is required for Vault
if enc.backend == KmsBackendType::Vault {
let endpoint_empty = enc
@@ -468,3 +500,46 @@ impl Context {
Ok((status.current_revision, status.update_revision))
}
}
+
+#[cfg(test)]
+mod validate_local_kms_tests {
+ use super::Error;
+ use super::validate_local_kms_tenant;
+ use crate::types::v1alpha1::encryption::LocalKmsConfig;
+ use crate::types::v1alpha1::persistence::PersistenceConfig;
+ use crate::types::v1alpha1::pool::Pool;
+
+ fn pool(servers: i32) -> Pool {
+ Pool {
+ name: "p".to_string(),
+ servers,
+ persistence: PersistenceConfig {
+ volumes_per_server: 4,
+ ..Default::default()
+ },
+ scheduling: Default::default(),
+ }
+ }
+
+ #[test]
+ fn local_kms_default_key_dir_ok_single_replica() {
+ validate_local_kms_tenant(None, &[pool(1)]).unwrap();
+ }
+
+ #[test]
+ fn local_kms_rejects_relative_key_dir() {
+ let local = LocalKmsConfig {
+ key_directory: Some("data/kms".to_string()),
+ ..Default::default()
+ };
+ let err = validate_local_kms_tenant(Some(&local), &[pool(1)]).unwrap_err();
+ assert!(matches!(err, Error::KmsConfigInvalid { .. }));
+ }
+
+ #[test]
+ fn local_kms_rejects_multi_pool_multi_replica() {
+ let local = LocalKmsConfig::default();
+ let err = validate_local_kms_tenant(Some(&local), &[pool(2), pool(2)]).unwrap_err();
+ assert!(matches!(err, Error::KmsConfigInvalid { .. }));
+ }
+}
diff --git a/src/reconcile.rs b/src/reconcile.rs
index 2627bac..529e524 100755
--- a/src/reconcile.rs
+++ b/src/reconcile.rs
@@ -79,10 +79,11 @@ pub async fn reconcile_rustfs(tenant: Arc, ctx: Arc) -> Result<
return Err(e.into());
}
- // Validate KMS Secret if encryption is configured
+ // Validate encryption / KMS: Vault requires endpoint + kmsSecret (and correct keys);
+ // must run whenever encryption is enabled — not only when kmsSecret is set, or Vault
+ // without a Secret reference would skip validation entirely.
if let Some(ref enc) = latest_tenant.spec.encryption
&& enc.enabled
- && enc.kms_secret.is_some()
&& let Err(e) = ctx.validate_kms_secret(&latest_tenant).await
{
let _ = ctx
diff --git a/src/types/v1alpha1/encryption.rs b/src/types/v1alpha1/encryption.rs
index e5e8ba0..3da37b8 100644
--- a/src/types/v1alpha1/encryption.rs
+++ b/src/types/v1alpha1/encryption.rs
@@ -65,7 +65,7 @@ impl std::fmt::Display for VaultAuthType {
/// Vault-specific KMS configuration.
///
/// Maps to `VaultConfig` in the `rustfs-kms` crate.
-/// Sensitive fields (token, TLS keys) are stored in the Secret referenced
+/// Sensitive fields (Vault token or AppRole credentials) are stored in the Secret referenced
/// by `EncryptionConfig::kms_secret`.
#[derive(Deserialize, Serialize, Clone, Debug, KubeSchema, Default)]
#[serde(rename_all = "camelCase")]
@@ -73,7 +73,7 @@ pub struct VaultKmsConfig {
/// Vault server endpoint (e.g. `https://vault.example.com:8200`).
pub endpoint: String,
- /// Vault KV2 engine mount path (default: `kv`).
+ /// KV secrets engine mount path (maps to `RUSTFS_KMS_VAULT_KV_MOUNT` in rustfs-kms; e.g. `secret`, `kv`).
#[serde(default, skip_serializing_if = "Option::is_none")]
pub engine: Option,
@@ -81,7 +81,7 @@ pub struct VaultKmsConfig {
#[serde(default, skip_serializing_if = "Option::is_none")]
pub namespace: Option,
- /// Key prefix inside the engine.
+ /// Key prefix inside the KV engine (maps to `RUSTFS_KMS_VAULT_KEY_PREFIX`).
#[serde(default, skip_serializing_if = "Option::is_none")]
pub prefix: Option,
@@ -94,17 +94,6 @@ pub struct VaultKmsConfig {
/// under keys `vault-approle-id` and `vault-approle-secret`.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub app_role: Option,
-
- /// Skip TLS certificate verification for Vault connection.
- #[serde(default, skip_serializing_if = "Option::is_none")]
- pub tls_skip_verify: Option,
-
- /// Enable custom TLS certificates for the Vault connection.
- /// When `true`, the operator mounts TLS certificate files from the KMS Secret
- /// and configures the corresponding environment variables.
- /// The Secret must contain: `vault-ca-cert`, `vault-client-cert`, `vault-client-key`.
- #[serde(default, skip_serializing_if = "Option::is_none")]
- pub custom_certificates: Option,
}
/// Vault AppRole authentication settings.
@@ -132,23 +121,28 @@ pub struct VaultAppRoleConfig {
///
/// Maps to `LocalConfig` in the `rustfs-kms` crate.
/// Keys are stored as JSON files in the specified directory.
+///
+/// **RustFS binary alignment**: `key_directory` is injected as `RUSTFS_KMS_KEY_DIR` (required by
+/// `rustfs` server startup). `master_key_id` maps to `RUSTFS_KMS_DEFAULT_KEY_ID` (default SSE key id),
+/// not to a "master encryption passphrase" (`RUSTFS_KMS_LOCAL_MASTER_KEY` is separate in rustfs-kms).
#[derive(Deserialize, Serialize, Clone, Debug, KubeSchema, Default)]
#[serde(rename_all = "camelCase")]
pub struct LocalKmsConfig {
- /// Directory for key files inside the container (default: `/data/kms-keys`).
+ /// Absolute directory for KMS key files inside the container (default: `/data/kms-keys`).
+ /// Must be absolute; RustFS validates this for the local backend.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub key_directory: Option,
- /// Master key identifier (default: `default-master-key`).
+ /// Default KMS key id for SSE (maps to `RUSTFS_KMS_DEFAULT_KEY_ID` in the RustFS binary).
#[serde(default, skip_serializing_if = "Option::is_none")]
pub master_key_id: Option,
}
/// Encryption / KMS configuration for a Tenant.
///
-/// When enabled, the operator injects KMS environment variables and mounts
-/// the referenced Secret into all RustFS pods so that the in-process
-/// `rustfs-kms` library picks them up on startup.
+/// When enabled, the operator injects environment variables matching the **RustFS server**
+/// (`rustfs` CLI / `init_kms_system`) and `rustfs_kms::KmsConfig::from_env()` where applicable.
+/// See `Tenant::configure_kms` in `tenant/workloads.rs` for the exact variable names.
///
/// Example YAML:
/// ```yaml
@@ -161,7 +155,6 @@ pub struct LocalKmsConfig {
/// engine: "kv"
/// namespace: "tenant1"
/// prefix: "rustfs"
-/// customCertificates: true
/// kmsSecret:
/// name: "my-tenant-kms-secret"
/// ```
@@ -175,11 +168,6 @@ pub struct LocalKmsConfig {
/// - `vault-approle-id` (required): AppRole role ID
/// - `vault-approle-secret` (required): AppRole secret ID
///
-/// **Vault TLS (when `customCertificates: true`):**
-/// - `vault-ca-cert`: PEM-encoded CA certificate
-/// - `vault-client-cert`: PEM-encoded client certificate for mTLS
-/// - `vault-client-key`: PEM-encoded client private key for mTLS
-///
/// **Local backend:**
/// No secret keys required (keys are stored on disk).
#[derive(Deserialize, Serialize, Clone, Debug, KubeSchema, Default)]
@@ -202,13 +190,12 @@ pub struct EncryptionConfig {
pub local: Option,
/// Reference to a Secret containing sensitive KMS credentials
- /// (Vault token or AppRole credentials, TLS certificates).
+ /// (Vault token or AppRole credentials).
#[serde(default, skip_serializing_if = "Option::is_none")]
pub kms_secret: Option,
- /// Interval in seconds for KMS health-check pings (default: disabled).
- /// When set, the operator stores the value; the in-process KMS library
- /// picks it up from `RUSTFS_KMS_PING_SECONDS`.
+ /// Reserved for future KMS health-check tuning. Not injected into pods: the current RustFS
+ /// release does not read `RUSTFS_KMS_PING_SECONDS` in the server startup path.
#[serde(default, skip_serializing_if = "Option::is_none")]
pub ping_seconds: Option,
}
diff --git a/src/types/v1alpha1/tenant/workloads.rs b/src/types/v1alpha1/tenant/workloads.rs
index a5db7dd..a3546c8 100755
--- a/src/types/v1alpha1/tenant/workloads.rs
+++ b/src/types/v1alpha1/tenant/workloads.rs
@@ -25,9 +25,6 @@ const DEFAULT_RUN_AS_USER: i64 = 10001;
const DEFAULT_RUN_AS_GROUP: i64 = 10001;
const DEFAULT_FS_GROUP: i64 = 10001;
-const KMS_CERT_VOLUME_NAME: &str = "kms-tls";
-const KMS_CERT_MOUNT_PATH: &str = "/etc/rustfs/kms/tls";
-
fn volume_claim_template_name(shard: i32) -> String {
format!("{VOLUME_CLAIM_TEMPLATE_PREFIX}-{shard}")
}
@@ -222,6 +219,11 @@ impl Tenant {
/// Build KMS-related environment variables, pod volumes and container volume mounts
/// based on `spec.encryption`.
///
+ /// Names align with the RustFS server (`rustfs/src/init.rs`, `rustfs/src/config/cli.rs`) and
+ /// `rustfs_kms::KmsConfig::from_env()` (`rustfs/crates/kms/src/config.rs`) for forward compatibility.
+ /// The server currently reads `RUSTFS_KMS_ENABLE`, `RUSTFS_KMS_BACKEND`, `RUSTFS_KMS_KEY_DIR`,
+ /// `RUSTFS_KMS_DEFAULT_KEY_ID`, `RUSTFS_KMS_VAULT_ADDRESS`, and `RUSTFS_KMS_VAULT_TOKEN` on startup.
+ ///
/// Returns `(env_vars, pod_volumes, volume_mounts)`.
fn configure_kms(
&self,
@@ -238,17 +240,17 @@ impl Tenant {
}
let mut env = Vec::new();
- let mut volumes = Vec::new();
- let mut mounts = Vec::new();
+ let volumes: Vec = vec![];
+ let mounts: Vec = vec![];
env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_BACKEND".to_owned(),
- value: Some(enc.backend.to_string()),
+ name: "RUSTFS_KMS_ENABLE".to_owned(),
+ value: Some("true".to_owned()),
..Default::default()
});
env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_AUTO_START".to_owned(),
- value: Some("true".to_owned()),
+ name: "RUSTFS_KMS_BACKEND".to_owned(),
+ value: Some(enc.backend.to_string()),
..Default::default()
});
@@ -256,17 +258,10 @@ impl Tenant {
KmsBackendType::Vault => {
if let Some(ref vault) = enc.vault {
env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_VAULT_ENDPOINT".to_owned(),
+ name: "RUSTFS_KMS_VAULT_ADDRESS".to_owned(),
value: Some(vault.endpoint.clone()),
..Default::default()
});
- if let Some(ref engine) = vault.engine {
- env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_VAULT_ENGINE".to_owned(),
- value: Some(engine.clone()),
- ..Default::default()
- });
- }
if let Some(ref ns) = vault.namespace {
env.push(corev1::EnvVar {
name: "RUSTFS_KMS_VAULT_NAMESPACE".to_owned(),
@@ -274,17 +269,23 @@ impl Tenant {
..Default::default()
});
}
- if let Some(ref prefix) = vault.prefix {
+ // Transit secrets engine mount (rustfs-kms default: `transit`).
+ env.push(corev1::EnvVar {
+ name: "RUSTFS_KMS_VAULT_MOUNT_PATH".to_owned(),
+ value: Some("transit".to_owned()),
+ ..Default::default()
+ });
+ if let Some(ref kv_mount) = vault.engine {
env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_VAULT_PREFIX".to_owned(),
- value: Some(prefix.clone()),
+ name: "RUSTFS_KMS_VAULT_KV_MOUNT".to_owned(),
+ value: Some(kv_mount.clone()),
..Default::default()
});
}
- if vault.tls_skip_verify == Some(true) {
+ if let Some(ref prefix) = vault.prefix {
env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_VAULT_TLS_SKIP_VERIFY".to_owned(),
- value: Some("true".to_owned()),
+ name: "RUSTFS_KMS_VAULT_KEY_PREFIX".to_owned(),
+ value: Some(prefix.clone()),
..Default::default()
});
}
@@ -306,10 +307,10 @@ impl Tenant {
});
if let Some(ar) = enc.vault.as_ref().and_then(|v| v.app_role.as_ref()) {
- if let Some(ref engine) = ar.engine {
+ if let Some(ref approle_engine) = ar.engine {
env.push(corev1::EnvVar {
name: "RUSTFS_KMS_VAULT_APPROLE_ENGINE".to_owned(),
- value: Some(engine.clone()),
+ value: Some(approle_engine.clone()),
..Default::default()
});
}
@@ -365,64 +366,6 @@ impl Tenant {
..Default::default()
});
}
-
- // Only mount TLS certificates when explicitly enabled
- let custom_certs = enc
- .vault
- .as_ref()
- .and_then(|v| v.custom_certificates)
- .unwrap_or(false);
-
- if custom_certs {
- volumes.push(corev1::Volume {
- name: KMS_CERT_VOLUME_NAME.to_string(),
- secret: Some(corev1::SecretVolumeSource {
- secret_name: Some(secret_ref.name.clone()),
- items: Some(vec![
- corev1::KeyToPath {
- key: "vault-ca-cert".to_string(),
- path: "ca.crt".to_string(),
- ..Default::default()
- },
- corev1::KeyToPath {
- key: "vault-client-cert".to_string(),
- path: "client.crt".to_string(),
- ..Default::default()
- },
- corev1::KeyToPath {
- key: "vault-client-key".to_string(),
- path: "client.key".to_string(),
- ..Default::default()
- },
- ]),
- optional: Some(true),
- ..Default::default()
- }),
- ..Default::default()
- });
- mounts.push(corev1::VolumeMount {
- name: KMS_CERT_VOLUME_NAME.to_string(),
- mount_path: KMS_CERT_MOUNT_PATH.to_string(),
- read_only: Some(true),
- ..Default::default()
- });
-
- env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_VAULT_TLS_CA".to_owned(),
- value: Some(format!("{KMS_CERT_MOUNT_PATH}/ca.crt")),
- ..Default::default()
- });
- env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_VAULT_TLS_CERT".to_owned(),
- value: Some(format!("{KMS_CERT_MOUNT_PATH}/client.crt")),
- ..Default::default()
- });
- env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_VAULT_TLS_KEY".to_owned(),
- value: Some(format!("{KMS_CERT_MOUNT_PATH}/client.key")),
- ..Default::default()
- });
- }
}
}
KmsBackendType::Local => {
@@ -430,31 +373,30 @@ impl Tenant {
let key_dir = local_cfg
.and_then(|l| l.key_directory.as_deref())
.unwrap_or("/data/kms-keys");
- let master_key_id = local_cfg
+ let default_key_id = local_cfg
.and_then(|l| l.master_key_id.as_deref())
.unwrap_or("default-master-key");
+ // `rustfs` server reads `RUSTFS_KMS_KEY_DIR` (see `build_local_kms_config`).
+ env.push(corev1::EnvVar {
+ name: "RUSTFS_KMS_KEY_DIR".to_owned(),
+ value: Some(key_dir.to_string()),
+ ..Default::default()
+ });
+ // Duplicate for `rustfs_kms::KmsConfig::from_env()` which uses `RUSTFS_KMS_LOCAL_KEY_DIR`.
env.push(corev1::EnvVar {
name: "RUSTFS_KMS_LOCAL_KEY_DIR".to_owned(),
value: Some(key_dir.to_string()),
..Default::default()
});
env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_LOCAL_MASTER_KEY_ID".to_owned(),
- value: Some(master_key_id.to_string()),
+ name: "RUSTFS_KMS_DEFAULT_KEY_ID".to_owned(),
+ value: Some(default_key_id.to_string()),
..Default::default()
});
}
}
- if let Some(ping) = enc.ping_seconds {
- env.push(corev1::EnvVar {
- name: "RUSTFS_KMS_PING_SECONDS".to_owned(),
- value: Some(ping.to_string()),
- ..Default::default()
- });
- }
-
(env, volumes, mounts)
}
From f0efb53c04a6cef6a9013420c43d819af6da1628 Mon Sep 17 00:00:00 2001
From: GatewayJ <835269233@qq.com>
Date: Sun, 29 Mar 2026 23:11:30 +0800
Subject: [PATCH 2/3] feat(console): tenant events SSE stream and scoped
aggregation
Made-with: Cursor
---
CHANGELOG.md | 2 +
Cargo.lock | 13 +
Cargo.toml | 1 +
.../[name]/tenant-detail-client.tsx | 48 +++-
console-web/lib/api.ts | 20 +-
src/console/error.rs | 9 +-
src/console/handlers/events.rs | 159 +++++++++----
src/console/mod.rs | 1 +
src/console/openapi.rs | 8 +-
src/console/routes/mod.rs | 6 +-
src/console/tenant_event_scope.rs | 224 ++++++++++++++++++
11 files changed, 424 insertions(+), 67 deletions(-)
create mode 100644 src/console/tenant_event_scope.rs
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 39a0b09..6da2d0e 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed
+- **Console Tenant Events (breaking)**: Removed `GET /api/v1/namespaces/{namespace}/tenants/{tenant}/events`. Events are delivered via **SSE** `GET .../tenants/{tenant}/events/stream` (`text/event-stream`; each `data:` line is JSON `EventListResponse`). The tenant detail **Events** tab uses `EventSource` with the same session cookie as other API calls. Aggregates `core/v1` Events for the Tenant CR, Pods, StatefulSets, and PVCs scoped with `rustfs.tenant` / pool naming (see PRD); Tenant rows require `involvedObject.kind=Tenant` and matching name.
+
- **Tenant `spec.encryption.vault`**: Removed `tlsSkipVerify` and `customCertificates` (they were never wired to `rustfs-kms`). Vault TLS should rely on system-trusted CAs or TLS upstream. The project is still pre-production; if you have old YAML with these keys, remove them before apply.
- **KMS pod environment** ([`tenant/workloads.rs`](src/types/v1alpha1/tenant/workloads.rs)): Align variable names with the RustFS server and `rustfs-kms` (`RUSTFS_KMS_ENABLE`, `RUSTFS_KMS_VAULT_ADDRESS`, KV mount and key prefix, local `RUSTFS_KMS_KEY_DIR` / `RUSTFS_KMS_DEFAULT_KEY_ID`, etc.); remove Vault TLS certificate volume mounts; `ping_seconds` remains documented as reserved (not injected).
diff --git a/Cargo.lock b/Cargo.lock
index 2014f34..257c8b6 100755
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1548,6 +1548,7 @@ dependencies = [
"snafu",
"strum",
"tokio",
+ "tokio-stream",
"tokio-util",
"tower",
"tower-http",
@@ -2406,6 +2407,18 @@ dependencies = [
"tokio",
]
+[[package]]
+name = "tokio-stream"
+version = "0.1.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32da49809aab5c3bc678af03902d4ccddea2a87d028d86392a4b1560c6906c70"
+dependencies = [
+ "futures-core",
+ "pin-project-lite",
+ "tokio",
+ "tokio-util",
+]
+
[[package]]
name = "tokio-util"
version = "0.7.17"
diff --git a/Cargo.toml b/Cargo.toml
index a7e2bec..6d0606f 100755
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,6 +12,7 @@ chrono = { version = "0.4", features = ["serde"] }
const-str = "1.0.0"
serde = { version = "1.0.228", features = ["derive"] }
tokio = { version = "1.49.0", features = ["rt", "rt-multi-thread", "macros", "fs", "io-std", "io-util"] }
+tokio-stream = { version = "0.1", features = ["sync"] }
tokio-util = { version = "0.7", features = ["io", "compat"] }
futures = "0.3.31"
tracing = "0.1.44"
diff --git a/console-web/app/(dashboard)/tenants/[namespace]/[name]/tenant-detail-client.tsx b/console-web/app/(dashboard)/tenants/[namespace]/[name]/tenant-detail-client.tsx
index 84947e9..67bf2e2 100644
--- a/console-web/app/(dashboard)/tenants/[namespace]/[name]/tenant-detail-client.tsx
+++ b/console-web/app/(dashboard)/tenants/[namespace]/[name]/tenant-detail-client.tsx
@@ -28,6 +28,7 @@ import type {
PoolDetails,
PodListItem,
EventItem,
+ EventListResponse,
AddPoolRequest,
EncryptionInfoResponse,
UpdateEncryptionRequest,
@@ -72,6 +73,7 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
const [pools, setPools] = useState([])
const [pods, setPods] = useState([])
const [events, setEvents] = useState([])
+ const [eventsLoading, setEventsLoading] = useState(false)
const [loading, setLoading] = useState(true)
const [deleting, setDeleting] = useState(false)
const [addPoolOpen, setAddPoolOpen] = useState(false)
@@ -132,26 +134,20 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
})
const loadTenant = async () => {
- const [detailResult, poolResult, podResult, eventResult] = await Promise.allSettled([
+ const [detailResult, poolResult, podResult] = await Promise.allSettled([
api.getTenant(namespace, name),
api.listPools(namespace, name),
api.listPods(namespace, name),
- api.listTenantEvents(namespace, name),
])
const detailOk = detailResult.status === "fulfilled"
const poolOk = poolResult.status === "fulfilled"
const podOk = podResult.status === "fulfilled"
- const eventOk = eventResult.status === "fulfilled"
if (detailOk && poolOk && podOk) {
setTenant(detailResult.value)
setPools(poolResult.value.pools)
setPods(podResult.value.pods)
- setEvents(eventOk ? eventResult.value.events : [])
- if (!eventOk) {
- toast.error(t("Events could not be loaded"))
- }
} else {
const err = !detailOk
? (detailResult as PromiseRejectedResult).reason
@@ -182,6 +178,36 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
loadTenant()
}, [namespace, name]) // eslint-disable-line react-hooks/exhaustive-deps -- reload when route params change
+ useEffect(() => {
+ setEvents([])
+ }, [namespace, name])
+
+ useEffect(() => {
+ if (tab !== "events") return
+ setEventsLoading(true)
+ let cleaned = false
+ const url = api.getTenantEventsStreamUrl(namespace, name)
+ const es = new EventSource(url, { withCredentials: true })
+ es.onmessage = (ev) => {
+ try {
+ const data = JSON.parse(ev.data) as EventListResponse
+ setEvents(data.events ?? [])
+ } catch {
+ /* ignore malformed chunk */
+ }
+ setEventsLoading(false)
+ }
+ es.onerror = () => {
+ if (cleaned) return
+ toast.error(t("Events stream could not be loaded"))
+ setEventsLoading(false)
+ }
+ return () => {
+ cleaned = true
+ es.close()
+ }
+ }, [tab, namespace, name, t])
+
useEffect(() => {
setTenantYaml("")
setTenantYamlSnapshot("")
@@ -1181,7 +1207,13 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
- {events.length === 0 ? (
+ {eventsLoading && events.length === 0 ? (
+
+
+
+
+
+ ) : events.length === 0 ? (
{t("No events")}
diff --git a/console-web/lib/api.ts b/console-web/lib/api.ts
index 2443a03..d1c24dd 100644
--- a/console-web/lib/api.ts
+++ b/console-web/lib/api.ts
@@ -13,7 +13,6 @@ import type {
PodListResponse,
PodDetails,
DeletePodResponse,
- EventListResponse,
NodeListResponse,
NamespaceListResponse,
ClusterResourcesResponse,
@@ -28,6 +27,7 @@ import type {
SecurityContextUpdateResponse,
} from "@/types/api"
import type { TopologyOverviewResponse } from "@/types/topology"
+import { getApiBaseUrl } from "@/lib/config"
const ns = (namespace: string) => `/namespaces/${encodeURIComponent(namespace)}`
const tenant = (namespace: string, name: string) => `${ns(namespace)}/tenants/${encodeURIComponent(name)}`
@@ -37,8 +37,6 @@ const pool = (namespace: string, name: string, poolName: string) =>
const pods = (namespace: string, name: string) => `${tenant(namespace, name)}/pods`
const pod = (namespace: string, name: string, podName: string) =>
`${pods(namespace, name)}/${encodeURIComponent(podName)}`
-const events = (namespace: string, tenantName: string) =>
- `${ns(namespace)}/tenants/${encodeURIComponent(tenantName)}/events`
const tenantYaml = (namespace: string, name: string) => `${tenant(namespace, name)}/yaml`
const tenantStateCounts = "/tenants/state-counts"
const tenantStateCountsByNs = (namespace: string) => `${ns(namespace)}/tenants/state-counts`
@@ -190,9 +188,19 @@ export async function updateSecurityContext(
return apiClient.put(securityContext(namespace, name), body)
}
-// ----- Events -----
-export async function listTenantEvents(namespace: string, tenantName: string): Promise {
- return apiClient.get(events(namespace, tenantName))
+// ----- Events (SSE) -----
+/** Absolute URL for `EventSource` (cookie session + `withCredentials`). */
+export function getTenantEventsStreamUrl(namespace: string, tenantName: string): string {
+ const path = `${ns(namespace)}/tenants/${encodeURIComponent(tenantName)}/events/stream`
+ if (typeof window === "undefined") {
+ return path
+ }
+ const base = getApiBaseUrl()
+ if (base.startsWith("http://") || base.startsWith("https://")) {
+ return `${base.replace(/\/$/, "")}${path}`
+ }
+ const baseNorm = base.startsWith("/") ? base : `/${base}`
+ return `${window.location.origin}${baseNorm}${path}`
}
// ----- Cluster -----
diff --git a/src/console/error.rs b/src/console/error.rs
index 5a33d47..497b3d3 100755
--- a/src/console/error.rs
+++ b/src/console/error.rs
@@ -52,9 +52,16 @@ pub enum Error {
Json { source: serde_json::Error },
}
-/// Map `kube::Error` to a console error (404 -> NotFound, 409 -> Conflict).
+/// Map `kube::Error` to a console error (403 -> Forbidden, 404 -> NotFound, 409 -> Conflict).
pub fn map_kube_error(e: kube::Error, not_found_resource: impl Into) -> Error {
match &e {
+ kube::Error::Api(ae) if ae.code == 403 => Error::Forbidden {
+ message: if ae.message.is_empty() {
+ "Kubernetes API access denied".to_string()
+ } else {
+ ae.message.clone()
+ },
+ },
kube::Error::Api(ae) if ae.code == 404 => Error::NotFound {
resource: not_found_resource.into(),
},
diff --git a/src/console/handlers/events.rs b/src/console/handlers/events.rs
index 5a88eb7..fa96737 100755
--- a/src/console/handlers/events.rs
+++ b/src/console/handlers/events.rs
@@ -12,65 +12,134 @@
// See the License for the specific language governing permissions and
// limitations under the License.
+use std::convert::Infallible;
+use std::result::Result as StdResult;
+use std::time::Duration;
+
use crate::console::{
- error::{Error, Result},
+ error::{self, Error, Result},
models::event::{EventItem, EventListResponse},
state::Claims,
+ tenant_event_scope::{discover_tenant_event_scope, merge_namespace_events},
+};
+use axum::{
+ Extension,
+ extract::Path,
+ response::sse::{Event, KeepAlive, Sse},
};
-use axum::{Extension, Json, extract::Path};
+use futures::StreamExt;
use k8s_openapi::api::core::v1 as corev1;
-use kube::{Api, Client, api::ListParams};
+use kube::{
+ Api, Client,
+ api::ListParams,
+ runtime::{WatchStreamExt, watcher},
+};
+use tokio_stream::wrappers::ReceiverStream;
-/// List Kubernetes events for objects named like the tenant.
+/// SSE stream of merged tenant-scoped Kubernetes events (PRD §5.1).
///
-/// On list failure (RBAC, field selector, etc.) returns an empty list and logs a warning so the
-/// tenant detail page does not 500.
-pub async fn list_tenant_events(
+/// Uses the same `session` cookie JWT as other console routes. Payload each tick is JSON
+/// `EventListResponse` (full snapshot, max [`tenant_event_scope::MAX_EVENTS_SNAPSHOT`]).
+pub async fn stream_tenant_events(
Path((namespace, tenant)): Path<(String, String)>,
Extension(claims): Extension,
-) -> Result> {
- let client = match create_client(&claims).await {
- Ok(c) => c,
- Err(e) => return Err(e),
- };
- let api: Api = Api::namespaced(client, &namespace);
+) -> Result>>> {
+ let client = create_client(&claims).await?;
+ // Preflight: fail the HTTP request if snapshot cannot be built (avoids 200 + empty SSE).
+ let first_json = build_snapshot_json(&client, &namespace, &tenant).await?;
+ let (tx, rx) = tokio::sync::mpsc::channel::>(16);
+ let ns = namespace.clone();
+ let tenant_name = tenant.clone();
- let field_selector = format!("involvedObject.name={}", tenant);
- let events = match api
- .list(&ListParams::default().fields(&field_selector))
+ tokio::spawn(async move {
+ if let Err(e) = run_event_sse_loop(client, ns, tenant_name, tx, first_json).await {
+ tracing::warn!("Tenant events SSE ended with error: {}", e);
+ }
+ });
+
+ let stream = ReceiverStream::new(rx);
+ Ok(Sse::new(stream).keep_alive(
+ KeepAlive::new()
+ .interval(Duration::from_secs(15))
+ .text("ping"),
+ ))
+}
+
+async fn run_event_sse_loop(
+ client: Client,
+ namespace: String,
+ tenant: String,
+ tx: tokio::sync::mpsc::Sender>,
+ first_json: String,
+) -> Result<()> {
+ if tx
+ .send(Ok(Event::default().data(first_json)))
.await
+ .is_err()
{
- Ok(ev) => ev,
- Err(e) => {
- tracing::warn!(
- "List events for tenant {}/{} failed (returning empty): {}",
- namespace,
- tenant,
- e
- );
- return Ok(Json(EventListResponse { events: vec![] }));
- }
- };
+ return Ok(());
+ }
+
+ let event_api: Api = Api::namespaced(client.clone(), &namespace);
+ let mut watch = watcher(event_api, watcher::Config::default())
+ .default_backoff()
+ .boxed();
+ let mut scope_tick = tokio::time::interval(Duration::from_secs(30));
+ scope_tick.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
- let items: Vec = events
- .items
- .into_iter()
- .map(|e| EventItem {
- event_type: e.type_.unwrap_or_default(),
- reason: e.reason.unwrap_or_default(),
- message: e.message.unwrap_or_default(),
- involved_object: format!(
- "{}/{}",
- e.involved_object.kind.unwrap_or_default(),
- e.involved_object.name.unwrap_or_default()
- ),
- first_timestamp: e.first_timestamp.map(|ts| ts.0.to_rfc3339()),
- last_timestamp: e.last_timestamp.map(|ts| ts.0.to_rfc3339()),
- count: e.count.unwrap_or(0),
- })
- .collect();
+ loop {
+ tokio::select! {
+ _ = scope_tick.tick() => {
+ let json = match build_snapshot_json(&client, &namespace, &tenant).await {
+ Ok(j) => j,
+ Err(e) => {
+ tracing::warn!("tenant events snapshot failed: {}", e);
+ continue;
+ }
+ };
+ if tx.send(Ok(Event::default().data(json))).await.is_err() {
+ return Ok(());
+ }
+ }
+ ev = watch.next() => {
+ match ev {
+ Some(Ok(_)) => {
+ let json = match build_snapshot_json(&client, &namespace, &tenant).await {
+ Ok(j) => j,
+ Err(e) => {
+ tracing::warn!("tenant events snapshot failed: {}", e);
+ continue;
+ }
+ };
+ if tx.send(Ok(Event::default().data(json))).await.is_err() {
+ return Ok(());
+ }
+ }
+ Some(Err(e)) => {
+ tracing::warn!("Kubernetes Event watch error: {}", e);
+ }
+ None => return Ok(()),
+ }
+ }
+ }
+ }
+}
- Ok(Json(EventListResponse { events: items }))
+async fn build_snapshot_json(client: &Client, namespace: &str, tenant: &str) -> Result {
+ let scope = discover_tenant_event_scope(client, namespace, tenant).await?;
+ let api: Api = Api::namespaced(client.clone(), namespace);
+ let list = api.list(&ListParams::default()).await.map_err(|e| {
+ tracing::warn!(
+ "List events for tenant {}/{} failed: {}",
+ namespace,
+ tenant,
+ e
+ );
+ error::map_kube_error(e, format!("Events for tenant '{}'", tenant))
+ })?;
+ let items: Vec = merge_namespace_events(&scope, list.items);
+ let body = EventListResponse { events: items };
+ serde_json::to_string(&body).map_err(|e| Error::Json { source: e })
}
/// Build a client impersonating the session token.
diff --git a/src/console/mod.rs b/src/console/mod.rs
index c46315e..f0ee932 100755
--- a/src/console/mod.rs
+++ b/src/console/mod.rs
@@ -25,3 +25,4 @@ pub mod openapi;
pub mod routes;
pub mod server;
pub mod state;
+pub mod tenant_event_scope;
diff --git a/src/console/openapi.rs b/src/console/openapi.rs
index a58944f..c92d070 100644
--- a/src/console/openapi.rs
+++ b/src/console/openapi.rs
@@ -69,7 +69,7 @@ use crate::console::models::topology::{
api_delete_pod,
api_restart_pod,
api_get_pod_logs,
- api_list_events,
+ api_stream_tenant_events,
api_list_nodes,
api_get_cluster_resources,
api_list_namespaces,
@@ -268,9 +268,9 @@ fn api_restart_pod(_body: Json) -> Json {
#[utoipa::path(get, path = "/api/v1/namespaces/{namespace}/tenants/{name}/pods/{pod}/logs", params(("namespace" = String, Path), ("name" = String, Path), ("pod" = String, Path), ("container" = Option, Query), ("tail_lines" = Option, Query), ("timestamps" = Option, Query)), responses((status = 200, description = "Plain text log output", content_type = "text/plain")), tag = "pods")]
fn api_get_pod_logs() {}
-// --- Events ---
-#[utoipa::path(get, path = "/api/v1/namespaces/{namespace}/tenants/{tenant}/events", params(("namespace" = String, Path), ("tenant" = String, Path)), responses((status = 200, body = EventListResponse)), tag = "events")]
-fn api_list_events() -> Json {
+// --- Events (SSE) ---
+#[utoipa::path(get, path = "/api/v1/namespaces/{namespace}/tenants/{tenant}/events/stream", params(("namespace" = String, Path), ("tenant" = String, Path)), responses((status = 200, description = "text/event-stream; each `data:` payload is JSON EventListResponse", body = EventListResponse, content_type = "application/json")), tag = "events")]
+fn api_stream_tenant_events() {
unimplemented!("Documentation only")
}
diff --git a/src/console/routes/mod.rs b/src/console/routes/mod.rs
index 20f8432..38facc2 100755
--- a/src/console/routes/mod.rs
+++ b/src/console/routes/mod.rs
@@ -124,11 +124,11 @@ pub fn pod_routes() -> Router {
)
}
-/// Kubernetes events for a tenant
+/// Kubernetes events for a tenant (SSE)
pub fn event_routes() -> Router {
Router::new().route(
- "/namespaces/:namespace/tenants/:tenant/events",
- get(handlers::events::list_tenant_events),
+ "/namespaces/:namespace/tenants/:tenant/events/stream",
+ get(handlers::events::stream_tenant_events),
)
}
diff --git a/src/console/tenant_event_scope.rs b/src/console/tenant_event_scope.rs
new file mode 100644
index 0000000..6cd5dc7
--- /dev/null
+++ b/src/console/tenant_event_scope.rs
@@ -0,0 +1,224 @@
+// Copyright 2025 RustFS Team
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Discover which `(involvedObject.kind, involvedObject.name)` pairs belong to a Tenant for event aggregation (PRD §4.1).
+
+use std::cmp::Reverse;
+use std::collections::{HashMap, HashSet};
+
+use k8s_openapi::api::core::v1 as corev1;
+use kube::{Api, Client, ResourceExt, api::ListParams};
+
+use crate::console::{
+ error::{self, Result},
+ models::event::EventItem,
+};
+use crate::types::v1alpha1::tenant::Tenant;
+
+/// `involvedObject.kind` for the Tenant CR (matches CRD `names.kind`).
+pub const TENANT_CR_KIND: &str = "Tenant";
+
+/// Default max events per SSE snapshot (PRD §5.1).
+pub const MAX_EVENTS_SNAPSHOT: usize = 200;
+
+/// Label selector `rustfs.tenant=` — must match [`crate::console::handlers::pods::list_pods`].
+pub fn tenant_label_selector(tenant: &str) -> String {
+ format!("rustfs.tenant={}", tenant)
+}
+
+/// Allowed `(kind, name)` pairs for `Event.involvedObject` in this tenant scope.
+#[derive(Debug, Clone)]
+pub struct TenantEventScope {
+ /// Tenant name (scope metadata; filtering uses [`Self::involved`]).
+ #[allow(dead_code)]
+ pub tenant_name: String,
+ /// `(involvedObject.kind, involvedObject.name)` using API kind strings.
+ pub involved: HashSet<(String, String)>,
+}
+
+impl TenantEventScope {
+ /// Returns true if this event's regarding object is in scope.
+ pub fn matches_involved(&self, ev: &corev1::Event) -> bool {
+ let obj = &ev.involved_object;
+ let kind = obj.kind.clone().unwrap_or_default();
+ let name = obj.name.clone().unwrap_or_default();
+ if kind.is_empty() || name.is_empty() {
+ return false;
+ }
+ self.involved.contains(&(kind, name))
+ }
+}
+
+/// Load Pod / StatefulSet / PVC names and Tenant CR row — same discovery rules as `list_pods` / `list_pools`.
+pub async fn discover_tenant_event_scope(
+ client: &Client,
+ namespace: &str,
+ tenant: &str,
+) -> Result {
+ let tenant_api: Api = Api::namespaced(client.clone(), namespace);
+ let t = tenant_api
+ .get(tenant)
+ .await
+ .map_err(|e| error::map_kube_error(e, format!("Tenant '{}'", tenant)))?;
+
+ let mut involved: HashSet<(String, String)> = HashSet::new();
+ involved.insert((TENANT_CR_KIND.to_string(), tenant.to_string()));
+
+ for pool in &t.spec.pools {
+ let ss_name = format!("{}-{}", tenant, pool.name);
+ involved.insert(("StatefulSet".to_string(), ss_name));
+ }
+
+ let pod_api: Api = Api::namespaced(client.clone(), namespace);
+ let pods = pod_api
+ .list(&ListParams::default().labels(&tenant_label_selector(tenant)))
+ .await
+ .map_err(|e| error::map_kube_error(e, format!("Pods for tenant '{}'", tenant)))?;
+ for p in pods.items {
+ involved.insert(("Pod".to_string(), p.name_any()));
+ }
+
+ let pvc_api: Api = Api::namespaced(client.clone(), namespace);
+ let pvcs = pvc_api
+ .list(&ListParams::default().labels(&tenant_label_selector(tenant)))
+ .await
+ .map_err(|e| {
+ error::map_kube_error(e, format!("PersistentVolumeClaims for tenant '{}'", tenant))
+ })?;
+ for pvc in pvcs.items {
+ involved.insert(("PersistentVolumeClaim".to_string(), pvc.name_any()));
+ }
+
+ Ok(TenantEventScope {
+ tenant_name: tenant.to_string(),
+ involved,
+ })
+}
+
+/// Filter namespace events to scope, dedupe, sort newest first, cap at [`MAX_EVENTS_SNAPSHOT`].
+pub fn merge_namespace_events(scope: &TenantEventScope, raw: Vec) -> Vec {
+ let filtered: Vec = raw
+ .into_iter()
+ .filter(|e| scope.matches_involved(e))
+ .collect();
+
+ // Dedupe by uid
+ let mut by_uid: HashMap = HashMap::new();
+ let mut no_uid: Vec = Vec::new();
+ for e in filtered {
+ if let Some(uid) = e.metadata.uid.clone() {
+ by_uid.insert(uid, e);
+ } else {
+ no_uid.push(e);
+ }
+ }
+ let mut merged: Vec = by_uid.into_values().collect();
+
+ // Weak dedupe for events without uid
+ let mut seen_weak: HashSet<(String, String, String, String, String)> = HashSet::new();
+ for e in no_uid {
+ let weak = weak_dedup_key(&e);
+ if seen_weak.insert(weak) {
+ merged.push(e);
+ }
+ }
+
+ merged.sort_by_key(|b| Reverse(event_sort_key(b)));
+ merged.truncate(MAX_EVENTS_SNAPSHOT);
+ merged.into_iter().map(core_event_to_item).collect()
+}
+
+fn weak_dedup_key(e: &corev1::Event) -> (String, String, String, String, String) {
+ let kind = e.involved_object.kind.clone().unwrap_or_default();
+ let name = e.involved_object.name.clone().unwrap_or_default();
+ let reason = e.reason.clone().unwrap_or_default();
+ let first = e
+ .first_timestamp
+ .as_ref()
+ .map(|t| t.0.to_rfc3339())
+ .unwrap_or_default();
+ let msg = e.message.clone().unwrap_or_default();
+ (kind, name, reason, first, msg)
+}
+
+fn event_sort_key(e: &corev1::Event) -> chrono::DateTime {
+ if let Some(ref et) = e.event_time {
+ return et.0;
+ }
+ if let Some(ref lt) = e.last_timestamp {
+ return lt.0;
+ }
+ if let Some(ref ft) = e.first_timestamp {
+ return ft.0;
+ }
+ chrono::DateTime::from_timestamp(0, 0).unwrap_or_else(chrono::Utc::now)
+}
+
+fn core_event_to_item(e: corev1::Event) -> EventItem {
+ EventItem {
+ event_type: e.type_.unwrap_or_default(),
+ reason: e.reason.unwrap_or_default(),
+ message: e.message.unwrap_or_default(),
+ involved_object: format!(
+ "{}/{}",
+ e.involved_object.kind.unwrap_or_default(),
+ e.involved_object.name.unwrap_or_default()
+ ),
+ first_timestamp: e.first_timestamp.map(|ts| ts.0.to_rfc3339()),
+ last_timestamp: e.last_timestamp.map(|ts| ts.0.to_rfc3339()),
+ count: e.count.unwrap_or(0),
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta;
+
+ fn mk_event(kind: &str, name: &str, uid: Option<&str>) -> corev1::Event {
+ corev1::Event {
+ involved_object: corev1::ObjectReference {
+ kind: Some(kind.to_string()),
+ name: Some(name.to_string()),
+ ..Default::default()
+ },
+ metadata: ObjectMeta {
+ uid: uid.map(String::from),
+ ..Default::default()
+ },
+ ..Default::default()
+ }
+ }
+
+ #[test]
+ fn tenant_kind_required_for_tenant_name() {
+ let scope = TenantEventScope {
+ tenant_name: "t1".to_string(),
+ involved: HashSet::from([
+ (TENANT_CR_KIND.to_string(), "t1".to_string()),
+ ("Pod".to_string(), "p1".to_string()),
+ ]),
+ };
+ let raw = vec![
+ mk_event("Pod", "other", Some("a")),
+ mk_event("ConfigMap", "t1", Some("b")),
+ mk_event(TENANT_CR_KIND, "t1", Some("c")),
+ ];
+ let items = merge_namespace_events(&scope, raw);
+ let objs: Vec<&str> = items.iter().map(|i| i.involved_object.as_str()).collect();
+ assert!(objs.contains(&"Tenant/t1"));
+ assert!(!objs.iter().any(|s| *s == "Pod/other"));
+ assert!(!objs.iter().any(|s| *s == "ConfigMap/t1"));
+ }
+}
From 68de4d643cd0a760048c9d2522c104501ee24ade Mon Sep 17 00:00:00 2001
From: GatewayJ <835269233@qq.com>
Date: Mon, 30 Mar 2026 12:51:57 +0800
Subject: [PATCH 3/3] feat: tenant events on events.k8s.io, KMS CRD alignment,
RBAC
Made-with: Cursor
---
CHANGELOG.md | 10 +-
.../[name]/tenant-detail-client.tsx | 198 +++------------
console-web/i18n/locales/en-US.json | 31 ++-
console-web/i18n/locales/zh-CN.json | 11 +-
console-web/types/api.ts | 24 +-
deploy/k8s-dev/console-rbac.yaml | 3 +
deploy/k8s-dev/operator-rbac.yaml | 7 +
deploy/rustfs-operator/crds/tenant-crd.yaml | 72 +-----
deploy/rustfs-operator/crds/tenant.yaml | 72 +-----
.../templates/clusterrole.yaml | 10 +-
.../templates/console-clusterrole.yaml | 3 +
docs/prd-tenant-events-sse.md | 127 ++++++++++
docs/tech-design-tenant-events-sse.md | 239 ++++++++++++++++++
src/console/handlers/encryption.rs | 31 +--
src/console/handlers/events.rs | 80 +++---
src/console/models/encryption.rs | 37 +--
src/console/openapi.rs | 2 +-
src/console/tenant_event_scope.rs | 174 ++++++++-----
src/context.rs | 43 +---
src/types/v1alpha1/encryption.rs | 153 ++---------
src/types/v1alpha1/tenant/workloads.rs | 154 +++--------
21 files changed, 735 insertions(+), 746 deletions(-)
create mode 100644 docs/prd-tenant-events-sse.md
create mode 100644 docs/tech-design-tenant-events-sse.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6da2d0e..61d60b7 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Fixed
+- **Console RBAC**: `ClusterRole` for the console (Helm [`deploy/rustfs-operator/templates/console-clusterrole.yaml`](deploy/rustfs-operator/templates/console-clusterrole.yaml) and [`deploy/k8s-dev/console-rbac.yaml`](deploy/k8s-dev/console-rbac.yaml)) now includes `get` / `list` / `watch` on **`events.k8s.io` `events`**, required for Tenant Events aggregation (in addition to `""` `events`).
+
+- **Operator RBAC**: `ClusterRole` for the operator ([`deploy/rustfs-operator/templates/clusterrole.yaml`](deploy/rustfs-operator/templates/clusterrole.yaml) and [`deploy/k8s-dev/operator-rbac.yaml`](deploy/k8s-dev/operator-rbac.yaml)) now includes **`events.k8s.io` `events`** (`get` / `list` / `watch` / `create` / `patch`). Dev scripts (e.g. [`scripts/deploy/deploy-rustfs-4node.sh`](scripts/deploy/deploy-rustfs-4node.sh)) often use `kubectl create token rustfs-operator` for Console login; that identity must be able to list **events.k8s.io** Events for Tenant Events SSE.
+
+- **Operator RBAC**: `ClusterRole` for the operator ServiceAccount now includes `get` / `list` / `watch` on `persistentvolumeclaims` (Helm [`deploy/rustfs-operator/templates/clusterrole.yaml`](deploy/rustfs-operator/templates/clusterrole.yaml) and [`deploy/k8s-dev/operator-rbac.yaml`](deploy/k8s-dev/operator-rbac.yaml)). Tenant event scope discovery lists PVCs labeled for the tenant; without this rule, the API returned `Forbidden` when the request identity was `rustfs-system:rustfs-operator`.
+
- **`console-web` / `make pre-commit`**: `npm run lint` now runs `eslint .` (bare `eslint` only printed CLI help). Added `format` / `format:check` scripts; [`Makefile`](Makefile) `console-fmt` and `console-fmt-check` call them so Prettier resolves from `node_modules` after `npm install` in `console-web/`.
- **Tenant `Pool` CRD validation (CEL)**: Match the operator console API — require `servers × volumesPerServer >= 4` for every pool, and `>= 6` total volumes when `servers == 3` (fixes the previous 3-server rule using `< 4` in CEL). Regenerated [`deploy/rustfs-operator/crds/tenant-crd.yaml`](deploy/rustfs-operator/crds/tenant-crd.yaml) and [`tenant.yaml`](deploy/rustfs-operator/crds/tenant.yaml). Added [`validate_pool_total_volumes`](src/types/v1alpha1/pool.rs) as the shared Rust implementation used by [`src/console/handlers/pools.rs`](src/console/handlers/pools.rs).
@@ -28,11 +34,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed
-- **Console Tenant Events (breaking)**: Removed `GET /api/v1/namespaces/{namespace}/tenants/{tenant}/events`. Events are delivered via **SSE** `GET .../tenants/{tenant}/events/stream` (`text/event-stream`; each `data:` line is JSON `EventListResponse`). The tenant detail **Events** tab uses `EventSource` with the same session cookie as other API calls. Aggregates `core/v1` Events for the Tenant CR, Pods, StatefulSets, and PVCs scoped with `rustfs.tenant` / pool naming (see PRD); Tenant rows require `involvedObject.kind=Tenant` and matching name.
+- **Console Tenant Events (breaking)**: Removed `GET /api/v1/namespaces/{namespace}/tenants/{tenant}/events`. Events are delivered via **SSE** `GET .../tenants/{tenant}/events/stream` (`text/event-stream`). Payloads use named events: `snapshot` (JSON `EventListResponse`) and `stream_error` (JSON `{ "message" }` on watch/snapshot failures). Listing uses **`events.k8s.io/v1`** with per-resource field selectors `regarding.kind` + `regarding.name` (bounded concurrency) instead of listing all namespace events. The **Events** tab uses `EventSource` (`withCredentials`) and listens for `snapshot` / `stream_error`; transport `error` toasts are deduplicated until `onopen`. Aggregates events for the Tenant CR, Pods, StatefulSets, and PVCs per PRD scope; legacy **`core/v1` Events** not mirrored to `events.k8s.io` may be absent.
- **Tenant `spec.encryption.vault`**: Removed `tlsSkipVerify` and `customCertificates` (they were never wired to `rustfs-kms`). Vault TLS should rely on system-trusted CAs or TLS upstream. The project is still pre-production; if you have old YAML with these keys, remove them before apply.
-- **KMS pod environment** ([`tenant/workloads.rs`](src/types/v1alpha1/tenant/workloads.rs)): Align variable names with the RustFS server and `rustfs-kms` (`RUSTFS_KMS_ENABLE`, `RUSTFS_KMS_VAULT_ADDRESS`, KV mount and key prefix, local `RUSTFS_KMS_KEY_DIR` / `RUSTFS_KMS_DEFAULT_KEY_ID`, etc.); remove Vault TLS certificate volume mounts; `ping_seconds` remains documented as reserved (not injected).
+- **Tenant `spec.encryption` (breaking)**: CRD and Console API now match **RustFS server startup** (`rustfs/src/init.rs` / `config/cli.rs`) only. `vault` retains **`endpoint`**; `local` retains **`keyDirectory`**; optional **`defaultKeyId`** maps to `RUSTFS_KMS_DEFAULT_KEY_ID`. Removed `pingSeconds`, Vault `engine` / `namespace` / `prefix` / `authType` / `appRole`, and `local.masterKeyId`. Injected pod env vars are only those the RustFS binary reads (no unused `RUSTFS_KMS_VAULT_*` tuning). Regenerated [`deploy/rustfs-operator/crds/tenant-crd.yaml`](deploy/rustfs-operator/crds/tenant-crd.yaml) and [`tenant.yaml`](deploy/rustfs-operator/crds/tenant.yaml).
- **Local KMS** ([`context.rs`](src/context.rs)): Validate absolute `keyDirectory` and require a single server replica across pools (multi-replica tenants need Vault or shared storage).
diff --git a/console-web/app/(dashboard)/tenants/[namespace]/[name]/tenant-detail-client.tsx b/console-web/app/(dashboard)/tenants/[namespace]/[name]/tenant-detail-client.tsx
index 67bf2e2..6b3b183 100644
--- a/console-web/app/(dashboard)/tenants/[namespace]/[name]/tenant-detail-client.tsx
+++ b/console-web/app/(dashboard)/tenants/[namespace]/[name]/tenant-detail-client.tsx
@@ -2,7 +2,7 @@
import { useRouter } from "next/navigation"
import Link from "next/link"
-import { useEffect, useState } from "react"
+import { useEffect, useRef, useState } from "react"
import { useTranslation } from "react-i18next"
import { toast } from "sonner"
import {
@@ -74,6 +74,8 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
const [pods, setPods] = useState([])
const [events, setEvents] = useState([])
const [eventsLoading, setEventsLoading] = useState(false)
+ /** Suppress repeated EventSource `error` toasts until a successful reconnect (`onopen`). */
+ const eventsStreamTransportErrorToastRef = useRef(false)
const [loading, setLoading] = useState(true)
const [deleting, setDeleting] = useState(false)
const [addPoolOpen, setAddPoolOpen] = useState(false)
@@ -106,21 +108,12 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
const [encBackend, setEncBackend] = useState<"local" | "vault">("local")
const [encVault, setEncVault] = useState({
endpoint: "",
- engine: "",
- namespace: "",
- prefix: "",
- authType: "token",
- })
- const [encAppRole, setEncAppRole] = useState({
- engine: "",
- retrySeconds: "",
})
const [encLocal, setEncLocal] = useState({
keyDirectory: "",
- masterKeyId: "",
})
+ const [encDefaultKeyId, setEncDefaultKeyId] = useState("")
const [encKmsSecretName, setEncKmsSecretName] = useState("")
- const [encPingSeconds, setEncPingSeconds] = useState("")
// Security tab state
const [secCtxLoaded, setSecCtxLoaded] = useState(false)
@@ -185,20 +178,35 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
useEffect(() => {
if (tab !== "events") return
setEventsLoading(true)
+ eventsStreamTransportErrorToastRef.current = false
let cleaned = false
const url = api.getTenantEventsStreamUrl(namespace, name)
const es = new EventSource(url, { withCredentials: true })
- es.onmessage = (ev) => {
+ es.onopen = () => {
+ eventsStreamTransportErrorToastRef.current = false
+ }
+ es.addEventListener("snapshot", (ev: MessageEvent) => {
try {
const data = JSON.parse(ev.data) as EventListResponse
setEvents(data.events ?? [])
} catch {
- /* ignore malformed chunk */
+ toast.error(t("Events data could not be parsed"))
}
setEventsLoading(false)
- }
+ })
+ es.addEventListener("stream_error", (ev: MessageEvent) => {
+ try {
+ const j = JSON.parse(ev.data) as { message?: string }
+ toast.error(j.message?.trim() || t("Events stream error"))
+ } catch {
+ toast.error(t("Events stream error"))
+ }
+ setEventsLoading(false)
+ })
es.onerror = () => {
if (cleaned) return
+ if (eventsStreamTransportErrorToastRef.current) return
+ eventsStreamTransportErrorToastRef.current = true
toast.error(t("Events stream could not be loaded"))
setEventsLoading(false)
}
@@ -400,26 +408,15 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
if (data.vault) {
setEncVault({
endpoint: data.vault.endpoint || "",
- engine: data.vault.engine || "",
- namespace: data.vault.namespace || "",
- prefix: data.vault.prefix || "",
- authType: data.vault.authType || "token",
})
- if (data.vault.appRole) {
- setEncAppRole({
- engine: data.vault.appRole.engine || "",
- retrySeconds: data.vault.appRole.retrySeconds?.toString() || "",
- })
- }
}
if (data.local) {
setEncLocal({
keyDirectory: data.local.keyDirectory || "",
- masterKeyId: data.local.masterKeyId || "",
})
}
+ setEncDefaultKeyId(data.defaultKeyId || "")
setEncKmsSecretName(data.kmsSecretName || "")
- setEncPingSeconds(data.pingSeconds?.toString() || "")
} catch (e) {
const err = e as ApiError
toast.error(err.message || t("Failed to load encryption config"))
@@ -441,26 +438,15 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
enabled: encEnabled,
backend: encBackend,
kmsSecretName: encKmsSecretName || undefined,
- pingSeconds: encPingSeconds ? parseInt(encPingSeconds, 10) : undefined,
+ defaultKeyId: encDefaultKeyId.trim() || undefined,
}
if (encBackend === "vault") {
body.vault = {
endpoint: encVault.endpoint,
- engine: encVault.engine || undefined,
- namespace: encVault.namespace || undefined,
- prefix: encVault.prefix || undefined,
- authType: encVault.authType || undefined,
- }
- if (encVault.authType === "approle") {
- body.vault.appRole = {
- engine: encAppRole.engine || undefined,
- retrySeconds: encAppRole.retrySeconds ? parseInt(encAppRole.retrySeconds, 10) : undefined,
- }
}
} else {
body.local = {
keyDirectory: encLocal.keyDirectory || undefined,
- masterKeyId: encLocal.masterKeyId || undefined,
}
}
const res = await api.updateEncryption(namespace, name, body)
@@ -878,7 +864,9 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
{t("Encryption")}
- {t("Configure server-side encryption (SSE) with a KMS backend. RustFS supports Local and Vault.")}
+ {t(
+ "Configure SSE KMS to match the RustFS server: Local (single-server tenant) or Vault (token in Secret). Vault path layout is fixed in RustFS.",
+ )}
@@ -937,7 +925,7 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
{t("Vault Configuration")}
-
-
- {/* Auth type selector */}
-
-
- {/* AppRole section */}
- {encVault.authType === "approle" && (
-
-
-
App Role
-
- {t("Not yet implemented in backend")}
-
-
-
-
- {t(
- "AppRole ID and Secret are stored in the KMS Secret (keys: vault-approle-id, vault-approle-secret).",
- )}
-
-
- )}
+
+ {t("RustFS uses fixed Transit/KV paths; only address and token are configurable.")}
+
)}
@@ -1050,38 +954,18 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
onChange={(e) => setEncLocal((l) => ({ ...l, keyDirectory: e.target.value }))}
/>
-
-
- setEncLocal((l) => ({ ...l, masterKeyId: e.target.value }))}
- />
-
@@ -1093,9 +977,7 @@ export function TenantDetailClient({ namespace, name, initialTab, initialYamlEdi
/>
{encBackend === "vault"
- ? encVault.authType === "approle"
- ? t("Secret must contain 'vault-approle-id' and 'vault-approle-secret'.")
- : t("Secret must contain key 'vault-token'.")
+ ? t("Required for Vault: Secret must contain key 'vault-token'.")
: t("Not required for Local backend.")}