Skip to content

feat: Support dynamic image repositories#141

Open
Techassi wants to merge 6 commits into
mainfrom
feat/support-dynamic-image-repositories
Open

feat: Support dynamic image repositories#141
Techassi wants to merge 6 commits into
mainfrom
feat/support-dynamic-image-repositories

Conversation

@Techassi
Copy link
Copy Markdown
Member

@Techassi Techassi commented May 12, 2026

@Techassi Techassi self-assigned this May 12, 2026
@Techassi Techassi moved this to Development: In Progress in Stackable Engineering May 12, 2026
@Techassi Techassi mentioned this pull request May 12, 2026
Open
29 tasks
@Techassi Techassi marked this pull request as ready for review May 13, 2026 14:09
@Techassi Techassi moved this from Development: In Progress to Development: Waiting for Review in Stackable Engineering May 13, 2026
@Techassi Techassi requested a review from siegfriedweber May 13, 2026 14:09
@siegfriedweber siegfriedweber moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering May 13, 2026
siegfriedweber
siegfriedweber requested changes May 13, 2026
View reviewed changes
Comment thread rust/operator-binary/src/controller/validate.rs Outdated
Comment thread rust/operator-binary/src/crd/mod.rs
Comment on lines +919 to +1052
stackable_operator::utils::yaml_from_str_singleton_map(indoc::indoc! {r#"
- image:
productVersion: 3.4.0
pullPolicy: IfNotPresent
clusterOperation:
reconciliationPaused: false
stopped: false
clusterConfig:
keystore:
- key: s3.client.default.access_key
secretKeyRef:
name: s3-credentials
key: ACCESS_KEY
- key: s3.client.default.secret_key
secretKeyRef:
name: s3-credentials
key: SECRET_KEY
security:
enabled: true
managingRoleGroup: security-coord
settings:
config:
managedBy: operator
content:
value:
_meta:
type: config
config_version: 2
config:
dynamic:
authc:
basic_internal_auth_domain:
description: Authenticate via HTTP Basic against internal users database
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
authz: {}
internalUsers:
managedBy: API
content:
valueFrom:
secretKeyRef:
name: opensearch-security-config
key: internal_users.yml
roles:
managedBy: API
content:
valueFrom:
configMapKeyRef:
name: opensearch-security-config
key: roles.yml
rolesMapping:
managedBy: API
content:
value:
_meta:
type: rolesmapping
config_version: 2
all_access:
reserved: false
backend_roles:
- admin
tls:
serverSecretClass: tls
internalSecretClass: tls
vectorAggregatorConfigMapName: vector-aggregator-discovery
nodes:
config:
logging:
enableVectorAgent: true
gracefulShutdownTimeout: 2m
requestedSecretLifetime: 1d
envOverrides:
DISABLE_INSTALL_DEMO_CONFIG: "true"
OPENSEARCH_HOME: /stackable/opensearch
configOverrides:
opensearch.yml:
jsonMergePatch:
node.store.allow_mmap: false
cluster.routing.allocation.disk.threshold_enabled: false
roleConfig:
discoveryServiceListenerClass: external-unstable
roleGroups:
cluster-manager:
config:
discoveryServiceExposed: true
nodeRoles:
- cluster_manager
resources:
storage:
data:
capacity: 100Mi
replicas: 3
data:
config:
discoveryServiceExposed: false
nodeRoles:
- ingest
- data
- remote_cluster_client
listenerClass: cluster-internal
resources:
storage:
data:
capacity: 2Gi
configOverrides:
opensearch.yml:
jsonMergePatch:
node.attr.zone: eu-central-1a
envOverrides:
OPENSEARCH_JAVA_OPTS: -Xms1g -Xmx1g
replicas: 2
- image:
custom: oci.example.com/namespace/opensearch:3.4.0-custom
productVersion: 3.4.0
pullPolicy: Always
pullSecrets:
- name: registry-credentials
clusterConfig:
tls:
serverSecretClass: null
security:
enabled: false
nodes:
roleGroups:
default:
replicas: 1
"#})
.expect("Failed to parse OpenSearchClusterSpec YAML")
Copy link
Copy Markdown
Member

@siegfriedweber siegfriedweber May 13, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I used json! instead of indoc! in this operator. One advantage is that the compiler supports you to write valid specs. If you change the operator and try to insert parts into this huge YAML string, it is sometimes hard to get the indentation right.

But I do not insist on using json!.

In case, you want to apply it:

Suggested change
stackable_operator::utils::yaml_from_str_singleton_map(indoc::indoc! {r#"
- image:
productVersion: 3.4.0
pullPolicy: IfNotPresent
clusterOperation:
reconciliationPaused: false
stopped: false
clusterConfig:
keystore:
- key: s3.client.default.access_key
secretKeyRef:
name: s3-credentials
key: ACCESS_KEY
- key: s3.client.default.secret_key
secretKeyRef:
name: s3-credentials
key: SECRET_KEY
security:
enabled: true
managingRoleGroup: security-coord
settings:
config:
managedBy: operator
content:
value:
_meta:
type: config
config_version: 2
config:
dynamic:
authc:
basic_internal_auth_domain:
description: Authenticate via HTTP Basic against internal users database
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
authz: {}
internalUsers:
managedBy: API
content:
valueFrom:
secretKeyRef:
name: opensearch-security-config
key: internal_users.yml
roles:
managedBy: API
content:
valueFrom:
configMapKeyRef:
name: opensearch-security-config
key: roles.yml
rolesMapping:
managedBy: API
content:
value:
_meta:
type: rolesmapping
config_version: 2
all_access:
reserved: false
backend_roles:
- admin
tls:
serverSecretClass: tls
internalSecretClass: tls
vectorAggregatorConfigMapName: vector-aggregator-discovery
nodes:
config:
logging:
enableVectorAgent: true
gracefulShutdownTimeout: 2m
requestedSecretLifetime: 1d
envOverrides:
DISABLE_INSTALL_DEMO_CONFIG: "true"
OPENSEARCH_HOME: /stackable/opensearch
configOverrides:
opensearch.yml:
jsonMergePatch:
node.store.allow_mmap: false
cluster.routing.allocation.disk.threshold_enabled: false
roleConfig:
discoveryServiceListenerClass: external-unstable
roleGroups:
cluster-manager:
config:
discoveryServiceExposed: true
nodeRoles:
- cluster_manager
resources:
storage:
data:
capacity: 100Mi
replicas: 3
data:
config:
discoveryServiceExposed: false
nodeRoles:
- ingest
- data
- remote_cluster_client
listenerClass: cluster-internal
resources:
storage:
data:
capacity: 2Gi
configOverrides:
opensearch.yml:
jsonMergePatch:
node.attr.zone: eu-central-1a
envOverrides:
OPENSEARCH_JAVA_OPTS: -Xms1g -Xmx1g
replicas: 2
- image:
custom: oci.example.com/namespace/opensearch:3.4.0-custom
productVersion: 3.4.0
pullPolicy: Always
pullSecrets:
- name: registry-credentials
clusterConfig:
tls:
serverSecretClass: null
security:
enabled: false
nodes:
roleGroups:
default:
replicas: 1
"#})
.expect("Failed to parse OpenSearchClusterSpec YAML")
serde_json::from_value(json!([
{
"image": {
"productVersion": "3.4.0",
"pullPolicy": "IfNotPresent"
},
"clusterOperation": {
"reconciliationPaused": false,
"stopped": false
},
"clusterConfig": {
"keystore": [
{
"key": "s3.client.default.access_key",
"secretKeyRef": {
"name": "s3-credentials",
"key": "ACCESS_KEY"
}
},
{
"key": "s3.client.default.secret_key",
"secretKeyRef": {
"name": "s3-credentials",
"key": "SECRET_KEY"
}
}
],
"security": {
"enabled": true,
"managingRoleGroup": "security-coord",
"settings": {
"config": {
"managedBy": "operator",
"content": {
"value": {
"_meta": {
"type": "config",
"config_version": 2
},
"config": {
"dynamic": {
"authc": {
"basic_internal_auth_domain": {
"description": "Authenticate via HTTP Basic against internal users database",
"http_enabled": true,
"transport_enabled": true,
"order": 1,
"http_authenticator": {
"type": "basic",
"challenge": true
},
"authentication_backend": {
"type": "intern"
}
}
},
"authz": {}
}
}
}
}
},
"internalUsers": {
"managedBy": "API",
"content": {
"valueFrom": {
"secretKeyRef": {
"name": "opensearch-security-config",
"key": "internal_users.yml"
}
}
}
},
"roles": {
"managedBy": "API",
"content": {
"valueFrom": {
"configMapKeyRef": {
"name": "opensearch-security-config",
"key": "roles.yml"
}
}
}
},
"rolesMapping": {
"managedBy": "API",
"content": {
"value": {
"_meta": {
"type": "rolesmapping",
"config_version": 2
},
"all_access": {
"reserved": false,
"backend_roles": ["admin"]
}
}
}
}
}
},
"tls": {
"serverSecretClass": "tls",
"internalSecretClass": "tls"
},
"vectorAggregatorConfigMapName": "vector-aggregator-discovery"
},
"nodes": {
"config": {
"logging": {
"enableVectorAgent": true
},
"gracefulShutdownTimeout": "2m",
"requestedSecretLifetime": "1d"
},
"envOverrides": {
"DISABLE_INSTALL_DEMO_CONFIG": "true",
"OPENSEARCH_HOME": "/stackable/opensearch"
},
"configOverrides": {
"opensearch.yml": {
"jsonMergePatch": {
"node.store.allow_mmap": false,
"cluster.routing.allocation.disk.threshold_enabled": false
}
}
},
"roleConfig": {
"discoveryServiceListenerClass": "external-unstable"
},
"roleGroups": {
"cluster-manager": {
"config": {
"discoveryServiceExposed": true,
"nodeRoles": ["cluster_manager"],
"resources": {
"storage": {
"data": {
"capacity": "100Mi"
}
}
}
},
"replicas": 3
},
"data": {
"config": {
"discoveryServiceExposed": false,
"nodeRoles": ["ingest", "data", "remote_cluster_client"],
"listenerClass": "cluster-internal",
"resources": {
"storage": {
"data": {
"capacity": "2Gi"
}
}
}
},
"configOverrides": {
"opensearch.yml": {
"jsonMergePatch": {
"node.attr.zone": "eu-central-1a"
}
}
},
"envOverrides": {
"OPENSEARCH_JAVA_OPTS": "-Xms1g -Xmx1g"
},
"replicas": 2
}
}
}
},
{
"image": {
"custom": "oci.example.com/namespace/opensearch:3.4.0-custom",
"productVersion": "3.4.0",
"pullPolicy": "Always",
"pullSecrets": [
{
"name": "registry-credentials"
}
]
},
"clusterConfig": {
"tls": {
"serverSecretClass": null
},
"security": {
"enabled": false
}
},
"nodes": {
"roleGroups": {
"default": {
"replicas": 1
}
}
}
}
])).expect("should be deserializable as an array of OpenSearchClusterSpecs")

Alternatively, the YAML file could be stored outside the code and included with include_str!.

Copy link
Copy Markdown
Member Author

@Techassi Techassi May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you take a look at this @sbernauer?

Copy link
Copy Markdown
Member

@sbernauer sbernauer May 18, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having it as YAML has the benefit you can copy/paste parts from many different kuttl tests or getting started guides into this YAML.
It's "your" operator, I let you decide. From my perspective feel free to push any preferred variant to this PR directly.

However, I was annoyed by include_str indirection in the past - for this big YAML it's absolutely fine, but it would be inconsistent if we only do that here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sbernauer sbernauer sbernauer left review comments

@siegfriedweber siegfriedweber siegfriedweber requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@Techassi Techassi

Labels

scheduled-for/26.7.0

Projects

Stackable Engineering
Status: Development: In Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Techassi @siegfriedweber @sbernauer