add tenant provisioning #131

Merged
GatewayJ merged 2 commits into rustfs:main from GatewayJ:codex/bucket-user-policy-provisioning
May 31, 2026
@GatewayJ
Member

Type of Change

  • New Feature
  • Bug Fix
  • Documentation
  • Performance Improvement
  • Test/CI
  • Refactor
  • Other: N/A

Related Issues

N/A

Summary of Changes

Adds Tenant-driven bucket/user/policy provisioning for RustFS Operator.

This PR extends the Tenant CRD with spec.policies, spec.users, and spec.buckets, plus per-item status.provisioning and a ProvisioningReady condition. The controller reconciles policies, users, and buckets after workloads are ready, using MinIO-aligned bucket semantics while keeping RustFS-specific policy ownership and explicit user policy mapping rules.

Main changes:

  • Add provisioning spec/status types, CRD schema validation, and regenerated Tenant CRDs.
  • Add RustFS admin/S3 client helpers for canned policy listing/apply, user create/info, direct policy mapping, CreateBucket, and object lock verification.
  • Add provisioning reconcile flow with policy hash/conflict checks, MinIO-compatible user Secret key handling, authoritative user policy set, bucket objectLock conflict handling, and Retain status for removed spec items.
  • Watch referenced Secrets and ConfigMaps through rustfs.tenant label or Tenant ownerReference.
  • Expose provisioning fields through Console API/OpenAPI and show provisioning status in the Console tenant detail view.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CHANGELOG.md updated under [Unreleased] (if user-visible change)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (CRD/API compatibility)
  • Requires doc/config/deployment update
  • Other impact: Tenants that declare provisioning resources wait for ProvisioningReady=True before final Ready.

Verification

cargo fmt --all --check
cargo clippy --all-features -- -D warnings
cargo test --all
cd console-web && ./node_modules/.bin/eslint .
cd console-web && ./node_modules/.bin/prettier --check "app/**/*.{ts,tsx}" "lib/**/*.{ts,tsx}" "types/**/*.{ts,tsx}"
make pre-commit

Additional Notes

  • CHANGELOG update is N/A for this draft until maintainers decide the release-note wording.
  • CI/CD is pending on the draft PR.

@GatewayJ GatewayJ changed the title [codex] add tenant provisioning add tenant provisioning May 26, 2026
@GatewayJ GatewayJ marked this pull request as ready for review May 31, 2026 08:26
@GatewayJ GatewayJ added this pull request to the merge queue May 31, 2026
Merged via the queue into rustfs:main with commit 88116ba May 31, 2026
2 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: df178257bc

Comment thread src/sts/rustfs_client.rs
const ASSUME_ROLE_PATH: &str = "/";
const ADD_USER_PATH: &str = "/rustfs/admin/v3/add-user";
const USER_INFO_PATH: &str = "/rustfs/admin/v3/user-info";
const SET_POLICY_PATH: &str = "/rustfs/admin/v3/set-policy";
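
Review bot: `SET_POLICY_PATH` and the two user constants beside it carry no comment naming the admin operation, HTTP method and query parameters each path serves, and nothing in these lines pins them to the server's routes. Add a doc comment per constant and a unit test that asserts the path of the signed request for each helper, so a mistyped endpoint fails in CI instead of at provisioning time.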
P1: Use the RustFS policy mapping endpoint

For tenants that declare users, set_user_policy now signs PUTs to /rustfs/admin/v3/set-policy, but the RustFS/MinIO admin API path used for this operation is /rustfs/admin/v3/set-user-or-group-policy with these query parameters. Against a live RustFS server this returns an unexpected status, so user provisioning fails after creating the user and the requested policies are never attached.

Useful? React with 👍 / 👎.

Comment on lines +670 to +673
if !exists
&& let Err(error) = client
.add_user(&credentials.access_key, &credentials.secret_key)
.await
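
Review bot: `credentials.secret_key` is passed to `add_user` and the failure is bound as `error` in the same condition, so confirm that whatever this branch writes to status or logs from `error` cannot echo the request or the secret key. A fixed reason string plus the HTTP status is enough for per-item status.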
P2: Rotate managed users when their Secret changes

When a provisioned user's Secret is updated after initial creation with the same access key but a new secret key, this branch skips add_user for existing users and then records the new Secret resourceVersion as Ready. RustFS still has the old secret key, so clients using the updated Kubernetes Secret fail authentication while status says the user is configured; update managed users when the observed Secret changes, or avoid marking the new Secret version as applied.

Useful? React with 👍 / 👎.
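
The rotation case from the P2 comment above, as an added example that is not code from this PR or the operator: `reviewed_flow` models the behaviour the comment describes, and `plan` with `version_to_record` models the correction. All names are hypothetical, and treating an existing user with no applied record as a conflict is an assumption of the example.

```rust
// Added example; all names are hypothetical, not the operator's types.
#[derive(Debug, PartialEq)]
enum Action {
    Create,       // no such user on the server: create it from the Secret
    UpdateSecret, // managed user, Secret changed since the last apply
    Noop,         // managed user, applied Secret version is current
    Conflict,     // user exists but was never applied by us (assumption: do not overwrite)
}

/// Flow described in the review comment: add_user only when the user is
/// missing, and the observed resourceVersion is recorded either way.
fn reviewed_flow(exists: bool, observed: &str) -> (bool, String) {
    let called_add_user = !exists;
    (called_add_user, observed.to_string())
}

/// Decide what to do from server state plus the last applied resourceVersion.
fn plan(exists: bool, applied: Option<&str>, observed: &str) -> Action {
    match (exists, applied) {
        (false, _) => Action::Create,
        (true, None) => Action::Conflict,
        (true, Some(v)) if v == observed => Action::Noop,
        (true, Some(_)) => Action::UpdateSecret,
    }
}

/// The version written to status advances only when the server is known to
/// hold the observed Secret: nothing to push, or the push succeeded.
fn version_to_record(action: &Action, call_ok: bool, applied: Option<&str>, observed: &str) -> Option<String> {
    match action {
        Action::Noop => Some(observed.to_string()),
        Action::Create | Action::UpdateSecret if call_ok => Some(observed.to_string()),
        _ => applied.map(str::to_string),
    }
}

fn main() {
    // Constructed scenario: user created at resourceVersion "41", Secret edited to "42".
    let (called, recorded) = reviewed_flow(true, "42");
    println!("reviewed: add_user called={called}, recorded={recorded}");
    let action = plan(true, Some("41"), "42");
    let recorded = version_to_record(&action, false, Some("41"), "42");
    println!("planned: {action:?}, recorded after failed push={recorded:?}");
}
```
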
