Upstream Hostname into operator-rs

CHANGELOG.md

@@ -9,18 +9,22 @@ All notable changes to this project will be documented in this file.
 - Active Directory's `samAccountName` generation can now be customized ([#454]).
 - Added experimental cert-manager backend ([#482]).
 
+### Changed
+
+- Refactored hostname validation ([#494]).
+  - BREAKING: Hostname validation is now somewhat stricter.
+  - BREAKING: Hostname validation is now enforced in CRD.
+- Remove custom `h2` patch, as Kubernetes 1.26 has fixed the invalid data from Kubernetes' side. Starting with 24.11 we only support at least 1.27 (as it's needed by OpenShift 4.14) ([#495]).
+
 ### Fixed
 
 - Fixed Kerberos keytab provisioning reusing its credential cache ([#490]).
 - Fixed listener volumes missing a required permission to inspect manually provisioned listeners ([#497]).
 
-### Changed
-
-- Remove custom `h2` patch, as Kubernetes 1.26 has fixed the invalid data from Kubernetes' side. Starting with 24.11 we only support at least 1.27 (as it's needed by OpenShift 4.14) ([#495]).
-
 [#454]: https://github.com/stackabletech/secret-operator/pull/454
 [#482]: https://github.com/stackabletech/secret-operator/pull/482
 [#490]: https://github.com/stackabletech/secret-operator/pull/490
+[#494]: https://github.com/stackabletech/secret-operator/pull/494
 [#495]: https://github.com/stackabletech/secret-operator/pull/495
 [#497]: https://github.com/stackabletech/secret-operator/pull/497
 
@@ -35,9 +39,9 @@ All notable changes to this project will be documented in this file.
 
 - [BREAKING] The TLS CA Secret is now installed into the Namespace of the operator (typically `stackable-operators`), rather than `default` ([#397]).
   - Existing users can either migrate by either:
-      - (Recommended) Copying the CA into the new location
-        (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`)
-      - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`)
+    - (Recommended) Copying the CA into the new location
+      (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`)
+    - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`)
 - Reduce CA default lifetime to one year ([#403])
 - Update the image docker.stackable.tech/k8s/sig-storage/csi-provisioner
   in the Helm values to v4.0.1 ([#440]).
@@ -80,7 +84,6 @@ All notable changes to this project will be documented in this file.
 [#357]: https://github.com/stackabletech/secret-operator/pull/357
 [#361]: https://github.com/stackabletech/secret-operator/pull/361
 
-
 ## [23.11.0] - 2023-11-24
 
 ### Added

Cargo.toml

@@ -50,5 +50,5 @@ uuid = { version = "1.10.0", features = ["v4"] }
 yasna = "0.5"
 
 [patch."https://github.com/stackabletech/operator-rs.git"]
-# stackable-operator = { path = "../operator-rs" }
+# stackable-operator = { path = "../operator-rs/crates/stackable-operator" }
 # stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }

deploy/helm/secret-operator/crds/crds.yaml

@@ -244,6 +244,7 @@ spec:
                           type: string
                         realmName:
                           description: The name of the Kerberos realm. This should be provided by the Kerberos administrator.
+                          pattern: ^[-.a-zA-Z0-9]+$
                           type: string
                       required:
                         - admin

rust/operator-binary/src/backend/kerberos_keytab.rs

@@ -5,7 +5,11 @@ use stackable_krb5_provision_keytab::{
     self as provision,
     provision_keytab,
 };
-use stackable_operator::{k8s_openapi::api::core::v1::Secret, kube::runtime::reflector::ObjectRef};
+use stackable_operator::{
+    commons::networking::{HostName, KerberosRealmName},
+    k8s_openapi::api::core::v1::Secret,
+    kube::runtime::reflector::ObjectRef,
+};
 use stackable_secret_operator_crd_utils::SecretReference;
 use tempfile::tempdir;
 use tokio::{
@@ -15,8 +19,8 @@ use tokio::{
 
 use crate::{
     crd::{
-        ActiveDirectorySamAccountNameRules, Hostname, InvalidKerberosPrincipal,
-        KerberosKeytabBackendAdmin, KerberosPrincipal,
+        ActiveDirectorySamAccountNameRules, InvalidKerberosPrincipal, KerberosKeytabBackendAdmin,
+        KerberosPrincipal,
     },
     format::{well_known, SecretData, WellKnownSecretData},
     utils::Unloggable,
@@ -82,8 +86,8 @@ impl SecretBackendError for Error {
 
 #[derive(Debug)]
 pub struct KerberosProfile {
-    pub realm_name: Hostname,
-    pub kdc: Hostname,
+    pub realm_name: KerberosRealmName,
+    pub kdc: HostName,
     pub admin: KerberosKeytabBackendAdmin,
 }
 

rust/operator-binary/src/crd.rs

@@ -3,6 +3,7 @@ use std::{fmt::Display, ops::Deref};
 use serde::{Deserialize, Serialize};
 use snafu::Snafu;
 use stackable_operator::{
+    commons::networking::{HostName, KerberosRealmName},
     kube::CustomResource,
     schemars::{self, JsonSchema},
     time::Duration,
@@ -175,11 +176,11 @@ pub enum CertManagerIssuerKind {
 #[serde(rename_all = "camelCase")]
 pub struct KerberosKeytabBackend {
     /// The name of the Kerberos realm. This should be provided by the Kerberos administrator.
-    pub realm_name: Hostname,
+    pub realm_name: KerberosRealmName,
 
     /// The hostname of the Kerberos Key Distribution Center (KDC).
     /// This should be provided by the Kerberos administrator.
-    pub kdc: Hostname,
+    pub kdc: HostName,
 
     /// Kerberos admin configuration settings.
     pub admin: KerberosKeytabBackendAdmin,
@@ -200,15 +201,15 @@ pub enum KerberosKeytabBackendAdmin {
     Mit {
         /// The hostname of the Kerberos Admin Server.
         /// This should be provided by the Kerberos administrator.
-        kadmin_server: Hostname,
+        kadmin_server: HostName,
     },
 
     /// Credentials should be provisioned in a Microsoft Active Directory domain.
     #[serde(rename_all = "camelCase")]
     ActiveDirectory {
         /// An AD LDAP server, such as the AD Domain Controller.
         /// This must match the server’s FQDN, or GSSAPI authentication will fail.
-        ldap_server: Hostname,
+        ldap_server: HostName,
 
         /// Reference (name and namespace) to a Kubernetes Secret object containing
         /// the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against.
@@ -255,49 +256,6 @@ impl ActiveDirectorySamAccountNameRules {
     }
 }
 
-#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
-#[serde(try_from = "String", into = "String")]
-pub struct Hostname(String);
-#[derive(Debug, Snafu)]
-#[snafu(module)]
-pub enum InvalidHostname {
-    #[snafu(display("hostname contains illegal characters (allowed: alphanumeric, -, and .)"))]
-    IllegalCharacter,
-
-    #[snafu(display("hostname may not start with a dash"))]
-    StartWithDash,
-}
-impl TryFrom<String> for Hostname {
-    type Error = InvalidHostname;
-
-    fn try_from(value: String) -> Result<Self, Self::Error> {
-        if value.starts_with('-') {
-            invalid_hostname::StartWithDashSnafu.fail()
-        } else if value.contains(|chr: char| !chr.is_alphanumeric() && chr != '.' && chr != '-') {
-            invalid_hostname::IllegalCharacterSnafu.fail()
-        } else {
-            Ok(Hostname(value))
-        }
-    }
-}
-impl From<Hostname> for String {
-    fn from(value: Hostname) -> Self {
-        value.0
-    }
-}
-impl Display for Hostname {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.write_str(&self.0)
-    }
-}
-impl Deref for Hostname {
-    type Target = str;
-
-    fn deref(&self) -> &Self::Target {
-        &self.0
-    }
-}
-
 #[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
 #[serde(try_from = "String", into = "String")]
 pub struct KerberosPrincipal(String);