Upstream Hostname into operator-rs #494

Merged
merged 9 commits into from
Oct 14, 2024
Changes from 6 commits
7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -8,12 +8,19 @@ All notable changes to this project will be documented in this file.

- Active Directory's `samAccountName` generation can now be customized ([#454]).

### Changed

- Refactored hostname validation ([#494]).
- BREAKING: Hostname validation is now somewhat stricter.
- BREAKING: Hostname validation is now enforced in CRD.
Member Author:

Member:
Yep, we had some discussions around RFC 1123 and renamed it accordingly to the RFC (at least we hope ^^), before it gains widespread adoption. We would have involved you but you were on vacation and we did not want to further delay the PR, but please feel free to veto, happy to discuss with @Techassi!


### Fixed

- Fixed Kerberos keytab provisioning reusing its credential cache ([#490]).

[#454]: https://github.com/stackabletech/secret-operator/pull/454
[#490]: https://github.com/stackabletech/secret-operator/pull/490
[#494]: https://github.com/stackabletech/secret-operator/pull/494

## [24.7.0] - 2024-07-24

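Review bot: "Hostname validation is now somewhat stricter" under `### Changed` leaves operators guessing what will break on upgrade; spell out the rules the new CRD patterns in this PR actually enforce (lowercase ASCII letters, digits and hyphens only; every dot-separated label must start and end with an alphanumeric; no empty labels) and add a migration hint that existing `ldapServer`, `kdc` and `kadminServer` values containing uppercase characters will now be rejected by the API server on the next apply, since the previous validator accepted them. The separate `realmName` pattern this PR introduces in `crds.yaml` deserves its own changelog line as well.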
Expand Down
7 changes: 3 additions & 4 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

18 changes: 7 additions & 11 deletions Cargo.nix


5 changes: 3 additions & 2 deletions Cargo.toml
Expand Up @@ -34,7 +34,7 @@ serde_json = "1.0"
serde_yaml = "0.9"
snafu = "0.8"
socket2 = { version = "0.5", features = ["all"] }
stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.73.0", features = ["time"] }
stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.74.0", features = ["time"] }
strum = { version = "0.26", features = ["derive"] }
sys-mount = { version = "3.0", default-features = false }
tempfile = "3.12"
Expand All @@ -54,5 +54,6 @@ yasna = "0.5"
h2 = { git = "https://github.com/stackabletech/h2.git", branch = "feature/grpc-uds-/0.4.5" }

[patch."https://github.com/stackabletech/operator-rs.git"]
# stackable-operator = { path = "../operator-rs" }
# stackable-operator = { path = "../operator-rs/crates/stackable-operator" }
# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feature/validation-hostname" }
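Review bot: the active `[patch]` entry `stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feature/validation-hostname" }` must not be merged as-is: it overrides the pinned `stackable-operator-0.74.0` tag above with a mutable branch head, so the revision recorded in `crate-hashes.json` and `Cargo.lock` in this PR is whatever the branch pointed to at the time, and any later push to that branch changes what the next `cargo update` or Nix regeneration resolves. Once the hostname validation lands in an operator-rs release, comment this line out again like its neighbours and bump the `tag` instead, so the dependency stays on an immutable, hash-pinned revision.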
4 changes: 2 additions & 2 deletions crate-hashes.json


4 changes: 4 additions & 0 deletions deploy/helm/secret-operator/crds/crds.yaml
Expand Up @@ -134,6 +134,7 @@ spec:
type: object
ldapServer:
description: An AD LDAP server, such as the AD Domain Controller. This must match the server’s FQDN, or GSSAPI authentication will fail.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
ldapTlsCaSecret:
description: Reference (name and namespace) to a Kubernetes Secret object containing the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against.
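Review bot: the `ldapServer` pattern enforces the RFC 1123 label shape but no length bound, so a value longer than the 253-character DNS limit (or a label over 63 characters) passes admission and only fails later when the LDAP client or GSSAPI tries to resolve it; add `maxLength: 253` next to the pattern, and tighten the label groups to `[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?` if the 63-character label limit should be enforced in the schema too. The pattern is also lowercase-only, which the description should state explicitly, since AD domain controller names are routinely written in uppercase in AD tooling. The same applies to the identical `kadminServer` and `kdc` patterns below.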
Expand Down Expand Up @@ -179,6 +180,7 @@ spec:
properties:
kadminServer:
description: The hostname of the Kerberos Admin Server. This should be provided by the Kerberos administrator.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- kadminServer
Expand All @@ -202,9 +204,11 @@ spec:
type: string
kdc:
description: The hostname of the Kerberos Key Distribution Center (KDC). This should be provided by the Kerberos administrator.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
realmName:
description: The name of the Kerberos realm. This should be provided by the Kerberos administrator.
pattern: ^[-.a-zA-Z0-9]+$
type: string
required:
- admin
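Review bot: `^[-.a-zA-Z0-9]+$` for `realmName` still admits degenerate values such as `-`, `.` or `..`, and names that start or end with a separator, because it only constrains the character set; require at least one leading alphanumeric (for example `^[a-zA-Z0-9][-.a-zA-Z0-9]*$`) and add a `maxLength`. Since Kerberos realm names are case-sensitive and conventionally uppercase (`EXAMPLE.COM`), the description should also say that the value is used verbatim and not normalized, so a lowercase realm will fail against the KDC at runtime rather than at admission.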
Expand Down
12 changes: 8 additions & 4 deletions rust/operator-binary/src/backend/kerberos_keytab.rs
Expand Up @@ -5,7 +5,11 @@ use stackable_krb5_provision_keytab::{
self as provision,
provision_keytab,
};
use stackable_operator::{k8s_openapi::api::core::v1::Secret, kube::runtime::reflector::ObjectRef};
use stackable_operator::{
commons::networking::{Hostname, KerberosRealmName},
k8s_openapi::api::core::v1::Secret,
kube::runtime::reflector::ObjectRef,
};
use stackable_secret_operator_crd_utils::SecretReference;
use tempfile::tempdir;
use tokio::{
Expand All @@ -15,8 +19,8 @@ use tokio::{

use crate::{
crd::{
ActiveDirectorySamAccountNameRules, Hostname, InvalidKerberosPrincipal,
KerberosKeytabBackendAdmin, KerberosPrincipal,
ActiveDirectorySamAccountNameRules, InvalidKerberosPrincipal, KerberosKeytabBackendAdmin,
KerberosPrincipal,
},
format::{well_known, SecretData, WellKnownSecretData},
utils::Unloggable,
Expand Down Expand Up @@ -82,7 +86,7 @@ impl SecretBackendError for Error {

#[derive(Debug)]
pub struct KerberosProfile {
pub realm_name: Hostname,
pub realm_name: KerberosRealmName,
pub kdc: Hostname,
pub admin: KerberosKeytabBackendAdmin,
}
Expand Down
46 changes: 2 additions & 44 deletions rust/operator-binary/src/crd.rs
Expand Up @@ -3,6 +3,7 @@ use std::{fmt::Display, ops::Deref};
use serde::{Deserialize, Serialize};
use snafu::Snafu;
use stackable_operator::{
commons::networking::{Hostname, KerberosRealmName},
kube::CustomResource,
schemars::{self, JsonSchema},
time::Duration,
Expand Down Expand Up @@ -125,7 +126,7 @@ impl AutoTlsCa {
#[serde(rename_all = "camelCase")]
pub struct KerberosKeytabBackend {
/// The name of the Kerberos realm. This should be provided by the Kerberos administrator.
pub realm_name: Hostname,
pub realm_name: KerberosRealmName,

/// The hostname of the Kerberos Key Distribution Center (KDC).
/// This should be provided by the Kerberos administrator.
Expand Down Expand Up @@ -205,49 +206,6 @@ impl ActiveDirectorySamAccountNameRules {
}
}

#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
#[serde(try_from = "String", into = "String")]
pub struct Hostname(String);
#[derive(Debug, Snafu)]
#[snafu(module)]
pub enum InvalidHostname {
#[snafu(display("hostname contains illegal characters (allowed: alphanumeric, -, and .)"))]
IllegalCharacter,

#[snafu(display("hostname may not start with a dash"))]
StartWithDash,
}
impl TryFrom<String> for Hostname {
type Error = InvalidHostname;

fn try_from(value: String) -> Result<Self, Self::Error> {
if value.starts_with('-') {
invalid_hostname::StartWithDashSnafu.fail()
} else if value.contains(|chr: char| !chr.is_alphanumeric() && chr != '.' && chr != '-') {
invalid_hostname::IllegalCharacterSnafu.fail()
} else {
Ok(Hostname(value))
}
}
}
impl From<Hostname> for String {
fn from(value: Hostname) -> Self {
value.0
}
}
impl Display for Hostname {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
f.write_str(&self.0)
}
}
impl Deref for Hostname {
type Target = str;

fn deref(&self) -> &Self::Target {
&self.0
}
}

#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
#[serde(try_from = "String", into = "String")]
pub struct KerberosPrincipal(String);
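Review bot: the removed `TryFrom<String> for Hostname` was weaker than its error messages suggested, which is worth recording in the CHANGELOG rather than as "somewhat stricter": `char::is_alphanumeric` accepts every Unicode letter and digit, so a hostname containing Cyrillic or fullwidth lookalike characters passed validation and flowed through to the Kerberos backend unchanged, and nothing rejected a trailing dash, consecutive dots, an empty label or the empty string (`"".starts_with('-')` is false and the character check finds nothing). The ASCII-only `Hostname` from `stackable_operator::commons::networking` closes all of that. The `use std::{fmt::Display, ops::Deref};` import at the top of the file is left untouched even though the local `Display` and `Deref` impls are deleted here; confirm that `KerberosPrincipal` or another type in this file still implements both, otherwise it becomes an unused-import warning.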
Expand Down