diff --git a/Cargo.lock b/Cargo.lock index 045bb94..9bd2f0d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1881,8 +1881,8 @@ dependencies = [ [[package]] name = "stackable-operator" -version = "0.58.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=0.58.0#f9a13a41b5637cb87b270600790b7b8604371d0a" +version = "0.58.1" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=0.58.1#ab309d577e1937834f2adcbcd647822aa9c2ae43" dependencies = [ "chrono", "clap", @@ -1919,8 +1919,8 @@ dependencies = [ [[package]] name = "stackable-operator-derive" -version = "0.58.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=0.58.0#f9a13a41b5637cb87b270600790b7b8604371d0a" +version = "0.58.1" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=0.58.1#ab309d577e1937834f2adcbcd647822aa9c2ae43" dependencies = [ "darling", "proc-macro2", diff --git a/Cargo.toml b/Cargo.toml index e8d89fe..5381c22 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -16,7 +16,7 @@ futures = { version = "0.3", features = ["compat"] } serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" snafu = "0.7" -stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.58.0" } +stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.58.1" } strum = { version = "0.25", features = ["derive"] } tokio = { version = "1.29", features = ["full"] } tracing = "0.1" diff --git a/deploy/helm/commons-operator/crds/crds.yaml b/deploy/helm/commons-operator/crds/crds.yaml index 731ed07..8da56c9 100644 --- a/deploy/helm/commons-operator/crds/crds.yaml +++ b/deploy/helm/commons-operator/crds/crds.yaml 
@@ -22,9 +22,10 @@ spec: description: Auto-generated derived type for AuthenticationClassSpec via `CustomResource` properties: spec: + description: The Stackable Platform uses the AuthenticationClass as a central mechanism to handle user authentication across supported products. The authentication mechanism needs to be configured only in the AuthenticationClass which is then referenced in the product. Multiple different authentication providers are supported. Learn more in the [authentication concept documentation](https://docs.stackable.tech/home/nightly/concepts/authentication) and the [Authentication with OpenLDAP tutorial](https://docs.stackable.tech/home/nightly/tutorials/authentication_with_openldap). properties: provider: - description: Provider used for authentication like LDAP or Kerberos + description: Provider used for authentication like LDAP or Kerberos. oneOf: - required: - static 
@@ -36,35 +37,39 @@ spec: - tls properties: ldap: + description: The [LDAP provider](https://docs.stackable.tech/home/nightly/concepts/authentication#_ldap). There is also the ["Authentication with LDAP" tutorial](https://docs.stackable.tech/home/nightly/tutorials/authentication_with_openldap) where you can learn to configure Superset and Trino with OpenLDAP. properties: bindCredentials: - description: In case you need a special account for searching the LDAP server you can specify it here + description: In case you need a special account for searching the LDAP server you can specify it here. nullable: true properties: scope: - description: '[Scope](https://docs.stackable.tech/secret-operator/scope.html) of the [SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html)' + description: '[Scope](https://docs.stackable.tech/home/nightly/secret-operator/scope) of the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass).' nullable: true properties: node: default: false + description: The node scope is resolved to the name of the Kubernetes Node object that the Pod is running on. This will typically be the DNS name of the node. type: boolean pod: default: false + description: The pod scope is resolved to the name of the Kubernetes Pod. This allows the secret to differentiate between StatefulSet replicas. type: boolean services: default: [] + description: The service scope allows Pod objects to specify custom scopes. This should typically correspond to Service objects that the Pod participates in. items: type: string type: array type: object secretClass: - description: '[SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html) containing the LDAP bind credentials' + description: '[SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) containing the LDAP bind credentials.' 
type: string required: - secretClass type: object hostname: - description: Hostname of the LDAP server + description: 'Hostname of the LDAP server, for example: `my.ldap.server`.' type: string ldapFieldNames: default: @@ -73,7 +78,7 @@ spec: givenName: givenName surname: sn email: mail - description: The name of the LDAP object fields + description: The name of the LDAP object fields. properties: email: default: mail @@ -97,25 +102,25 @@ spec: type: string type: object port: - description: Port of the LDAP server. If TLS is used defaults to 636 otherwise to 389 + description: Port of the LDAP server. If TLS is used defaults to 636 otherwise to 389. format: uint16 minimum: 0.0 nullable: true type: integer searchBase: default: '' - description: LDAP search base + description: 'LDAP search base, for example: `ou=users,dc=example,dc=org`.' type: string searchFilter: default: '' - description: LDAP query to filter users + description: 'LDAP query to filter users, for example: `(memberOf=cn=myTeam,ou=teams,dc=example,dc=org)`.' type: string tls: - description: Use a TLS connection. If not specified no TLS will be used + description: Use a TLS connection. If not specified no TLS will be used. nullable: true properties: verification: - description: The verification method used to verify the certificates of the server and/or the client + description: The verification method used to verify the certificates of the server and/or the client. oneOf: - required: - none @@ -123,13 +128,13 @@ spec: - server properties: none: - description: Use TLS but don't verify certificates + description: Use TLS but don't verify certificates. type: object server: - description: Use TLS and ca certificate to verify the server + description: Use TLS and a CA certificate to verify the server. properties: caCert: - description: Ca cert to verify the server + description: CA cert to verify the server. oneOf: - required: - webPki 
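Review bot: The `tls` description in the `@@ -97` hunk, `Use a TLS connection. If not specified no TLS will be used.`, leaves the consequence implicit even though the same `ldap` object carries `bindCredentials` and the user password exchange; consider spelling it out, e.g. `Use a TLS connection. If not specified no TLS will be used and the bind credentials and user passwords are sent in plaintext.` Likewise the `none` verification in the `@@ -123` hunk, `Use TLS but don't verify certificates.`, could state what is lost, e.g. `Use TLS but don't verify certificates. The server's identity is not checked.` The crds.yaml appears to be generated from the operator-rs doc comments (the file carries kube-derive's "Auto-generated derived type" text), so these wording changes presumably belong in the upstream struct docs and a regeneration rather than a hand edit here.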
@@ -137,10 +142,10 @@ spec: - secretClass properties: secretClass: - description: Name of the SecretClass which will provide the ca cert. Note that a SecretClass does not need to have a key but can also work with just a ca cert. So if you got provided with a ca cert but don't have access to the key you can still use this method. + description: Name of the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) which will provide the CA certificate. Note that a SecretClass does not need to have a key but can also work with just a CA certificate, so if you got provided with a CA cert but don't have access to the key you can still use this method. type: string webPki: - description: Use TLS and the ca certificates trusted by the common web browsers to verify the server. This can be useful when you e.g. use public AWS S3 or other public available services. + description: Use TLS and the CA certificates trusted by the common web browsers to verify the server. This can be useful when you e.g. use public AWS S3 or other public available services. type: object type: object required: @@ -154,13 +159,13 @@ spec: - hostname type: object oidc: - description: This struct contains configuration values to configure an OpenID Connect (OIDC) authentication class. Required fields are the identity provider (IdP) `hostname` and the TLS configuration. The `port` is selected automatically if not configured otherwise. The `rootPath` defaults to `/`. + description: The OIDC provider can be used to configure OpenID Connect. properties: hostname: description: Hostname of the identity provider, e.g. `my.keycloak.corp`. type: string port: - description: Port of the identity provider. If TLS is used defaults to `443`, otherwise to `80`. + description: Port of the identity provider. If TLS is used defaults to 443, otherwise to 80. format: uint16 minimum: 0.0 nullable: true 
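Review bot: The rewritten `oidc` description in the `@@ -154` hunk drops the statements that `hostname` and the TLS configuration are required, that `port` is selected automatically and that `rootPath` defaults to `/`; the `port` default is still documented on its own property in the same hunk, but whether the `rootPath` default is still stated on the `rootPath` property lies outside the hunk. If it is not, keep that sentence in the new text, e.g. `The OIDC provider can be used to configure OpenID Connect. rootPath defaults to /.` The `required` list that would confirm the hostname/TLS requirement is also outside the visible hunk.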
@@ -174,7 +179,7 @@ spec: We don't provide any default value, as there is no correct way of doing it that works in all setups. Most demos will probably use `preferred_username`, although `sub` being more desirable, but technically impossible with the current behavior of the products. type: string providerHint: - description: This is a hint about which identity provider is used by the [`AuthenticationClass`]. Operators *can* opt to use this value to enable known quirks around OIDC / OAuth authentication. [`None`] means there is no hint and OIDC should be used as it is intended to be used (via the `.well-known` discovery). + description: This is a hint about which identity provider is used by the AuthenticationClass. Operators *can* opt to use this value to enable known quirks around OIDC / OAuth authentication. Not providing a hint means there is no hint and OIDC should be used as it is intended to be used (via the `.well-known` discovery). enum: - Keycloak nullable: true @@ -189,11 +194,11 @@ spec: type: string type: array tls: - description: Use a TLS connection. If not specified no TLS will be used + description: Use a TLS connection. If not specified no TLS will be used. nullable: true properties: verification: - description: The verification method used to verify the certificates of the server and/or the client + description: The verification method used to verify the certificates of the server and/or the client. oneOf: - required: - none @@ -201,13 +206,13 @@ spec: - server properties: none: - description: Use TLS but don't verify certificates + description: Use TLS but don't verify certificates. type: object server: - description: Use TLS and ca certificate to verify the server + description: Use TLS and a CA certificate to verify the server. properties: caCert: - description: Ca cert to verify the server + description: CA cert to verify the server. oneOf: - required: - webPki 
@@ -215,10 +220,10 @@ spec: - secretClass properties: secretClass: - description: Name of the SecretClass which will provide the ca cert. Note that a SecretClass does not need to have a key but can also work with just a ca cert. So if you got provided with a ca cert but don't have access to the key you can still use this method. + description: Name of the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) which will provide the CA certificate. Note that a SecretClass does not need to have a key but can also work with just a CA certificate, so if you got provided with a CA cert but don't have access to the key you can still use this method. type: string webPki: - description: Use TLS and the ca certificates trusted by the common web browsers to verify the server. This can be useful when you e.g. use public AWS S3 or other public available services. + description: Use TLS and the CA certificates trusted by the common web browsers to verify the server. This can be useful when you e.g. use public AWS S3 or other public available services. type: object type: object required: 
@@ -234,12 +239,13 @@ spec: - scopes type: object static: + description: The [static provider](https://https://docs.stackable.tech/home/nightly/concepts/authentication#_static) is used to configure a static set of users, identified by username and password. properties: userCredentialsSecret: - description: Secret providing the usernames and password. The secret must contain an entry for every user, with the key being the username and the value the password in plain text. It must be located in the same namespace as the product using it. + description: Secret providing the usernames and passwords. The Secret must contain an entry for every user, with the key being the username and the value the password in plain text. It must be located in the same namespace as the product using it. properties: name: - description: Name of the secret + description: Name of the Secret. type: string required: - name @@ -248,9 +254,10 @@ spec: - userCredentialsSecret type: object tls: + description: The [TLS provider](https://docs.stackable.tech/home/nightly/concepts/authentication#_tls). The TLS AuthenticationClass is used when users should authenticate themselves with a TLS certificate. properties: clientCertSecretClass: - description: See ``. If `client_cert_secret_class` is not set, the TLS settings may also be used for client authentication. If `client_cert_secret_class` is set, the [SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html) will be used to provision client certificates. + description: 'See [ADR017: TLS authentication](https://docs.stackable.tech/home/nightly/contributor/adr/adr017-tls_authentication). If `client_cert_secret_class` is not set, the TLS settings may also be used for client authentication. If `client_cert_secret_class` is set, the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) will be used to provision client certificates.' nullable: true type: string type: object 
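Review bot: The new `static` description in this hunk links to `https://https://docs.stackable.tech/home/nightly/concepts/authentication#_static`, a doubled scheme that makes the link unresolvable; the `ldap` and `tls` provider links in the other hunks use a single `https://`, so the line should read `description: The [static provider](https://docs.stackable.tech/home/nightly/concepts/authentication#_static) is used to configure a static set of users, identified by username and password.` As crds.yaml looks generated from the operator-rs doc comments, the fix presumably needs to land upstream and be regenerated here rather than be hand-edited.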
@@ -289,7 +296,7 @@ spec: description: Auto-generated derived type for S3ConnectionSpec via `CustomResource` properties: spec: - description: S3 connection definition as CRD. + description: S3 connection definition as a resource. Learn more on the [S3 concept documentation](https://docs.stackable.tech/home/nightly/concepts/s3). properties: accessStyle: description: Which access style to use. Defaults to virtual hosted-style as most of the data products out there. Have a look at the [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html). 
@@ -299,27 +306,30 @@ spec: nullable: true type: string credentials: - description: If the S3 uses authentication you have to specify you S3 credentials. In the most cases a SecretClass providing `accessKey` and `secretKey` is sufficient. + description: If the S3 uses authentication you have to specify you S3 credentials. In the most cases a [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) providing `accessKey` and `secretKey` is sufficient. nullable: true properties: scope: - description: '[Scope](https://docs.stackable.tech/secret-operator/scope.html) of the [SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html)' + description: '[Scope](https://docs.stackable.tech/home/nightly/secret-operator/scope) of the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass).' nullable: true properties: node: default: false + description: The node scope is resolved to the name of the Kubernetes Node object that the Pod is running on. This will typically be the DNS name of the node. type: boolean pod: default: false + description: The pod scope is resolved to the name of the Kubernetes Pod. This allows the secret to differentiate between StatefulSet replicas. type: boolean services: default: [] + description: The service scope allows Pod objects to specify custom scopes. This should typically correspond to Service objects that the Pod participates in. items: type: string type: array type: object secretClass: - description: '[SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html) containing the LDAP bind credentials' + description: '[SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) containing the LDAP bind credentials.' type: string required: - secretClass 
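Review bot: The `secretClass` description under the S3 `credentials` block in this hunk still reads `containing the LDAP bind credentials`, which is wrong for an S3 connection (the `credentials` description at the top of the same hunk says the SecretClass provides `accessKey` and `secretKey`); the same text appears in the S3 bucket hunk at `@@ -432`. The new `credentials` line also keeps the typo `specify you S3 credentials`, e.g. `specify your S3 credentials`. Both `secretClass` descriptions appear to come from a shared operator-rs type, which would explain the copied wording; the fix would then belong in the upstream doc comment for the S3 credentials field, with this file regenerated afterwards.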
@@ -339,7 +349,7 @@ spec: nullable: true properties: verification: - description: The verification method used to verify the certificates of the server and/or the client + description: The verification method used to verify the certificates of the server and/or the client. oneOf: - required: - none @@ -347,13 +357,13 @@ spec: - server properties: none: - description: Use TLS but don't verify certificates + description: Use TLS but don't verify certificates. type: object server: - description: Use TLS and ca certificate to verify the server + description: Use TLS and a CA certificate to verify the server. properties: caCert: - description: Ca cert to verify the server + description: CA cert to verify the server. oneOf: - required: - webPki @@ -361,10 +371,10 @@ spec: - secretClass properties: secretClass: - description: Name of the SecretClass which will provide the ca cert. Note that a SecretClass does not need to have a key but can also work with just a ca cert. So if you got provided with a ca cert but don't have access to the key you can still use this method. + description: Name of the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) which will provide the CA certificate. Note that a SecretClass does not need to have a key but can also work with just a CA certificate, so if you got provided with a CA cert but don't have access to the key you can still use this method. type: string webPki: - description: Use TLS and the ca certificates trusted by the common web browsers to verify the server. This can be useful when you e.g. use public AWS S3 or other public available services. + description: Use TLS and the CA certificates trusted by the common web browsers to verify the server. This can be useful when you e.g. use public AWS S3 or other public available services. type: object type: object required: 
@@ -406,7 +416,7 @@ spec: description: Auto-generated derived type for S3BucketSpec via `CustomResource` properties: spec: - description: S3 bucket specification containing only the bucket name and an inlined or referenced connection specification. + description: S3 bucket specification containing the bucket name and an inlined or referenced connection specification. Learn more on the [S3 concept documentation](https://docs.stackable.tech/home/nightly/concepts/s3). properties: bucketName: description: The name of the S3 bucket. 
@@ -432,27 +442,30 @@ spec: nullable: true type: string credentials: - description: If the S3 uses authentication you have to specify you S3 credentials. In the most cases a SecretClass providing `accessKey` and `secretKey` is sufficient. + description: If the S3 uses authentication you have to specify you S3 credentials. In the most cases a [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) providing `accessKey` and `secretKey` is sufficient. nullable: true properties: scope: - description: '[Scope](https://docs.stackable.tech/secret-operator/scope.html) of the [SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html)' + description: '[Scope](https://docs.stackable.tech/home/nightly/secret-operator/scope) of the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass).' nullable: true properties: node: default: false + description: The node scope is resolved to the name of the Kubernetes Node object that the Pod is running on. This will typically be the DNS name of the node. type: boolean pod: default: false + description: The pod scope is resolved to the name of the Kubernetes Pod. This allows the secret to differentiate between StatefulSet replicas. type: boolean services: default: [] + description: The service scope allows Pod objects to specify custom scopes. This should typically correspond to Service objects that the Pod participates in. items: type: string type: array type: object secretClass: - description: '[SecretClass](https://docs.stackable.tech/secret-operator/secretclass.html) containing the LDAP bind credentials' + description: '[SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) containing the LDAP bind credentials.' type: string required: - secretClass 
@@ -472,7 +485,7 @@ spec: nullable: true properties: verification: - description: The verification method used to verify the certificates of the server and/or the client + description: The verification method used to verify the certificates of the server and/or the client. oneOf: - required: - none @@ -480,13 +493,13 @@ spec: - server properties: none: - description: Use TLS but don't verify certificates + description: Use TLS but don't verify certificates. type: object server: - description: Use TLS and ca certificate to verify the server + description: Use TLS and a CA certificate to verify the server. properties: caCert: - description: Ca cert to verify the server + description: CA cert to verify the server. oneOf: - required: - webPki @@ -494,10 +507,10 @@ spec: - secretClass properties: secretClass: - description: Name of the SecretClass which will provide the ca cert. Note that a SecretClass does not need to have a key but can also work with just a ca cert. So if you got provided with a ca cert but don't have access to the key you can still use this method. + description: Name of the [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) which will provide the CA certificate. Note that a SecretClass does not need to have a key but can also work with just a CA certificate, so if you got provided with a CA cert but don't have access to the key you can still use this method. type: string webPki: - description: Use TLS and the ca certificates trusted by the common web browsers to verify the server. This can be useful when you e.g. use public AWS S3 or other public available services. + description: Use TLS and the CA certificates trusted by the common web browsers to verify the server. This can be useful when you e.g. use public AWS S3 or other public available services. type: object type: object required: