Split out MIT into separate SecretClass CRD section (#257)

# Description

This should help prepare for making AD integration (#254) a non-breaking change.



Co-authored-by: Natalie <[email protected]>

Author: nightkr

CHANGELOG.md

@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
-- Added `kerberosKeytab` provisioner backend ([#99]).
+- Added `kerberosKeytab` provisioner backend using MIT Kerberos ([#99], [#257]).
 - Added experimental unprivileged mode ([#252]).
 
 ### Changed
@@ -22,6 +22,7 @@ All notable changes to this project will be documented in this file.
 [#231]: https://github.com/stackabletech/secret-operator/pull/231
 [#232]: https://github.com/stackabletech/secret-operator/pull/232
 [#252]: https://github.com/stackabletech/secret-operator/pull/252
+[#257]: https://github.com/stackabletech/secret-operator/pull/257
 
 ## [23.1.0] - 2023-01-23
 

deploy/helm/secret-operator/crds/crds.yaml

@@ -75,6 +75,19 @@ spec:
                       type: object
                     kerberosKeytab:
                       properties:
+                        admin:
+                          oneOf:
+                            - required:
+                                - mit
+                          properties:
+                            mit:
+                              properties:
+                                kadminServer:
+                                  type: string
+                              required:
+                                - kadminServer
+                              type: object
+                          type: object
                         adminKeytabSecret:
                           description: SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace
                           properties:
@@ -87,16 +100,14 @@ spec:
                           type: object
                         adminPrincipal:
                           type: string
-                        adminServer:
-                          type: string
                         kdc:
                           type: string
                         realmName:
                           type: string
                       required:
+                        - admin
                         - adminKeytabSecret
                         - adminPrincipal
-                        - adminServer
                         - kdc
                         - realmName
                       type: object

rust/operator-binary/src/backend/dynamic.rs

@@ -109,7 +109,7 @@ pub async fn from_class(
         crd::SecretClassBackend::KerberosKeytab(crd::KerberosKeytabBackend {
             realm_name,
             kdc,
-            admin_server,
+            admin,
             admin_keytab_secret,
             admin_principal,
         }) => from(
@@ -118,7 +118,9 @@ pub async fn from_class(
                 KerberosProfile {
                     realm_name,
                     kdc,
-                    admin_server,
+                    kadmin_server: match admin {
+                        crd::KerberosKeytabBackendAdmin::Mit { kadmin_server } => kadmin_server,
+                    },
                 },
                 &admin_keytab_secret,
                 admin_principal,

rust/operator-binary/src/backend/kerberos_keytab.rs

@@ -59,7 +59,7 @@ impl SecretBackendError for Error {
 pub struct KerberosProfile {
     pub realm_name: Hostname,
     pub kdc: Hostname,
-    pub admin_server: Hostname,
+    pub kadmin_server: Hostname,
 }
 
 pub struct KerberosKeytab {
@@ -123,7 +123,7 @@ impl SecretBackend for KerberosKeytab {
                 KerberosProfile {
                     realm_name,
                     kdc,
-                    admin_server,
+                    kadmin_server,
                 },
             admin_keytab,
             admin_principal,
@@ -141,7 +141,7 @@ udp_preference_limit = 1
 [realms]
 {realm_name} = {{
   kdc = {kdc}
-  admin_server = {admin_server}
+  admin_server = {kadmin_server}
 }}
 
 [domain_realm]

rust/operator-binary/src/crd.rs

@@ -65,11 +65,18 @@ pub struct AutoTlsCa {
 pub struct KerberosKeytabBackend {
     pub realm_name: Hostname,
     pub kdc: Hostname,
-    pub admin_server: Hostname,
+    pub admin: KerberosKeytabBackendAdmin,
     pub admin_keytab_secret: SecretReference,
     pub admin_principal: KerberosPrincipal,
 }
 
+#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub enum KerberosKeytabBackendAdmin {
+    #[serde(rename_all = "camelCase")]
+    Mit { kadmin_server: Hostname },
+}
+
 #[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
 #[serde(try_from = "String", into = "String")]
 pub struct Hostname(String);

tests/templates/kuttl/kerberos/01-install-kdc.yaml

@@ -2,7 +2,7 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
-  - script: yq eval '.spec.backend.kerberosKeytab |= (.adminKeytabSecret.namespace = strenv(NAMESPACE) | .kdc = "krb5-kdc." + strenv(NAMESPACE) + ".svc.cluster.local" | .adminServer = .kdc)' secretclass.yaml | kubectl apply -f-
+  - script: yq eval '.spec.backend.kerberosKeytab |= (.adminKeytabSecret.namespace = strenv(NAMESPACE) | .kdc = "krb5-kdc." + strenv(NAMESPACE) + ".svc.cluster.local" | .admin.mit.kadminServer = .kdc)' secretclass.yaml | kubectl apply -f-
 ---
 apiVersion: apps/v1
 kind: StatefulSet

tests/templates/kuttl/kerberos/secretclass.yaml

@@ -9,7 +9,9 @@ spec:
     kerberosKeytab:
       realmName: CLUSTER.LOCAL
       kdc: krb5-kdc
-      adminServer: krb5-kdc
+      admin:
+        mit:
+          kadminServer: krb5-kdc
       adminKeytabSecret:
         # namespace: default
         name: secret-operator-keytab