[Merged by Bors] - Kerberos AD backend

[nightkr]

Description

Fixes #253

Definition of Done Checklist

• Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
• Please make sure all these things are done and tick the boxes

# Author
- [ ] Changes are OpenShift compatible
- [ ] CRD changes approved
- [ ] Helm chart can be installed and deployed operator works
- [ ] Integration tests passed (for non trivial changes)

# Reviewer
- [ ] Code contains useful comments
- [ ] (Integration-)Test cases added
- [ ] Documentation added or updated
- [ ] Changelog updated
- [ ] Cargo.toml only contains references to git tags (not specific commits or branches)

# Acceptance
- [ ] Feature Tracker has been updated
- [ ] Proper release label has been added

Once the review is done, comment bors r+ (or bors merge) to merge. Further information

[nightkr]

Note before merging this: currently this disables TLS validation, need to let users supply a trust root instead.

[sbernauer]

Successfully tested this branch against a Windows Server 2022 AD and stackabletech/hdfs-operator#334

[sbernauer]

I run into the following issue:

2023-03-28T06:46:48.462981Z  INFO stackable_krb5_provision_keytab: Creating principal principal="jn/hdfs-journalnode-default-0.hdfs-journalnode-default.kuttl-test-wired-rat.svc.cluster.local"                                                                                                                                           
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: LdapResult { result: LdapResult { rc: 68, matched: "", text: "00002071: UpdErr: DSID-03050438
, problem 6005 (ENTRY_EXISTS), data 0\n\0", refs: [], ctrls: [] } }', rust/krb5-provision-keytab/src/main.rs:259:22                                                  
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace 

k -n kuttl-test-wired-rat get secret secret-operator-ad-passwords -o yaml
data:
  dn--hdfs-datanode-default-0.hdfs-datanode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: RU5FUDVtJzNsXzZRZFhNYS8nIVwlRkRicS1FfHZfOGd8O0xueUlZYA==
  dn--hdfs-datanode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: cV1fYHohTjRbbXQ6e2A5fklDUkU2fT03JT0lTTd6cFg+Mjkldm40RQ==
  jn--hdfs-journalnode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: KD0ueGZbNyQ0TCl6eFdLcD1GTDFiUFEnd08ySlF5bkx5UitHbTZfNA==
  nn--hdfs-namenode-default-0.hdfs-namenode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: SSx2JU89UVtmLDJqO0phTl1fdjsjVmJQMkNJWil6VnQpYUpFQ05tVQ==
  nn--hdfs-namenode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: Nl99bnV1WEY5ZS5RemIsQWNscDddWTpFKE9MeXNXU1xsNUQmJnp7Rg==

Theese are all the avaialble JN principals

You can see my AD contains users from a previous testrun but not the user jn/hdfs-journalnode-default-0.hdfs-journalnode-default.kuttl-test-wired-rat.svc.cluster.local (only jn/hdfs-journalnode-default-0.hdfs-journalnode-default.kuttl-test-clever-hog.svc.cluster.local is already in the AD)

[sbernauer]

I think I'm stupid and it actually tries to create dn/kind-control-plane, which names clash (as of the node scope)
Because the Secret containing the cashed passwords is located in the kuttl namespace it get's deleted while the AD user still existing.
What do you suggest?

1. Remove the node scope from hdfs-op?
2. Somehow fix this (haven't thought too much yet)
   a. Force creation of new user
   b. Override pw of the user and store it in the Secret
   b. Somehow read the password and put it in the Secret (I guess this is not possible)
3. Something else

Do we want to improve the error message, so that we know which user can't be created?

2023-03-28T07:08:51.977954Z  INFO stackable_krb5_provision_keytab: Creating principal principal="dn/kind-control-plane"                                              
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: LdapResult { result: LdapResult { rc: 68, matched: "", text: "00002071: UpdErr: DSID-03050438
, problem 6005 (ENTRY_EXISTS), data 0\n\0", refs: [], ctrls: [] } }', rust/krb5-provision-keytab/src/main.rs:259:22                                                  
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

[nightkr]

There might have been a race condition, it can also happen if we fail to write the password back into K8s after creating the AD user...

[sbernauer]

That sucks!
Deleting {HTTP,nn}/kind-control-plane users solved the problem for me

[sbernauer]

Did walk through the code.
Please don't forget to add a breaking changelog entry

[nightkr]

I think I'd like to get the CRD change into 23.4, which would make the rest of this PR non-breaking when it does land.

[sbernauer]

I think I'd like to get the CRD change into 23.4, which would make the rest of this PR non-breaking when it does land.

+1, was thinking the same

[sbernauer]

Regarding b25995d: Do we also want so support webpki as ca-cert validation mechanism (as we e.g. do for ldap server conections). Or would say 99% of the users run their AD behind their own pki?

[nightkr]

I would assume that private PKI is by far the norm. We can always go back and enable WebPKI support later, should the need arise.

[sbernauer]

Thanks for working on this! Only two minor comments left

[sbernauer]

Can we please also document

          ldapTlsCaSecret:
            # namespace: default
            name: secret-operator-ad-ca

Also that we will always use ldaps and the Secret needs the key ca.crt

[nightkr]

77c0c05

[sbernauer]

Do you want to disable this test by default before merging?

[nightkr]

Yes, I think that makes sense to do.

[nightkr]

723898c

[sbernauer]

LGTM % the documentation comment

[sbernauer]

Thx!

[nightkr]

bors r+

[bors]

Pull request successfully merged into main.

Build succeeded!

The publicly hosted instance of bors-ng is deprecated and will go away soon.

If you want to self-host your own instance, instructions are here.
For more help, visit the forum.

If you want to switch to GitHub's built-in merge queue, visit their help page.

• All tests passed