Note before merging this: currently this disables TLS validation, need to let users supply a trust root instead.

Successfully tested this branch against a Windows Server 2022 AD and stackabletech/hdfs-operator#334

I run into the following issue:

2023-03-28T06:46:48.462981Z  INFO stackable_krb5_provision_keytab: Creating principal principal="jn/hdfs-journalnode-default-0.hdfs-journalnode-default.kuttl-test-wired-rat.svc.cluster.local"                                                                                                                                           
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: LdapResult { result: LdapResult { rc: 68, matched: "", text: "00002071: UpdErr: DSID-03050438
, problem 6005 (ENTRY_EXISTS), data 0\n\0", refs: [], ctrls: [] } }', rust/krb5-provision-keytab/src/main.rs:259:22                                                  
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace 

k -n kuttl-test-wired-rat get secret secret-operator-ad-passwords -o yaml
data:
  dn--hdfs-datanode-default-0.hdfs-datanode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: RU5FUDVtJzNsXzZRZFhNYS8nIVwlRkRicS1FfHZfOGd8O0xueUlZYA==
  dn--hdfs-datanode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: cV1fYHohTjRbbXQ6e2A5fklDUkU2fT03JT0lTTd6cFg+Mjkldm40RQ==
  jn--hdfs-journalnode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: KD0ueGZbNyQ0TCl6eFdLcD1GTDFiUFEnd08ySlF5bkx5UitHbTZfNA==
  nn--hdfs-namenode-default-0.hdfs-namenode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: SSx2JU89UVtmLDJqO0phTl1fdjsjVmJQMkNJWil6VnQpYUpFQ05tVQ==
  nn--hdfs-namenode-default.kuttl-test-wired-rat.svc.cluster.local--EXAMPLE.COM: Nl99bnV1WEY5ZS5RemIsQWNscDddWTpFKE9MeXNXU1xsNUQmJnp7Rg==

Theese are all the avaialble JN principals

You can see my AD contains users from a previous testrun but not the user jn/hdfs-journalnode-default-0.hdfs-journalnode-default.kuttl-test-wired-rat.svc.cluster.local (only jn/hdfs-journalnode-default-0.hdfs-journalnode-default.kuttl-test-clever-hog.svc.cluster.local is already in the AD)

I think I'm stupid and it actually tries to create dn/kind-control-plane, which names clash (as of the node scope)
Because the Secret containing the cashed passwords is located in the kuttl namespace it get's deleted while the AD user still existing.
What do you suggest?

1. Remove the node scope from hdfs-op?
2. Somehow fix this (haven't thought too much yet)
   a. Force creation of new user
   b. Override pw of the user and store it in the Secret
   b. Somehow read the password and put it in the Secret (I guess this is not possible)
3. Something else

Do we want to improve the error message, so that we know which user can't be created?

2023-03-28T07:08:51.977954Z  INFO stackable_krb5_provision_keytab: Creating principal principal="dn/kind-control-plane"                                              
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: LdapResult { result: LdapResult { rc: 68, matched: "", text: "00002071: UpdErr: DSID-03050438
, problem 6005 (ENTRY_EXISTS), data 0\n\0", refs: [], ctrls: [] } }', rust/krb5-provision-keytab/src/main.rs:259:22                                                  
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

There might have been a race condition, it can also happen if we fail to write the password back into K8s after creating the AD user...

That sucks!
Deleting {HTTP,nn}/kind-control-plane users solved the problem for me

I think I'd like to get the CRD change into 23.4, which would make the rest of this PR non-breaking when it does land.

I think I'd like to get the CRD change into 23.4, which would make the rest of this PR non-breaking when it does land.

+1, was thinking the same

Regarding b25995d: Do we also want so support webpki as ca-cert validation mechanism (as we e.g. do for ldap server conections). Or would say 99% of the users run their AD behind their own pki?

I would assume that private PKI is by far the norm. We can always go back and enable WebPKI support later, should the need arise.

bors r+

Pull request successfully merged into main.

Build succeeded!

The publicly hosted instance of bors-ng is deprecated and will go away soon.

If you want to self-host your own instance, instructions are here.
For more help, visit the forum.

If you want to switch to GitHub's built-in merge queue, visit their help page.

• All tests passed