From 4b38517c7f8c01ea583a6bf2745957723ce6fdd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Wed, 29 Mar 2023 14:09:05 +0200
Subject: [PATCH 1/6] Split out MIT into separate CRD section

---
 rust/operator-binary/src/backend/dynamic.rs | 6 ++++--
 rust/operator-binary/src/crd.rs | 9 ++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/rust/operator-binary/src/backend/dynamic.rs b/rust/operator-binary/src/backend/dynamic.rs
index 5895d010..49e02935 100644
--- a/rust/operator-binary/src/backend/dynamic.rs
+++ b/rust/operator-binary/src/backend/dynamic.rs
@@ -109,7 +109,7 @@ pub async fn from_class(
 crd::SecretClassBackend::KerberosKeytab(crd::KerberosKeytabBackend {
 realm_name,
 kdc,
- admin_server,
+ admin,
 admin_keytab_secret,
 admin_principal,
 }) => from(
@@ -118,7 +118,9 @@ pub async fn from_class(
 KerberosProfile {
 realm_name,
 kdc,
- admin_server,
+ admin_server: match admin {
+ crd::KerberosKeytabBackendAdmin::Mit { admin_server } => admin_server,
+ },
 },
 &admin_keytab_secret,
 admin_principal,
diff --git a/rust/operator-binary/src/crd.rs b/rust/operator-binary/src/crd.rs
index eae80544..40c1d7ea 100644
--- a/rust/operator-binary/src/crd.rs
+++ b/rust/operator-binary/src/crd.rs
@@ -65,11 +65,18 @@ pub struct AutoTlsCa {
 pub struct KerberosKeytabBackend {
 pub realm_name: Hostname,
 pub kdc: Hostname,
- pub admin_server: Hostname,
+ pub admin: KerberosKeytabBackendAdmin,
 pub admin_keytab_secret: SecretReference,
 pub admin_principal: KerberosPrincipal,
 }
 
+#[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub enum KerberosKeytabBackendAdmin {
+ #[serde(rename_all = "camelCase")]
+ Mit { admin_server: Hostname },
+}
+
 #[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
 #[serde(try_from = "String", into = "String")]
 pub struct Hostname(String);
From 278de63c100fe9239d86e5992c579d8809adc06e Mon Sep 17 00:00:00 2001
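Review bot: The new `admin` field and the `KerberosKeytabBackendAdmin` enum in the crd.rs hunk carry no `///` doc comments, so the `JsonSchema` derive emits the `admin` and `mit` CRD properties without a `description` (the regenerated `crds.yaml` in the next patch shows both without one), which is what `kubectl explain` presents to cluster operators. I would add `/// Which Kerberos administration interface to use; currently only MIT Kerberos (`mit`) is supported.` on the field, `/// Admin interfaces for the Kerberos keytab backend; externally tagged, so the manifest key is the lower-camel variant name (`mit`).` on the enum, and `/// MIT Kerberos, reached through the given admin server.` on the `Mit` variant. Because the `admin_server` value is later interpolated into a generated krb5.conf (`admin_server = {…}` in `kerberos_keytab.rs`, visible in a later patch of this series), the `Hostname` `TryFrom<String>` validation is what keeps stray whitespace or newlines out of that file; that impl is outside the hunk, so it is worth confirming it rejects them. The `KerberosKeytabBackend` struct definition starts before the hunk.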
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Wed, 29 Mar 2023 14:18:17 +0200
Subject: [PATCH 2/6] Regenerate CRD

---
 deploy/helm/secret-operator/crds/crds.yaml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml
index 42baf557..93c47822 100644
--- a/deploy/helm/secret-operator/crds/crds.yaml
+++ b/deploy/helm/secret-operator/crds/crds.yaml
@@ -75,6 +75,19 @@ spec:
 type: object
 kerberosKeytab:
 properties:
+ admin:
+ oneOf:
+ - required:
+ - mit
+ properties:
+ mit:
+ properties:
+ adminServer:
+ type: string
+ required:
+ - adminServer
+ type: object
+ type: object
 adminKeytabSecret:
 description: SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace
 properties:
@@ -87,16 +100,14 @@ spec:
 type: object
 adminPrincipal:
 type: string
- adminServer:
- type: string
 kdc:
 type: string
 realmName:
 type: string
 required:
+ - admin
 - adminKeytabSecret
 - adminPrincipal
- - adminServer
 - kdc
 - realmName
 type: object
From 0b6fd370dba6f7f35e965adc93e6a6f47c6e8924 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Thu, 30 Mar 2023 10:18:06 +0200
Subject: [PATCH 3/6] Rename admin_server to kadmin_server

---
 deploy/helm/secret-operator/crds/crds.yaml | 4 ++--
 rust/operator-binary/src/backend/dynamic.rs | 4 ++--
 rust/operator-binary/src/backend/kerberos_keytab.rs | 6 +++---
 rust/operator-binary/src/crd.rs | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml
index 93c47822..b479a5ec 100644
--- a/deploy/helm/secret-operator/crds/crds.yaml
+++ b/deploy/helm/secret-operator/crds/crds.yaml
@@ -82,10 +82,10 @@ spec:
 properties:
 mit:
 properties:
- adminServer:
+ kadminServer:
 type: string
 required:
- - adminServer
+ - kadminServer
 type: object
 type: object
 adminKeytabSecret:
diff --git a/rust/operator-binary/src/backend/dynamic.rs b/rust/operator-binary/src/backend/dynamic.rs
index 49e02935..078dc82f 100644
--- a/rust/operator-binary/src/backend/dynamic.rs
+++ b/rust/operator-binary/src/backend/dynamic.rs
@@ -118,8 +118,8 @@ pub async fn from_class(
 KerberosProfile {
 realm_name,
 kdc,
- admin_server: match admin {
- crd::KerberosKeytabBackendAdmin::Mit { admin_server } => admin_server,
+ kadmin_server: match admin {
+ crd::KerberosKeytabBackendAdmin::Mit { kadmin_server } => kadmin_server,
 },
 },
 &admin_keytab_secret,
diff --git a/rust/operator-binary/src/backend/kerberos_keytab.rs b/rust/operator-binary/src/backend/kerberos_keytab.rs
index aa464a45..7389e54f 100644
--- a/rust/operator-binary/src/backend/kerberos_keytab.rs
+++ b/rust/operator-binary/src/backend/kerberos_keytab.rs
@@ -59,7 +59,7 @@ impl SecretBackendError for Error {
 pub struct KerberosProfile {
 pub realm_name: Hostname,
 pub kdc: Hostname,
- pub admin_server: Hostname,
+ pub kadmin_server: Hostname,
 }
 
 pub struct KerberosKeytab {
@@ -123,7 +123,7 @@ impl SecretBackend for KerberosKeytab {
 KerberosProfile {
 realm_name,
 kdc,
- admin_server,
+ kadmin_server,
 },
 admin_keytab,
 admin_principal,
@@ -141,7 +141,7 @@ udp_preference_limit = 1
 [realms]
 {realm_name} = {{
 kdc = {kdc}
- admin_server = {admin_server}
+ admin_server = {kadmin_server}
 }}
 
 [domain_realm]
diff --git a/rust/operator-binary/src/crd.rs b/rust/operator-binary/src/crd.rs
index 40c1d7ea..e87c5cd7 100644
--- a/rust/operator-binary/src/crd.rs
+++ b/rust/operator-binary/src/crd.rs
@@ -74,7 +74,7 @@ pub struct KerberosKeytabBackend {
 #[serde(rename_all = "camelCase")]
 pub enum KerberosKeytabBackendAdmin {
 #[serde(rename_all = "camelCase")]
- Mit { admin_server: Hostname },
+ Mit { kadmin_server: Hostname },
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, JsonSchema)]
From 7b6f9284faed7f80a8f21b951aa3e6b90145bc69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Thu, 30 Mar 2023 10:23:46 +0200
Subject: [PATCH 4/6] Update tests

---
 tests/templates/kuttl/kerberos/01-install-kdc.yaml | 2 +-
 tests/templates/kuttl/kerberos/secretclass.yaml | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/tests/templates/kuttl/kerberos/01-install-kdc.yaml b/tests/templates/kuttl/kerberos/01-install-kdc.yaml
index 1231f5b4..76ddf35f 100644
--- a/tests/templates/kuttl/kerberos/01-install-kdc.yaml
+++ b/tests/templates/kuttl/kerberos/01-install-kdc.yaml
@@ -2,7 +2,7 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
- - script: yq eval '.spec.backend.kerberosKeytab |= (.adminKeytabSecret.namespace = strenv(NAMESPACE) | .kdc = "krb5-kdc." + strenv(NAMESPACE) + ".svc.cluster.local" | .adminServer = .kdc)' secretclass.yaml | kubectl apply -f-
+ - script: yq eval '.spec.backend.kerberosKeytab |= (.adminKeytabSecret.namespace = strenv(NAMESPACE) | .kdc = "krb5-kdc." + strenv(NAMESPACE) + ".svc.cluster.local" | .admin.mit.kadminServer = .kdc)' secretclass.yaml | kubectl apply -f-
 ---
 apiVersion: apps/v1
 kind: StatefulSet
diff --git a/tests/templates/kuttl/kerberos/secretclass.yaml b/tests/templates/kuttl/kerberos/secretclass.yaml
index 5424d524..7e7a7f32 100644
--- a/tests/templates/kuttl/kerberos/secretclass.yaml
+++ b/tests/templates/kuttl/kerberos/secretclass.yaml
@@ -9,7 +9,9 @@ spec:
 kerberosKeytab:
 realmName: CLUSTER.LOCAL
 kdc: krb5-kdc
- adminServer: krb5-kdc
+ admin:
+ mit:
+ kadminServer: krb5-kdc
 adminKeytabSecret:
 # namespace: default
 name: secret-operator-keytab
From 813d1228fe3f9dc8abe3f97ffb2f6eba719c5339 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Thu, 30 Mar 2023 10:27:01 +0200
Subject: [PATCH 5/6] Changelog

---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27eb53a8..089cb290 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
-- Added `kerberosKeytab` provisioner backend ([#99]).
+- Added `kerberosKeytab` provisioner backend ([#99], [#257]).
 
 ### Changed
 
@@ -20,6 +20,7 @@ All notable changes to this project will be documented in this file.
 [#99]: https://github.com/stackabletech/secret-operator/pull/99
 [#231]: https://github.com/stackabletech/secret-operator/pull/231
 [#232]: https://github.com/stackabletech/secret-operator/pull/232
+[#257]: https://github.com/stackabletech/secret-operator/pull/257
 
 ## [23.1.0] - 2023-01-23
 
From d62790b275321d086c00cd7b6e129be766094f42 Mon Sep 17 00:00:00 2001
From: Natalie
Date: Thu, 30 Mar 2023 10:49:56 +0200
Subject: [PATCH 6/6] Update CHANGELOG.md

Co-authored-by: Sebastian Bernauer
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 168a1b91..423a6f76 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
-- Added `kerberosKeytab` provisioner backend ([#99], [#257]).
+- Added `kerberosKeytab` provisioner backend using MIT Kerberos ([#99], [#257]).
 - Added experimental unprivileged mode ([#252]).
 
 ### Changed