constants. constants everywhere.

sbernauer · sbernauer · commit 61345c49abba · 2025-01-28T16:54:43.000+01:00
diff --git a/rust/operator-binary/src/config/jvm.rs b/rust/operator-binary/src/config/jvm.rs
@@ -6,6 +6,8 @@ use stackable_operator::{
     role_utils::JvmArgumentOverrides,
 };
 
+use crate::security::kerberos::KERBEROS_CONTAINER_PATH;
+
 const JVM_HEAP_FACTOR: f32 = 0.8;
 
 #[derive(Snafu, Debug)]
@@ -29,7 +31,9 @@ pub fn construct_global_jvm_args(kerberos_enabled: bool) -> String {
     let mut jvm_args = Vec::new();
 
     if kerberos_enabled {
-        jvm_args.push("-Djava.security.krb5.conf=/stackable/kerberos/krb5.conf".to_owned());
+        jvm_args.push(format!(
+            "-Djava.security.krb5.conf={KERBEROS_CONTAINER_PATH}/krb5.conf"
+        ));
     }
 
     // We do *not* add user overrides to the global JVM args, but only the role specific JVM arguments.
@@ -76,7 +80,9 @@ pub fn construct_role_specific_jvm_args(
         format!("-javaagent:/stackable/jmx/jmx_prometheus_javaagent.jar={metrics_port}:/stackable/jmx/{hdfs_role}.yaml")
     ]);
     if kerberos_enabled {
-        jvm_args.push("-Djava.security.krb5.conf=/stackable/kerberos/krb5.conf".to_string());
+        jvm_args.push(format!(
+            "-Djava.security.krb5.conf={KERBEROS_CONTAINER_PATH}/krb5.conf"
+        ));
     }
 
     let operator_generated = JvmArgumentOverrides::new_with_only_additions(jvm_args);
@@ -102,7 +108,7 @@ mod tests {
         assert_eq!(construct_global_jvm_args(false), "");
         assert_eq!(
             construct_global_jvm_args(true),
-            "-Djava.security.krb5.conf=/stackable/kerberos/krb5.conf"
+            format!("-Djava.security.krb5.conf={KERBEROS_CONTAINER_PATH}/krb5.conf")
         );
     }
 
@@ -172,14 +178,15 @@ mod tests {
 
         assert_eq!(
             jvm_config,
-            "-Xms34406m \
-            -Djava.security.properties=/stackable/config/security.properties \
-            -javaagent:/stackable/jmx/jmx_prometheus_javaagent.jar=8183:/stackable/jmx/namenode.yaml \
-            -Djava.security.krb5.conf=/stackable/kerberos/krb5.conf \
-            -Dhttps.proxyHost=proxy.my.corp \
-            -Djava.net.preferIPv4Stack=true \
-            -Xmx40000m \
-            -Dhttps.proxyPort=1234"
+            format!(
+                "-Xms34406m \
+                -Djava.security.properties=/stackable/config/security.properties \
+                -javaagent:/stackable/jmx/jmx_prometheus_javaagent.jar=8183:/stackable/jmx/namenode.yaml \
+                -Djava.security.krb5.conf={KERBEROS_CONTAINER_PATH}/krb5.conf \
+                -Dhttps.proxyHost=proxy.my.corp \
+                -Djava.net.preferIPv4Stack=true \
+                -Xmx40000m \
+                -Dhttps.proxyPort=1234")
         );
     }
 
diff --git a/rust/operator-binary/src/container.rs b/rust/operator-binary/src/container.rs
@@ -78,6 +78,7 @@ use crate::{
         MAX_WAIT_NAMENODES_LOG_FILE_SIZE, MAX_ZKFC_LOG_FILE_SIZE, STACKABLE_LOG_DIR,
         WAIT_FOR_NAMENODES_LOG4J_CONFIG_FILE, ZKFC_LOG4J_CONFIG_FILE,
     },
+    security::kerberos::KERBEROS_CONTAINER_PATH,
     DATANODE_ROOT_DATA_DIR_PREFIX, LOG4J_PROPERTIES,
 };
 
@@ -801,8 +802,7 @@ wait_for_termination $!
 
     // Command to export `KERBEROS_REALM` env var to default real from krb5.conf, e.g. `CLUSTER.LOCAL`
     fn export_kerberos_real_env_var_command() -> String {
-        "export KERBEROS_REALM=$(grep -oP 'default_realm = \\K.*' /stackable/kerberos/krb5.conf)\n"
-            .to_string()
+        format!("export KERBEROS_REALM=$(grep -oP 'default_realm = \\K.*' {KERBEROS_CONTAINER_PATH}/krb5.conf)\n")
     }
 
     /// Command to `kinit` a ticket using the principal created for the specified hdfs role
@@ -822,8 +822,8 @@ wait_for_termination $!
         );
         Ok(formatdoc!(
             r###"
-            echo "Getting ticket for {principal}" from /stackable/kerberos/keytab
-            kinit "{principal}" -kt /stackable/kerberos/keytab
+            echo "Getting ticket for {principal}" from {KERBEROS_CONTAINER_PATH}/keytab
+            kinit "{principal}" -kt {KERBEROS_CONTAINER_PATH}/keytab
             "###,
         ))
     }
@@ -892,15 +892,15 @@ wait_for_termination $!
                 "KRB5_CONFIG".to_string(),
                 EnvVar {
                     name: "KRB5_CONFIG".to_string(),
-                    value: Some("/stackable/kerberos/krb5.conf".to_string()),
+                    value: Some(format!("{KERBEROS_CONTAINER_PATH}/krb5.conf")),
                     ..EnvVar::default()
                 },
             );
             env.insert(
                 "KRB5_CLIENT_KTNAME".to_string(),
                 EnvVar {
                     name: "KRB5_CLIENT_KTNAME".to_string(),
-                    value: Some("/stackable/kerberos/keytab".to_string()),
+                    value: Some(format!("{KERBEROS_CONTAINER_PATH}/keytab")),
                     ..EnvVar::default()
                 },
             );
@@ -1107,7 +1107,8 @@ wait_for_termination $!
 
         // Adding this for all containers, as not only the main container needs Kerberos or TLS
         if hdfs.has_kerberos_enabled() {
-            volume_mounts.push(VolumeMountBuilder::new("kerberos", "/stackable/kerberos").build());
+            volume_mounts
+                .push(VolumeMountBuilder::new("kerberos", KERBEROS_CONTAINER_PATH).build());
         }
         if hdfs.has_https_enabled() {
             // This volume will be propagated by the create-tls-cert-bundle container
diff --git a/rust/operator-binary/src/security/kerberos.rs b/rust/operator-binary/src/security/kerberos.rs
@@ -10,6 +10,8 @@ use stackable_operator::{
 
 use crate::config::{CoreSiteConfigBuilder, HdfsSiteConfigBuilder};
 
+pub const KERBEROS_CONTAINER_PATH: &str = "/stackable/kerberos";
+
 type Result<T, E = Error> = std::result::Result<T, E>;
 
 #[derive(Snafu, Debug)]
@@ -85,9 +87,18 @@ impl CoreSiteConfigBuilder {
                     "dfs.web.authentication.kerberos.principal",
                     format!("HTTP/{principal_host_part}"),
                 )
-                .add("dfs.journalnode.keytab.file", "/stackable/kerberos/keytab")
-                .add("dfs.namenode.keytab.file", "/stackable/kerberos/keytab")
-                .add("dfs.datanode.keytab.file", "/stackable/kerberos/keytab")
+                .add(
+                    "dfs.journalnode.keytab.file",
+                    format!("{KERBEROS_CONTAINER_PATH}/keytab"),
+                )
+                .add(
+                    "dfs.namenode.keytab.file",
+                    format!("{KERBEROS_CONTAINER_PATH}/keytab"),
+                )
+                .add(
+                    "dfs.datanode.keytab.file",
+                    format!("{KERBEROS_CONTAINER_PATH}/keytab"),
+                )
                 .add(
                     "dfs.journalnode.kerberos.principal.pattern",
                     format!("jn/{principal_host_part}"),
