fix: Add metrics Service SAN to NiFis certificate (#822)

* fix: Add metrics Service SAN to NiFis certificate

* changelog

* clippy

Author: sbernauer

CHANGELOG.md

@@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Add rolling upgrade support for upgrades between NiFi 2 versions ([#771]).
-- BREAKING: Added Listener support for NiFi ([#784], [#818], [#819]).
+- BREAKING: Added Listener support for NiFi ([#784], [#818], [#819], [#822]).
 - Adds new telemetry CLI arguments and environment variables ([#782]).
   - Use `--file-log-max-files` (or `FILE_LOG_MAX_FILES`) to limit the number of log files kept.
   - Use `--file-log-rotation-period` (or `FILE_LOG_ROTATION_PERIOD`) to configure the frequency of rotation.
@@ -71,6 +71,7 @@ All notable changes to this project will be documented in this file.
 [#817]: https://github.com/stackabletech/nifi-operator/pull/817
 [#818]: https://github.com/stackabletech/nifi-operator/pull/818
 [#819]: https://github.com/stackabletech/nifi-operator/pull/819
+[#822]: https://github.com/stackabletech/nifi-operator/pull/822
 
 ## [25.3.0] - 2025-03-21
 

rust/operator-binary/src/controller.rs

@@ -109,7 +109,7 @@ use crate::{
     },
     service::{
         build_rolegroup_headless_service, build_rolegroup_metrics_service, metrics_service_port,
-        rolegroup_headless_service_name,
+        rolegroup_headless_service_name, rolegroup_metrics_service_name,
     },
 };
 
@@ -1347,7 +1347,10 @@ async fn build_node_rolegroup_statefulset(
             build_tls_volume(
                 nifi,
                 KEYSTORE_VOLUME_NAME,
-                vec![&build_reporting_task_service_name(&nifi_cluster_name)],
+                [
+                    rolegroup_metrics_service_name(rolegroup_ref.object_name()),
+                    build_reporting_task_service_name(&nifi_cluster_name),
+                ],
                 SecretFormat::TlsPkcs12,
                 &requested_secret_lifetime,
                 Some(LISTENER_VOLUME_NAME),

rust/operator-binary/src/reporting_task/mod.rs

@@ -350,7 +350,7 @@ fn build_reporting_task_job(
             build_tls_volume(
                 nifi,
                 REPORTING_TASK_CERT_VOLUME_NAME,
-                vec![],
+                Vec::<String>::new(),
                 SecretFormat::TlsPem,
                 // The certificate is only used for the REST API call, so a short lifetime is sufficient.
                 // There is no correct way to configure this job since it's an implementation detail.

rust/operator-binary/src/security/mod.rs

@@ -47,7 +47,7 @@ pub async fn check_or_generate_oidc_admin_password(
 pub fn build_tls_volume(
     nifi: &v1alpha1::NifiCluster,
     volume_name: &str,
-    service_scopes: Vec<&str>,
+    service_scopes: impl IntoIterator<Item = impl AsRef<str>>,
     secret_format: SecretFormat,
     requested_secret_lifetime: &Duration,
     listener_scope: Option<&str>,

rust/operator-binary/src/security/tls.rs

@@ -24,7 +24,7 @@ pub enum Error {
 pub(crate) fn build_tls_volume(
     nifi: &v1alpha1::NifiCluster,
     volume_name: &str,
-    service_scopes: Vec<&str>,
+    service_scopes: impl IntoIterator<Item = impl AsRef<str>>,
     secret_format: SecretFormat,
     requested_secret_lifetime: &Duration,
     listener_scope: Option<&str>,
@@ -36,7 +36,7 @@ pub(crate) fn build_tls_volume(
         secret_volume_source_builder.with_tls_pkcs12_password(STACKABLE_TLS_STORE_PASSWORD);
     }
     for scope in service_scopes {
-        secret_volume_source_builder.with_service_scope(scope);
+        secret_volume_source_builder.with_service_scope(scope.as_ref());
     }
     if let Some(listener_scope) = listener_scope {
         secret_volume_source_builder.with_listener_volume_scope(listener_scope);

rust/operator-binary/src/service.rs

@@ -74,9 +74,7 @@ pub fn build_rolegroup_metrics_service(
     Ok(Service {
         metadata: ObjectMetaBuilder::new()
             .name_and_namespace(nifi)
-            .name(rolegroup_metrics_service_name(
-                &role_group_ref.object_name(),
-            ))
+            .name(rolegroup_metrics_service_name(role_group_ref.object_name()))
             .ownerreference_from_resource(nifi, None, Some(true))
             .context(ObjectMissingMetadataForOwnerRefSnafu)?
             .with_recommended_labels(object_labels)
@@ -127,7 +125,8 @@ pub fn metrics_service_port(product_version: &str) -> ServicePort {
 }
 
 /// Returns the metrics rolegroup service name `<cluster>-<role>-<rolegroup>-<METRICS_SERVICE_SUFFIX>`.
-fn rolegroup_metrics_service_name(role_group_ref_object_name: &str) -> String {
+pub fn rolegroup_metrics_service_name(role_group_ref_object_name: impl AsRef<str>) -> String {
+    let role_group_ref_object_name = role_group_ref_object_name.as_ref();
     format!("{role_group_ref_object_name}-{METRICS_SERVICE_SUFFIX}")
 }