misc cleanup

Author: sbernauer

crates/stackable-certs/src/ca/ca_builder.rs

@@ -157,12 +157,11 @@ where
         )
         .context(CreateCertificateBuilderSnafu)?;
 
-        // Add extension constructed above
         builder
             .add_extension(&aki)
             .context(AddCertificateExtensionSnafu)?;
 
-        debug!("create and sign CA certificate");
+        debug!("creating and signing CA certificate");
         let certificate = builder.build().context(BuildCertificateSnafu)?;
 
         Ok(CertificateAuthority {

crates/stackable-certs/src/ca/consts.rs

@@ -10,4 +10,5 @@ pub const DEFAULT_CERTIFICATE_VALIDITY: Duration = Duration::from_hours_unchecke
 /// The root CA subject name containing only the common name.
 pub const SDP_ROOT_CA_SUBJECT: &str = "CN=Stackable Data Platform Internal CA";
 
+/// As we are mostly on Unix systems, we are using `\ņ`.
 pub const PEM_LINE_ENDING: LineEnding = LineEnding::LF;

crates/stackable-certs/src/ca/k8s.rs

@@ -10,8 +10,7 @@ use crate::{CertificatePair, keys::CertificateKeypair};
 
 pub const TLS_SECRET_TYPE: &str = "kubernetes.io/tls";
 
-/// Defines all error variants which can occur when loading a CA from a
-/// Kubernetes [`Secret`].
+/// Defines all error variants which can occur when loading a CA from a Kubernetes [`Secret`].
 #[derive(Debug, Snafu)]
 pub enum SecretError<E>
 where
@@ -50,7 +49,7 @@ where
 
 /// Create a [`CertificateAuthority`] from a Kubernetes [`Secret`].
 ///
-/// Both the  `certificate_key` and `private_key_key` parameters describe
+/// Both the `certificate_key` and `private_key_key` parameters describe
 /// the _key_ used to lookup the certificate and private key value in the
 /// Kubernetes [`Secret`]. Common keys are `ca.crt` and `ca.key`.
 #[instrument(skip(secret))]
@@ -71,7 +70,7 @@ where
         secret: ObjectRef::from_obj(&secret),
     })?;
 
-    debug!("retrieving certificate data from secret via key {certificate_key:?}");
+    debug!("retrieving certificate data from secret via key \"{certificate_key}\"");
     let certificate_data = data
         .get(certificate_key)
         .with_context(|| NoCertificateDataSnafu {
@@ -84,7 +83,7 @@ where
         })?
         .remove(0);
 
-    debug!("retrieving private key data from secret via key {private_key_key:?}");
+    debug!("retrieving private key data from secret via key \"{private_key_key}\"");
     let private_key_data = data
         .get(private_key_key)
         .with_context(|| NoPrivateKeyDataSnafu {
@@ -107,8 +106,8 @@ where
 #[instrument(skip(secret_ref, client))]
 pub async fn ca_from_k8s_secret_ref<SK>(
     secret_ref: &SecretReference,
-    key_certificate: &str,
-    key_private_key: &str,
+    certificate_key: &str,
+    private_key_key: &str,
     client: &Client,
 ) -> Result<CertificateAuthority<SK>, SecretError<SK::Error>>
 where
@@ -123,5 +122,5 @@ where
             secret_ref: secret_ref.to_owned(),
         })?;
 
-    ca_from_k8s_secret(secret, key_certificate, key_private_key)
+    ca_from_k8s_secret(secret, certificate_key, private_key_key)
 }

crates/stackable-certs/src/cert_builder.rs

@@ -22,7 +22,7 @@ use crate::{
     keys::CertificateKeypair,
 };
 
-/// Defines all error variants which can occur when creating a CertificateRequest
+/// Defines all error variants which can occur when creating a certificate
 #[derive(Debug, Snafu)]
 pub enum CreateCertificateError<E>
 where
@@ -37,8 +37,6 @@ where
         subject: String,
     },
 
-    // #[snafu(display("failed to create key pair"))]
-    // CreateKeyPair { source: Box<dyn std::error::Error> },
     #[snafu(display("failed to create key pair"))]
     CreateKeyPair { source: E },
 
@@ -275,9 +273,9 @@ mod tests {
             .find(|ext| ext.extn_id == ID_CE_SUBJECT_ALT_NAME)
             .expect("cert had no SAN extension");
 
-        let actual_sans = SubjectAltName::from_der(san_extension.extn_value.as_bytes())
+        let san_extension = SubjectAltName::from_der(san_extension.extn_value.as_bytes())
             .expect("failed to parse SAN");
-        let actual_sans = actual_sans
+        let actual_sans = san_extension
             .0
             .iter()
             .filter_map(|san| match san {

crates/stackable-certs/src/keys/mod.rs

@@ -20,7 +20,7 @@
 //!
 //! ```no_run
 //! use stackable_certs::keys::{rsa::SigningKey, CertificateKeypair};
-//! let key = SigningKey::new().unwrap();;
+//! let key = SigningKey::new().unwrap();
 //! ```
 //!
 //! It should be noted, that the crate is currently vulnerable to the recently

crates/stackable-webhook/CHANGELOG.md

@@ -4,11 +4,17 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- Use `ecdsa` keys instead of `rsa`. This is because generating 4096 bit `rsa` keys takes forever,
+  thus making webhook development nearly impossible ([#1044]).
+
 ### Fixed
 
 - Don't pull in the `aws-lc-rs` crate, as this currently fails to build in `make run-dev` ([#1043]).
 
 [#1043]: https://github.com/stackabletech/operator-rs/pull/1043
+[#1044]: https://github.com/stackabletech/operator-rs/pull/1044
 
 ## [0.3.1] - 2024-07-10
 

crates/stackable-webhook/src/tls.rs

@@ -114,6 +114,7 @@ impl TlsServer {
                     .build()
                     .build_ca()
                     .context(CreateCertificateAuthoritySnafu)?;
+
             let certificate = CertificateBuilder::builder()
                 .subject("CN=webhook")
                 .signed_by(&ca)