Merge branch 'main' into feat/handle-fqdn-hostnames

Author: dervoeti

CHANGELOG.md

@@ -13,16 +13,23 @@ All notable changes to this project will be documented in this file.
 
 - Made RSA key length configurable for certificates issued by cert-manager ([#528]).
 - Kerberos principal backends now also provision principals for IP address, not just DNS hostnames ([#552]).
+- OLM deployment helper ([#546]).
 
 ### Changed
 
 - Default to OCI for image metadata ([#544]).
 - [BREAKING] When using a fully qualified domain name, only the variant without the trailing dot is added to the SANs. This should only improve the behavior in scenarios where FQDNs are used and not affect anything else ([#564]).
 
+### Fixed
+
+- Underscores are now allowed in Kerberos principal names ([#563]).
+
 [#528]: https://github.com/stackabletech/secret-operator/pull/528
+[#544]: https://github.com/stackabletech/secret-operator/pull/544
+[#546]: https://github.com/stackabletech/secret-operator/pull/546
 [#548]: https://github.com/stackabletech/secret-operator/pull/548
 [#552]: https://github.com/stackabletech/secret-operator/pull/552
-[#544]: https://github.com/stackabletech/secret-operator/pull/544
+[#563]: https://github.com/stackabletech/secret-operator/pull/563
 [#564]: https://github.com/stackabletech/secret-operator/pull/564
 
 ## [24.11.1] - 2025-01-10

Cargo.lock

@@ -20,8 +20,8 @@ clap = "4.5"
 futures = { version = "0.3", features = ["compat"] }
 h2 = "0.4"
 ldap3 = { version = "0.11", default-features = false, features = [
-    "gssapi",
-    "tls",
+  "gssapi",
+  "tls",
 ] }
 libc = "0.2"
 native-tls = "0.2"
@@ -49,6 +49,7 @@ tonic-build = "0.12"
 tonic-reflection = "0.12"
 tracing = "0.1"
 tracing-subscriber = "0.3"
+walkdir = "2.5.0"
 uuid = { version = "1.10.0", features = ["v4"] }
 yasna = "0.5"
 

Cargo.toml

@@ -0,0 +1,27 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: secret-operator-deployer
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
+      tolerations:
+      - key: keep-out
+        value: "yes"
+        operator: Equal
+        effect: NoSchedule

nginx-deployment.yaml

@@ -0,0 +1,23 @@
+[package]
+name = "olm-deployer"
+description = "OLM deployment helper."
+version.workspace = true
+authors.workspace = true
+license.workspace = true
+edition.workspace = true
+repository.workspace = true
+publish = false
+
+[dependencies]
+anyhow.workspace = true
+clap.workspace = true
+tokio.workspace = true
+tracing.workspace = true
+stackable-operator.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+serde_yaml.workspace = true
+walkdir.workspace = true
+
+[build-dependencies]
+built.workspace = true

rust/olm-deployer/Cargo.toml

@@ -0,0 +1,26 @@
+# How to test
+
+Requirements:
+
+1. An OpenShift cluster.
+2. Checkout the branch `secret-olm-deployer` from the [operators](https://github.com/stackabletech/openshift-certified-operators/tree/secret-olm-deployer) repo.
+3. Clone the `stackable-utils` [repo](https://github.com/stackabletech/stackable-utils)
+
+Install the secret operator using OLM and the `olm-deployer`. From the `stackable-utils` repo, run:
+
+```bash
+$ ./olm/build-bundles.sh -c $HOME/repo/stackable/openshift-certified-operators -r 24.11.0 -o secret -d
+...
+```
+
+[!NOTE]
+Bundle images are published to `oci.stackable.tech` so you need to log in there first.
+
+The secret op and all it's dependencies should be installed and running in the `stackable-operators` namespace.
+
+Run the integration tests:
+
+```bash
+$ ./scripts/run-tests --skip-operator secret --test-suite openshift
+...
+```

rust/olm-deployer/README.md

@@ -0,0 +1,3 @@
+fn main() {
+    built::write_built_file().unwrap();
+}

rust/olm-deployer/build.rs

@@ -0,0 +1,75 @@
+use anyhow::{bail, Result};
+use stackable_operator::kube::{api::DynamicObject, ResourceExt};
+
+pub fn data_field_as_mut<'a>(
+    value: &'a mut serde_json::Value,
+    pointer: &str,
+) -> Result<&'a mut serde_json::Value> {
+    match value.pointer_mut(pointer) {
+        Some(field) => Ok(field),
+        x => bail!("invalid pointer {pointer} for object {x:?}"),
+    }
+}
+
+pub fn container<'a>(
+    target: &'a mut DynamicObject,
+    container_name: &str,
+) -> anyhow::Result<&'a mut serde_json::Value> {
+    let tname = target.name_any();
+    let path = "template/spec/containers".split("/");
+    match get_or_create(target.data.pointer_mut("/spec").unwrap(), path)? {
+        serde_json::Value::Array(containers) => {
+            for c in containers {
+                if c.is_object() {
+                    if let Some(serde_json::Value::String(name)) = c.get("name") {
+                        if container_name == name {
+                            return Ok(c);
+                        }
+                    }
+                } else {
+                    anyhow::bail!("container is not a object: {:?}", c);
+                }
+            }
+            anyhow::bail!("container named {container_name} not found");
+        }
+        _ => anyhow::bail!("no containers found in object {tname}"),
+    }
+}
+
+/// Returns the object nested in `root` by traversing the `path` of nested keys.
+/// Creates any missing objects in path.
+/// In case of success, the returned value is either the existing object or
+/// serde_json::Value::Null.
+/// Returns an error if any of the nested objects has a type other than map.
+pub fn get_or_create<'a, 'b, I>(
+    root: &'a mut serde_json::Value,
+    path: I,
+) -> anyhow::Result<&'a mut serde_json::Value>
+where
+    I: IntoIterator<Item = &'b str>,
+{
+    let mut iter = path.into_iter();
+    match iter.next() {
+        None => Ok(root),
+        Some(first) => {
+            let new_root = get_or_insert_default_object(root, first)?;
+            get_or_create(new_root, iter)
+        }
+    }
+}
+
+/// Given a map object create or return the object corresponding to the given `key`.
+fn get_or_insert_default_object<'a>(
+    value: &'a mut serde_json::Value,
+    key: &str,
+) -> anyhow::Result<&'a mut serde_json::Value> {
+    let map = match value {
+        serde_json::Value::Object(map) => map,
+        x @ serde_json::Value::Null => {
+            *x = serde_json::json!({});
+            x.as_object_mut().unwrap()
+        }
+        x => anyhow::bail!("invalid type {x:?}, expected map"),
+    };
+    Ok(map.entry(key).or_insert_with(|| serde_json::Value::Null))
+}