Provision Kerberos principals for IP addresses (#552)

nightkr · web-flow · commit add89d9f0f3d · 2025-01-23T14:06:24.000Z
* Provision principals for IP addresses * Add nodeport IP listener volume test * Changelog * Remove FQDNization from changelog It was reverted in #551
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,10 +12,7 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Made RSA key length configurable for certificates issued by cert-manager ([#528]).
-
-### Changed
-
-- Append a dot (`.`) to the default cluster domain to reduce DNS requests ([#543]).
+- Kerberos principal backends now also provision principals for IP address, not just DNS hostnames ([#552]).
 
 ### Fixed
 
@@ -26,8 +23,8 @@ All notable changes to this project will be documented in this file.
 
 [#528]: https://github.com/stackabletech/secret-operator/pull/528
 [#536]: https://github.com/stackabletech/secret-operator/pull/536
-[#543]: https://github.com/stackabletech/secret-operator/pull/543
 [#548]: https://github.com/stackabletech/secret-operator/pull/548
+[#552]: https://github.com/stackabletech/secret-operator/pull/552
 
 ## [24.11.0] - 2024-11-18
 
diff --git a/rust/operator-binary/src/backend/kerberos_keytab.rs b/rust/operator-binary/src/backend/kerberos_keytab.rs
@@ -208,13 +208,18 @@ cluster.local = {realm_name}
                             scope: scope.clone(),
                         })?
                 {
-                    if let Address::Dns(hostname) = addr {
-                        pod_principals.push(
-                            format!("{service_name}/{hostname}")
-                                .try_into()
-                                .context(PodPrincipalSnafu)?,
-                        );
-                    }
+                    pod_principals.push(
+                        match addr {
+                            Address::Dns(hostname) => {
+                                format!("{service_name}/{hostname}")
+                            }
+                            Address::Ip(ip) => {
+                                format!("{service_name}/{ip}")
+                            }
+                        }
+                        .try_into()
+                        .context(PodPrincipalSnafu)?,
+                    );
                 }
             }
         }
diff --git a/tests/templates/kuttl/kerberos/01-install-kdc.yaml.j2 b/tests/templates/kuttl/kerberos/01-install-kdc.yaml.j2
@@ -3,6 +3,7 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
   - script: envsubst '$NAMESPACE' < secretclass.yaml | kubectl apply -f -
+  - script: envsubst '$NAMESPACE' < listenerclass.yaml | kubectl apply -f -
 ---
 apiVersion: apps/v1
 kind: StatefulSet
diff --git a/tests/templates/kuttl/kerberos/kinit-client.yaml.j2 b/tests/templates/kuttl/kerberos/kinit-client.yaml.j2
@@ -21,6 +21,10 @@ spec:
               klist -k /stackable/krb/keytab -teKC
               echo kiniting node
               kinit -kt /stackable/krb/keytab -p HTTP/$NODE_NAME
+              echo kiniting node ip
+              NODE_IP="$(cat /stackable/listener/nodeport-ip/default-address/address)"
+              echo node ip is "$NODE_IP"
+              kinit -kt /stackable/krb/keytab -p "HTTP/$NODE_IP"
               echo kiniting service
               kinit -kt /stackable/krb/keytab -p HTTP/krb5-client.$NAMESPACE.svc.cluster.local
               echo kiniting pod
@@ -39,21 +43,39 @@ spec:
           volumeMounts:
             - mountPath: /stackable/krb
               name: kerberos
+            - mountPath: /stackable/listener/nodeport-ip
+              name: listener-nodeport-ip
+          ports:
+            - name: dummy
+              containerPort: 9999
       volumes:
         - name: kerberos
           ephemeral:
             volumeClaimTemplate:
               metadata:
                 annotations:
                   secrets.stackable.tech/class: kerberos-$NAMESPACE
-                  secrets.stackable.tech/scope: node,pod
+                  secrets.stackable.tech/scope: node,pod,listener-volume=listener-nodeport-ip
               spec:
                 storageClassName: secrets.stackable.tech
                 accessModes:
                   - ReadWriteOnce
                 resources:
                   requests:
                     storage: "1"
+        - name: listener-nodeport-ip
+          ephemeral:
+            volumeClaimTemplate:
+              metadata:
+                annotations:
+                  listeners.stackable.tech/listener-class: nodeport-ip-$NAMESPACE
+              spec:
+                storageClassName: listeners.stackable.tech
+                accessModes:
+                  - ReadWriteOnce
+                resources:
+                  requests:
+                    storage: "1"
       restartPolicy: Never
       terminationGracePeriodSeconds: 0
       subdomain: krb5-client
diff --git a/tests/templates/kuttl/kerberos/listenerclass.yaml b/tests/templates/kuttl/kerberos/listenerclass.yaml
@@ -0,0 +1,9 @@
+# $NAMESPACE will be replaced with the namespace of the test case.
+---
+apiVersion: listeners.stackable.tech/v1alpha1
+kind: ListenerClass
+metadata:
+  name: nodeport-ip-$NAMESPACE
+spec:
+  serviceType: NodePort
+  preferredAddressType: IP
