feat: Add v1alpha2, rename experimentalGenerateSamAccountName

Author: Techassi

rust/operator-binary/src/backend/cert_manager.rs

@@ -20,7 +20,7 @@ use super::{
     scope::SecretScope,
 };
 use crate::{
-    crd::v1alpha1,
+    crd::v1alpha2,
     external_crd::{self, cert_manager::CertificatePrivateKey},
     format::SecretData,
     utils::Unloggable,
@@ -99,7 +99,7 @@ impl SecretBackendError for Error {
 pub struct CertManager {
     // Not secret per se, but Client isn't Debug: https://github.com/stackabletech/secret-operator/issues/411
     pub client: Unloggable<stackable_operator::client::Client>,
-    pub config: v1alpha1::CertManagerBackend,
+    pub config: v1alpha2::CertManagerBackend,
 }
 
 #[async_trait]
@@ -160,7 +160,7 @@ impl SecretBackend for CertManager {
                     kind: Some(self.config.issuer.kind.to_string()),
                 },
                 private_key: match self.config.key_generation {
-                    v1alpha1::CertificateKeyGeneration::Rsa { length } => CertificatePrivateKey {
+                    v1alpha2::CertificateKeyGeneration::Rsa { length } => CertificatePrivateKey {
                         algorithm: "RSA".to_string(),
                         size: length,
                     },

rust/operator-binary/src/backend/dynamic.rs

@@ -15,7 +15,7 @@ use super::{
     pod_info::{PodInfo, SchedulingPodInfo},
     tls,
 };
-use crate::{crd::v1alpha1, utils::Unloggable};
+use crate::{crd::v1alpha2, utils::Unloggable};
 
 pub struct DynError(Box<dyn SecretBackendError>);
 
@@ -126,18 +126,18 @@ impl SecretBackendError for FromClassError {
 
 pub async fn from_class(
     client: &stackable_operator::client::Client,
-    class: v1alpha1::SecretClass,
+    class: v1alpha2::SecretClass,
 ) -> Result<Box<Dynamic>, FromClassError> {
     Ok(match class.spec.backend {
-        v1alpha1::SecretClassBackend::K8sSearch(v1alpha1::K8sSearchBackend {
+        v1alpha2::SecretClassBackend::K8sSearch(v1alpha2::K8sSearchBackend {
             search_namespace,
             trust_store_config_map_name,
         }) => from(super::K8sSearch {
             client: Unloggable(client.clone()),
             search_namespace,
             trust_store_config_map_name,
         }),
-        v1alpha1::SecretClassBackend::AutoTls(v1alpha1::AutoTlsBackend {
+        v1alpha2::SecretClassBackend::AutoTls(v1alpha2::AutoTlsBackend {
             ca,
             additional_trust_roots,
             max_certificate_lifetime,
@@ -150,11 +150,11 @@ pub async fn from_class(
             )
             .await?,
         ),
-        v1alpha1::SecretClassBackend::CertManager(config) => from(super::CertManager {
+        v1alpha2::SecretClassBackend::CertManager(config) => from(super::CertManager {
             client: Unloggable(client.clone()),
             config,
         }),
-        v1alpha1::SecretClassBackend::KerberosKeytab(v1alpha1::KerberosKeytabBackend {
+        v1alpha2::SecretClassBackend::KerberosKeytab(v1alpha2::KerberosKeytabBackend {
             realm_name,
             kdc,
             admin,
@@ -182,14 +182,14 @@ pub enum FromSelectorError {
     #[snafu(display("failed to get {class}"))]
     GetSecretClass {
         source: stackable_operator::client::Error,
-        class: ObjectRef<v1alpha1::SecretClass>,
+        class: ObjectRef<v1alpha2::SecretClass>,
     },
 
     #[snafu(display("failed to initialize backend for {class}"))]
     FromClass {
         #[snafu(source(from(FromClassError, Box::new)))]
         source: Box<FromClassError>,
-        class: ObjectRef<v1alpha1::SecretClass>,
+        class: ObjectRef<v1alpha2::SecretClass>,
     },
 }
 
@@ -217,7 +217,7 @@ pub async fn from_selector(
 ) -> Result<Box<Dynamic>, FromSelectorError> {
     let class_ref = || ObjectRef::new(&selector.class);
     let class = client
-        .get::<v1alpha1::SecretClass>(&selector.class, &())
+        .get::<v1alpha2::SecretClass>(&selector.class, &())
         .await
         .with_context(|_| from_selector_error::GetSecretClassSnafu { class: class_ref() })?;
     from_class(client, class)

rust/operator-binary/src/backend/k8s_search.rs

@@ -20,7 +20,7 @@ use super::{
     pod_info::{PodInfo, SchedulingPodInfo},
     scope::SecretScope,
 };
-use crate::{crd::v1alpha1, format::SecretData, utils::Unloggable};
+use crate::{crd::v1alpha2, format::SecretData, utils::Unloggable};
 
 const LABEL_CLASS: &str = "secrets.stackable.tech/class";
 pub(super) const LABEL_SCOPE_NODE: &str = "secrets.stackable.tech/node";
@@ -89,7 +89,7 @@ impl SecretBackendError for Error {
 pub struct K8sSearch {
     // Not secret per se, but isn't Debug: https://github.com/stackabletech/secret-operator/issues/411
     pub client: Unloggable<stackable_operator::client::Client>,
-    pub search_namespace: v1alpha1::SearchNamespace,
+    pub search_namespace: v1alpha2::SearchNamespace,
     pub trust_store_config_map_name: Option<String>,
 }
 

rust/operator-binary/src/backend/kerberos_keytab.rs

@@ -22,7 +22,7 @@ use super::{
     scope::SecretScope,
 };
 use crate::{
-    crd::{KerberosPrincipal, v1alpha1},
+    crd::{self, KerberosPrincipal, v1alpha2},
     format::{SecretData, WellKnownSecretData, well_known},
     utils::Unloggable,
 };
@@ -60,7 +60,7 @@ pub enum Error {
 
     #[snafu(display("generated invalid Kerberos principal for pod"))]
     PodPrincipal {
-        source: v1alpha1::InvalidKerberosPrincipal,
+        source: crd::InvalidKerberosPrincipal,
     },
 
     #[snafu(display("failed to read the provisioned keytab"))]
@@ -105,7 +105,7 @@ impl SecretBackendError for Error {
 pub struct KerberosProfile {
     pub realm_name: KerberosRealmName,
     pub kdc: HostName,
-    pub admin: v1alpha1::KerberosKeytabBackendAdmin,
+    pub admin: v1alpha2::KerberosKeytabBackendAdmin,
 }
 
 #[derive(Debug)]
@@ -168,10 +168,12 @@ impl SecretBackend for KerberosKeytab {
         } = self;
 
         let admin_server_clause = match admin {
-            v1alpha1::KerberosKeytabBackendAdmin::Mit { kadmin_server } => {
+            v1alpha2::KerberosKeytabBackendAdmin::Mit(v1alpha2::KerberosKeytabBackendMit {
+                kadmin_server,
+            }) => {
                 format!("  admin_server = {kadmin_server}")
             }
-            v1alpha1::KerberosKeytabBackendAdmin::ActiveDirectory { .. } => String::new(),
+            v1alpha2::KerberosKeytabBackendAdmin::ActiveDirectory { .. } => String::new(),
         };
 
         let tmp = tempdir().context(TempSetupSnafu)?;
@@ -253,24 +255,26 @@ cluster.local = {realm_name}
                     })
                     .collect(),
                 admin_backend: match admin {
-                    v1alpha1::KerberosKeytabBackendAdmin::Mit { .. } => {
+                    v1alpha2::KerberosKeytabBackendAdmin::Mit { .. } => {
                         stackable_krb5_provision_keytab::AdminBackend::Mit
                     }
-                    v1alpha1::KerberosKeytabBackendAdmin::ActiveDirectory {
-                        ldap_server,
-                        ldap_tls_ca_secret,
-                        password_cache_secret,
-                        user_distinguished_name,
-                        schema_distinguished_name,
-                        generate_sam_account_name,
-                    } => stackable_krb5_provision_keytab::AdminBackend::ActiveDirectory {
+                    v1alpha2::KerberosKeytabBackendAdmin::ActiveDirectory(
+                        v1alpha2::KerberosKeytabBackendActiveDirectory {
+                            ldap_server,
+                            ldap_tls_ca_secret,
+                            password_cache_secret,
+                            user_distinguished_name,
+                            schema_distinguished_name,
+                            generate_sam_account_name,
+                        },
+                    ) => stackable_krb5_provision_keytab::AdminBackend::ActiveDirectory {
                         ldap_server: ldap_server.to_string(),
                         ldap_tls_ca_secret: ldap_tls_ca_secret.clone(),
                         password_cache_secret: password_cache_secret.clone(),
                         user_distinguished_name: user_distinguished_name.clone(),
                         schema_distinguished_name: schema_distinguished_name.clone(),
                         generate_sam_account_name: generate_sam_account_name.clone().map(
-                            |v1alpha1::ActiveDirectorySamAccountNameRules {
+                            |v1alpha2::ActiveDirectorySamAccountNameRules {
                                  prefix,
                                  total_length,
                              }| {

rust/operator-binary/src/backend/tls/ca.rs

@@ -38,7 +38,7 @@ use tracing::{info, info_span, warn};
 
 use crate::{
     backend::SecretBackendError,
-    crd::v1alpha1,
+    crd::v1alpha2,
     utils::{Asn1TimeParseError, Unloggable, asn1time_to_offsetdatetime},
 };
 
@@ -202,7 +202,7 @@ pub struct Config {
     pub rotate_if_ca_expires_before: Option<Duration>,
 
     /// Configuration how TLS private keys should be created.
-    pub key_generation: v1alpha1::CertificateKeyGeneration,
+    pub key_generation: v1alpha2::CertificateKeyGeneration,
 }
 
 /// A single certificate authority certificate.
@@ -241,7 +241,7 @@ impl CertificateAuthority {
             Conf::new(ConfMethod::default()).expect("failed to initialize OpenSSL configuration");
 
         let private_key_length = match config.key_generation {
-            v1alpha1::CertificateKeyGeneration::Rsa { length } => length,
+            v1alpha2::CertificateKeyGeneration::Rsa { length } => length,
         };
 
         let private_key = Rsa::generate(private_key_length)
@@ -348,7 +348,7 @@ impl Manager {
     pub async fn load_or_create(
         client: &stackable_operator::client::Client,
         secret_ref: &SecretReference,
-        additional_trust_roots: &[v1alpha1::AdditionalTrustRoot],
+        additional_trust_roots: &[v1alpha2::AdditionalTrustRoot],
         config: &Config,
     ) -> Result<Self> {
         // Use entry API rather than apply so that we crash and retry on conflicts (to avoid creating spurious certs that we throw away immediately)
@@ -496,10 +496,10 @@ impl Manager {
         let mut additional_trusted_certificates = vec![];
         for entry in additional_trust_roots {
             let certs = match entry {
-                v1alpha1::AdditionalTrustRoot::ConfigMap(config_map) => {
+                v1alpha2::AdditionalTrustRoot::ConfigMap(config_map) => {
                     Self::read_extra_trust_roots_from_config_map(client, config_map).await?
                 }
-                v1alpha1::AdditionalTrustRoot::Secret(secret) => {
+                v1alpha2::AdditionalTrustRoot::Secret(secret) => {
                     Self::read_extra_trust_roots_from_secret(client, secret).await?
                 }
             };

rust/operator-binary/src/backend/tls/mod.rs

@@ -33,7 +33,7 @@ use super::{
     scope::SecretScope,
 };
 use crate::{
-    crd::v1alpha1,
+    crd::v1alpha2,
     format::{SecretData, WellKnownSecretData, well_known},
     utils::iterator_try_concat_bytes,
 };
@@ -150,7 +150,7 @@ impl SecretBackendError for Error {
 pub struct TlsGenerate {
     ca_manager: ca::Manager,
     max_cert_lifetime: Duration,
-    key_generation: v1alpha1::CertificateKeyGeneration,
+    key_generation: v1alpha2::CertificateKeyGeneration,
 }
 
 impl TlsGenerate {
@@ -162,13 +162,13 @@ impl TlsGenerate {
     /// an independent self-signed CA.
     pub async fn get_or_create_k8s_certificate(
         client: &stackable_operator::client::Client,
-        v1alpha1::AutoTlsCa {
+        v1alpha2::AutoTlsCa {
             secret: ca_secret,
             auto_generate: auto_generate_ca,
             ca_certificate_lifetime,
             key_generation,
-        }: &v1alpha1::AutoTlsCa,
-        additional_trust_roots: &[v1alpha1::AdditionalTrustRoot],
+        }: &v1alpha2::AutoTlsCa,
+        additional_trust_roots: &[v1alpha2::AdditionalTrustRoot],
         max_cert_lifetime: Duration,
     ) -> Result<Self> {
         Ok(Self {
@@ -260,7 +260,7 @@ impl SecretBackend for TlsGenerate {
             Conf::new(ConfMethod::default()).expect("failed to initialize OpenSSL configuration");
 
         let pod_key_length = match self.key_generation {
-            v1alpha1::CertificateKeyGeneration::Rsa { length } => length,
+            v1alpha2::CertificateKeyGeneration::Rsa { length } => length,
         };
 
         let pod_key = Rsa::generate(pod_key_length)