diff --git a/CHANGELOG.md b/CHANGELOG.md index a1f72c51..4e282207 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Fixed + +- Fix OIDC endpoint construction in case the `rootPath` does have a trailing slash ([#673]). +- BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be + deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after + restart ([#672]). + +[#672]: https://github.com/stackabletech/trino-operator/pull/672 +[#673]: https://github.com/stackabletech/trino-operator/pull/673 + ## [24.11.0] - 2024-11-18 ### Added diff --git a/Cargo.lock b/Cargo.lock index 0144c60e..b0e586fc 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2225,8 +2225,8 @@ checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" [[package]] name = "stackable-operator" -version = "0.80.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#6fbe32300b60f95e0baa2ab0ff2daf961b06531c" +version = "0.82.0" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" dependencies = [ "chrono", "clap", @@ -2264,7 +2264,7 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#6fbe32300b60f95e0baa2ab0ff2daf961b06531c" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" dependencies = [ "darling", "proc-macro2", 
@@ -2275,7 +2275,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.0.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#6fbe32300b60f95e0baa2ab0ff2daf961b06531c" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" dependencies = [ "kube", "semver", diff --git a/Cargo.nix b/Cargo.nix index 75bf100b..5f5e8278 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -6816,13 +6816,13 @@ rec { }; "stackable-operator" = rec { crateName = "stackable-operator"; - version = "0.80.0"; + version = "0.82.0"; edition = "2021"; workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; - rev = "6fbe32300b60f95e0baa2ab0ff2daf961b06531c"; - sha256 = "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3"; + rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; + sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; }; libName = "stackable_operator"; authors = [ @@ -6979,8 +6979,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; - rev = "6fbe32300b60f95e0baa2ab0ff2daf961b06531c"; - sha256 = "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3"; + rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; + sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -7014,8 +7014,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; - rev = "6fbe32300b60f95e0baa2ab0ff2daf961b06531c"; - sha256 = "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3"; + rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; + sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; }; libName = "stackable_shared"; authors = [ diff --git a/Cargo.toml b/Cargo.toml index 47c9e994..f2e17024 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -24,7 +24,7 @@ serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" serde_yaml = "0.9" snafu = "0.8" -stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.80.0" } +stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.82.0" } product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" } strum = { version = "0.26", features = ["derive"] } tokio = { version = "1.40", features = ["full"] } diff --git a/Makefile b/Makefile index 94cb81bb..343086c9 100644 --- a/Makefile +++ b/Makefile @@ -29,6 +29,9 @@ SHELL=/usr/bin/env bash -euo pipefail render-readme: scripts/render_readme.sh +render-docs: + scripts/docs_templating.sh + ## Docker related targets docker-build: docker build --force-rm --build-arg VERSION=${VERSION} -t "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" -f docker/Dockerfile . diff --git a/crate-hashes.json b/crate-hashes.json index 562fb18b..0ca37e6e 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
@@ -1,6 +1,6 @@ { - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#stackable-operator-derive@0.3.1": "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#stackable-operator@0.80.0": "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#stackable-shared@0.0.1": "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-operator-derive@0.3.1": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-operator@0.82.0": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-shared@0.0.1": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", "git+https://github.com/stackabletech/product-config.git?tag=0.7.0#product-config@0.7.0": "0gjsm80g6r75pm3824dcyiz4ysq1ka4c1if6k1mjm9cnd5ym0gny" } \ No newline at end of file diff --git a/docs/modules/trino/examples/getting_started/code/getting_started.sh b/docs/modules/trino/examples/getting_started/code/getting_started.sh index 7a82283f..be06c70c 100755 --- a/docs/modules/trino/examples/getting_started/code/getting_started.sh +++ b/docs/modules/trino/examples/getting_started/code/getting_started.sh @@ -2,17 +2,7 @@ set -euo pipefail # DO NOT EDIT THE SCRIPT -# Instead, update the j2 template, and regenerate it for dev: -# cat < = std::result::Result; pub struct ResolvedAuthenticationClassRef { /// An [AuthenticationClass](DOCS_BASE_URL_PLACEHOLDER/concepts/authentication) to use. pub authentication_class: AuthenticationClass, - pub oidc: Option, + pub client_auth_options: Option, } /// Retrieve all provided AuthenticationClass references. 
@@ -43,7 +43,7 @@ pub async fn resolve_authentication_classes( let auth_class_name = resolved_auth_class.name_any(); resolved_auth_classes.push(ResolvedAuthenticationClassRef { - oidc: match &resolved_auth_class.spec.provider { + client_auth_options: match &resolved_auth_class.spec.provider { AuthenticationClassProvider::Oidc(_) => Some( client_authentication_detail .oidc_or_error(&auth_class_name) diff --git a/rust/operator-binary/src/authentication/mod.rs b/rust/operator-binary/src/authentication/mod.rs index b6cdcf86..bfad5804 100644 --- a/rust/operator-binary/src/authentication/mod.rs +++ b/rust/operator-binary/src/authentication/mod.rs @@ -508,7 +508,7 @@ impl TryFrom> for TrinoAuthenticationTypes { ); } AuthenticationClassProvider::Oidc(provider) => { - let oidc = resolved_auth_class.oidc.context( + let oidc = resolved_auth_class.client_auth_options.context( OidcAuthenticationDetailsNotSpecifiedSnafu { auth_class_name: auth_class_name.clone(), }, @@ -591,7 +591,7 @@ mod tests { ResolvedAuthenticationClassRef { authentication_class: input, - oidc: None, + client_auth_options: None, } } @@ -610,7 +610,7 @@ mod tests { ResolvedAuthenticationClassRef { authentication_class: input, - oidc: None, + client_auth_options: None, } } @@ -636,7 +636,7 @@ mod tests { ResolvedAuthenticationClassRef { authentication_class: input, - oidc: None, + client_auth_options: None, } } @@ -651,7 +651,7 @@ mod tests { provider: oidc: hostname: {HOST_NAME} - rootPath: /realms/master + rootPath: /realms/master/ scopes: ["openid"] principalClaim: preferred_username "#, @@ -663,7 +663,7 @@ mod tests { deserializer, ) .unwrap(), - oidc: Some(ClientAuthenticationOptions { + client_auth_options: Some(ClientAuthenticationOptions { client_credentials_secret_ref: "my-oidc-secret".to_string(), extra_scopes: Vec::new(), product_specific_fields: (), diff --git a/rust/operator-binary/src/authentication/oidc/mod.rs b/rust/operator-binary/src/authentication/oidc/mod.rs index 05104f00..8b75b547 100644 
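Review bot: In the `resolve_authentication_classes` hunk the renamed field `client_auth_options` is still filled only in the `AuthenticationClassProvider::Oidc(_)` arm through `oidc_or_error`, and the consumer in `authentication/mod.rs` still binds it to a local named `oidc`, so the new name hides that the value is OIDC-specific. A doc comment on the struct field would keep that contract readable, for example `/// Client authentication options taken from the cluster's authentication entry; set for OIDC AuthenticationClasses.`. The other match arms and the rest of the function lie outside the hunk, so confirm they all yield `None` before documenting the field as OIDC-only.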
--- a/rust/operator-binary/src/authentication/oidc/mod.rs +++ b/rust/operator-binary/src/authentication/oidc/mod.rs @@ -210,10 +210,10 @@ mod tests { use std::mem; use super::*; + use rstest::rstest; use stackable_trino_crd::Container; const IDP_PORT: u16 = 8080; - const IDP_ROOT_PATH: &str = "/realms/master"; const IDP_SCOPE_1: &str = "openid"; const IDP_SCOPE_2: &str = "test"; const AUTH_CLASS_NAME_1: &str = "trino-oidc-auth-1"; @@ -223,12 +223,13 @@ mod tests { fn setup_test_authenticator( auth_class_name: &str, credential_secret: String, + root_path: &str, ) -> OidcAuthenticator { let input = format!( r#" hostname: keycloak port: {IDP_PORT} - rootPath: {IDP_ROOT_PATH} + rootPath: {root_path} scopes: - {IDP_SCOPE_1} principalClaim: preferred_username @@ -249,8 +250,16 @@ mod tests { #[test] fn test_oidc_authentication_limit_one_error() { let oidc_authentication = TrinoOidcAuthentication::new(vec![ - setup_test_authenticator(AUTH_CLASS_NAME_1, AUTH_CLASS_CREDENTIAL_SECRET.to_string()), - setup_test_authenticator(AUTH_CLASS_NAME_2, AUTH_CLASS_CREDENTIAL_SECRET.to_string()), + setup_test_authenticator( + AUTH_CLASS_NAME_1, + AUTH_CLASS_CREDENTIAL_SECRET.to_string(), + "/", + ), + setup_test_authenticator( + AUTH_CLASS_NAME_2, + AUTH_CLASS_CREDENTIAL_SECRET.to_string(), + "/", + ), ]); let error = oidc_authentication 
@@ -264,17 +273,21 @@ mod tests { ); } - #[test] - fn test_oidc_authentication_settings() { + #[rstest] + #[case("/realms/sdp")] + #[case("/realms/sdp/")] + #[case("/realms/sdp/////")] + fn test_oidc_authentication_settings(#[case] root_path: &str) { let oidc_authentication = TrinoOidcAuthentication::new(vec![setup_test_authenticator( AUTH_CLASS_NAME_1, AUTH_CLASS_CREDENTIAL_SECRET.to_string(), + root_path, )]); let trino_oidc_auth = oidc_authentication.oauth2_authentication_config().unwrap(); assert_eq!( - Some(&format!("http://keycloak:{IDP_PORT}{IDP_ROOT_PATH}")), + Some(&format!("http://keycloak:{IDP_PORT}/realms/sdp")), trino_oidc_auth .config_properties .get(&TrinoRole::Coordinator) diff --git a/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2 b/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2 index af0b04bf..2c90ac43 100644 --- a/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2 +++ b/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2 @@ -8,7 +8,7 @@ spec: oidc: hostname: keycloak.$NAMESPACE.svc.cluster.local port: 8443 - rootPath: /realms/stackable + rootPath: /realms/stackable/ scopes: - openid principalClaim: preferred_username diff --git a/tests/templates/kuttl/opa-authorization/03-install-hive.yaml.j2 b/tests/templates/kuttl/opa-authorization/03-install-hive.yaml.j2 index 4563414b..9eff5093 100644 --- a/tests/templates/kuttl/opa-authorization/03-install-hive.yaml.j2 +++ b/tests/templates/kuttl/opa-authorization/03-install-hive.yaml.j2 @@ -32,4 +32,4 @@ metadata: type: Opaque stringData: username: hive - password: hive + password: hive
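Review bot: The three `#[case]` rows of `test_oidc_authentication_settings` vary only the trailing slashes of one path, so the inputs closest to the fix are not pinned: a `rootPath` of just `/` (passed in `test_oidc_authentication_limit_one_error`, but never asserted on) and a path without a leading slash. As far as the visible hunks show, the normalisation comes in with the operator-rs bump rather than from code in this repository, and the asserted value is presumably the URL Trino is configured with for the identity provider, so a silent change upstream would alter it without a failing test here. I would give the test a second parameter for the expected URL, `fn test_oidc_authentication_settings(#[case] root_path: &str, #[case] expected: &str)`, and add a row such as `#[case("/", "<expected URL for a bare root path>")]` with the value the project intends. The test body continues past the end of the hunk.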