From f1b421d8de6a4e437b3df71ef3d71d9093f148cb Mon Sep 17 00:00:00 2001 From: Techassi Date: Mon, 18 Nov 2024 16:16:54 +0100 Subject: [PATCH 1/6] Update CHANGELOG.md from release 24.11.0 --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e0561046..a1f72c51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +## [24.11.0] - 2024-11-18 + ### Added - Added support for Trino 455 ([#638]). From 24a9a9f85cc093dae6f00859b7cfe247969678be Mon Sep 17 00:00:00 2001 From: Stacky McStackface <95074132+stackable-bot@users.noreply.github.com> Date: Mon, 18 Nov 2024 22:49:44 +0100 Subject: [PATCH 2/6] chore: Generated commit to update templated files since the last template run up to stackabletech/operator-templating@fd40109c1bd66c79fa74bf67a5b5bff1e3a96ce8 (#670) Reference-to: stackabletech/operator-templating@fd40109 (Add make render-doc command) --- Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Makefile b/Makefile index 94cb81bb..343086c9 100644 --- a/Makefile +++ b/Makefile @@ -29,6 +29,9 @@ SHELL=/usr/bin/env bash -euo pipefail render-readme: scripts/render_readme.sh +render-docs: + scripts/docs_templating.sh + ## Docker related targets docker-build: docker build --force-rm --build-arg VERSION=${VERSION} -t "${DOCKER_REPO}/${ORGANIZATION}/${OPERATOR_NAME}:${VERSION}-${ARCH}" -f docker/Dockerfile . From 0609a152c54f0e10ecea063b423a194dd6d4e395 Mon Sep 17 00:00:00 2001 From: Nick <10092581+NickLarsenNZ@users.noreply.github.com> Date: Wed, 20 Nov 2024 21:09:29 +1300 Subject: [PATCH 3/6] chore(getting_started): replace templating instructions with make (#668) --- .../examples/getting_started/code/getting_started.sh | 12 +----------- .../getting_started/code/getting_started.sh.j2 | 12 +----------- 2 files changed, 2 insertions(+), 22 deletions(-) 
diff --git a/docs/modules/trino/examples/getting_started/code/getting_started.sh b/docs/modules/trino/examples/getting_started/code/getting_started.sh index 6de045b4..bba9cf4e 100755 --- a/docs/modules/trino/examples/getting_started/code/getting_started.sh +++ b/docs/modules/trino/examples/getting_started/code/getting_started.sh @@ -2,17 +2,7 @@ set -euo pipefail # DO NOT EDIT THE SCRIPT -# Instead, update the j2 template, and regenerate it for dev: -# cat < Date: Mon, 25 Nov 2024 11:25:20 +0100 Subject: [PATCH 4/6] fix: Construction of OIDC endpoint when rootPath has a trailing slash (#673) * fix: Calculation of OIDC endpoint when rootPath has a trailing slash * Update test * Use op-rs 0.82.0 * nixfiles * Update tests and docs * changelog * Rename oidc -> client_auth_options --- CHANGELOG.md | 2 ++ Cargo.lock | 8 +++--- Cargo.nix | 14 +++++----- Cargo.toml | 2 +- crate-hashes.json | 6 ++--- .../usage-guide/trino-oidc-auth-snippet.yaml | 2 +- examples/simple-trino-oauth2.yaml | 2 +- rust/crd/src/authentication.rs | 4 +-- .../operator-binary/src/authentication/mod.rs | 12 ++++----- .../src/authentication/oidc/mod.rs | 27 ++++++++++++++----- .../create-authentication-classes.yaml.j2 | 2 +- 11 files changed, 48 insertions(+), 33 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1f72c51..7c61502f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,7 @@ All notable changes to this project will be documented in this file. - Don't ignore envOverrides ([#633]). - Don't print credentials to STDOUT during startup. Ideally we should use [config-utils](https://github.com/stackabletech/config-utils), but that's not easy (see [here](https://github.com/stackabletech/trino-operator/tree/fix/secret-printing)) ([#634]). - Invalid `TrinoCluster`, `TrinoCatalog` or `AuthenticationClass` objects don't stop the operator from reconciliation ([#657]) +- Fix OIDC endpoint construction in case the `rootPath` does have a trailing slash ([#673]). ### Removed 
@@ -36,6 +37,7 @@ All notable changes to this project will be documented in this file. [#646]: https://github.com/stackabletech/trino-operator/pull/646 [#655]: https://github.com/stackabletech/trino-operator/pull/655 [#657]: https://github.com/stackabletech/trino-operator/pull/657 +[#673]: https://github.com/stackabletech/trino-operator/pull/673 ## [24.7.0] - 2024-07-24 diff --git a/Cargo.lock b/Cargo.lock index 645815c7..9eccdf12 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2225,8 +2225,8 @@ checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" [[package]] name = "stackable-operator" -version = "0.80.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#6fbe32300b60f95e0baa2ab0ff2daf961b06531c" +version = "0.82.0" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" dependencies = [ "chrono", "clap", @@ -2264,7 +2264,7 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#6fbe32300b60f95e0baa2ab0ff2daf961b06531c" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" dependencies = [ "darling", "proc-macro2", @@ -2275,7 +2275,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.0.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#6fbe32300b60f95e0baa2ab0ff2daf961b06531c" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" dependencies = [ "kube", "semver", diff --git a/Cargo.nix b/Cargo.nix index f1cef947..47c80888 100644 --- a/Cargo.nix +++ b/Cargo.nix 
@@ -6816,13 +6816,13 @@ rec { }; "stackable-operator" = rec { crateName = "stackable-operator"; - version = "0.80.0"; + version = "0.82.0"; edition = "2021"; workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; - rev = "6fbe32300b60f95e0baa2ab0ff2daf961b06531c"; - sha256 = "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3"; + rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; + sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; }; libName = "stackable_operator"; authors = [ @@ -6979,8 +6979,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; - rev = "6fbe32300b60f95e0baa2ab0ff2daf961b06531c"; - sha256 = "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3"; + rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; + sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -7014,8 +7014,8 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; - rev = "6fbe32300b60f95e0baa2ab0ff2daf961b06531c"; - sha256 = "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3"; + rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; + sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; }; libName = "stackable_shared"; authors = [ diff --git a/Cargo.toml b/Cargo.toml index 118c741d..b9c57ba9 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -24,7 +24,7 @@ serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" serde_yaml = "0.9" snafu = "0.8" -stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.80.0" } +stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.82.0" } product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" } strum = { version = "0.26", features = ["derive"] } tokio = { version = "1.40", features = ["full"] } diff --git a/crate-hashes.json b/crate-hashes.json index 562fb18b..0ca37e6e 100644 --- a/crate-hashes.json +++ b/crate-hashes.json @@ -1,6 +1,6 @@ { - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#stackable-operator-derive@0.3.1": "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#stackable-operator@0.80.0": "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.80.0#stackable-shared@0.0.1": "16jrq3wdwz63210jgmqbx3snrr15wxw6l1smqhzv7b7jpq8qvya3", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-operator-derive@0.3.1": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-operator@0.82.0": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-shared@0.0.1": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", "git+https://github.com/stackabletech/product-config.git?tag=0.7.0#product-config@0.7.0": "0gjsm80g6r75pm3824dcyiz4ysq1ka4c1if6k1mjm9cnd5ym0gny" } \ No newline at end of file 
diff --git a/docs/modules/trino/examples/usage-guide/trino-oidc-auth-snippet.yaml b/docs/modules/trino/examples/usage-guide/trino-oidc-auth-snippet.yaml index beda8d29..32534eef 100644 --- a/docs/modules/trino/examples/usage-guide/trino-oidc-auth-snippet.yaml +++ b/docs/modules/trino/examples/usage-guide/trino-oidc-auth-snippet.yaml @@ -21,7 +21,7 @@ spec: oidc: hostname: keycloak.default.svc.cluster.local port: 8080 - rootPath: /realms/stackable + rootPath: /realms/stackable/ scopes: - openid principalClaim: preferred_username diff --git a/examples/simple-trino-oauth2.yaml b/examples/simple-trino-oauth2.yaml index adc9a3bd..7f5f6ee8 100644 --- a/examples/simple-trino-oauth2.yaml +++ b/examples/simple-trino-oauth2.yaml @@ -53,7 +53,7 @@ spec: oidc: hostname: keycloak port: 8080 - rootPath: /realms/stackable + rootPath: /realms/stackable/ scopes: ["openid"] principalClaim: preferred_username --- diff --git a/rust/crd/src/authentication.rs b/rust/crd/src/authentication.rs index fad0d3d0..05c13e30 100644 --- a/rust/crd/src/authentication.rs +++ b/rust/crd/src/authentication.rs @@ -25,7 +25,7 @@ type Result = std::result::Result; pub struct ResolvedAuthenticationClassRef { /// An [AuthenticationClass](DOCS_BASE_URL_PLACEHOLDER/concepts/authentication) to use. pub authentication_class: AuthenticationClass, - pub oidc: Option, + pub client_auth_options: Option, } /// Retrieve all provided AuthenticationClass references. @@ -43,7 +43,7 @@ pub async fn resolve_authentication_classes( let auth_class_name = resolved_auth_class.name_any(); resolved_auth_classes.push(ResolvedAuthenticationClassRef { - oidc: match &resolved_auth_class.spec.provider { + client_auth_options: match &resolved_auth_class.spec.provider { AuthenticationClassProvider::Oidc(_) => Some( client_authentication_detail .oidc_or_error(&auth_class_name) diff --git a/rust/operator-binary/src/authentication/mod.rs b/rust/operator-binary/src/authentication/mod.rs index b6cdcf86..bfad5804 100644 
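Review bot: The renamed public field `client_auth_options` on `ResolvedAuthenticationClassRef` (rust/crd/src/authentication.rs, first hunk) still has no doc comment, although its sibling `authentication_class` has one. The second hunk shows it set to `Some(...)` in the `AuthenticationClassProvider::Oidc(_)` arm, and the other arms are outside the hunk, so the contract is not visible here. I would add something like `/// Client-side OIDC options (credentials Secret reference, extra scopes); expected to be set only for OIDC providers.` and confirm that wording against the remaining match arms. Because the field is `pub`, the rename breaks any code outside this repository that builds or reads the struct, which is worth checking before release. Both the struct and `resolve_authentication_classes` continue outside the hunks.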
--- a/rust/operator-binary/src/authentication/mod.rs +++ b/rust/operator-binary/src/authentication/mod.rs @@ -508,7 +508,7 @@ impl TryFrom> for TrinoAuthenticationTypes { ); } AuthenticationClassProvider::Oidc(provider) => { - let oidc = resolved_auth_class.oidc.context( + let oidc = resolved_auth_class.client_auth_options.context( OidcAuthenticationDetailsNotSpecifiedSnafu { auth_class_name: auth_class_name.clone(), }, @@ -591,7 +591,7 @@ mod tests { ResolvedAuthenticationClassRef { authentication_class: input, - oidc: None, + client_auth_options: None, } } @@ -610,7 +610,7 @@ mod tests { ResolvedAuthenticationClassRef { authentication_class: input, - oidc: None, + client_auth_options: None, } } @@ -636,7 +636,7 @@ mod tests { ResolvedAuthenticationClassRef { authentication_class: input, - oidc: None, + client_auth_options: None, } } @@ -651,7 +651,7 @@ mod tests { provider: oidc: hostname: {HOST_NAME} - rootPath: /realms/master + rootPath: /realms/master/ scopes: ["openid"] principalClaim: preferred_username "#, @@ -663,7 +663,7 @@ mod tests { deserializer, ) .unwrap(), - oidc: Some(ClientAuthenticationOptions { + client_auth_options: Some(ClientAuthenticationOptions { client_credentials_secret_ref: "my-oidc-secret".to_string(), extra_scopes: Vec::new(), product_specific_fields: (), diff --git a/rust/operator-binary/src/authentication/oidc/mod.rs b/rust/operator-binary/src/authentication/oidc/mod.rs index 05104f00..8b75b547 100644 --- a/rust/operator-binary/src/authentication/oidc/mod.rs +++ b/rust/operator-binary/src/authentication/oidc/mod.rs @@ -210,10 +210,10 @@ mod tests { use std::mem; use super::*; + use rstest::rstest; use stackable_trino_crd::Container; const IDP_PORT: u16 = 8080; - const IDP_ROOT_PATH: &str = "/realms/master"; const IDP_SCOPE_1: &str = "openid"; const IDP_SCOPE_2: &str = "test"; const AUTH_CLASS_NAME_1: &str = "trino-oidc-auth-1"; 
@@ -223,12 +223,13 @@ mod tests { fn setup_test_authenticator( auth_class_name: &str, credential_secret: String, + root_path: &str, ) -> OidcAuthenticator { let input = format!( r#" hostname: keycloak port: {IDP_PORT} - rootPath: {IDP_ROOT_PATH} + rootPath: {root_path} scopes: - {IDP_SCOPE_1} principalClaim: preferred_username @@ -249,8 +250,16 @@ mod tests { #[test] fn test_oidc_authentication_limit_one_error() { let oidc_authentication = TrinoOidcAuthentication::new(vec![ - setup_test_authenticator(AUTH_CLASS_NAME_1, AUTH_CLASS_CREDENTIAL_SECRET.to_string()), - setup_test_authenticator(AUTH_CLASS_NAME_2, AUTH_CLASS_CREDENTIAL_SECRET.to_string()), + setup_test_authenticator( + AUTH_CLASS_NAME_1, + AUTH_CLASS_CREDENTIAL_SECRET.to_string(), + "/", + ), + setup_test_authenticator( + AUTH_CLASS_NAME_2, + AUTH_CLASS_CREDENTIAL_SECRET.to_string(), + "/", + ), ]); let error = oidc_authentication @@ -264,17 +273,21 @@ mod tests { ); } - #[test] - fn test_oidc_authentication_settings() { + #[rstest] + #[case("/realms/sdp")] + #[case("/realms/sdp/")] + #[case("/realms/sdp/////")] + fn test_oidc_authentication_settings(#[case] root_path: &str) { let oidc_authentication = TrinoOidcAuthentication::new(vec![setup_test_authenticator( AUTH_CLASS_NAME_1, AUTH_CLASS_CREDENTIAL_SECRET.to_string(), + root_path, )]); let trino_oidc_auth = oidc_authentication.oauth2_authentication_config().unwrap(); assert_eq!( - Some(&format!("http://keycloak:{IDP_PORT}{IDP_ROOT_PATH}")), + Some(&format!("http://keycloak:{IDP_PORT}/realms/sdp")), trino_oidc_auth .config_properties .get(&TrinoRole::Coordinator) diff --git a/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2 b/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2 index af0b04bf..2c90ac43 100644 --- a/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2 +++ b/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2 
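Review bot: The `#[case]` list on `test_oidc_authentication_settings` only varies the trailing slashes after `/realms/sdp`. The bare `/` root path that `test_oidc_authentication_limit_one_error` now passes is never compared with an expected issuer URL. Every hunk in this file is inside `mod tests`, so the normalisation presumably comes from the stackable-operator 0.82.0 bump, which leaves these cases as the only thing in this repository pinning the behaviour. I would add a case for `rootPath: /` with its own expected value (to be confirmed against the library) and a comment above the cases such as `// Trailing slashes in rootPath must not change the issuer URL handed to Trino; an issuer that differs from what the IdP advertises may fail OIDC validation.` The test body continues past the end of the hunk.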
@@ -8,7 +8,7 @@ spec: oidc: hostname: keycloak.$NAMESPACE.svc.cluster.local port: 8443 - rootPath: /realms/stackable + rootPath: /realms/stackable/ scopes: - openid principalClaim: preferred_username From 791d2cb8d6495b6bf9e854b0bb98d469fd383736 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=B6nke=20Liebau?= Date: Mon, 25 Nov 2024 14:44:36 +0100 Subject: [PATCH 5/6] Use patched version of op-rs that hopefully addresses SUP-148. (#672) * Patch operator-rs to use a PR version which fixes SUP-148 * Update PR revision * Updated changelog Removed patched version of op-rs and pulled in 0.82 * Regenerate Nix files * Update Cargo.toml * Run pre-commit --------- Co-authored-by: Siegfried Weber --- CHANGELOG.md | 2 ++ tests/templates/kuttl/opa-authorization/03-install-hive.yaml.j2 | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c61502f..dbf81794 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -25,6 +25,7 @@ All notable changes to this project will be documented in this file. - Don't print credentials to STDOUT during startup. Ideally we should use [config-utils](https://github.com/stackabletech/config-utils), but that's not easy (see [here](https://github.com/stackabletech/trino-operator/tree/fix/secret-printing)) ([#634]). - Invalid `TrinoCluster`, `TrinoCatalog` or `AuthenticationClass` objects don't stop the operator from reconciliation ([#657]) - Fix OIDC endpoint construction in case the `rootPath` does have a trailing slash ([#673]). +- BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after restart ([#672]). ### Removed 
@@ -37,6 +38,7 @@ All notable changes to this project will be documented in this file. [#646]: https://github.com/stackabletech/trino-operator/pull/646 [#655]: https://github.com/stackabletech/trino-operator/pull/655 [#657]: https://github.com/stackabletech/trino-operator/pull/657 +[#672]: https://github.com/stackabletech/trino-operator/pull/672 [#673]: https://github.com/stackabletech/trino-operator/pull/673 ## [24.7.0] - 2024-07-24 diff --git a/tests/templates/kuttl/opa-authorization/03-install-hive.yaml.j2 b/tests/templates/kuttl/opa-authorization/03-install-hive.yaml.j2 index 4563414b..9eff5093 100644 --- a/tests/templates/kuttl/opa-authorization/03-install-hive.yaml.j2 +++ b/tests/templates/kuttl/opa-authorization/03-install-hive.yaml.j2 @@ -32,4 +32,4 @@ metadata: type: Opaque stringData: username: hive - password: hive + password: hive From ad96ac24bc5131efb33f122a6e1f10d9b059ad17 Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Tue, 26 Nov 2024 17:39:16 +0100 Subject: [PATCH 6/6] Update changelog --- CHANGELOG.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dbf81794..4e282207 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Fixed + +- Fix OIDC endpoint construction in case the `rootPath` does have a trailing slash ([#673]). +- BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be + deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after + restart ([#672]). + +[#672]: https://github.com/stackabletech/trino-operator/pull/672 +[#673]: https://github.com/stackabletech/trino-operator/pull/673 + ## [24.11.0] - 2024-11-18 ### Added 
@@ -24,8 +34,6 @@ All notable changes to this project will be documented in this file. - Don't ignore envOverrides ([#633]). - Don't print credentials to STDOUT during startup. Ideally we should use [config-utils](https://github.com/stackabletech/config-utils), but that's not easy (see [here](https://github.com/stackabletech/trino-operator/tree/fix/secret-printing)) ([#634]). - Invalid `TrinoCluster`, `TrinoCatalog` or `AuthenticationClass` objects don't stop the operator from reconciliation ([#657]) -- Fix OIDC endpoint construction in case the `rootPath` does have a trailing slash ([#673]). -- BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after restart ([#672]). ### Removed @@ -38,8 +46,6 @@ All notable changes to this project will be documented in this file. [#646]: https://github.com/stackabletech/trino-operator/pull/646 [#655]: https://github.com/stackabletech/trino-operator/pull/655 [#657]: https://github.com/stackabletech/trino-operator/pull/657 -[#672]: https://github.com/stackabletech/trino-operator/pull/672 -[#673]: https://github.com/stackabletech/trino-operator/pull/673 ## [24.7.0] - 2024-07-24