fix!: Make fields on S3 structs mandatory, add S3 helpers (#863)

* refactor!: Add Host type. Fix S3 structs to have mandatory fields

* TLS verification struct now reside top-level in the `commons` module

* WIP

* fix: Use String for Host JsonSchema

* changelog

* changelog

* Add unique identifier to avoid clashing volumes and mounts

* move identifier to front

* clippy

* Apply suggestions from code review

Co-authored-by: Nick <[email protected]>

* Remove RetrieveS3Bucket error

* Add some error details

* typo

* Add docs for unique_identifier

* Apply suggestions from code review

Co-authored-by: Techassi <[email protected]>

* Rename NotAHost -> NotAHost

* Add invalid host to error message

* Move to HostParseError

* Rename Host -> HostName

* Update crates/stackable-operator/src/commons/networking.rs

Co-authored-by: Techassi <[email protected]>

* Update crates/stackable-operator/CHANGELOG.md

Co-authored-by: Techassi <[email protected]>

* Update crates/stackable-operator/CHANGELOG.md

Co-authored-by: Techassi <[email protected]>

* changelog

* Bump to 0.76.0

* Update crates/stackable-operator/src/commons/networking.rs

Co-authored-by: Techassi <[email protected]>

* fix domain names

---------

Co-authored-by: Nick <[email protected]>
Co-authored-by: Techassi <[email protected]>

Author: 3 people

Cargo.lock

@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+## [0.76.0] - 2024-09-19
+
+### Added
+
+- BREAKING: Add `HostName` type and use it within LDAP and OIDC AuthenticationClass as well as S3Connection ([#863]).
+
+### Changed
+
+- BREAKING: The TLS verification struct now resides in the `commons::tls_verification` module, instead of being placed below `commons::authentication::tls` ([#863]).
+- BREAKING: Rename the `Hostname` type to `DomainName` to be consistent with RFC 1123 ([#863]).
+
+### Fixed
+
+- BREAKING: The fields `bucketName`, `connection` and `host` on `S3BucketSpec`, `InlinedS3BucketSpec` and `S3ConnectionSpec` are now mandatory. Previously operators errored out in case these fields where missing ([#863]).
+
+[#863]: https://github.com/stackabletech/operator-rs/pull/863
+
 ## [0.75.0] - 2024-09-19
 
 ### Added

crates/stackable-operator/CHANGELOG.md

@@ -1,7 +1,7 @@
 [package]
 name = "stackable-operator"
 description = "Stackable Operator Framework"
-version = "0.75.0"
+version = "0.76.0"
 authors.workspace = true
 license.workspace = true
 edition.workspace = true

crates/stackable-operator/Cargo.toml

@@ -7,11 +7,10 @@ use url::{ParseError, Url};
 use crate::{
     builder::pod::{container::ContainerBuilder, volume::VolumeMountBuilder, PodBuilder},
     commons::{
-        authentication::{
-            tls::{TlsClientDetails, TlsClientDetailsError},
-            SECRET_BASE_PATH,
-        },
+        authentication::SECRET_BASE_PATH,
+        networking::HostName,
         secret_class::{SecretClassVolume, SecretClassVolumeError},
+        tls_verification::{TlsClientDetails, TlsClientDetailsError},
     },
 };
 
@@ -36,8 +35,8 @@ pub enum Error {
 )]
 #[serde(rename_all = "camelCase")]
 pub struct AuthenticationProvider {
-    /// Hostname of the LDAP server, for example: `my.ldap.server`.
-    pub hostname: String,
+    /// Host of the LDAP server, for example: `my.ldap.server` or `127.0.0.1`.
+    pub hostname: HostName,
 
     /// Port of the LDAP server. If TLS is used defaults to 636 otherwise to 389.
     port: Option<u16>,

crates/stackable-operator/src/commons/authentication/ldap.rs

@@ -11,7 +11,9 @@ use url::{ParseError, Url};
 
 #[cfg(doc)]
 use crate::commons::authentication::AuthenticationClass;
-use crate::commons::authentication::{tls::TlsClientDetails, SECRET_BASE_PATH};
+use crate::commons::{
+    authentication::SECRET_BASE_PATH, networking::HostName, tls_verification::TlsClientDetails,
+};
 
 pub type Result<T, E = Error> = std::result::Result<T, E>;
 
@@ -40,8 +42,8 @@ pub enum Error {
 )]
 #[serde(rename_all = "camelCase")]
 pub struct AuthenticationProvider {
-    /// Hostname of the identity provider, e.g. `my.keycloak.corp`.
-    hostname: String,
+    /// Host of the identity provider, e.g. `my.keycloak.corp` or `127.0.0.1`.
+    hostname: HostName,
 
     /// Port of the identity provider. If TLS is used defaults to 443,
     /// otherwise to 80.
@@ -90,7 +92,7 @@ fn default_root_path() -> String {
 
 impl AuthenticationProvider {
     pub fn new(
-        hostname: String,
+        hostname: HostName,
         port: Option<u16>,
         root_path: String,
         tls: TlsClientDetails,
@@ -113,8 +115,12 @@ impl AuthenticationProvider {
     /// configuration path, use `url.join()`. This module provides the default
     /// path at [`DEFAULT_OIDC_WELLKNOWN_PATH`].
     pub fn endpoint_url(&self) -> Result<Url> {
-        let mut url = Url::parse(&format!("http://{}:{}", self.hostname, self.port()))
-            .context(ParseOidcEndpointUrlSnafu)?;
+        let mut url = Url::parse(&format!(
+            "http://{host}:{port}",
+            host = self.hostname.as_url_host(),
+            port = self.port()
+        ))
+        .context(ParseOidcEndpointUrlSnafu)?;
 
         if self.tls.uses_tls() {
             url.set_scheme("https").map_err(|_| {
@@ -317,7 +323,7 @@ mod test {
     fn test_oidc_ipv6_endpoint_url() {
         let oidc = serde_yaml::from_str::<AuthenticationProvider>(
             "
-            hostname: '[2606:2800:220:1:248:1893:25c8:1946]'
+            hostname: 2606:2800:220:1:248:1893:25c8:1946
             rootPath: my-root-path
             port: 12345
             scopes: [openid]

crates/stackable-operator/src/commons/authentication/oidc.rs

@@ -1,15 +1,5 @@
-use k8s_openapi::api::core::v1::{Volume, VolumeMount};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
-use snafu::{ResultExt, Snafu};
-
-use crate::{
-    builder::pod::{container::ContainerBuilder, volume::VolumeMountBuilder, PodBuilder},
-    commons::{
-        authentication::SECRET_BASE_PATH,
-        secret_class::{SecretClassVolume, SecretClassVolumeError},
-    },
-};
 
 #[derive(
     Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
@@ -22,148 +12,3 @@ pub struct AuthenticationProvider {
     /// will be used to provision client certificates.
     pub client_cert_secret_class: Option<String>,
 }
-
-#[derive(Debug, PartialEq, Snafu)]
-pub enum TlsClientDetailsError {
-    #[snafu(display("failed to convert secret class volume into named Kubernetes volume"))]
-    SecretClassVolume { source: SecretClassVolumeError },
-}
-
-#[derive(
-    Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
-)]
-#[serde(rename_all = "camelCase")]
-pub struct TlsClientDetails {
-    /// Use a TLS connection. If not specified no TLS will be used.
-    pub tls: Option<Tls>,
-}
-
-impl TlsClientDetails {
-    /// This functions adds
-    ///
-    /// * The needed volumes to the PodBuilder
-    /// * The needed volume_mounts to all the ContainerBuilder in the list (e.g. init + main container)
-    ///
-    /// This function will handle
-    ///
-    /// * Tls secret class used to verify the cert of the LDAP server
-    pub fn add_volumes_and_mounts(
-        &self,
-        pod_builder: &mut PodBuilder,
-        container_builders: Vec<&mut ContainerBuilder>,
-    ) -> Result<(), TlsClientDetailsError> {
-        let (volumes, mounts) = self.volumes_and_mounts()?;
-        pod_builder.add_volumes(volumes);
-
-        for cb in container_builders {
-            cb.add_volume_mounts(mounts.clone());
-        }
-
-        Ok(())
-    }
-
-    /// It is recommended to use [`Self::add_volumes_and_mounts`], this function returns you the
-    /// volumes and mounts in case you need to add them by yourself.
-    pub fn volumes_and_mounts(
-        &self,
-    ) -> Result<(Vec<Volume>, Vec<VolumeMount>), TlsClientDetailsError> {
-        let mut volumes = Vec::new();
-        let mut mounts = Vec::new();
-
-        if let Some(secret_class) = self.tls_ca_cert_secret_class() {
-            let volume_name = format!("{secret_class}-ca-cert");
-            let secret_class_volume = SecretClassVolume::new(secret_class.clone(), None);
-            let volume = secret_class_volume
-                .to_volume(&volume_name)
-                .context(SecretClassVolumeSnafu)?;
-
-            volumes.push(volume);
-            mounts.push(
-                VolumeMountBuilder::new(volume_name, format!("{SECRET_BASE_PATH}/{secret_class}"))
-                    .build(),
-            );
-        }
-
-        Ok((volumes, mounts))
-    }
-
-    /// Whether TLS is configured
-    pub const fn uses_tls(&self) -> bool {
-        self.tls.is_some()
-    }
-
-    /// Whether TLS verification is configured. Returns `false` if TLS itself isn't configured
-    pub fn uses_tls_verification(&self) -> bool {
-        self.tls
-            .as_ref()
-            .map(|tls| tls.verification != TlsVerification::None {})
-            .unwrap_or_default()
-    }
-
-    /// Returns the path of the ca.crt that should be used to verify the LDAP server certificate
-    /// if TLS verification with a CA cert from a SecretClass is configured.
-    pub fn tls_ca_cert_mount_path(&self) -> Option<String> {
-        self.tls_ca_cert_secret_class()
-            .map(|secret_class| format!("{SECRET_BASE_PATH}/{secret_class}/ca.crt"))
-    }
-
-    /// Extracts the SecretClass that provides the CA cert used to verify the server certificate.
-    pub(crate) fn tls_ca_cert_secret_class(&self) -> Option<String> {
-        if let Some(Tls {
-            verification:
-                TlsVerification::Server(TlsServerVerification {
-                    ca_cert: CaCert::SecretClass(secret_class),
-                }),
-        }) = &self.tls
-        {
-            Some(secret_class.to_owned())
-        } else {
-            None
-        }
-    }
-}
-
-#[derive(
-    Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
-)]
-#[serde(rename_all = "camelCase")]
-pub struct Tls {
-    /// The verification method used to verify the certificates of the server and/or the client.
-    pub verification: TlsVerification,
-}
-
-#[derive(
-    Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
-)]
-#[serde(rename_all = "camelCase")]
-pub enum TlsVerification {
-    /// Use TLS but don't verify certificates.
-    None {},
-
-    /// Use TLS and a CA certificate to verify the server.
-    Server(TlsServerVerification),
-}
-
-#[derive(
-    Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
-)]
-#[serde(rename_all = "camelCase")]
-pub struct TlsServerVerification {
-    /// CA cert to verify the server.
-    pub ca_cert: CaCert,
-}
-
-#[derive(
-    Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
-)]
-#[serde(rename_all = "camelCase")]
-pub enum CaCert {
-    /// Use TLS and the CA certificates trusted by the common web browsers to verify the server.
-    /// This can be useful when you e.g. use public AWS S3 or other public available services.
-    WebPki {},
-
-    /// Name of the [SecretClass](DOCS_BASE_URL_PLACEHOLDER/secret-operator/secretclass) which will provide the CA certificate.
-    /// Note that a SecretClass does not need to have a key but can also work with just a CA certificate,
-    /// so if you got provided with a CA cert but don't have access to the key you can still use this method.
-    SecretClass(String),
-}

crates/stackable-operator/src/commons/authentication/tls.rs

@@ -13,3 +13,4 @@ pub mod resources;
 pub mod s3;
 pub mod secret;
 pub mod secret_class;
+pub mod tls_verification;