diff --git a/CHANGELOG.md b/CHANGELOG.md
index dedce195..a42d6347 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,18 +9,22 @@ All notable changes to this project will be documented in this file.
- Active Directory's `samAccountName` generation can now be customized ([#454]).
- Added experimental cert-manager backend ([#482]).
+### Changed
+
+- Refactored hostname validation ([#494]).
+ - BREAKING: Hostname validation is now somewhat stricter.
+ - BREAKING: Hostname validation is now enforced in CRD.
+- Remove custom `h2` patch, as Kubernetes 1.26 has fixed the invalid data from Kubernetes' side. Starting with 24.11 we only support at least 1.27 (as it's needed by OpenShift 4.14) ([#495]).
+
### Fixed
- Fixed Kerberos keytab provisioning reusing its credential cache ([#490]).
- Fixed listener volumes missing a required permission to inspect manually provisioned listeners ([#497]).
-### Changed
-
-- Remove custom `h2` patch, as Kubernetes 1.26 has fixed the invalid data from Kubernetes' side. Starting with 24.11 we only support at least 1.27 (as it's needed by OpenShift 4.14) ([#495]).
-
[#454]: https://github.com/stackabletech/secret-operator/pull/454
[#482]: https://github.com/stackabletech/secret-operator/pull/482
[#490]: https://github.com/stackabletech/secret-operator/pull/490
+[#494]: https://github.com/stackabletech/secret-operator/pull/494
[#495]: https://github.com/stackabletech/secret-operator/pull/495
[#497]: https://github.com/stackabletech/secret-operator/pull/497
@@ -35,9 +39,9 @@ All notable changes to this project will be documented in this file.
- [BREAKING] The TLS CA Secret is now installed into the Namespace of the operator (typically `stackable-operators`), rather than `default` ([#397]).
- Existing users can either migrate by either:
- - (Recommended) Copying the CA into the new location
- (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`)
- - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`)
+ - (Recommended) Copying the CA into the new location
+ (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`)
+ - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`)
- Reduce CA default lifetime to one year ([#403])
- Update the image docker.stackable.tech/k8s/sig-storage/csi-provisioner in the Helm values to v4.0.1 ([#440]).
@@ -80,7 +84,6 @@ All notable changes to this project will be documented in this file.
[#357]: https://github.com/stackabletech/secret-operator/pull/357
[#361]: https://github.com/stackabletech/secret-operator/pull/361
-
## [23.11.0] - 2023-11-24
### Added
diff --git a/Cargo.toml b/Cargo.toml
index a4dccd28..b8e8841d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -50,5 +50,5 @@ uuid = { version = "1.10.0", features = ["v4"] }
yasna = "0.5"
[patch."https://github.com/stackabletech/operator-rs.git"]
-# stackable-operator = { path = "../operator-rs" }
+# stackable-operator = { path = "../operator-rs/crates/stackable-operator" }
# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml
index 60c4b00c..3f775c43 100644
--- a/deploy/helm/secret-operator/crds/crds.yaml
+++ b/deploy/helm/secret-operator/crds/crds.yaml
@@ -244,6 +244,7 @@ spec:
type: string
realmName:
description: The name of the Kerberos realm. This should be provided by the Kerberos administrator.
+ pattern: ^[-.a-zA-Z0-9]+$
type: string
required:
- admin
diff --git a/rust/operator-binary/src/backend/kerberos_keytab.rs b/rust/operator-binary/src/backend/kerberos_keytab.rs
index fd2d8358..9bce7f3f 100644
--- a/rust/operator-binary/src/backend/kerberos_keytab.rs
+++ b/rust/operator-binary/src/backend/kerberos_keytab.rs
@@ -5,7 +5,11 @@ use stackable_krb5_provision_keytab::{
self as provision, provision_keytab,
};
-use stackable_operator::{k8s_openapi::api::core::v1::Secret, kube::runtime::reflector::ObjectRef};
+use stackable_operator::{
+ commons::networking::{HostName, KerberosRealmName},
+ k8s_openapi::api::core::v1::Secret,
+ kube::runtime::reflector::ObjectRef,
+};
use stackable_secret_operator_crd_utils::SecretReference;
use tempfile::tempdir;
use tokio::{
@@ -15,8 +19,8 @@ use tokio::{
use crate::{
crd::{
- ActiveDirectorySamAccountNameRules, Hostname, InvalidKerberosPrincipal,
- KerberosKeytabBackendAdmin, KerberosPrincipal,
+ ActiveDirectorySamAccountNameRules, InvalidKerberosPrincipal, KerberosKeytabBackendAdmin,
+ KerberosPrincipal,
},
format::{well_known, SecretData, WellKnownSecretData},
utils::Unloggable,
@@ -82,8 +86,8 @@ impl SecretBackendError for Error {
#[derive(Debug)]
pub struct KerberosProfile {
- pub realm_name: Hostname,
- pub kdc: Hostname,
+ pub realm_name: KerberosRealmName,
+ pub kdc: HostName,
pub admin: KerberosKeytabBackendAdmin,
}
diff --git a/rust/operator-binary/src/crd.rs b/rust/operator-binary/src/crd.rs
index b208e13b..8cf76e11 100644
--- a/rust/operator-binary/src/crd.rs
+++ b/rust/operator-binary/src/crd.rs
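Review bot: `KerberosProfile`'s `realm_name` and `kdc` fields change type in the last hunk but still carry no doc comments, while their CRD counterparts in crd.rs document both (`/// The name of the Kerberos realm. This should be provided by the Kerberos administrator.` and `/// The hostname of the Kerberos Key Distribution Center (KDC).`). Since the struct is `pub`, mirroring those two lines on the fields here would make the relationship between `KerberosProfile` and `KerberosKeytabBackend` explicit for readers of the backend. The code that consumes these values is outside the hunk, so whether the new types expose the same `&str` access the removed `Hostname` offered via `Deref` cannot be confirmed from here.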
@@ -3,6 +3,7 @@ use std::{fmt::Display, ops::Deref};
use serde::{Deserialize, Serialize};
use snafu::Snafu;
use stackable_operator::{
+ commons::networking::{HostName, KerberosRealmName},
kube::CustomResource,
schemars::{self, JsonSchema},
time::Duration,
@@ -175,11 +176,11 @@ pub enum CertManagerIssuerKind {
#[serde(rename_all = "camelCase")]
pub struct KerberosKeytabBackend {
/// The name of the Kerberos realm. This should be provided by the Kerberos administrator.
- pub realm_name: Hostname,
+ pub realm_name: KerberosRealmName,
/// The hostname of the Kerberos Key Distribution Center (KDC).
/// This should be provided by the Kerberos administrator.
- pub kdc: Hostname,
+ pub kdc: HostName,
/// Kerberos admin configuration settings.
pub admin: KerberosKeytabBackendAdmin,
@@ -200,7 +201,7 @@ pub enum KerberosKeytabBackendAdmin {
Mit {
/// The hostname of the Kerberos Admin Server.
/// This should be provided by the Kerberos administrator.
- kadmin_server: Hostname,
+ kadmin_server: HostName,
},
/// Credentials should be provisioned in a Microsoft Active Directory domain.
@@ -208,7 +209,7 @@ pub enum KerberosKeytabBackendAdmin {
ActiveDirectory {
/// An AD LDAP server, such as the AD Domain Controller.
/// This must match the server’s FQDN, or GSSAPI authentication will fail.
- ldap_server: Hostname,
+ ldap_server: HostName,
/// Reference (name and namespace) to a Kubernetes Secret object containing
/// the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against.
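Review bot: Only `realmName` gains a schema `pattern` in the generated crds.yaml in this commit, although `kdc` here and `kadmin_server`/`ldap_server` in the two hunks below switch to `HostName` in the same way, and the changelog states that hostname validation is now enforced in the CRD. If `HostName` declares a JSON-schema pattern the way `KerberosRealmName` evidently does, the Helm CRD would be expected to show it for those three fields too and crds.yaml may need regenerating; if it does not, the changelog line overstates what the API server enforces. The realm pattern `^[-.a-zA-Z0-9]+$` also admits a leading `-` or `.`, which the removed `Hostname` parser rejected with `StartWithDash`; whether `KerberosRealmName`'s own `TryFrom` keeps that rule is not visible here, and a value beginning with `-` is the classic input that downstream command-line tooling misreads as an option, so it is worth confirming that it is still rejected before use. The enclosing `KerberosKeytabBackend` struct continues past the hunk.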
@@ -255,49 +256,6 @@ impl ActiveDirectorySamAccountNameRules {
}
}
-#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
-#[serde(try_from = "String", into = "String")]
-pub struct Hostname(String);
-#[derive(Debug, Snafu)]
-#[snafu(module)]
-pub enum InvalidHostname {
- #[snafu(display("hostname contains illegal characters (allowed: alphanumeric, -, and .)"))]
- IllegalCharacter,
-
- #[snafu(display("hostname may not start with a dash"))]
- StartWithDash,
-}
-impl TryFrom for Hostname {
- type Error = InvalidHostname;
-
- fn try_from(value: String) -> Result {
- if value.starts_with('-') {
- invalid_hostname::StartWithDashSnafu.fail()
- } else if value.contains(|chr: char| !chr.is_alphanumeric() && chr != '.' && chr != '-') {
- invalid_hostname::IllegalCharacterSnafu.fail()
- } else {
- Ok(Hostname(value))
- }
- }
-}
-impl From for String {
- fn from(value: Hostname) -> Self {
- value.0
- }
-}
-impl Display for Hostname {
- fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
- f.write_str(&self.0)
- }
-}
-impl Deref for Hostname {
- type Target = str;
-
- fn deref(&self) -> &Self::Target {
- &self.0
- }
-}
-
#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
#[serde(try_from = "String", into = "String")]
pub struct KerberosPrincipal(String);