From b6bc3eee96dac13573996711cd251b11e7f0fd7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?= Date: Thu, 29 Aug 2024 14:36:52 +0200 Subject: [PATCH 1/8] Upstream Hostname validation to operator-rs --- Cargo.lock | 7 ++- Cargo.nix | 18 +++----- Cargo.toml | 5 +- crate-hashes.json | 4 +- deploy/helm/secret-operator/crds/crds.yaml | 4 ++ .../src/backend/kerberos_keytab.rs | 8 ++-- rust/operator-binary/src/crd.rs | 46 +------------------ 7 files changed, 25 insertions(+), 67 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 365d32fa..e4ac1023 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2641,8 +2641,8 @@ dependencies = [ [[package]] name = "stackable-operator" -version = "0.73.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.73.0#4d98a29b08a7d959e5e287f774cf064c02ffbd62" +version = "0.74.0" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feature/validation-hostname#f09a7908cb6bd10344a26b4859cc3e795212bb3e" dependencies = [ "chrono", "clap", @@ -2655,7 +2655,6 @@ dependencies = [ "json-patch", "k8s-openapi", "kube", - "lazy_static", "opentelemetry-jaeger", "opentelemetry_sdk", "product-config", @@ -2680,7 +2679,7 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.73.0#4d98a29b08a7d959e5e287f774cf064c02ffbd62" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feature/validation-hostname#f09a7908cb6bd10344a26b4859cc3e795212bb3e" dependencies = [ "darling", "proc-macro2", diff --git a/Cargo.nix b/Cargo.nix index c82c47a5..a4a71ead 100644 --- a/Cargo.nix +++ b/Cargo.nix 
@@ -8343,13 +8343,13 @@ rec { }; "stackable-operator" = rec { crateName = "stackable-operator"; - version = "0.73.0"; + version = "0.74.0"; edition = "2021"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "4d98a29b08a7d959e5e287f774cf064c02ffbd62"; - sha256 = "0cmfbc3v9kklsfkqbnhwig45106gfizhmlmg9p1qgdjp8az43l9m"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "f09a7908cb6bd10344a26b4859cc3e795212bb3e"; + sha256 = "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa"; }; libName = "stackable_operator"; authors = [ @@ -8406,10 +8406,6 @@ rec { usesDefaultFeatures = false; features = [ "client" "jsonpatch" "runtime" "derive" "rustls-tls" ]; } - { - name = "lazy_static"; - packageId = "lazy_static"; - } { name = "opentelemetry-jaeger"; packageId = "opentelemetry-jaeger"; @@ -8507,9 +8503,9 @@ rec { edition = "2021"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "4d98a29b08a7d959e5e287f774cf064c02ffbd62"; - sha256 = "0cmfbc3v9kklsfkqbnhwig45106gfizhmlmg9p1qgdjp8az43l9m"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "f09a7908cb6bd10344a26b4859cc3e795212bb3e"; + sha256 = "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa"; }; procMacro = true; libName = "stackable_operator_derive"; diff --git a/Cargo.toml b/Cargo.toml index 4d5e526e..c0fe5c74 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -34,7 +34,7 @@ serde_json = "1.0" serde_yaml = "0.9" snafu = "0.8" socket2 = { version = "0.5", features = ["all"] } -stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.73.0", features = ["time"] } +stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.74.0", features = ["time"] } strum = { version = "0.26", features = ["derive"] } sys-mount = { version = "3.0", default-features = false } tempfile = "3.12" @@ -54,5 +54,6 @@ yasna = "0.5" h2 = { git = "https://github.com/stackabletech/h2.git", branch = "feature/grpc-uds-/0.4.5" } [patch."https://github.com/stackabletech/operator-rs.git"] -# stackable-operator = { path = "../operator-rs" } +# stackable-operator = { path = "../operator-rs/crates/stackable-operator" } # stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" } +stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feature/validation-hostname" } diff --git a/crate-hashes.json b/crate-hashes.json index bc60f196..c5ccb48a 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
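Review bot: The `[patch]` entry added at the end of Cargo.toml resolves `stackable-operator` from the mutable branch `feature/validation-hostname`, so the hostname and realm validation this series relies on follows whatever that branch head is whenever the lockfile is regenerated or a build runs without `--locked`. Cargo.lock and Cargo.nix do record a commit and hash, but the manifest itself would be safer pinned, for example `rev = "f09a7908cb6bd10344a26b4859cc3e795212bb3e"` in place of `branch = "feature/validation-hostname"`. While the patch is active, the `tag = "stackable-operator-0.74.0"` on the dependency line is overridden and is not what gets built. A comment above the entry such as `# TODO: remove once the stackable-operator-0.74.0 tag is published` would keep the override from reaching a release unnoticed.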
@@ -1,6 +1,6 @@ { + "git+https://github.com/stackabletech//operator-rs.git?branch=feature%2Fvalidation-hostname#stackable-operator-derive@0.3.1": "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa", + "git+https://github.com/stackabletech//operator-rs.git?branch=feature%2Fvalidation-hostname#stackable-operator@0.74.0": "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa", "git+https://github.com/stackabletech/h2.git?branch=feature%2Fgrpc-uds-%2F0.4.5#h2@0.4.5": "0v0865w398zw0q6mhkwifbbfwffilhhlr4ympjz6fg0ac1q95s1x", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.73.0#stackable-operator-derive@0.3.1": "0cmfbc3v9kklsfkqbnhwig45106gfizhmlmg9p1qgdjp8az43l9m", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.73.0#stackable-operator@0.73.0": "0cmfbc3v9kklsfkqbnhwig45106gfizhmlmg9p1qgdjp8az43l9m", "git+https://github.com/stackabletech/product-config.git?tag=0.7.0#product-config@0.7.0": "0gjsm80g6r75pm3824dcyiz4ysq1ka4c1if6k1mjm9cnd5ym0gny" } \ No newline at end of file diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml index baeeaa00..9b6c451f 100644 --- a/deploy/helm/secret-operator/crds/crds.yaml +++ b/deploy/helm/secret-operator/crds/crds.yaml @@ -134,6 +134,7 @@ spec: type: object ldapServer: description: An AD LDAP server, such as the AD Domain Controller. This must match the server’s FQDN, or GSSAPI authentication will fail. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string ldapTlsCaSecret: description: Reference (name and namespace) to a Kubernetes Secret object containing the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against. 
@@ -179,6 +180,7 @@ spec: properties: kadminServer: description: The hostname of the Kerberos Admin Server. This should be provided by the Kerberos administrator. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - kadminServer @@ -202,9 +204,11 @@ spec: type: string kdc: description: The hostname of the Kerberos Key Distribution Center (KDC). This should be provided by the Kerberos administrator. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string realmName: description: The name of the Kerberos realm. This should be provided by the Kerberos administrator. + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - admin diff --git a/rust/operator-binary/src/backend/kerberos_keytab.rs b/rust/operator-binary/src/backend/kerberos_keytab.rs index 6cf86b50..79b6726d 100644 --- a/rust/operator-binary/src/backend/kerberos_keytab.rs +++ b/rust/operator-binary/src/backend/kerberos_keytab.rs @@ -5,7 +5,7 @@ use stackable_krb5_provision_keytab::{ self as provision, provision_keytab, }; -use stackable_operator::{k8s_openapi::api::core::v1::Secret, kube::runtime::reflector::ObjectRef}; +use stackable_operator::{commons::networking::{Hostname, KerberosRealmName}, k8s_openapi::api::core::v1::Secret, kube::runtime::reflector::ObjectRef}; use stackable_secret_operator_crd_utils::SecretReference; use tempfile::tempdir; use tokio::{ @@ -15,8 +15,8 @@ use tokio::{ use crate::{ crd::{ - ActiveDirectorySamAccountNameRules, Hostname, InvalidKerberosPrincipal, - KerberosKeytabBackendAdmin, KerberosPrincipal, + ActiveDirectorySamAccountNameRules, InvalidKerberosPrincipal, KerberosKeytabBackendAdmin, + KerberosPrincipal, }, format::{well_known, SecretData, WellKnownSecretData}, utils::Unloggable, 
@@ -82,7 +82,7 @@ impl SecretBackendError for Error { #[derive(Debug)] pub struct KerberosProfile { - pub realm_name: Hostname, + pub realm_name: KerberosRealmName, pub kdc: Hostname, pub admin: KerberosKeytabBackendAdmin, } diff --git a/rust/operator-binary/src/crd.rs b/rust/operator-binary/src/crd.rs index fec70649..333db393 100644 --- a/rust/operator-binary/src/crd.rs +++ b/rust/operator-binary/src/crd.rs @@ -3,6 +3,7 @@ use std::{fmt::Display, ops::Deref}; use serde::{Deserialize, Serialize}; use snafu::Snafu; use stackable_operator::{ + commons::networking::{Hostname, KerberosRealmName}, kube::CustomResource, schemars::{self, JsonSchema}, time::Duration, @@ -125,7 +126,7 @@ impl AutoTlsCa { #[serde(rename_all = "camelCase")] pub struct KerberosKeytabBackend { /// The name of the Kerberos realm. This should be provided by the Kerberos administrator. - pub realm_name: Hostname, + pub realm_name: KerberosRealmName, /// The hostname of the Kerberos Key Distribution Center (KDC). /// This should be provided by the Kerberos administrator. 
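Review bot: Switching `realm_name` to `KerberosRealmName` (here in `KerberosKeytabBackend`, and in `KerberosProfile` in kerberos_keytab.rs) drops a check the local `Hostname::try_from` used to make, the rejection of a leading `-`. The schema pattern generated for this field later in the series is `^[-.a-zA-Z0-9]+$`, which accepts values that begin with `-` or `.` or consist only of those characters. Whether the upstream Rust type rejects them is not visible in this patch. If the realm name is later written into a Kerberos configuration file or passed as a command argument (also not visible here), such a value could be misread, so it is worth confirming the upstream behaviour with a test asserting that `"-EXAMPLE.COM"` fails to deserialize. The doc comment could also state the rule, e.g. `/// Must consist of ASCII letters, digits, '-' and '.'; validated by [`KerberosRealmName`].`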
@@ -205,49 +206,6 @@ impl ActiveDirectorySamAccountNameRules { } } -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)] -#[serde(try_from = "String", into = "String")] -pub struct Hostname(String); -#[derive(Debug, Snafu)] -#[snafu(module)] -pub enum InvalidHostname { - #[snafu(display("hostname contains illegal characters (allowed: alphanumeric, -, and .)"))] - IllegalCharacter, - - #[snafu(display("hostname may not start with a dash"))] - StartWithDash, -} -impl TryFrom for Hostname { - type Error = InvalidHostname; - - fn try_from(value: String) -> Result { - if value.starts_with('-') { - invalid_hostname::StartWithDashSnafu.fail() - } else if value.contains(|chr: char| !chr.is_alphanumeric() && chr != '.' && chr != '-') { - invalid_hostname::IllegalCharacterSnafu.fail() - } else { - Ok(Hostname(value)) - } - } -} -impl From for String { - fn from(value: Hostname) -> Self { - value.0 - } -} -impl Display for Hostname { - fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { - f.write_str(&self.0) - } -} -impl Deref for Hostname { - type Target = str; - - fn deref(&self) -> &Self::Target { - &self.0 - } -} - #[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)] #[serde(try_from = "String", into = "String")] pub struct KerberosPrincipal(String); From 86916d2dfb1787c3687ca853e42843c43abce667 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?= Date: Thu, 29 Aug 2024 14:58:52 +0200 Subject: [PATCH 2/8] Update op-rs --- Cargo.lock | 4 ++-- Cargo.nix | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e4ac1023..67e202f7 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -2642,7 +2642,7 @@ dependencies = [ [[package]] name = "stackable-operator" version = "0.74.0" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feature/validation-hostname#f09a7908cb6bd10344a26b4859cc3e795212bb3e" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feature/validation-hostname#b5c129f9219c50b05e75b84b32db37324d39b2bc" dependencies = [ "chrono", "clap", @@ -2679,7 +2679,7 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feature/validation-hostname#f09a7908cb6bd10344a26b4859cc3e795212bb3e" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feature/validation-hostname#b5c129f9219c50b05e75b84b32db37324d39b2bc" dependencies = [ "darling", "proc-macro2", diff --git a/Cargo.nix b/Cargo.nix index a4a71ead..a10bae22 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -8348,7 +8348,7 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "f09a7908cb6bd10344a26b4859cc3e795212bb3e"; + rev = "b5c129f9219c50b05e75b84b32db37324d39b2bc"; sha256 = "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa"; }; libName = "stackable_operator"; @@ -8504,7 +8504,7 @@ rec { workspace_member = null; src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; - rev = "f09a7908cb6bd10344a26b4859cc3e795212bb3e"; + rev = "b5c129f9219c50b05e75b84b32db37324d39b2bc"; sha256 = "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa"; }; procMacro = true; From 734b78997607bacc47cb22ff5b72a47972f17ae5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?= Date: Thu, 29 Aug 2024 15:14:47 +0200 Subject: [PATCH 3/8] Changelog --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e84062db..a53d977e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,12 +8,19 @@ All notable changes to this project will be documented in this file. - Active Directory's `samAccountName` generation can now be customized ([#454]). +### Changed + +- Refactored hostname validation ([#494]). + - BREAKING: Hostname validation is now somewhat stricter. + - BREAKING: Hostname validation is now enforced in CRD. + ### Fixed - Fixed Kerberos keytab provisioning reusing its credential cache ([#490]). [#454]: https://github.com/stackabletech/secret-operator/pull/454 [#490]: https://github.com/stackabletech/secret-operator/pull/490 +[#494]: https://github.com/stackabletech/secret-operator/pull/494 ## [24.7.0] - 2024-07-24 From 95595daab65e209ab586e7b7852e1b32fa35b55a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?= Date: Thu, 29 Aug 2024 16:14:01 +0200 Subject: [PATCH 4/8] Update crate hashes --- Cargo.nix | 4 ++-- crate-hashes.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Cargo.nix b/Cargo.nix index a10bae22..ff8606ba 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -8349,7 +8349,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; rev = "b5c129f9219c50b05e75b84b32db37324d39b2bc"; - sha256 = "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa"; + sha256 = "0lj63wxqa5bmsi1vs0bmyz5v2s038igc345n97999bahnkgcj034"; }; libName = "stackable_operator"; authors = [ @@ -8505,7 +8505,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech//operator-rs.git"; rev = "b5c129f9219c50b05e75b84b32db37324d39b2bc"; - sha256 = "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa"; + sha256 = "0lj63wxqa5bmsi1vs0bmyz5v2s038igc345n97999bahnkgcj034"; }; procMacro = true; libName = "stackable_operator_derive"; diff --git a/crate-hashes.json b/crate-hashes.json index c5ccb48a..3559adbb 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
@@ -1,6 +1,6 @@ { - "git+https://github.com/stackabletech//operator-rs.git?branch=feature%2Fvalidation-hostname#stackable-operator-derive@0.3.1": "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa", - "git+https://github.com/stackabletech//operator-rs.git?branch=feature%2Fvalidation-hostname#stackable-operator@0.74.0": "0369czn7swn2wnkdgqgdds6467lrf9s54qm228dncf037avrlmaa", + "git+https://github.com/stackabletech//operator-rs.git?branch=feature%2Fvalidation-hostname#stackable-operator-derive@0.3.1": "0lj63wxqa5bmsi1vs0bmyz5v2s038igc345n97999bahnkgcj034", + "git+https://github.com/stackabletech//operator-rs.git?branch=feature%2Fvalidation-hostname#stackable-operator@0.74.0": "0lj63wxqa5bmsi1vs0bmyz5v2s038igc345n97999bahnkgcj034", "git+https://github.com/stackabletech/h2.git?branch=feature%2Fgrpc-uds-%2F0.4.5#h2@0.4.5": "0v0865w398zw0q6mhkwifbbfwffilhhlr4ympjz6fg0ac1q95s1x", "git+https://github.com/stackabletech/product-config.git?tag=0.7.0#product-config@0.7.0": "0gjsm80g6r75pm3824dcyiz4ysq1ka4c1if6k1mjm9cnd5ym0gny" } \ No newline at end of file From 27dac9f710d1748b1bc491d33fb078dc8fabf485 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?= Date: Thu, 29 Aug 2024 16:16:09 +0200 Subject: [PATCH 5/8] fmt --- rust/operator-binary/src/backend/kerberos_keytab.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rust/operator-binary/src/backend/kerberos_keytab.rs b/rust/operator-binary/src/backend/kerberos_keytab.rs index 79b6726d..f9519ad7 100644 --- a/rust/operator-binary/src/backend/kerberos_keytab.rs +++ b/rust/operator-binary/src/backend/kerberos_keytab.rs 
@@ -5,7 +5,11 @@ use stackable_krb5_provision_keytab::{ self as provision, provision_keytab, }; -use stackable_operator::{commons::networking::{Hostname, KerberosRealmName}, k8s_openapi::api::core::v1::Secret, kube::runtime::reflector::ObjectRef}; +use stackable_operator::{ + commons::networking::{Hostname, KerberosRealmName}, + k8s_openapi::api::core::v1::Secret, + kube::runtime::reflector::ObjectRef, +}; use stackable_secret_operator_crd_utils::SecretReference; use tempfile::tempdir; use tokio::{ From f829f152e16be3772938d6eb08b04c541d8d2061 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?= Date: Thu, 29 Aug 2024 16:16:48 +0200 Subject: [PATCH 6/8] make crds --- deploy/helm/secret-operator/crds/crds.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml index 9b6c451f..05462bb5 100644 --- a/deploy/helm/secret-operator/crds/crds.yaml +++ b/deploy/helm/secret-operator/crds/crds.yaml @@ -208,7 +208,7 @@ spec: type: string realmName: description: The name of the Kerberos realm. This should be provided by the Kerberos administrator. - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + pattern: ^[-.a-zA-Z0-9]+$ type: string required: - admin From a55d1273f7ab370eb41365796a117e389a19bc26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?= Date: Fri, 20 Sep 2024 13:25:57 +0200 Subject: [PATCH 7/8] make crds --- deploy/helm/secret-operator/crds/crds.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml index 9613f6c0..3f775c43 100644 --- a/deploy/helm/secret-operator/crds/crds.yaml +++ b/deploy/helm/secret-operator/crds/crds.yaml 
@@ -158,7 +158,7 @@ spec: nullable: true properties: prefix: - default: "" + default: '' description: A prefix to be prepended to generated samAccountNames. type: string totalLength: From d63604169fac314f3d943e0479e311e2e4d15687 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?= Date: Fri, 20 Sep 2024 15:53:14 +0200 Subject: [PATCH 8/8] Fix markdownlint errors --- CHANGELOG.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d9974b0..a42d6347 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,16 +14,13 @@ All notable changes to this project will be documented in this file. - Refactored hostname validation ([#494]). - BREAKING: Hostname validation is now somewhat stricter. - BREAKING: Hostname validation is now enforced in CRD. +- Remove custom `h2` patch, as Kubernetes 1.26 has fixed the invalid data from Kubernetes' side. Starting with 24.11 we only support at least 1.27 (as it's needed by OpenShift 4.14) ([#495]). ### Fixed - Fixed Kerberos keytab provisioning reusing its credential cache ([#490]). - Fixed listener volumes missing a required permission to inspect manually provisioned listeners ([#497]). -### Changed - -- Remove custom `h2` patch, as Kubernetes 1.26 has fixed the invalid data from Kubernetes' side. Starting with 24.11 we only support at least 1.27 (as it's needed by OpenShift 4.14) ([#495]). - [#454]: https://github.com/stackabletech/secret-operator/pull/454 [#482]: https://github.com/stackabletech/secret-operator/pull/482 [#490]: https://github.com/stackabletech/secret-operator/pull/490 
@@ -42,9 +39,9 @@ All notable changes to this project will be documented in this file. - [BREAKING] The TLS CA Secret is now installed into the Namespace of the operator (typically `stackable-operators`), rather than `default` ([#397]). - Existing users can either migrate by either: - - (Recommended) Copying the CA into the new location - (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`) - - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`) + - (Recommended) Copying the CA into the new location + (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`) + - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`) - Reduce CA default lifetime to one year ([#403]) - Update the image docker.stackable.tech/k8s/sig-storage/csi-provisioner in the Helm values to v4.0.1 ([#440]). @@ -87,7 +84,6 @@ All notable changes to this project will be documented in this file. [#357]: https://github.com/stackabletech/secret-operator/pull/357 [#361]: https://github.com/stackabletech/secret-operator/pull/361 - ## [23.11.0] - 2023-11-24 ### Added