chore: Update to operator-rs 0.77.1 and use new S3 structs

Cargo.toml

@@ -24,11 +24,12 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 serde_yaml = "0.9"
 snafu = "0.8"
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.74.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.76.0" }
 product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" }
 strum = { version = "0.26", features = ["derive"] }
-tokio = { version = "1.39", features = ["full"] }
+tokio = { version = "1.40", features = ["full"] }
 tracing = "0.1"
 
 # [patch."https://github.com/stackabletech/operator-rs.git"]
 # stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+# stackable-operator = { path = "../operator-rs/crates/stackable-operator" }

rust/crd/src/catalog/delta_lake.rs

@@ -1,7 +1,7 @@
 use super::commons::{HdfsConnection, MetastoreConnection};
 use serde::{Deserialize, Serialize};
 use stackable_operator::{
-    commons::s3::S3ConnectionDef,
+    commons::s3::S3ConnectionInlineOrReference,
     schemars::{self, JsonSchema},
 };
 
@@ -12,10 +12,12 @@ use stackable_operator::{
 pub struct DeltaLakeConnector {
     /// Mandatory connection to a Hive Metastore, which will be used as a storage for metadata.
     pub metastore: MetastoreConnection,
+
     /// Connection to an S3 store.
     /// Please make sure that the underlying Hive metastore also has access to the S3 store.
     /// Learn more about S3 configuration in the [S3 concept docs](DOCS_BASE_URL_PLACEHOLDER/concepts/s3).
-    pub s3: Option<S3ConnectionDef>,
+    pub s3: Option<S3ConnectionInlineOrReference>,
+
     /// Connection to an HDFS cluster.
     /// Please make sure that the underlying Hive metastore also has access to the HDFS.
     pub hdfs: Option<HdfsConnection>,

rust/crd/src/catalog/generic.rs

@@ -84,7 +84,7 @@ mod tests {
                         Property::ValueFromSecret {
                             secret_key_selector: SecretKeySelector {
                                 key: "user".to_string(),
-                                name: Some("my-postgresql-credentials-secret".to_string()),
+                                name: "my-postgresql-credentials-secret".to_string(),
                                 optional: None,
                             }
                         }
@@ -94,7 +94,7 @@ mod tests {
                         Property::ValueFromSecret {
                             secret_key_selector: SecretKeySelector {
                                 key: "password".to_string(),
-                                name: Some("my-postgresql-credentials-secret".to_string()),
+                                name: "my-postgresql-credentials-secret".to_string(),
                                 optional: None,
                             }
                         }

rust/crd/src/catalog/hive.rs

@@ -1,7 +1,7 @@
 use super::commons::{HdfsConnection, MetastoreConnection};
 use serde::{Deserialize, Serialize};
 use stackable_operator::{
-    commons::s3::S3ConnectionDef,
+    commons::s3::S3ConnectionInlineOrReference,
     schemars::{self, JsonSchema},
 };
 
@@ -10,10 +10,12 @@ use stackable_operator::{
 pub struct HiveConnector {
     /// Mandatory connection to a Hive Metastore, which will be used as a storage for metadata.
     pub metastore: MetastoreConnection,
+
     /// Connection to an S3 store.
     /// Please make sure that the underlying Hive metastore also has access to the S3 store.
     /// Learn more about S3 configuration in the [S3 concept docs](DOCS_BASE_URL_PLACEHOLDER/concepts/s3).
-    pub s3: Option<S3ConnectionDef>,
+    pub s3: Option<S3ConnectionInlineOrReference>,
+
     /// Connection to an HDFS cluster.
     /// Please make sure that the underlying Hive metastore also has access to the HDFS.
     pub hdfs: Option<HdfsConnection>,

rust/crd/src/catalog/iceberg.rs

@@ -1,7 +1,7 @@
 use super::commons::{HdfsConnection, MetastoreConnection};
 use serde::{Deserialize, Serialize};
 use stackable_operator::{
-    commons::s3::S3ConnectionDef,
+    commons::s3::S3ConnectionInlineOrReference,
     schemars::{self, JsonSchema},
 };
 
@@ -12,10 +12,12 @@ use stackable_operator::{
 pub struct IcebergConnector {
     /// Mandatory connection to a Hive Metastore, which will be used as a storage for metadata.
     pub metastore: MetastoreConnection,
+
     /// Connection to an S3 store.
     /// Please make sure that the underlying Hive metastore also has access to the S3 store.
     /// Learn more about S3 configuration in the [S3 concept docs](DOCS_BASE_URL_PLACEHOLDER/concepts/s3).
-    pub s3: Option<S3ConnectionDef>,
+    pub s3: Option<S3ConnectionInlineOrReference>,
+
     /// Connection to an HDFS cluster.
     /// Please make sure that the underlying Hive metastore also has access to the HDFS.
     pub hdfs: Option<HdfsConnection>,

rust/crd/src/lib.rs

@@ -92,12 +92,10 @@ pub const METRICS_PORT_PROPERTY: &str = "metricsPort";
 pub const CONFIG_DIR_NAME: &str = "/stackable/config";
 pub const RW_CONFIG_DIR_NAME: &str = "/stackable/rwconfig";
 pub const DATA_DIR_NAME: &str = "/stackable/data";
-pub const S3_SECRET_DIR_NAME: &str = "/stackable/secrets";
 pub const STACKABLE_SERVER_TLS_DIR: &str = "/stackable/server_tls";
 pub const STACKABLE_CLIENT_TLS_DIR: &str = "/stackable/client_tls";
 pub const STACKABLE_INTERNAL_TLS_DIR: &str = "/stackable/internal_tls";
 pub const STACKABLE_MOUNT_SERVER_TLS_DIR: &str = "/stackable/mount_server_tls";
-pub const STACKABLE_MOUNT_CLIENT_TLS_DIR: &str = "/stackable/mount_client_tls";
 pub const STACKABLE_MOUNT_INTERNAL_TLS_DIR: &str = "/stackable/mount_internal_tls";
 pub const SYSTEM_TRUST_STORE: &str = "/etc/pki/java/cacerts";
 // store pws

rust/operator-binary/src/authentication/oidc/mod.rs

@@ -4,7 +4,7 @@
 use crate::authentication::TrinoAuthenticationConfig;
 use crate::command;
 use snafu::{ResultExt, Snafu};
-use stackable_operator::commons::authentication::oidc;
+use stackable_operator::commons::{authentication::oidc, tls_verification::TlsClientDetailsError};
 use stackable_trino_crd::{TrinoRole, STACKABLE_CLIENT_TLS_DIR};
 
 // Trino properties
@@ -45,9 +45,7 @@ pub enum Error {
     UnverifiedOidcTlsConnectionNotSupported,
 
     #[snafu(display("Failed to create OIDC Volumes and VolumeMounts"))]
-    FailedToCreateOidcVolumeAndVolumeMounts {
-        source: stackable_operator::commons::authentication::tls::TlsClientDetailsError,
-    },
+    FailedToCreateOidcVolumeAndVolumeMounts { source: TlsClientDetailsError },
 }
 
 #[derive(Clone, Debug, Default)]

rust/operator-binary/src/catalog/commons.rs

@@ -3,26 +3,23 @@ use crate::command;
 use async_trait::async_trait;
 use snafu::{OptionExt, ResultExt};
 use stackable_operator::{
-    builder::pod::volume::{SecretOperatorVolumeSourceBuilder, VolumeBuilder, VolumeMountBuilder},
+    builder::pod::volume::{VolumeBuilder, VolumeMountBuilder},
     client::Client,
     commons::{
-        authentication::tls::{CaCert, TlsServerVerification, TlsVerification},
-        s3::{S3AccessStyle, S3ConnectionDef},
+        s3::{S3AccessStyle, S3ConnectionInlineOrReference},
+        tls_verification::{CaCert, TlsServerVerification, TlsVerification},
     },
     k8s_openapi::api::core::v1::ConfigMap,
 };
 use stackable_trino_crd::catalog::commons::{HdfsConnection, MetastoreConnection};
-use stackable_trino_crd::{
-    CONFIG_DIR_NAME, S3_SECRET_DIR_NAME, STACKABLE_CLIENT_TLS_DIR, STACKABLE_MOUNT_CLIENT_TLS_DIR,
-};
+use stackable_trino_crd::{CONFIG_DIR_NAME, STACKABLE_CLIENT_TLS_DIR};
 
 use super::{
     config::CatalogConfig,
     from_trino_catalog_error::{
-        CreateS3CredentialsSecretOperatorVolumeSnafu, CreateS3TLSSecretOperatorVolumeSnafu,
-        FailedToGetDiscoveryConfigMapDataKeySnafu, FailedToGetDiscoveryConfigMapDataSnafu,
-        FailedToGetDiscoveryConfigMapSnafu, ObjectHasNoNamespaceSnafu, ResolveS3ConnectionDefSnafu,
-        S3TlsNoVerificationNotSupportedSnafu,
+        ConfigureS3Snafu, FailedToGetDiscoveryConfigMapDataKeySnafu,
+        FailedToGetDiscoveryConfigMapDataSnafu, FailedToGetDiscoveryConfigMapSnafu,
+        ObjectHasNoNamespaceSnafu, S3TlsNoVerificationNotSupportedSnafu,
     },
     ExtendCatalogConfig, FromTrinoCatalogError,
 };
@@ -74,7 +71,7 @@ impl ExtendCatalogConfig for MetastoreConnection {
 }
 
 #[async_trait]
-impl ExtendCatalogConfig for S3ConnectionDef {
+impl ExtendCatalogConfig for S3ConnectionInlineOrReference {
     async fn extend_catalog_config(
         &self,
         catalog_config: &mut CatalogConfig,
@@ -83,84 +80,52 @@ impl ExtendCatalogConfig for S3ConnectionDef {
         client: &Client,
     ) -> Result<(), FromTrinoCatalogError> {
         let s3 = self
+            .clone()
             .resolve(
                 client,
                 catalog_namespace
                     .as_deref()
                     .context(ObjectHasNoNamespaceSnafu)?,
             )
             .await
-            .context(ResolveS3ConnectionDefSnafu)?;
+            .context(ConfigureS3Snafu)?;
 
-        if let Some(endpoint) = s3.endpoint() {
-            catalog_config.add_property("hive.s3.endpoint", endpoint)
-        }
-        if let Some(S3AccessStyle::Path) = s3.access_style {
-            catalog_config.add_property("hive.s3.path-style-access", true.to_string())
-        }
+        catalog_config.add_property("hive.s3.endpoint", s3.endpoint().context(ConfigureS3Snafu)?);
+        catalog_config.add_property(
+            "hive.s3.path-style-access",
+            (s3.access_style == S3AccessStyle::Path).to_string(),
+        );
+
+        let (volumes, mounts) = s3
+            .volumes_and_mounts(catalog_name)
+            .context(ConfigureS3Snafu)?;
+        catalog_config.volumes.extend(volumes);
+        catalog_config.volume_mounts.extend(mounts);
 
-        if let Some(credentials) = s3.credentials {
-            let secret_class = credentials.secret_class;
-            let volume_name = format!("{catalog_name}-{secret_class}");
-            let volume_mount_path = format!("{S3_SECRET_DIR_NAME}/{catalog_name}/{secret_class}");
-            catalog_config.volumes.push(
-                VolumeBuilder::new(&volume_name)
-                    .ephemeral(
-                        SecretOperatorVolumeSourceBuilder::new(&secret_class)
-                            .build()
-                            .context(CreateS3CredentialsSecretOperatorVolumeSnafu)?,
-                    )
-                    .build(),
-            );
-            catalog_config
-                .volume_mounts
-                .push(VolumeMountBuilder::new(&volume_name, &volume_mount_path).build());
-
-            catalog_config.add_env_property_from_file(
-                "hive.s3.aws-access-key",
-                format!("{volume_mount_path}/accessKey"),
-            );
-            catalog_config.add_env_property_from_file(
-                "hive.s3.aws-secret-key",
-                format!("{volume_mount_path}/secretKey"),
-            );
+        if let Some((access_key, secret_key)) = s3.credentials_mount_paths(catalog_name) {
+            catalog_config.add_env_property_from_file("hive.s3.aws-access-key", access_key);
+            catalog_config.add_env_property_from_file("hive.s3.aws-secret-key", secret_key);
         }
 
-        catalog_config.add_property("hive.s3.ssl.enabled", s3.tls.is_some().to_string());
-        if let Some(tls) = s3.tls {
+        catalog_config.add_property("hive.s3.ssl.enabled", s3.tls.uses_tls().to_string());
+        if let Some(tls) = s3.tls.tls.as_ref() {
             match &tls.verification {
                 TlsVerification::None {} => return S3TlsNoVerificationNotSupportedSnafu.fail(),
                 TlsVerification::Server(TlsServerVerification {
                     ca_cert: CaCert::WebPki {},
                 }) => {}
                 TlsVerification::Server(TlsServerVerification {
-                    ca_cert: CaCert::SecretClass(secret_class),
+                    ca_cert: CaCert::SecretClass(_),
                 }) => {
-                    // Add needed ca-cert secretclass mount
-                    let volume_name = format!("{catalog_name}-{secret_class}-ca-cert");
-                    let volume_mount_path =
-                        format!("{STACKABLE_MOUNT_CLIENT_TLS_DIR}/{catalog_name}/{secret_class}");
-                    catalog_config.volumes.push(
-                        VolumeBuilder::new(&volume_name)
-                            .ephemeral(
-                                SecretOperatorVolumeSourceBuilder::new(secret_class)
-                                    .build()
-                                    .context(CreateS3TLSSecretOperatorVolumeSnafu)?,
-                            )
-                            .build(),
-                    );
-                    catalog_config
-                        .volume_mounts
-                        .push(VolumeMountBuilder::new(&volume_name, &volume_mount_path).build());
-
-                    // Copy the ca.crt from the ca-cert secretclass into truststore for external services
-                    catalog_config.init_container_extra_start_commands.extend(
-                        command::add_cert_to_truststore(
-                            format!("{volume_mount_path}/ca.crt").as_str(),
-                            STACKABLE_CLIENT_TLS_DIR,
-                            &volume_name,
-                        ),
-                    );
+                    if let Some(ca_cert) = s3.tls.tls_ca_cert_mount_path() {
+                        catalog_config.init_container_extra_start_commands.extend(
+                            command::add_cert_to_truststore(
+                                &ca_cert,
+                                STACKABLE_CLIENT_TLS_DIR,
+                                &format!("{catalog_name}-ca-cert"),
+                            ),
+                        );
+                    }
                 }
             }
         }

rust/operator-binary/src/catalog/mod.rs

@@ -12,18 +12,22 @@ pub mod tpch;
 use self::config::CatalogConfig;
 use async_trait::async_trait;
 use snafu::Snafu;
-use stackable_operator::client::Client;
+use stackable_operator::{
+    client::Client,
+    commons::{s3::S3Error, tls_verification::TlsClientDetailsError},
+};
 
 #[derive(Debug, Snafu)]
 #[snafu(module)]
 pub enum FromTrinoCatalogError {
     #[snafu(display("object has no namespace"))]
     ObjectHasNoNamespace,
 
-    #[snafu(display("failed to resolve S3ConnectionDef"))]
-    ResolveS3ConnectionDef {
-        source: stackable_operator::commons::s3::Error,
-    },
+    #[snafu(display("failed to configure S3 connection"))]
+    ConfigureS3 { source: S3Error },
+
+    #[snafu(display("failed to configure S3 TLS client details"))]
+    ConfigureS3TlsClientDetails { source: TlsClientDetailsError },
 
     #[snafu(display("trino does not support disabling the TLS verification of S3 servers"))]
     S3TlsNoVerificationNotSupported,
@@ -56,11 +60,6 @@ pub enum FromTrinoCatalogError {
     CreateS3CredentialsSecretOperatorVolume {
         source: stackable_operator::builder::pod::volume::SecretOperatorVolumeSourceBuilderError,
     },
-
-    #[snafu(display("Failed to create the Secret Volume for the TLS certificate for S3"))]
-    CreateS3TLSSecretOperatorVolume {
-        source: stackable_operator::builder::pod::volume::SecretOperatorVolumeSourceBuilderError,
-    },
 }
 
 #[async_trait]