diff --git a/.gitignore b/.gitignore
index 2dbc7ab0..abc7ff9a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ result
 image.tar
 tilt_options.json
+local_values.yaml
 .direnv/
 .direnvrc
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5afad7ed..36e84073 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+## [25.11.0-rc1] - 2025-11-06
+
 ### Added
 - Add end-of-support checker which can be controlled with environment variables and CLI arguments ([#644]).
diff --git a/Cargo.lock b/Cargo.lock
index 5266e0a5..276fe433 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -355,7 +355,7 @@ dependencies = [ [[package]] name = "cert-tools" -version = "0.0.0-dev" +version = "25.11.0-rc1" dependencies = [ "clap", "hex",
@@ -2334,7 +2334,7 @@ dependencies = [ [[package]] name = "p12" -version = "0.0.0-dev" +version = "25.11.0-rc1" dependencies = [ "cbc", "cipher",
@@ -3388,7 +3388,7 @@ dependencies = [ [[package]] name = "stackable-krb5-provision-keytab" -version = "0.0.0-dev" +version = "25.11.0-rc1" dependencies = [ "byteorder", "futures 0.3.31",
@@ -3458,7 +3458,7 @@ dependencies = [ [[package]] name = "stackable-secret-operator" -version = "0.0.0-dev" +version = "25.11.0-rc1" dependencies = [ "anyhow", "async-trait",
@@ -3499,7 +3499,7 @@ dependencies = [ [[package]] name = "stackable-secret-operator-olm-deployer" -version = "0.0.0-dev" +version = "25.11.0-rc1" dependencies = [ "anyhow", "built",
@@ -3515,7 +3515,7 @@ dependencies = [ [[package]] name = "stackable-secret-operator-utils" -version = "0.0.0-dev" +version = "25.11.0-rc1" dependencies = [ "anyhow", "openssl",
diff --git a/Cargo.nix b/Cargo.nix
index 0a890cd1..3f161a97 100644
--- a/Cargo.nix
+++ b/Cargo.nix
@@ -1169,7 +1169,7 @@ rec { }; "cert-tools" = rec { crateName = "cert-tools"; - version = "0.0.0-dev"; + version = "25.11.0-rc1"; edition = "2021"; crateBin = [ {
@@ -8064,7 +8064,7 @@ rec { }; "p12" = rec { crateName = "p12"; - version = "0.0.0-dev"; + version = "25.11.0-rc1"; edition = "2021"; src = lib.cleanSourceWith { filter = sourceFilter; src = ./rust/p12; }; authors = [
@@ -11554,7 +11554,7 @@ rec { }; "stackable-krb5-provision-keytab" = rec { crateName = "stackable-krb5-provision-keytab"; - version = "0.0.0-dev"; + version = "25.11.0-rc1"; edition = "2021"; crateBin = [ {
@@ -11846,7 +11846,7 @@ rec { }; "stackable-secret-operator" = rec { crateName = "stackable-secret-operator"; - version = "0.0.0-dev"; + version = "25.11.0-rc1"; edition = "2021"; crateBin = [ {
@@ -12026,7 +12026,7 @@ rec { }; "stackable-secret-operator-olm-deployer" = rec { crateName = "stackable-secret-operator-olm-deployer"; - version = "0.0.0-dev"; + version = "25.11.0-rc1"; edition = "2021"; crateBin = [ {
@@ -12091,7 +12091,7 @@ rec { }; "stackable-secret-operator-utils" = rec { crateName = "stackable-secret-operator-utils"; - version = "0.0.0-dev"; + version = "25.11.0-rc1"; edition = "2021"; src = lib.cleanSourceWith { filter = sourceFilter; src = ./rust/utils; }; libName = "stackable_secret_operator_utils";
diff --git a/Cargo.toml b/Cargo.toml
index 701c2290..a316928e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,7 +4,7 @@ default-members = ["rust/operator-binary"]
 resolver = "2"
 [workspace.package]
-version = "0.0.0-dev"
+version = "25.11.0-rc1"
 authors = ["Stackable GmbH "]
 license = "OSL-3.0"
 edition = "2021"
diff --git a/Makefile b/Makefile
index 96e1030d..9afd741a 100644
--- a/Makefile
+++ b/Makefile
@@ -105,7 +105,6 @@ compile-chart: version crds config
 chart-clean:
 rm -rf "deploy/helm/${OPERATOR_NAME}/configs"
- rm -rf "deploy/helm/${OPERATOR_NAME}/crds"
 version:
 cat "deploy/helm/${OPERATOR_NAME}/Chart.yaml" | yq ".version = \"${VERSION}\" | .appVersion = \"${VERSION}\"" > "deploy/helm/${OPERATOR_NAME}/Chart.yaml.new"
@@ -117,9 +116,11 @@ config:
 cp -r deploy/config-spec/* "deploy/helm/${OPERATOR_NAME}/configs";\
 fi
+# We generate a crds.yaml, so that the effect of code changes are visible.
+# The operator will take care of the CRD rollout itself.
 crds:
- mkdir -p deploy/helm/"${OPERATOR_NAME}"/crds
- cargo run --bin stackable-"${OPERATOR_NAME}" -- crd | yq eval '.metadata.annotations["helm.sh/resource-policy"]="keep"' - > "deploy/helm/${OPERATOR_NAME}/crds/crds.yaml"
+ mkdir -p extra
+ cargo run --bin stackable-"${OPERATOR_NAME}" -- crd > extra/crds.yaml
 chart-lint: compile-chart
 docker run -it -v $(shell pwd):/build/helm-charts -w /build/helm-charts quay.io/helmpack/chart-testing:v3.5.0 ct lint --config deploy/helm/ct.yaml
diff --git a/Tiltfile b/Tiltfile
index ee0941c3..53c3a8e4 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -17,11 +17,6 @@ custom_build(
 outputs_image_ref_to='result/ref',
 )
-# Load the latest CRDs from Nix
-watch_file('result')
-if os.path.exists('result'):
- k8s_yaml('result/crds.yaml')
-
 # We need to set the correct image annotation on the operator Deployment to use e.g.
 # oci.stackable.tech/sandbox/opa-operator:7y19m3d8clwxlv34v5q2x4p7v536s00g instead of
 # oci.stackable.tech/sandbox/opa-operator:0.0.0-dev (which does not exist)
@@ -35,18 +30,12 @@ helm_values = settings.get('helm_values', None)
 helm_override_image_repository = 'image.repository=' + registry + '/' + operator_name
-# Exclude stale CRDs from Helm chart, and apply the rest
-helm_crds, helm_non_crds = filter_yaml(
- helm(
- 'deploy/helm/' + operator_name,
- name=operator_name,
- namespace="stackable-operators",
- set=[
- helm_override_image_repository,
- ],
- values=helm_values,
- ),
- api_version = "^apiextensions\\.k8s\\.io/.*$",
- kind = "^CustomResourceDefinition$",
-)
-k8s_yaml(helm_non_crds)
+k8s_yaml(helm(
+ 'deploy/helm/' + operator_name,
+ name=operator_name,
+ namespace="stackable-operators",
+ set=[
+ helm_override_image_repository,
+ ],
+ values=helm_values,
+))
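Review bot: In the new `crds` recipe, `cargo run ... -- crd > extra/crds.yaml` truncates the tracked `extra/crds.yaml` before cargo has compiled or printed anything, so a build failure leaves an empty file in the working tree that is easy to commit by accident (the old `| yq ... > ...` pipeline had the same weakness). Writing to a temporary file and renaming only on success avoids that: `cargo run --bin stackable-"${OPERATOR_NAME}" -- crd > extra/crds.yaml.tmp && mv extra/crds.yaml.tmp extra/crds.yaml`. The new comment should read "so that the effect of code changes is visible", and it is worth stating there that the file is committed and diffed on purpose, now that the `helm.sh/resource-policy: keep` annotation the old recipe injected is gone together with the chart's `crds/` directory. The `crds` target is complete within the hunk.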
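Review bot: After this hunk (together with the removal of the `result/crds.yaml` load in the hunk above) the Tiltfile applies no CRDs at all: the chart's `crds/` directory is deleted in this commit and the `filter_yaml` split is gone, so the SecretClass and TrustStore CRDs only reach the dev cluster if the operator installs them itself. The chart gates that on `.Values.maintenance.customResourceDefinitions.maintain` (see the `service.yaml` template in this diff), so a `helm_values` file that disables it leaves the cluster without the CRDs and nothing in the Tiltfile says so. A comment above the `k8s_yaml(helm(` call would make the expectation explicit, e.g. `# CRDs are no longer applied here; the operator installs/maintains them itself, so keep maintenance.customResourceDefinitions.maintain enabled in helm_values`. The hunk appears to run to the end of the file, so no later code could re-apply them.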
diff --git a/deploy/helm/secret-operator/Chart.yaml b/deploy/helm/secret-operator/Chart.yaml
index 921bb49b..354c2b1e 100644
--- a/deploy/helm/secret-operator/Chart.yaml
+++ b/deploy/helm/secret-operator/Chart.yaml
@@ -1,8 +1,8 @@
 ---
 apiVersion: v2
 name: secret-operator
-version: "0.0.0-dev"
-appVersion: "0.0.0-dev"
+version: "25.11.0-rc1"
+appVersion: "25.11.0-rc1"
 description: The Stackable Operator for Stackable Secret Operator
 home: https://github.com/stackabletech/secret-operator
 maintainers:
diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml
deleted file mode 100644
index 19c870e5..00000000
--- a/deploy/helm/secret-operator/crds/crds.yaml
+++ /dev/null
@@ -1,937 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: secretclasses.secrets.stackable.tech - annotations: - helm.sh/resource-policy: keep -spec: - group: secrets.stackable.tech - names: - categories: [] - kind: SecretClass - plural: secretclasses - shortNames: [] - singular: secretclass - scope: Cluster - versions: - - additionalPrinterColumns: [] - name: v1alpha2 - schema: - openAPIV3Schema: - description: Auto-generated derived type for SecretClassSpec via `CustomResource` - properties: - spec: - description: |- - A [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) is a cluster-global Kubernetes resource - that defines a category of secrets that the Secret Operator knows how to provision. - properties: - backend: - description: |- - Each SecretClass is associated with a single - [backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend), - which dictates the mechanism for issuing that kind of Secret. - oneOf: - - required: - - k8sSearch - - required: - - autoTls - - required: - - certManager - - required: - - kerberosKeytab - properties: - autoTls: - description: |- - The [`autoTls` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-autotls) - issues a TLS certificate signed by the Secret Operator. - The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator. - - A new certificate and key pair will be generated and signed for each Pod, keys or certificates are never reused. - properties: - additionalTrustRoots: - default: [] - description: Additional trust roots which are added to the provided `ca.crt` file. - items: - oneOf: - - required: - - configMap - - required: - - secret - properties: - configMap: - description: |- - Reference (name and namespace) to a Kubernetes ConfigMap object where additional - certificates are stored. 
- The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack - of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER - certificate. - properties: - name: - description: Name of the ConfigMap being referred to. - type: string - namespace: - description: Namespace of the ConfigMap being referred to. - type: string - required: - - name - - namespace - type: object - secret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where additional certificates - are stored. - The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack - of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER - certificate. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - type: object - type: array - ca: - description: Configures the certificate authority used to issue Pod certificates. - properties: - autoGenerate: - default: false - description: |- - Whether the certificate authority should be managed by Secret Operator, including being generated - if it does not already exist. - type: boolean - caCertificateLifetime: - default: 365d - description: |- - The lifetime of each generated certificate authority. - - Should always be more than double `maxCertificateLifetime`. - - If `autoGenerate: true` then the Secret Operator will prepare a new CA certificate the old CA approaches expiration. - If `autoGenerate: false` then the Secret Operator will log a warning instead. - type: string - caCertificateRetirementDuration: - default: 1h - description: |- - Duration at the end of the CA certificate lifetime where no signed certificate will exist. - - Retired (or expired) CA certificates will not be published and will not be used for - signing leaf certificates. 
- type: string - keyGeneration: - default: - rsa: - length: 2048 - description: |- - The algorithm used to generate a key pair and required configuration settings. - Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured. - oneOf: - - required: - - rsa - properties: - rsa: - properties: - length: - description: |- - The amount of bits used for generating the RSA keypair. - Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits. - enum: - - 2048 - - 3072 - - 4096 - type: integer - required: - - length - type: object - type: object - secret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where the CA certificate - and key is stored in the keys `ca.crt` and `ca.key` respectively. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - required: - - secret - type: object - maxCertificateLifetime: - default: 15d - description: |- - Maximum lifetime the created certificates are allowed to have. - In case consumers request a longer lifetime than allowed by this setting, - the lifetime will be the minimum of both, so this setting takes precedence. - The default value is 15 days. - - The maximum lifetime must be less than a quarter of the active CA certificate lifetime - where the active CA certificate lifetime is `ca.ca_certificate_lifetime - - ca.ca_certificate_retirement_duration` to ensure that two subjects always have a common - CA certificate in their trust stores – assuming that CAs are rotated at half of their - active lifetimes. - - For instance, if a pod is created right before half of the active CA lifetime has - passed, then it is signed by this CA but it does not know yet the new CA certificate - which is created right afterwards. 
If another pod is created so that its certificate - lifetime ends right after the first active CA lifetime then it is signed by the new CA. - The `max_certificate_lifetime` must be chosen so that these two pods have no - overlapping lifetimes, otherwise the first pod would see the second one signed by an - unknown CA certificate. This can be achieved by the mentioned formula. - type: string - required: - - ca - type: object - certManager: - description: |- - The [`certManager` backend][1] injects a TLS certificate issued by [cert-manager]. - - A new certificate will be requested the first time it is used by a Pod, it - will be reused after that (subject to cert-manager renewal rules). - - [1]: https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-certmanager - [cert-manager]: https://cert-manager.io/ - properties: - defaultCertificateLifetime: - default: 1d - description: |- - The default lifetime of certificates. - - Defaults to 1 day. This may need to be increased for external issuers that impose rate limits (such as Let's Encrypt). - type: string - issuer: - description: A reference to the cert-manager issuer that the certificates should be requested from. - properties: - kind: - description: |- - The kind of the issuer, Issuer or ClusterIssuer. - - If Issuer then it must be in the same namespace as the Pods using it. - enum: - - Issuer - - ClusterIssuer - type: string - name: - description: The name of the issuer. - type: string - required: - - kind - - name - type: object - keyGeneration: - default: - rsa: - length: 2048 - description: |- - The algorithm used to generate a key pair and required configuration settings. - Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured. - oneOf: - - required: - - rsa - properties: - rsa: - properties: - length: - description: |- - The amount of bits used for generating the RSA keypair. - Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits. 
- enum: - - 2048 - - 3072 - - 4096 - type: integer - required: - - length - type: object - type: object - required: - - issuer - type: object - k8sSearch: - description: |- - The [`k8sSearch` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-k8ssearch) - can be used to mount Secrets across namespaces into Pods. - properties: - searchNamespace: - description: Configures the namespace searched for Secret objects. - oneOf: - - required: - - pod - - required: - - name - properties: - name: - description: |- - The Secret objects are located in a single global namespace. - Should be used for secrets that are provisioned by the cluster administrator. - type: string - pod: - description: |- - The Secret objects are located in the same namespace as the Pod object. - Should be used for Secrets that are provisioned by the application administrator. - type: object - type: object - trustStoreConfigMapName: - description: |- - Name of a ConfigMap that contains the information required to validate against this SecretClass. - - Resolved relative to `search_namespace`. - - Required to request a TrustStore for this SecretClass. - nullable: true - type: string - required: - - searchNamespace - type: object - kerberosKeytab: - description: |- - The [`kerberosKeytab` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-kerberoskeytab) - creates a Kerberos keytab file for a selected realm. - The Kerberos KDC and administrator credentials must be provided by the administrator. - properties: - admin: - description: Kerberos admin configuration settings. - oneOf: - - required: - - mit - - required: - - activeDirectory - properties: - activeDirectory: - description: Credentials should be provisioned in a Microsoft Active Directory domain. - properties: - generateSamAccountName: - description: |- - Allows samAccountName generation for new accounts to be customized. 
- Note that setting this field (even if empty) makes the Secret Operator take - over the generation duty from the domain controller. - nullable: true - properties: - prefix: - default: '' - description: A prefix to be prepended to generated samAccountNames. - type: string - totalLength: - default: 20 - description: |- - The total length of generated samAccountNames, _including_ `prefix`. - Must be larger than the length of `prefix`, but at most `20`. - - Note that this should be as large as possible, to minimize the risk of collisions. - format: uint8 - maximum: 255.0 - minimum: 0.0 - type: integer - type: object - ldapServer: - description: |- - An AD LDAP server, such as the AD Domain Controller. - This must match the server’s FQDN, or GSSAPI authentication will fail. - type: string - ldapTlsCaSecret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object containing - the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - passwordCacheSecret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where workload - passwords will be stored. This must not be accessible to end users. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - schemaDistinguishedName: - description: |- - The root Distinguished Name (DN) for AD-managed schemas, - typically `CN=Schema,CN=Configuration,{domain_dn}`. - type: string - userDistinguishedName: - description: |- - The root Distinguished Name (DN) where service accounts should be provisioned, - typically `CN=Users,{domain_dn}`. 
- type: string - required: - - ldapServer - - ldapTlsCaSecret - - passwordCacheSecret - - schemaDistinguishedName - - userDistinguishedName - type: object - mit: - description: Credentials should be provisioned in a MIT Kerberos Admin Server. - properties: - kadminServer: - description: |- - The hostname of the Kerberos Admin Server. - This should be provided by the Kerberos administrator. - type: string - required: - - kadminServer - type: object - type: object - adminKeytabSecret: - description: |- - Reference (`name` and `namespace`) to a K8s Secret object where a - keytab with administrative privileges is stored in the key `keytab`. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - adminPrincipal: - description: The admin principal. - type: string - kdc: - description: |- - The hostname of the Kerberos Key Distribution Center (KDC). - This should be provided by the Kerberos administrator. - type: string - realmName: - description: The name of the Kerberos realm. This should be provided by the Kerberos administrator. - type: string - required: - - admin - - adminKeytabSecret - - adminPrincipal - - kdc - - realmName - type: object - type: object - required: - - backend - type: object - required: - - spec - title: SecretClass - type: object - served: true - storage: true - subresources: {} - - additionalPrinterColumns: [] - name: v1alpha1 - schema: - openAPIV3Schema: - description: Auto-generated derived type for SecretClassSpec via `CustomResource` - properties: - spec: - description: |- - A [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) is a cluster-global Kubernetes resource - that defines a category of secrets that the Secret Operator knows how to provision. 
- properties: - backend: - description: |- - Each SecretClass is associated with a single - [backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend), - which dictates the mechanism for issuing that kind of Secret. - oneOf: - - required: - - k8sSearch - - required: - - autoTls - - required: - - experimentalCertManager - - required: - - kerberosKeytab - properties: - autoTls: - description: |- - The [`autoTls` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-autotls) - issues a TLS certificate signed by the Secret Operator. - The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator. - - A new certificate and key pair will be generated and signed for each Pod, keys or certificates are never reused. - properties: - additionalTrustRoots: - default: [] - description: Additional trust roots which are added to the provided `ca.crt` file. - items: - oneOf: - - required: - - configMap - - required: - - secret - properties: - configMap: - description: |- - Reference (name and namespace) to a Kubernetes ConfigMap object where additional - certificates are stored. - The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack - of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER - certificate. - properties: - name: - description: Name of the ConfigMap being referred to. - type: string - namespace: - description: Namespace of the ConfigMap being referred to. - type: string - required: - - name - - namespace - type: object - secret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where additional certificates - are stored. - The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack - of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER - certificate. 
- properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - type: object - type: array - ca: - description: Configures the certificate authority used to issue Pod certificates. - properties: - autoGenerate: - default: false - description: |- - Whether the certificate authority should be managed by Secret Operator, including being generated - if it does not already exist. - type: boolean - caCertificateLifetime: - default: 365d - description: |- - The lifetime of each generated certificate authority. - - Should always be more than double `maxCertificateLifetime`. - - If `autoGenerate: true` then the Secret Operator will prepare a new CA certificate the old CA approaches expiration. - If `autoGenerate: false` then the Secret Operator will log a warning instead. - type: string - caCertificateRetirementDuration: - default: 1h - description: |- - Duration at the end of the CA certificate lifetime where no signed certificate will exist. - - Retired (or expired) CA certificates will not be published and will not be used for - signing leaf certificates. - type: string - keyGeneration: - default: - rsa: - length: 2048 - description: |- - The algorithm used to generate a key pair and required configuration settings. - Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured. - oneOf: - - required: - - rsa - properties: - rsa: - properties: - length: - description: |- - The amount of bits used for generating the RSA keypair. - Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits. - enum: - - 2048 - - 3072 - - 4096 - type: integer - required: - - length - type: object - type: object - secret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where the CA certificate - and key is stored in the keys `ca.crt` and `ca.key` respectively. 
- properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - required: - - secret - type: object - maxCertificateLifetime: - default: 15d - description: |- - Maximum lifetime the created certificates are allowed to have. - In case consumers request a longer lifetime than allowed by this setting, - the lifetime will be the minimum of both, so this setting takes precedence. - The default value is 15 days. - - The maximum lifetime must be less than a quarter of the active CA certificate lifetime - where the active CA certificate lifetime is `ca.ca_certificate_lifetime - - ca.ca_certificate_retirement_duration` to ensure that two subjects always have a common - CA certificate in their trust stores – assuming that CAs are rotated at half of their - active lifetimes. - - For instance, if a pod is created right before half of the active CA lifetime has - passed, then it is signed by this CA but it does not know yet the new CA certificate - which is created right afterwards. If another pod is created so that its certificate - lifetime ends right after the first active CA lifetime then it is signed by the new CA. - The `max_certificate_lifetime` must be chosen so that these two pods have no - overlapping lifetimes, otherwise the first pod would see the second one signed by an - unknown CA certificate. This can be achieved by the mentioned formula. - type: string - required: - - ca - type: object - experimentalCertManager: - description: |- - The [`certManager` backend][1] injects a TLS certificate issued by [cert-manager]. - - A new certificate will be requested the first time it is used by a Pod, it - will be reused after that (subject to cert-manager renewal rules). 
- - [1]: https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-certmanager - [cert-manager]: https://cert-manager.io/ - properties: - defaultCertificateLifetime: - default: 1d - description: |- - The default lifetime of certificates. - - Defaults to 1 day. This may need to be increased for external issuers that impose rate limits (such as Let's Encrypt). - type: string - issuer: - description: A reference to the cert-manager issuer that the certificates should be requested from. - properties: - kind: - description: |- - The kind of the issuer, Issuer or ClusterIssuer. - - If Issuer then it must be in the same namespace as the Pods using it. - enum: - - Issuer - - ClusterIssuer - type: string - name: - description: The name of the issuer. - type: string - required: - - kind - - name - type: object - keyGeneration: - default: - rsa: - length: 2048 - description: |- - The algorithm used to generate a key pair and required configuration settings. - Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured. - oneOf: - - required: - - rsa - properties: - rsa: - properties: - length: - description: |- - The amount of bits used for generating the RSA keypair. - Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits. - enum: - - 2048 - - 3072 - - 4096 - type: integer - required: - - length - type: object - type: object - required: - - issuer - type: object - k8sSearch: - description: |- - The [`k8sSearch` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-k8ssearch) - can be used to mount Secrets across namespaces into Pods. - properties: - searchNamespace: - description: Configures the namespace searched for Secret objects. - oneOf: - - required: - - pod - - required: - - name - properties: - name: - description: |- - The Secret objects are located in a single global namespace. - Should be used for secrets that are provisioned by the cluster administrator. 
- type: string - pod: - description: |- - The Secret objects are located in the same namespace as the Pod object. - Should be used for Secrets that are provisioned by the application administrator. - type: object - type: object - trustStoreConfigMapName: - description: |- - Name of a ConfigMap that contains the information required to validate against this SecretClass. - - Resolved relative to `search_namespace`. - - Required to request a TrustStore for this SecretClass. - nullable: true - type: string - required: - - searchNamespace - type: object - kerberosKeytab: - description: |- - The [`kerberosKeytab` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-kerberoskeytab) - creates a Kerberos keytab file for a selected realm. - The Kerberos KDC and administrator credentials must be provided by the administrator. - properties: - admin: - description: Kerberos admin configuration settings. - oneOf: - - required: - - mit - - required: - - activeDirectory - properties: - activeDirectory: - description: Credentials should be provisioned in a Microsoft Active Directory domain. - properties: - experimentalGenerateSamAccountName: - description: |- - Allows samAccountName generation for new accounts to be customized. - Note that setting this field (even if empty) makes the Secret Operator take - over the generation duty from the domain controller. - nullable: true - properties: - prefix: - default: '' - description: A prefix to be prepended to generated samAccountNames. - type: string - totalLength: - default: 20 - description: |- - The total length of generated samAccountNames, _including_ `prefix`. - Must be larger than the length of `prefix`, but at most `20`. - - Note that this should be as large as possible, to minimize the risk of collisions. - format: uint8 - maximum: 255.0 - minimum: 0.0 - type: integer - type: object - ldapServer: - description: |- - An AD LDAP server, such as the AD Domain Controller. 
- This must match the server’s FQDN, or GSSAPI authentication will fail. - type: string - ldapTlsCaSecret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object containing - the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - passwordCacheSecret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where workload - passwords will be stored. This must not be accessible to end users. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - schemaDistinguishedName: - description: |- - The root Distinguished Name (DN) for AD-managed schemas, - typically `CN=Schema,CN=Configuration,{domain_dn}`. - type: string - userDistinguishedName: - description: |- - The root Distinguished Name (DN) where service accounts should be provisioned, - typically `CN=Users,{domain_dn}`. - type: string - required: - - ldapServer - - ldapTlsCaSecret - - passwordCacheSecret - - schemaDistinguishedName - - userDistinguishedName - type: object - mit: - description: Credentials should be provisioned in a MIT Kerberos Admin Server. - properties: - kadminServer: - description: |- - The hostname of the Kerberos Admin Server. - This should be provided by the Kerberos administrator. - type: string - required: - - kadminServer - type: object - type: object - adminKeytabSecret: - description: |- - Reference (`name` and `namespace`) to a K8s Secret object where a - keytab with administrative privileges is stored in the key `keytab`. - properties: - name: - description: Name of the Secret being referred to. 
- type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - adminPrincipal: - description: The admin principal. - type: string - kdc: - description: |- - The hostname of the Kerberos Key Distribution Center (KDC). - This should be provided by the Kerberos administrator. - type: string - realmName: - description: The name of the Kerberos realm. This should be provided by the Kerberos administrator. - type: string - required: - - admin - - adminKeytabSecret - - adminPrincipal - - kdc - - realmName - type: object - type: object - required: - - backend - type: object - required: - - spec - title: SecretClass - type: object - served: true - storage: false - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: truststores.secrets.stackable.tech - annotations: - helm.sh/resource-policy: keep -spec: - group: secrets.stackable.tech - names: - categories: [] - kind: TrustStore - plural: truststores - shortNames: [] - singular: truststore - scope: Namespaced - versions: - - additionalPrinterColumns: [] - name: v1alpha1 - schema: - openAPIV3Schema: - description: Auto-generated derived type for TrustStoreSpec via `CustomResource` - properties: - spec: - description: |- - A [TrustStore](https://docs.stackable.tech/home/nightly/secret-operator/truststore) requests information about how to - validate secrets issued by a [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass). - - The requested information is written to a ConfigMap with the same name as the TrustStore. - properties: - format: - description: The [format](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#format) that the data should be converted into. 
- enum: - - tls-pem - - tls-pkcs12 - - kerberos - - null - nullable: true - type: string - secretClassName: - description: The name of the SecretClass that the request concerns. - type: string - targetKind: - default: ConfigMap - description: |- - Which Kubernetes kind should be used to output the requested information to. - - The trust information (such as a `ca.crt`) can be considered public information, so we put - it in a `ConfigMap` by default. However, some tools might require it to be placed in a - `Secret`, so we also support that. - - Can be either `ConfigMap` or `Secret`, defaults to `ConfigMap`. - enum: - - Secret - - ConfigMap - type: string - required: - - secretClassName - type: object - required: - - spec - title: TrustStore - type: object - served: true - storage: true - subresources: {}
diff --git a/deploy/helm/secret-operator/templates/service.yaml b/deploy/helm/secret-operator/templates/service.yaml
index 0cb05696..5cf6439b 100644
--- a/deploy/helm/secret-operator/templates/service.yaml
+++ b/deploy/helm/secret-operator/templates/service.yaml
@@ -1,4 +1,4 @@
-
+{{- if .Values.maintenance.customResourceDefinitions.maintain }}
 ---
 apiVersion: v1
 kind: Service
@@ -11,9 +11,11 @@ metadata:
 {{- include "operator.labels" . | nindent 4 }}
 spec:
 selector:
- {{- include "operator.selectorLabels" . | nindent 6 }}
+ webhook.stackable.tech/conversion: enabled
+ {{- include "operator.selectorLabels" . | nindent 4 }}
 ports:
 - name: conversion-webhook
 protocol: TCP
 port: 8443
 targetPort: 8443
+{{- end }}
diff --git a/docs/antora.yml b/docs/antora.yml
index d522680b..5e6e6767 100644
--- a/docs/antora.yml
+++ b/docs/antora.yml
@@ -1,3 +1,4 @@
 ---
 name: home
-version: "nightly"
+version: "25.11"
+prerelease: false
diff --git a/extra/crds.yaml b/extra/crds.yaml
index 79abcc4a..9cefa3b4 100644
--- a/extra/crds.yaml
+++ b/extra/crds.yaml
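Review bot: The selector in the second `service.yaml` hunk now requires the pod label `webhook.stackable.tech/conversion: enabled` in addition to the operator selector labels, but nothing in this diff adds that label to the operator Deployment's pod template; if it is missing there, the conversion-webhook Service has no endpoints and every conversion request routed through it fails. Confirm the Deployment template sets it, and add a template comment above `selector:` such as `{{/* Only pods serving the conversion webhook are selected; the label is set on the operator pod template */}}` so the coupling is visible. Wrapping the whole Service in `{{- if .Values.maintenance.customResourceDefinitions.maintain }}` (first hunk) also means no webhook Service exists when CRD maintenance is disabled, which is presumably intended but deserves a comment or a values note so users who manage CRDs themselves know the conversion endpoint is not deployed. The `nindent 6` → `nindent 4` change is consistent with the new sibling key and looks correct.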
@@ -21,13 +21,13 @@ spec: properties: spec: description: |- - A [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) is a cluster-global Kubernetes resource + A [SecretClass](https://docs.stackable.tech/home/25.11/secret-operator/secretclass) is a cluster-global Kubernetes resource that defines a category of secrets that the Secret Operator knows how to provision. properties: backend: description: |- Each SecretClass is associated with a single - [backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend), + [backend](https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend), which dictates the mechanism for issuing that kind of Secret. oneOf: - required: @@ -41,7 +41,7 @@ spec: properties: autoTls: description: |- - The [`autoTls` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-autotls) + The [`autoTls` backend](https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend-autotls) issues a TLS certificate signed by the Secret Operator. The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator. @@ -198,7 +198,7 @@ spec: A new certificate will be requested the first time it is used by a Pod, it will be reused after that (subject to cert-manager renewal rules). - [1]: https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-certmanager + [1]: https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend-certmanager [cert-manager]: https://cert-manager.io/ properties: defaultCertificateLifetime: 
@@ -258,7 +258,7 @@ spec: type: object k8sSearch: description: |- - The [`k8sSearch` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-k8ssearch) + The [`k8sSearch` backend](https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend-k8ssearch) can be used to mount Secrets across namespaces into Pods. properties: searchNamespace: @@ -294,7 +294,7 @@ spec: type: object kerberosKeytab: description: |- - The [`kerberosKeytab` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-kerberoskeytab) + The [`kerberosKeytab` backend](https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend-kerberoskeytab) creates a Kerberos keytab file for a selected realm. The Kerberos KDC and administrator credentials must be provided by the administrator. properties: @@ -448,13 +448,13 @@ spec: properties: spec: description: |- - A [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) is a cluster-global Kubernetes resource + A [SecretClass](https://docs.stackable.tech/home/25.11/secret-operator/secretclass) is a cluster-global Kubernetes resource that defines a category of secrets that the Secret Operator knows how to provision. properties: backend: description: |- Each SecretClass is associated with a single - [backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend), + [backend](https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend), which dictates the mechanism for issuing that kind of Secret. oneOf: - required: 
@@ -468,7 +468,7 @@ spec: properties: autoTls: description: |- - The [`autoTls` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-autotls) + The [`autoTls` backend](https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend-autotls) issues a TLS certificate signed by the Secret Operator. The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator. @@ -625,7 +625,7 @@ spec: A new certificate will be requested the first time it is used by a Pod, it will be reused after that (subject to cert-manager renewal rules). - [1]: https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-certmanager + [1]: https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend-certmanager [cert-manager]: https://cert-manager.io/ properties: defaultCertificateLifetime: @@ -685,7 +685,7 @@ spec: type: object k8sSearch: description: |- - The [`k8sSearch` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-k8ssearch) + The [`k8sSearch` backend](https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend-k8ssearch) can be used to mount Secrets across namespaces into Pods. properties: searchNamespace: @@ -721,7 +721,7 @@ spec: type: object kerberosKeytab: description: |- - The [`kerberosKeytab` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-kerberoskeytab) + The [`kerberosKeytab` backend](https://docs.stackable.tech/home/25.11/secret-operator/secretclass#backend-kerberoskeytab) creates a Kerberos keytab file for a selected realm. The Kerberos KDC and administrator credentials must be provided by the administrator. properties: 
@@ -890,13 +890,13 @@ spec: properties: spec: description: |- - A [TrustStore](https://docs.stackable.tech/home/nightly/secret-operator/truststore) requests information about how to - validate secrets issued by a [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass). + A [TrustStore](https://docs.stackable.tech/home/25.11/secret-operator/truststore) requests information about how to + validate secrets issued by a [SecretClass](https://docs.stackable.tech/home/25.11/secret-operator/secretclass). The requested information is written to a ConfigMap with the same name as the TrustStore. properties: format: - description: The [format](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#format) that the data should be converted into. + description: The [format](https://docs.stackable.tech/home/25.11/secret-operator/secretclass#format) that the data should be converted into. enum: - tls-pem - tls-pkcs12 diff --git a/rust/cert-tools/Cargo.toml b/rust/cert-tools/Cargo.toml index 1172ce53..12dcab93 100644 --- a/rust/cert-tools/Cargo.toml +++ b/rust/cert-tools/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "cert-tools" description = "A CLI tool to merge two truststores in PEM or PKCS12 format in such as way that they are accepted by the JVM" -version = "0.0.0-dev" +version = "25.11.0-rc1" authors.workspace = true license.workspace = true edition.workspace = true diff --git a/scripts/run-tests b/scripts/run-tests index 00639f45..7fa07fc5 100755 --- a/scripts/run-tests +++ b/scripts/run-tests @@ -11,6 +11,7 @@ import shutil import subprocess import sys import tempfile +import time __version__ = "0.0.1" @@ -451,6 +452,7 @@ def main(argv) -> int: gen_tests(opts.test_suite, opts.namespace, opts.work_dir) with release_file(opts.operator, opts.skip_operator) as f: maybe_install_release(opts.skip_release, f, opts.listener_class_preset) + time.sleep(10) if opts.skip_tests: logging.info("Skip running tests.") else: 
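Review bot: The bare `time.sleep(10)` after `maybe_install_release(...)` is an unexplained fixed wait, presumably to let the freshly installed operator and its conversion webhook become ready before the tests create custom resources; it is flaky on slow clusters, wasteful on fast ones, and it also runs when nothing was installed (assuming `maybe_install_release` is a no-op under `--skip-release`, as its name suggests). Prefer polling for readiness, e.g. `subprocess.run(["kubectl", "rollout", "status", "--timeout=120s", <operator workload>], check=True)` against the operator's DaemonSet/Deployment, and if the sleep must stay, at least guard and explain it: `if not opts.skip_release: time.sleep(10)  # let the operator's conversion webhook come up before CRs are created`. The enclosing `main` starts outside the hunk.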
diff --git a/tests/release.yaml b/tests/release.yaml index ef1ad6e5..e44997a4 100644 --- a/tests/release.yaml +++ b/tests/release.yaml @@ -7,8 +7,8 @@ releases: description: Integration test products: commons: - operatorVersion: 0.0.0-dev + operatorVersion: 25.11.0-rc1 secret: - operatorVersion: 0.0.0-dev + operatorVersion: 25.11.0-rc1 listener: - operatorVersion: 0.0.0-dev + operatorVersion: 25.11.0-rc1