diff --git a/.gitignore b/.gitignore
index 2dbc7ab0..abc7ff9a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ result
 image.tar
 tilt_options.json
+local_values.yaml
 .direnv/
 .direnvrc
diff --git a/Makefile b/Makefile
index 96e1030d..9afd741a 100644
--- a/Makefile
+++ b/Makefile
@@ -105,7 +105,6 @@ compile-chart: version crds config
 chart-clean:
 rm -rf "deploy/helm/${OPERATOR_NAME}/configs"
- rm -rf "deploy/helm/${OPERATOR_NAME}/crds"
 version:
 cat "deploy/helm/${OPERATOR_NAME}/Chart.yaml" | yq ".version = \"${VERSION}\" | .appVersion = \"${VERSION}\"" > "deploy/helm/${OPERATOR_NAME}/Chart.yaml.new"
@@ -117,9 +116,11 @@ config:
 cp -r deploy/config-spec/* "deploy/helm/${OPERATOR_NAME}/configs";\
 fi
+# We generate a crds.yaml, so that the effect of code changes are visible.
+# The operator will take care of the CRD rollout itself.
 crds:
- mkdir -p deploy/helm/"${OPERATOR_NAME}"/crds
- cargo run --bin stackable-"${OPERATOR_NAME}" -- crd | yq eval '.metadata.annotations["helm.sh/resource-policy"]="keep"' - > "deploy/helm/${OPERATOR_NAME}/crds/crds.yaml"
+ mkdir -p extra
+ cargo run --bin stackable-"${OPERATOR_NAME}" -- crd > extra/crds.yaml
 chart-lint: compile-chart
 docker run -it -v $(shell pwd):/build/helm-charts -w /build/helm-charts quay.io/helmpack/chart-testing:v3.5.0 ct lint --config deploy/helm/ct.yaml
diff --git a/Tiltfile b/Tiltfile
index ee0941c3..53c3a8e4 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -17,11 +17,6 @@ custom_build(
 outputs_image_ref_to='result/ref',
 )
-# Load the latest CRDs from Nix
-watch_file('result')
-if os.path.exists('result'):
- k8s_yaml('result/crds.yaml')
-
 # We need to set the correct image annotation on the operator Deployment to use e.g.
 # oci.stackable.tech/sandbox/opa-operator:7y19m3d8clwxlv34v5q2x4p7v536s00g instead of
 # oci.stackable.tech/sandbox/opa-operator:0.0.0-dev (which does not exist)
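Review bot: The crds target now writes a generated artefact to `extra/crds.yaml`, but nothing in this diff ignores that directory (the .gitignore hunk only adds local_values.yaml), so the file may end up committed unless `extra/` is ignored elsewhere in the repository. Dropping the `helm.sh/resource-policy: keep` annotation step is consistent with the chart no longer shipping CRDs, but it shifts the whole CRD lifecycle (install, upgrade, and whatever happens on `helm uninstall`) onto the operator, which presumably requires its ClusterRole to allow writing customresourcedefinitions — that RBAC change is not part of this diff and is worth confirming, since it is a cluster-wide privilege. The new comment would also read better as `# We generate a crds.yaml so that the effect of code changes is visible.`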
@@ -35,18 +30,12 @@ helm_values = settings.get('helm_values', None)
 helm_override_image_repository = 'image.repository=' + registry + '/' + operator_name
-# Exclude stale CRDs from Helm chart, and apply the rest
-helm_crds, helm_non_crds = filter_yaml(
- helm(
- 'deploy/helm/' + operator_name,
- name=operator_name,
- namespace="stackable-operators",
- set=[
- helm_override_image_repository,
- ],
- values=helm_values,
- ),
- api_version = "^apiextensions\\.k8s\\.io/.*$",
- kind = "^CustomResourceDefinition$",
-)
-k8s_yaml(helm_non_crds)
+k8s_yaml(helm(
+ 'deploy/helm/' + operator_name,
+ name=operator_name,
+ namespace="stackable-operators",
+ set=[
+ helm_override_image_repository,
+ ],
+ values=helm_values,
+))
diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml
deleted file mode 100644
index 19c870e5..00000000
--- a/deploy/helm/secret-operator/crds/crds.yaml
+++ /dev/null
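Review bot: With the filter_yaml() wrapper gone, `k8s_yaml(helm(...))` applies every object the chart renders, so the Tiltfile now silently relies on the chart containing no CRDs (the crds/ directory is deleted in this commit) and on the operator rolling them out itself. Nothing at the call site records that assumption, and the earlier `result/crds.yaml` loader is gone too, so a reader may wonder where CRDs come from in the dev loop. A one-line comment above the call would keep the next maintainer from re-adding the filter: `# The chart no longer ships CRDs (the operator rolls them out itself), so no filter_yaml() is needed here.`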
@@ -1,937 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: secretclasses.secrets.stackable.tech - annotations: - helm.sh/resource-policy: keep -spec: - group: secrets.stackable.tech - names: - categories: [] - kind: SecretClass - plural: secretclasses - shortNames: [] - singular: secretclass - scope: Cluster - versions: - - additionalPrinterColumns: [] - name: v1alpha2 - schema: - openAPIV3Schema: - description: Auto-generated derived type for SecretClassSpec via `CustomResource` - properties: - spec: - description: |- - A [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) is a cluster-global Kubernetes resource - that defines a category of secrets that the Secret Operator knows how to provision. - properties: - backend: - description: |- - Each SecretClass is associated with a single - [backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend), - which dictates the mechanism for issuing that kind of Secret. - oneOf: - - required: - - k8sSearch - - required: - - autoTls - - required: - - certManager - - required: - - kerberosKeytab - properties: - autoTls: - description: |- - The [`autoTls` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-autotls) - issues a TLS certificate signed by the Secret Operator. - The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator. - - A new certificate and key pair will be generated and signed for each Pod, keys or certificates are never reused. - properties: - additionalTrustRoots: - default: [] - description: Additional trust roots which are added to the provided `ca.crt` file. - items: - oneOf: - - required: - - configMap - - required: - - secret - properties: - configMap: - description: |- - Reference (name and namespace) to a Kubernetes ConfigMap object where additional - certificates are stored. 
- The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack - of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER - certificate. - properties: - name: - description: Name of the ConfigMap being referred to. - type: string - namespace: - description: Namespace of the ConfigMap being referred to. - type: string - required: - - name - - namespace - type: object - secret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where additional certificates - are stored. - The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack - of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER - certificate. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - type: object - type: array - ca: - description: Configures the certificate authority used to issue Pod certificates. - properties: - autoGenerate: - default: false - description: |- - Whether the certificate authority should be managed by Secret Operator, including being generated - if it does not already exist. - type: boolean - caCertificateLifetime: - default: 365d - description: |- - The lifetime of each generated certificate authority. - - Should always be more than double `maxCertificateLifetime`. - - If `autoGenerate: true` then the Secret Operator will prepare a new CA certificate the old CA approaches expiration. - If `autoGenerate: false` then the Secret Operator will log a warning instead. - type: string - caCertificateRetirementDuration: - default: 1h - description: |- - Duration at the end of the CA certificate lifetime where no signed certificate will exist. - - Retired (or expired) CA certificates will not be published and will not be used for - signing leaf certificates. 
- type: string - keyGeneration: - default: - rsa: - length: 2048 - description: |- - The algorithm used to generate a key pair and required configuration settings. - Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured. - oneOf: - - required: - - rsa - properties: - rsa: - properties: - length: - description: |- - The amount of bits used for generating the RSA keypair. - Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits. - enum: - - 2048 - - 3072 - - 4096 - type: integer - required: - - length - type: object - type: object - secret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where the CA certificate - and key is stored in the keys `ca.crt` and `ca.key` respectively. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - required: - - secret - type: object - maxCertificateLifetime: - default: 15d - description: |- - Maximum lifetime the created certificates are allowed to have. - In case consumers request a longer lifetime than allowed by this setting, - the lifetime will be the minimum of both, so this setting takes precedence. - The default value is 15 days. - - The maximum lifetime must be less than a quarter of the active CA certificate lifetime - where the active CA certificate lifetime is `ca.ca_certificate_lifetime - - ca.ca_certificate_retirement_duration` to ensure that two subjects always have a common - CA certificate in their trust stores – assuming that CAs are rotated at half of their - active lifetimes. - - For instance, if a pod is created right before half of the active CA lifetime has - passed, then it is signed by this CA but it does not know yet the new CA certificate - which is created right afterwards. 
If another pod is created so that its certificate - lifetime ends right after the first active CA lifetime then it is signed by the new CA. - The `max_certificate_lifetime` must be chosen so that these two pods have no - overlapping lifetimes, otherwise the first pod would see the second one signed by an - unknown CA certificate. This can be achieved by the mentioned formula. - type: string - required: - - ca - type: object - certManager: - description: |- - The [`certManager` backend][1] injects a TLS certificate issued by [cert-manager]. - - A new certificate will be requested the first time it is used by a Pod, it - will be reused after that (subject to cert-manager renewal rules). - - [1]: https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-certmanager - [cert-manager]: https://cert-manager.io/ - properties: - defaultCertificateLifetime: - default: 1d - description: |- - The default lifetime of certificates. - - Defaults to 1 day. This may need to be increased for external issuers that impose rate limits (such as Let's Encrypt). - type: string - issuer: - description: A reference to the cert-manager issuer that the certificates should be requested from. - properties: - kind: - description: |- - The kind of the issuer, Issuer or ClusterIssuer. - - If Issuer then it must be in the same namespace as the Pods using it. - enum: - - Issuer - - ClusterIssuer - type: string - name: - description: The name of the issuer. - type: string - required: - - kind - - name - type: object - keyGeneration: - default: - rsa: - length: 2048 - description: |- - The algorithm used to generate a key pair and required configuration settings. - Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured. - oneOf: - - required: - - rsa - properties: - rsa: - properties: - length: - description: |- - The amount of bits used for generating the RSA keypair. - Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits. 
- enum: - - 2048 - - 3072 - - 4096 - type: integer - required: - - length - type: object - type: object - required: - - issuer - type: object - k8sSearch: - description: |- - The [`k8sSearch` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-k8ssearch) - can be used to mount Secrets across namespaces into Pods. - properties: - searchNamespace: - description: Configures the namespace searched for Secret objects. - oneOf: - - required: - - pod - - required: - - name - properties: - name: - description: |- - The Secret objects are located in a single global namespace. - Should be used for secrets that are provisioned by the cluster administrator. - type: string - pod: - description: |- - The Secret objects are located in the same namespace as the Pod object. - Should be used for Secrets that are provisioned by the application administrator. - type: object - type: object - trustStoreConfigMapName: - description: |- - Name of a ConfigMap that contains the information required to validate against this SecretClass. - - Resolved relative to `search_namespace`. - - Required to request a TrustStore for this SecretClass. - nullable: true - type: string - required: - - searchNamespace - type: object - kerberosKeytab: - description: |- - The [`kerberosKeytab` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-kerberoskeytab) - creates a Kerberos keytab file for a selected realm. - The Kerberos KDC and administrator credentials must be provided by the administrator. - properties: - admin: - description: Kerberos admin configuration settings. - oneOf: - - required: - - mit - - required: - - activeDirectory - properties: - activeDirectory: - description: Credentials should be provisioned in a Microsoft Active Directory domain. - properties: - generateSamAccountName: - description: |- - Allows samAccountName generation for new accounts to be customized. 
- Note that setting this field (even if empty) makes the Secret Operator take - over the generation duty from the domain controller. - nullable: true - properties: - prefix: - default: '' - description: A prefix to be prepended to generated samAccountNames. - type: string - totalLength: - default: 20 - description: |- - The total length of generated samAccountNames, _including_ `prefix`. - Must be larger than the length of `prefix`, but at most `20`. - - Note that this should be as large as possible, to minimize the risk of collisions. - format: uint8 - maximum: 255.0 - minimum: 0.0 - type: integer - type: object - ldapServer: - description: |- - An AD LDAP server, such as the AD Domain Controller. - This must match the server’s FQDN, or GSSAPI authentication will fail. - type: string - ldapTlsCaSecret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object containing - the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - passwordCacheSecret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where workload - passwords will be stored. This must not be accessible to end users. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - schemaDistinguishedName: - description: |- - The root Distinguished Name (DN) for AD-managed schemas, - typically `CN=Schema,CN=Configuration,{domain_dn}`. - type: string - userDistinguishedName: - description: |- - The root Distinguished Name (DN) where service accounts should be provisioned, - typically `CN=Users,{domain_dn}`. 
- type: string - required: - - ldapServer - - ldapTlsCaSecret - - passwordCacheSecret - - schemaDistinguishedName - - userDistinguishedName - type: object - mit: - description: Credentials should be provisioned in a MIT Kerberos Admin Server. - properties: - kadminServer: - description: |- - The hostname of the Kerberos Admin Server. - This should be provided by the Kerberos administrator. - type: string - required: - - kadminServer - type: object - type: object - adminKeytabSecret: - description: |- - Reference (`name` and `namespace`) to a K8s Secret object where a - keytab with administrative privileges is stored in the key `keytab`. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - adminPrincipal: - description: The admin principal. - type: string - kdc: - description: |- - The hostname of the Kerberos Key Distribution Center (KDC). - This should be provided by the Kerberos administrator. - type: string - realmName: - description: The name of the Kerberos realm. This should be provided by the Kerberos administrator. - type: string - required: - - admin - - adminKeytabSecret - - adminPrincipal - - kdc - - realmName - type: object - type: object - required: - - backend - type: object - required: - - spec - title: SecretClass - type: object - served: true - storage: true - subresources: {} - - additionalPrinterColumns: [] - name: v1alpha1 - schema: - openAPIV3Schema: - description: Auto-generated derived type for SecretClassSpec via `CustomResource` - properties: - spec: - description: |- - A [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass) is a cluster-global Kubernetes resource - that defines a category of secrets that the Secret Operator knows how to provision. 
- properties: - backend: - description: |- - Each SecretClass is associated with a single - [backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend), - which dictates the mechanism for issuing that kind of Secret. - oneOf: - - required: - - k8sSearch - - required: - - autoTls - - required: - - experimentalCertManager - - required: - - kerberosKeytab - properties: - autoTls: - description: |- - The [`autoTls` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-autotls) - issues a TLS certificate signed by the Secret Operator. - The certificate authority can be provided by the administrator, or managed automatically by the Secret Operator. - - A new certificate and key pair will be generated and signed for each Pod, keys or certificates are never reused. - properties: - additionalTrustRoots: - default: [] - description: Additional trust roots which are added to the provided `ca.crt` file. - items: - oneOf: - - required: - - configMap - - required: - - secret - properties: - configMap: - description: |- - Reference (name and namespace) to a Kubernetes ConfigMap object where additional - certificates are stored. - The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack - of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER - certificate. - properties: - name: - description: Name of the ConfigMap being referred to. - type: string - namespace: - description: Namespace of the ConfigMap being referred to. - type: string - required: - - name - - namespace - type: object - secret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where additional certificates - are stored. - The extensions of the keys denote its contents: A key suffixed with `.crt` contains a stack - of base64 encoded DER certificates, a key suffixed with `.der` contains a binary DER - certificate. 
- properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - type: object - type: array - ca: - description: Configures the certificate authority used to issue Pod certificates. - properties: - autoGenerate: - default: false - description: |- - Whether the certificate authority should be managed by Secret Operator, including being generated - if it does not already exist. - type: boolean - caCertificateLifetime: - default: 365d - description: |- - The lifetime of each generated certificate authority. - - Should always be more than double `maxCertificateLifetime`. - - If `autoGenerate: true` then the Secret Operator will prepare a new CA certificate the old CA approaches expiration. - If `autoGenerate: false` then the Secret Operator will log a warning instead. - type: string - caCertificateRetirementDuration: - default: 1h - description: |- - Duration at the end of the CA certificate lifetime where no signed certificate will exist. - - Retired (or expired) CA certificates will not be published and will not be used for - signing leaf certificates. - type: string - keyGeneration: - default: - rsa: - length: 2048 - description: |- - The algorithm used to generate a key pair and required configuration settings. - Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured. - oneOf: - - required: - - rsa - properties: - rsa: - properties: - length: - description: |- - The amount of bits used for generating the RSA keypair. - Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits. - enum: - - 2048 - - 3072 - - 4096 - type: integer - required: - - length - type: object - type: object - secret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where the CA certificate - and key is stored in the keys `ca.crt` and `ca.key` respectively. 
- properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - required: - - secret - type: object - maxCertificateLifetime: - default: 15d - description: |- - Maximum lifetime the created certificates are allowed to have. - In case consumers request a longer lifetime than allowed by this setting, - the lifetime will be the minimum of both, so this setting takes precedence. - The default value is 15 days. - - The maximum lifetime must be less than a quarter of the active CA certificate lifetime - where the active CA certificate lifetime is `ca.ca_certificate_lifetime - - ca.ca_certificate_retirement_duration` to ensure that two subjects always have a common - CA certificate in their trust stores – assuming that CAs are rotated at half of their - active lifetimes. - - For instance, if a pod is created right before half of the active CA lifetime has - passed, then it is signed by this CA but it does not know yet the new CA certificate - which is created right afterwards. If another pod is created so that its certificate - lifetime ends right after the first active CA lifetime then it is signed by the new CA. - The `max_certificate_lifetime` must be chosen so that these two pods have no - overlapping lifetimes, otherwise the first pod would see the second one signed by an - unknown CA certificate. This can be achieved by the mentioned formula. - type: string - required: - - ca - type: object - experimentalCertManager: - description: |- - The [`certManager` backend][1] injects a TLS certificate issued by [cert-manager]. - - A new certificate will be requested the first time it is used by a Pod, it - will be reused after that (subject to cert-manager renewal rules). 
- - [1]: https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-certmanager - [cert-manager]: https://cert-manager.io/ - properties: - defaultCertificateLifetime: - default: 1d - description: |- - The default lifetime of certificates. - - Defaults to 1 day. This may need to be increased for external issuers that impose rate limits (such as Let's Encrypt). - type: string - issuer: - description: A reference to the cert-manager issuer that the certificates should be requested from. - properties: - kind: - description: |- - The kind of the issuer, Issuer or ClusterIssuer. - - If Issuer then it must be in the same namespace as the Pods using it. - enum: - - Issuer - - ClusterIssuer - type: string - name: - description: The name of the issuer. - type: string - required: - - kind - - name - type: object - keyGeneration: - default: - rsa: - length: 2048 - description: |- - The algorithm used to generate a key pair and required configuration settings. - Currently only RSA and a key length of 2048, 3072 or 4096 bits can be configured. - oneOf: - - required: - - rsa - properties: - rsa: - properties: - length: - description: |- - The amount of bits used for generating the RSA keypair. - Currently, `2048`, `3072` and `4096` are supported. Defaults to `2048` bits. - enum: - - 2048 - - 3072 - - 4096 - type: integer - required: - - length - type: object - type: object - required: - - issuer - type: object - k8sSearch: - description: |- - The [`k8sSearch` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-k8ssearch) - can be used to mount Secrets across namespaces into Pods. - properties: - searchNamespace: - description: Configures the namespace searched for Secret objects. - oneOf: - - required: - - pod - - required: - - name - properties: - name: - description: |- - The Secret objects are located in a single global namespace. - Should be used for secrets that are provisioned by the cluster administrator. 
- type: string - pod: - description: |- - The Secret objects are located in the same namespace as the Pod object. - Should be used for Secrets that are provisioned by the application administrator. - type: object - type: object - trustStoreConfigMapName: - description: |- - Name of a ConfigMap that contains the information required to validate against this SecretClass. - - Resolved relative to `search_namespace`. - - Required to request a TrustStore for this SecretClass. - nullable: true - type: string - required: - - searchNamespace - type: object - kerberosKeytab: - description: |- - The [`kerberosKeytab` backend](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#backend-kerberoskeytab) - creates a Kerberos keytab file for a selected realm. - The Kerberos KDC and administrator credentials must be provided by the administrator. - properties: - admin: - description: Kerberos admin configuration settings. - oneOf: - - required: - - mit - - required: - - activeDirectory - properties: - activeDirectory: - description: Credentials should be provisioned in a Microsoft Active Directory domain. - properties: - experimentalGenerateSamAccountName: - description: |- - Allows samAccountName generation for new accounts to be customized. - Note that setting this field (even if empty) makes the Secret Operator take - over the generation duty from the domain controller. - nullable: true - properties: - prefix: - default: '' - description: A prefix to be prepended to generated samAccountNames. - type: string - totalLength: - default: 20 - description: |- - The total length of generated samAccountNames, _including_ `prefix`. - Must be larger than the length of `prefix`, but at most `20`. - - Note that this should be as large as possible, to minimize the risk of collisions. - format: uint8 - maximum: 255.0 - minimum: 0.0 - type: integer - type: object - ldapServer: - description: |- - An AD LDAP server, such as the AD Domain Controller. 
- This must match the server’s FQDN, or GSSAPI authentication will fail. - type: string - ldapTlsCaSecret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object containing - the TLS CA (in `ca.crt`) that the LDAP server’s certificate should be authenticated against. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - passwordCacheSecret: - description: |- - Reference (name and namespace) to a Kubernetes Secret object where workload - passwords will be stored. This must not be accessible to end users. - properties: - name: - description: Name of the Secret being referred to. - type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - schemaDistinguishedName: - description: |- - The root Distinguished Name (DN) for AD-managed schemas, - typically `CN=Schema,CN=Configuration,{domain_dn}`. - type: string - userDistinguishedName: - description: |- - The root Distinguished Name (DN) where service accounts should be provisioned, - typically `CN=Users,{domain_dn}`. - type: string - required: - - ldapServer - - ldapTlsCaSecret - - passwordCacheSecret - - schemaDistinguishedName - - userDistinguishedName - type: object - mit: - description: Credentials should be provisioned in a MIT Kerberos Admin Server. - properties: - kadminServer: - description: |- - The hostname of the Kerberos Admin Server. - This should be provided by the Kerberos administrator. - type: string - required: - - kadminServer - type: object - type: object - adminKeytabSecret: - description: |- - Reference (`name` and `namespace`) to a K8s Secret object where a - keytab with administrative privileges is stored in the key `keytab`. - properties: - name: - description: Name of the Secret being referred to. 
- type: string - namespace: - description: Namespace of the Secret being referred to. - type: string - required: - - name - - namespace - type: object - adminPrincipal: - description: The admin principal. - type: string - kdc: - description: |- - The hostname of the Kerberos Key Distribution Center (KDC). - This should be provided by the Kerberos administrator. - type: string - realmName: - description: The name of the Kerberos realm. This should be provided by the Kerberos administrator. - type: string - required: - - admin - - adminKeytabSecret - - adminPrincipal - - kdc - - realmName - type: object - type: object - required: - - backend - type: object - required: - - spec - title: SecretClass - type: object - served: true - storage: false - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: truststores.secrets.stackable.tech - annotations: - helm.sh/resource-policy: keep -spec: - group: secrets.stackable.tech - names: - categories: [] - kind: TrustStore - plural: truststores - shortNames: [] - singular: truststore - scope: Namespaced - versions: - - additionalPrinterColumns: [] - name: v1alpha1 - schema: - openAPIV3Schema: - description: Auto-generated derived type for TrustStoreSpec via `CustomResource` - properties: - spec: - description: |- - A [TrustStore](https://docs.stackable.tech/home/nightly/secret-operator/truststore) requests information about how to - validate secrets issued by a [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass). - - The requested information is written to a ConfigMap with the same name as the TrustStore. - properties: - format: - description: The [format](https://docs.stackable.tech/home/nightly/secret-operator/secretclass#format) that the data should be converted into. 
- enum: - - tls-pem - - tls-pkcs12 - - kerberos - - null - nullable: true - type: string - secretClassName: - description: The name of the SecretClass that the request concerns. - type: string - targetKind: - default: ConfigMap - description: |- - Which Kubernetes kind should be used to output the requested information to. - - The trust information (such as a `ca.crt`) can be considered public information, so we put - it in a `ConfigMap` by default. However, some tools might require it to be placed in a - `Secret`, so we also support that. - - Can be either `ConfigMap` or `Secret`, defaults to `ConfigMap`. - enum: - - Secret - - ConfigMap - type: string - required: - - secretClassName - type: object - required: - - spec - title: TrustStore - type: object - served: true - storage: true - subresources: {} diff --git a/deploy/helm/secret-operator/templates/service.yaml b/deploy/helm/secret-operator/templates/service.yaml index 0cb05696..5cf6439b 100644 --- a/deploy/helm/secret-operator/templates/service.yaml +++ b/deploy/helm/secret-operator/templates/service.yaml @@ -1,4 +1,4 @@ - +{{- if .Values.maintenance.customResourceDefinitions.maintain }} --- apiVersion: v1 kind: Service @@ -11,9 +11,11 @@ metadata: {{- include "operator.labels" . | nindent 4 }} spec: selector: - {{- include "operator.selectorLabels" . | nindent 6 }} + webhook.stackable.tech/conversion: enabled + {{- include "operator.selectorLabels" . | nindent 4 }} ports: - name: conversion-webhook protocol: TCP port: 8443 targetPort: 8443 +{{- end }} diff --git a/scripts/run-tests b/scripts/run-tests index 00639f45..7fa07fc5 100755 --- a/scripts/run-tests +++ b/scripts/run-tests @@ -11,6 +11,7 @@ import shutil import subprocess import sys import tempfile +import time __version__ = "0.0.1" 
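Review bot: The Service is now rendered only when `.Values.maintenance.customResourceDefinitions.maintain` is set, yet no values.yaml change is part of this diff; if `maintenance` is not defined in the chart's default values, Helm fails the render with a nil-pointer error instead of simply skipping the object. The selector additionally requires the label `webhook.stackable.tech/conversion: enabled` on the operator Pod, and the Deployment template that would set that label is not in this diff — if it is missing, the conversion-webhook Service has no endpoints and the API server's conversion calls for the CRDs fail. A short header comment would make both dependencies explicit: `# Rendered only when the operator maintains its own CRDs; the API server must reach this Service for CRD version conversion.`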
@@ -451,6 +452,7 @@ def main(argv) -> int:
 gen_tests(opts.test_suite, opts.namespace, opts.work_dir)
 with release_file(opts.operator, opts.skip_operator) as f:
 maybe_install_release(opts.skip_release, f, opts.listener_class_preset)
+ time.sleep(10)
 if opts.skip_tests:
 logging.info("Skip running tests.")
 else:
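Review bot: The unconditional `time.sleep(10)` after maybe_install_release() is a fixed delay with no stated reason and no readiness check, so it is slower than necessary on a fast cluster and still racy on a slow one, and judging by the name maybe_install_release() it also runs when the install is skipped. Presumably it gives the operator time to roll out its CRDs now that the chart no longer ships them; if so, polling until the CRDs are established (for example `kubectl wait --for=condition=established`) would be deterministic. At minimum, document the intent and name the value: `# Give the operator time to roll out its CRDs before the tests create custom resources — TODO: replace with a readiness poll`. main() begins and ends outside the hunk.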