diff --git a/CHANGELOG.md b/CHANGELOG.md index 785a9f93e..6c463f8c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,14 +10,22 @@ All notable changes to this project will be documented in this file. [#647]: https://github.com/stackabletech/operator-rs/pull/647 +### Changed + +- Bump `kube` to `0.86.0` and Kubernetes version to `1.28` ([#648]). + +[#648]: https://github.com/stackabletech/operator-rs/pull/648 + ## [0.48.0] - 2023-08-18 ### Added - Add `PodBuilder::termination_grace_period_seconds` ([#641]). - Add support for adding `lifecycle`s to `ContainerBuilder` ([#641]). +- Add support for tls pkcs12 password to secret operator volume builder ([#645]). [#641]: https://github.com/stackabletech/operator-rs/pull/641 +[#645]: https://github.com/stackabletech/operator-rs/pull/645 ## [0.47.0] - 2023-08-16 diff --git a/Cargo.toml b/Cargo.toml index c247e62e8..a766f2e2c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -22,9 +22,9 @@ derivative = "2.2.0" either = "1.9.0" futures = "0.3.28" json-patch = "1.0.0" -k8s-openapi = { version = "0.19.0", default-features = false, features = ["schemars", "v1_27"] } +k8s-openapi = { version = "0.20.0", default-features = false, features = ["schemars", "v1_28"] } # We use rustls instead of openssl for easier portablitly, e.g. so that we can build stackablectl without the need to vendor (build from source) openssl -kube = { version = "0.85.0", default-features = false, features = ["client", "jsonpatch", "runtime", "derive", "rustls-tls"] } +kube = { version = "0.86.0", default-features = false, features = ["client", "jsonpatch", "runtime", "derive", "rustls-tls"] } lazy_static = "1.4.0" opentelemetry = { version = "0.20.0", features = ["rt-tokio"] } opentelemetry-jaeger = { version = "0.19.0", features = ["rt-tokio"] } 
@@ -41,7 +41,7 @@ strum = { version = "0.25.0", features = ["derive"] }
 thiserror = "1.0.44"
 tokio = { version = "1.29.1", features = ["macros", "rt-multi-thread"] }
 tracing = "0.1.37"
-tracing-opentelemetry = "0.20.0"
+tracing-opentelemetry = "0.21.0"
 tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
 
 [dev-dependencies]
diff --git a/src/builder/pod/volume.rs b/src/builder/pod/volume.rs
index d565ddc33..e17e0b5bf 100644
--- a/src/builder/pod/volume.rs
+++ b/src/builder/pod/volume.rs
@@ -11,6 +11,7 @@ use k8s_openapi::{
 apimachinery::pkg::api::resource::Quantity,
 };
 use std::collections::BTreeMap;
+use tracing::warn;
 
 use crate::builder::ObjectMetaBuilder;
 
@@ -267,6 +268,7 @@ pub struct SecretOperatorVolumeSourceBuilder {
 scopes: Vec,
 format: Option,
 kerberos_service_names: Vec,
+ tls_pkcs12_password: Option,
 }
 
 impl SecretOperatorVolumeSourceBuilder {
@@ -276,6 +278,7 @@ impl SecretOperatorVolumeSourceBuilder {
 scopes: Vec::new(),
 format: None,
 kerberos_service_names: Vec::new(),
+ tls_pkcs12_password: None,
 }
 }
 
@@ -305,6 +308,11 @@ impl SecretOperatorVolumeSourceBuilder {
 self
 }
 
+ pub fn with_tls_pkcs12_password(&mut self, password: impl Into) -> &mut Self {
+ self.tls_pkcs12_password = Some(password.into());
+ self
+ }
+
 pub fn build(&self) -> EphemeralVolumeSource {
 let mut attrs = BTreeMap::from([(
 "secrets.stackable.tech/class".to_string(),
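Review bot: `with_tls_pkcs12_password` is a new public builder method without a doc comment, and nothing at the call site tells a user that the value is only honoured when the format is `SecretFormat::TlsPkcs12`. The later `build()` hunk emits the password as a plain-text annotation (key `secrets.stackable.tech/format.compatibility.tls-pkcs12.password`) and only logs a warning when another format was requested, so that contract belongs on the method. Suggested doc comment: `/// Sets the password protecting the PKCS12 keystore. Only applied when the format is [`SecretFormat::TlsPkcs12`]; for any other format the value is dropped with a warning at build time.` The `tls_pkcs12_password` field added in the `@@ -267` hunk would benefit from the same comment.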
@@ -343,6 +351,18 @@ impl SecretOperatorVolumeSourceBuilder {
 );
 }
 
+ if let Some(password) = &self.tls_pkcs12_password {
+ // The `tls_pkcs12_password` is only used for PKCS12 stores.
+ if Some(SecretFormat::TlsPkcs12) != self.format {
+ warn!(format.actual = ?self.format, format.expected = ?Some(SecretFormat::TlsPkcs12), "A TLS PKCS12 password was set but ignored because another format was requested")
+ } else {
+ attrs.insert(
+ "secrets.stackable.tech/format.compatibility.tls-pkcs12.password".to_string(),
+ password.to_string(),
+ );
+ }
+ }
+
 EphemeralVolumeSource {
 volume_claim_template: Some(PersistentVolumeClaimTemplate {
 metadata: Some(ObjectMetaBuilder::new().annotations(attrs).build()),
@@ -363,7 +383,7 @@ impl SecretOperatorVolumeSourceBuilder {
 /// A [secret format](https://docs.stackable.tech/home/stable/secret-operator/secretclass.html#format) known by secret-operator.
 ///
 /// This must either match or be convertible from the corresponding secret class, or provisioning the volume will fail.
-#[derive(Clone, strum::AsRefStr)]
+#[derive(Clone, Debug, PartialEq, Eq, strum::AsRefStr)]
 #[strum(serialize_all = "kebab-case")]
 pub enum SecretFormat {
 /// A TLS certificate formatted as a PEM triple (`ca.crt`, `tls.crt`, `tls.key`) according to Kubernetes conventions.
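Review bot: The password written into `attrs` becomes a clear-text annotation on the ephemeral volume's PVC template (`annotations(attrs)` a few lines down), so it is part of the Pod spec and visible to anyone who can read the Pod, unlike a value kept in a Secret; that trade-off deserves a comment next to the `attrs.insert(`, e.g. `// NOTE: the password travels as a plain-text pod annotation, not via a Secret, so anyone who can read the Pod spec can see it.` The mismatch branch only calls `warn!` and drops the value, and because `build()` returns `EphemeralVolumeSource` rather than a `Result` the caller is never told the password was ignored; if that is intentional, say so above the `if` (`// A format mismatch cannot be reported to the caller; it is logged and the password is dropped.`). Minor style: `password.to_string()` on a `&String` is more idiomatically `password.clone()`. The enclosing `build()` starts and ends outside this hunk.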