Merge branch 'main' into feature/podlisteners

stackabletech · Sep 14, 2023 · d55ef2f · d55ef2f
2 parents 33d0471 + d2b8b80
commit d55ef2f
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,7 +12,15 @@ All notable changes to this project will be documented in this file.
 
 - Derive `Eq` and `Copy` where applicable for listener CRDs ([#644]).
 
+- Add support for tls pkcs12 password to secret operator volume builder ([#645]).
+
+### Changed
+
+- Bump `kube` to `0.86.0` and Kubernetes version to `1.28` ([#648]).
+
 [#644]: https://github.com/stackabletech/operator-rs/pull/644
+[#645]: https://github.com/stackabletech/operator-rs/pull/645
+[#648]: https://github.com/stackabletech/operator-rs/pull/648
 
 ## [0.48.0] - 2023-08-18
 

diff --git a/Cargo.toml b/Cargo.toml
@@ -22,9 +22,9 @@ derivative = "2.2.0"
 either = "1.9.0"
 futures = "0.3.28"
 json-patch = "1.0.0"
-k8s-openapi = { version = "0.19.0", default-features = false, features = ["schemars", "v1_27"] }
+k8s-openapi = { version = "0.20.0", default-features = false, features = ["schemars", "v1_28"] }
 # We use rustls instead of openssl for easier portablitly, e.g. so that we can build stackablectl without the need to vendor (build from source) openssl
-kube = { version = "0.85.0", default-features = false, features = ["client", "jsonpatch", "runtime", "derive", "rustls-tls"] }
+kube = { version = "0.86.0", default-features = false, features = ["client", "jsonpatch", "runtime", "derive", "rustls-tls"] }
 lazy_static = "1.4.0"
 opentelemetry = { version = "0.20.0", features = ["rt-tokio"] }
 opentelemetry-jaeger = { version = "0.19.0", features = ["rt-tokio"] }
@@ -41,7 +41,7 @@ strum = { version = "0.25.0", features = ["derive"] }
 thiserror = "1.0.44"
 tokio = { version = "1.29.1", features = ["macros", "rt-multi-thread"] }
 tracing = "0.1.37"
-tracing-opentelemetry = "0.20.0"
+tracing-opentelemetry = "0.21.0"
 tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
 
 [dev-dependencies]

diff --git a/src/builder/pod/volume.rs b/src/builder/pod/volume.rs
@@ -11,6 +11,7 @@ use k8s_openapi::{
     apimachinery::pkg::api::resource::Quantity,
 };
 use std::collections::BTreeMap;
+use tracing::warn;
 
 use crate::builder::ObjectMetaBuilder;
 
@@ -267,6 +268,7 @@ pub struct SecretOperatorVolumeSourceBuilder {
     scopes: Vec<SecretOperatorVolumeScope>,
     format: Option<SecretFormat>,
     kerberos_service_names: Vec<String>,
+    tls_pkcs12_password: Option<String>,
 }
 
 impl SecretOperatorVolumeSourceBuilder {
@@ -276,6 +278,7 @@ impl SecretOperatorVolumeSourceBuilder {
             scopes: Vec::new(),
             format: None,
             kerberos_service_names: Vec::new(),
+            tls_pkcs12_password: None,
         }
     }
 
@@ -305,6 +308,11 @@ impl SecretOperatorVolumeSourceBuilder {
         self
     }
 
+    pub fn with_tls_pkcs12_password(&mut self, password: impl Into<String>) -> &mut Self {
+        self.tls_pkcs12_password = Some(password.into());
+        self
+    }
+
     pub fn build(&self) -> EphemeralVolumeSource {
         let mut attrs = BTreeMap::from([(
             "secrets.stackable.tech/class".to_string(),
@@ -343,6 +351,18 @@ impl SecretOperatorVolumeSourceBuilder {
             );
         }
 
+        if let Some(password) = &self.tls_pkcs12_password {
+            // The `tls_pkcs12_password` is only used for PKCS12 stores.
+            if Some(SecretFormat::TlsPkcs12) != self.format {
+                warn!(format.actual = ?self.format, format.expected = ?Some(SecretFormat::TlsPkcs12), "A TLS PKCS12 password was set but ignored because another format was requested")
+            } else {
+                attrs.insert(
+                    "secrets.stackable.tech/format.compatibility.tls-pkcs12.password".to_string(),
+                    password.to_string(),
+                );
+            }
+        }
+
         EphemeralVolumeSource {
             volume_claim_template: Some(PersistentVolumeClaimTemplate {
                 metadata: Some(ObjectMetaBuilder::new().annotations(attrs).build()),
@@ -363,7 +383,7 @@ impl SecretOperatorVolumeSourceBuilder {
 /// A [secret format](https://docs.stackable.tech/home/stable/secret-operator/secretclass.html#format) known by secret-operator.
 ///
 /// This must either match or be convertible from the corresponding secret class, or provisioning the volume will fail.
-#[derive(Clone, strum::AsRefStr)]
+#[derive(Clone, Debug, PartialEq, Eq, strum::AsRefStr)]
 #[strum(serialize_all = "kebab-case")]
 pub enum SecretFormat {
     /// A TLS certificate formatted as a PEM triple (`ca.crt`, `tls.crt`, `tls.key`) according to Kubernetes conventions.