
feat: Add format-specific annotations to override secret file names #572

Merged
merged 13 commits into from
Mar 31, 2025

Conversation

Techassi
Member

@Techassi Techassi commented Mar 18, 2025

This PR adds support for customizing the secret file names using secrets.stackable.tech annotations on the volume. The following attributes were added:

  • secrets.stackable.tech/format.tls-pkcs12.keystore-name
  • secrets.stackable.tech/format.tls-pkcs12.truststore-name
  • secrets.stackable.tech/format.tls-pem.cert-name
  • secrets.stackable.tech/format.tls-pem.key-name
  • secrets.stackable.tech/format.tls-pem.ca-name

This came up in demo testing during the 25.3.0 SPD release, see stackabletech/demos#157 (comment).

This PR adds a new test dimension which is used in the tls tests. All adjusted tests pass:

--- PASS: kuttl (98.75s)
    --- PASS: kuttl/harness (0.00s)
        --- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-3072_custom-secret-names-False (18.34s)
        --- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-2048_custom-secret-names-True (7.51s)
        --- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-3072_custom-secret-names-True (16.37s)
        --- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-2048_custom-secret-names-False (8.31s)
        --- PASS: kuttl/harness/cert-manager-tls_openshift-false (98.73s)
PASS

@Techassi Techassi self-assigned this Mar 18, 2025
@Techassi Techassi marked this pull request as draft March 18, 2025 13:24
@Techassi
Member Author

Techassi commented Mar 25, 2025

The path traversal check will be replaced in a follow-up PR by a better suited solution which leverages capabilities-based filesystem operations. See #572 (comment).

Path::canonicalize will return an error if the path does not exist.
The path we are checking obviously doesn't exist yet, because we want
to prevent path traversals and the file at that path will only exist
after we are done with the check. So using canonicalize does not work
in this use-case.
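As an added example (not code from this PR or from the secret-operator), a lexical file-name check that inspects path components only, so it works for a file that does not exist yet, which is the case where `Path::canonicalize` fails. The function name, the error type and the mount path are assumptions made for this illustration.

```rust
use std::ffi::OsStr;
use std::path::{Component, Path, PathBuf};

/// Why a user-supplied secret file name was rejected.
#[derive(Debug, PartialEq, Eq)]
pub enum NameError {
    Empty,
    ContainsNul,
    Absolute,
    Traversal,
    NotAPlainFileName,
}

/// Validate a file name taken from a volume annotation and join it onto the
/// volume directory `base`. Only path components are inspected; the
/// filesystem is never touched, so the check runs before the file exists.
/// Hypothetical helper written for this example, not the operator's own code.
pub fn resolve_secret_file_name(base: &Path, name: &str) -> Result<PathBuf, NameError> {
    if name.is_empty() {
        return Err(NameError::Empty);
    }
    if name.contains('\0') {
        return Err(NameError::ContainsNul);
    }
    let mut file_name: Option<&OsStr> = None;
    for component in Path::new(name).components() {
        match component {
            // `..` anywhere in the name could escape the volume directory.
            Component::ParentDir => return Err(NameError::Traversal),
            // A leading `/` (or a drive prefix on Windows) would replace `base`.
            Component::RootDir | Component::Prefix(_) => return Err(NameError::Absolute),
            // A leading `./` carries no meaning and is dropped.
            Component::CurDir => {}
            // Accept exactly one plain component: `keystore.p12`, not `sub/dir/file`.
            Component::Normal(n) if file_name.is_none() => file_name = Some(n),
            Component::Normal(_) => return Err(NameError::NotAPlainFileName),
        }
    }
    let file_name = file_name.ok_or(NameError::NotAPlainFileName)?;
    let resolved = base.join(file_name);
    debug_assert!(resolved.starts_with(base));
    Ok(resolved)
}

fn main() {
    let base = Path::new("/stackable/secrets"); // constructed sample mount path
    for name in ["keystore.p12", "../../etc/passwd", "/etc/shadow", "./ca.crt", "a/b.pem"] {
        println!("{name:?} -> {:?}", resolve_secret_file_name(base, name));
    }
}
```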
@Techassi Techassi marked this pull request as ready for review March 31, 2025 09:54
@Techassi Techassi requested a review from nightkr March 31, 2025 10:46
nightkr previously approved these changes Mar 31, 2025
@nightkr
Member

nightkr commented Mar 31, 2025

LGTM, assuming tests pass on your end.

@nightkr
Member

nightkr commented Mar 31, 2025

Actually - just noticed that you forgot to add it to the changelog.

@Techassi
Member Author

You are right, I will add it right away.

@Techassi Techassi requested a review from nightkr March 31, 2025 14:53
@Techassi Techassi added this pull request to the merge queue Mar 31, 2025
Merged via the queue into main with commit 53945ea Mar 31, 2025
17 checks passed
@Techassi Techassi deleted the feat/filename-annotations branch March 31, 2025 15:13
@lfrancke
Member

Can you please link docs and add a release note snippet?

@Techassi
Member Author

Techassi commented Apr 1, 2025

Link to docs: https://docs.stackable.tech/home/nightly/secret-operator/volume/

Release Notes

Add support for format-specific annotations to override secret file names.
Names can be customized using secret volume annotations which are listed xref:secret-operator:volume.adoc[in our documentation].
See https://github.com/stackabletech/secret-operator/pull/572[secret-operator#572].
