
feat: Add format-specific annotations to override secret file names #572

Merged
merged 13 commits into from
Mar 31, 2025

Conversation

Techassi
Member

@Techassi Techassi commented Mar 18, 2025

This PR adds support to customize the secret file names using secrets.stackable.tech annotations on the volume. The following attributes were added:

  • secrets.stackable.tech/format.tls-pkcs12.keystore-name
  • secrets.stackable.tech/format.tls-pkcs12.truststore-name
  • secrets.stackable.tech/format.tls-pem.cert-name
  • secrets.stackable.tech/format.tls-pem.key-name
  • secrets.stackable.tech/format.tls-pem.ca-name

This came up in demo testing during the 25.3.0 SPD release, see stackabletech/demos#157 (comment).

This PR adds a new test dimension which is used in the tls tests. All adjusted tests pass:

--- PASS: kuttl (98.75s)
    --- PASS: kuttl/harness (0.00s)
        --- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-3072_custom-secret-names-False (18.34s)
        --- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-2048_custom-secret-names-True (7.51s)
        --- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-3072_custom-secret-names-True (16.37s)
        --- PASS: kuttl/harness/tls_openshift-false_rsa-key-length-2048_custom-secret-names-False (8.31s)
        --- PASS: kuttl/harness/cert-manager-tls_openshift-false (98.73s)
PASS

@Techassi Techassi self-assigned this Mar 18, 2025
@Techassi Techassi marked this pull request as draft March 18, 2025 13:24
@Techassi Techassi moved this to Development: In Progress in Stackable Engineering Mar 18, 2025
@Techassi
Member Author

Techassi commented Mar 25, 2025

The path traversal check will be replaced in a follow-up PR by a better suited solution which leverages capabilities-based filesystem operations. See #572 (comment).

Path::canonicalize will return an error if the path does not exist.
The path we are checking obviously doesn't exist yet, because we want
to prevent path traversals and the file at that path will only exist
after we are done with the check. So using canonicalize does not work
in this use-case.
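As an added illustration (not the operator's own code), a purely lexical check that accepts an annotation-supplied file name only when it is a single normal path component, so it works before the file exists and needs no `canonicalize`. The mount directory `/stackable/tls`, the function names and the error variants are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons an annotation-supplied file name is rejected (names are assumed, not the project's).
#[derive(Debug, PartialEq)]
pub enum NameError {
    Empty,
    ContainsNul,
    NotASingleComponent,
}

/// Validate a value such as the one given for
/// `secrets.stackable.tech/format.tls-pem.cert-name` without touching the filesystem.
/// Only one `Component::Normal` is allowed: no `/`, no `.`/`..`, no absolute paths.
pub fn validate_file_name(name: &str) -> Result<&str, NameError> {
    if name.is_empty() {
        return Err(NameError::Empty);
    }
    if name.contains('\0') {
        return Err(NameError::ContainsNul);
    }
    let mut components = Path::new(name).components();
    match (components.next(), components.next()) {
        // `components()` silently drops trailing `/` and `.`, so also require that the
        // single component spells exactly the original string ("tls.crt/" is rejected).
        (Some(Component::Normal(c)), None) if c.to_str() == Some(name) => Ok(name),
        _ => Err(NameError::NotASingleComponent),
    }
}

/// Join the validated name onto the mount directory and re-check, again lexically,
/// that the result sits directly below `mount_dir`.
pub fn secret_file_path(mount_dir: &Path, name: &str) -> Result<PathBuf, NameError> {
    let name = validate_file_name(name)?;
    let full = mount_dir.join(name);
    match full.parent() {
        Some(parent) if parent == mount_dir => Ok(full),
        _ => Err(NameError::NotASingleComponent),
    }
}

fn main() {
    // Constructed sample inputs: two valid names, four that must be rejected.
    let mount = Path::new("/stackable/tls");
    for name in ["tls.crt", "server-cert.pem", "../etc/passwd", "sub/dir.pem", "..", "/abs.pem"] {
        println!("{name:?} -> {:?}", secret_file_path(mount, name));
    }
}
```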
@Techassi Techassi marked this pull request as ready for review March 31, 2025 09:54
@Techassi Techassi requested a review from nightkr March 31, 2025 10:46
@Techassi Techassi moved this from Development: In Progress to Development: In Review in Stackable Engineering Mar 31, 2025
nightkr
nightkr previously approved these changes Mar 31, 2025
@nightkr
Member

nightkr commented Mar 31, 2025

LGTM, assuming tests pass on your end.

@nightkr
Member

nightkr commented Mar 31, 2025

Actually - just noticed that you forgot to add it to the changelog.

@Techassi
Member Author

You are right, I will add it right away.

@Techassi Techassi added this pull request to the merge queue Mar 31, 2025
@Techassi Techassi moved this from Development: In Review to Development: Done in Stackable Engineering Mar 31, 2025
Merged via the queue into main with commit 53945ea Mar 31, 2025
17 checks passed
@Techassi Techassi deleted the feat/filename-annotations branch March 31, 2025 15:13
@lfrancke
Member

Can you please link docs and add a release note snippet?

@lfrancke lfrancke moved this from Development: Done to Acceptance: In Progress in Stackable Engineering Mar 31, 2025
@Techassi
Member Author

Techassi commented Apr 1, 2025

Link to docs: https://docs.stackable.tech/home/nightly/secret-operator/volume/

Release Notes

Add support for format-specific annotations to override secret file names.
Names can be customized using secret volume annotations which are listed xref:secret-operator:volume.adoc[in our documentation].
See https://github.com/stackabletech/secret-operator/pull/572[secret-operator#572].

@lfrancke lfrancke moved this from Acceptance: In Progress to Done in Stackable Engineering Apr 2, 2025
@lfrancke lfrancke added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Apr 2, 2025
Labels
release/25.7.0 release-note Denotes a PR that will be considered when it comes time to generate release notes.