From 81875519cb70c4b38e4aac8b0af33503f7cc8d84 Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Thu, 28 May 2026 16:45:26 +0200 Subject: [PATCH 1/2] feat: Add FQDNs to the subject DNs of TLS certificates --- CHANGELOG.md | 2 + Cargo.lock | 23 +++---- Cargo.nix | 62 ++++++++++--------- Cargo.toml | 2 +- crate-hashes.json | 18 +++--- rust/operator-binary/src/crd/security.rs | 3 + .../kuttl/opa/20-install-opa.yaml.j2 | 13 +++- 7 files changed, 71 insertions(+), 52 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7728b498..58ff52f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,10 +16,12 @@ All notable changes to this project will be documented in this file. controllers). Previously, arbitrary file names were silently accepted and ignored ([#960]). - Bump `stackable-operator` to 0.111.1 and snafu to 0.9 ([#960], [#961]). +- BREAKING: Extend the subject DNs of TLS certificates with the FQDNs of the Kafka pods ([#972]). [#953]: https://github.com/stackabletech/kafka-operator/pull/953 [#960]: https://github.com/stackabletech/kafka-operator/pull/960 [#961]: https://github.com/stackabletech/kafka-operator/pull/961 +[#972]: https://github.com/stackabletech/kafka-operator/pull/972 ## [26.3.0] - 2026-03-16 diff --git a/Cargo.lock b/Cargo.lock index 5357bf1f..85158345 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1517,7 +1517,7 @@ dependencies = [ [[package]] name = "k8s-version" version = "0.1.3" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "darling", "regex", 
@@ -2889,7 +2889,7 @@ checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596" [[package]] name = "stackable-certs" version = "0.4.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "const-oid", "ecdsa", @@ -2935,7 +2935,7 @@ dependencies = [ [[package]] name = "stackable-operator" version = "0.111.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "base64", "clap", @@ -2971,12 +2971,13 @@ dependencies = [ "tracing-appender", "tracing-subscriber", "url", + "winnow", ] [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "darling", "proc-macro2", @@ -2987,7 +2988,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.1.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "jiff", "k8s-openapi", 
@@ -3004,7 +3005,7 @@ dependencies = [ [[package]] name = "stackable-telemetry" version = "0.6.3" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "axum", "clap", @@ -3028,7 +3029,7 @@ dependencies = [ [[package]] name = "stackable-versioned" version = "0.10.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "kube", "schemars", @@ -3042,7 +3043,7 @@ dependencies = [ [[package]] name = "stackable-versioned-macros" version = "0.10.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "convert_case", "convert_case_extras", @@ -3060,7 +3061,7 @@ dependencies = [ [[package]] name = "stackable-webhook" version = "0.9.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#7a5f0c3fbcd091340214a23f0607fcd4b4fcc152" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#8eb179f9faf75afae2db8171445e84a6a54a4401" dependencies = [ "arc-swap", "async-trait", 
@@ -3901,9 +3902,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0" +checksum = "0592e1c9d151f854e6fd382574c3a0855250e1d9b2f99d9281c6e6391af352f1" dependencies = [ "memchr", ] diff --git a/Cargo.nix b/Cargo.nix index 75415d97..a14e29f2 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -4842,9 +4842,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "k8s_version"; authors = [ @@ -9516,9 +9516,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_certs"; authors = [ 
@@ -9711,9 +9711,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_operator"; authors = [ @@ -9873,6 +9873,10 @@ rec { packageId = "url"; features = [ "serde" ]; } + { + name = "winnow"; + packageId = "winnow"; + } ]; features = { "certs" = [ "dep:stackable-certs" ]; @@ -9891,9 +9895,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -9926,9 +9930,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_shared"; authors = [ 
@@ -10007,9 +10011,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_telemetry"; authors = [ @@ -10117,9 +10121,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_versioned"; authors = [ @@ -10167,9 +10171,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; procMacro = true; libName = "stackable_versioned_macros"; 
@@ -10235,9 +10239,9 @@ rec { edition = "2024"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "7a5f0c3fbcd091340214a23f0607fcd4b4fcc152"; - sha256 = "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "8eb179f9faf75afae2db8171445e84a6a54a4401"; + sha256 = "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d"; }; libName = "stackable_webhook"; authors = [ @@ -13804,9 +13808,9 @@ rec { }; "winnow" = rec { crateName = "winnow"; - version = "1.0.2"; + version = "1.0.3"; edition = "2021"; - sha256 = "1l7xnfvlgy4da6gq5ip2bgcm8i9d0rwzaxg1p88nlw8lxy5p1q9f"; + sha256 = "1wajycd3krn6h699vydjv7hm0ll5l31p899qzpk59y2is74y34h5"; dependencies = [ { name = "memchr"; diff --git a/Cargo.toml b/Cargo.toml index 8620a9ef..9c5ced05 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -31,4 +31,4 @@ tracing = "0.1" [patch."https://github.com/stackabletech/operator-rs.git"] # stackable-operator = { path = "../operator-rs/crates/stackable-operator" } -# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" } +stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/annotation-auto-tls-cert-subject-dn" } diff --git a/crate-hashes.json b/crate-hashes.json index a6396ca0..4e0f1877 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
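Review bot: The new `stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/annotation-auto-tls-cert-subject-dn" }` line in the Cargo.toml hunk replaces the tagged `stackable-operator-0.111.1` source with a mutable feature branch, so the build is held to a specific revision only through the `8eb179f9faf75afae2db8171445e84a6a54a4401` pin in Cargo.lock, Cargo.nix and crate-hashes.json, which a plain `cargo update` would silently advance to whatever the branch then points at. The line it replaces was a commented-out template pointing at `branch = "main"`, which suggests this is a development-time override rather than the intended merged state; before merge the operator-rs change should be released and this `[patch]` entry commented out again, or at minimum marked with `# TODO(#972): revert to the tagged stackable-operator release once feat/annotation-auto-tls-cert-subject-dn is merged upstream` so it is not forgotten. The `0.0.0-pr708` and `0.0.0-pr972` pins in tests/release.yaml from the second patch look like part of the same temporary state and presumably need the same follow-up.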
@@ -1,12 +1,12 @@ { - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#k8s-version@0.1.3": "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-certs@0.4.0": "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-operator-derive@0.3.1": "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-operator@0.111.1": "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-shared@0.1.0": "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-telemetry@0.6.3": "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-versioned-macros@0.10.0": "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-versioned@0.10.0": "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.111.1#stackable-webhook@0.9.1": "0d58yvxvy8hbai12bjhcyvh4zw182j5dsfyqja4k2xc1vzjy29by", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#k8s-version@0.1.3": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-certs@0.4.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + 
"git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-operator-derive@0.3.1": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-operator@0.111.1": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-shared@0.1.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-telemetry@0.6.3": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-versioned-macros@0.10.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-versioned@0.10.0": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Fannotation-auto-tls-cert-subject-dn#stackable-webhook@0.9.1": "0liwh50756wajvzrbklcdcasrzczrh7xsf3q4gzq32h145x9151d", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file diff --git a/rust/operator-binary/src/crd/security.rs b/rust/operator-binary/src/crd/security.rs index b38f32a9..c0718119 100644 --- a/rust/operator-binary/src/crd/security.rs +++ b/rust/operator-binary/src/crd/security.rs 
@@ -563,6 +563,7 @@ impl KafkaTlsSecurity { .with_pod_scope() .with_format(SecretFormat::TlsPkcs12) .with_auto_tls_cert_lifetime(*requested_secret_lifetime) + .with_auto_tls_cert_domain_components_in_subject_dn(true) .build() .context(SecretVolumeBuildSnafu)?, ) @@ -864,6 +865,7 @@ impl KafkaTlsSecurity { .with_pod_scope() .with_format(SecretFormat::TlsPem) .with_auto_tls_cert_lifetime(*requested_secret_lifetime) + .with_auto_tls_cert_domain_components_in_subject_dn(true) .build() .context(SecretVolumeBuildSnafu)?, ) @@ -888,6 +890,7 @@ impl KafkaTlsSecurity { .with_listener_volume_scope(LISTENER_BOOTSTRAP_VOLUME_NAME) .with_format(SecretFormat::TlsPkcs12) .with_auto_tls_cert_lifetime(*requested_secret_lifetime) + .with_auto_tls_cert_domain_components_in_subject_dn(true) .build() .context(SecretVolumeBuildSnafu)?, ) diff --git a/tests/templates/kuttl/opa/20-install-opa.yaml.j2 b/tests/templates/kuttl/opa/20-install-opa.yaml.j2 index dcc10746..54b22aad 100644 --- a/tests/templates/kuttl/opa/20-install-opa.yaml.j2 +++ b/tests/templates/kuttl/opa/20-install-opa.yaml.j2 @@ -18,18 +18,27 @@ commands: default allow := false allow if { - input.requestContext.principal.name == "kafka" + is_internal_request + startswith( + input.requestContext.principal.name, + "DC=local,DC=cluster,DC=svc,DC=$NAMESPACE,DC=test-kafka-broker-default-headless,DC=test-kafka-broker-default-", + ) } allow if { - input.requestContext.principal.name == "CN=generated certificate for pod" + is_external_request + input.requestContext.principal.name == "kafka" } allow if { + is_external_request input.requestContext.principal.name == "developer" resource_is_allowed } + is_internal_request if input.requestContext.listenerName == "INTERNAL" + is_external_request if not is_internal_request + # only allow access to a specific topic resource_is_allowed if { input.action.resourcePattern.resourceType == "TOPIC" From 2db9ecf3b5e6d865f82dbe6a6559f26cc6150165 Mon Sep 17 00:00:00 2001 
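Review bot: The three new `.with_auto_tls_cert_domain_components_in_subject_dn(true)` calls (hunks at 563, 864 and 888) carry no comment on why the certificate subject DN now has to embed the pod FQDN, although this appears to be exactly what the OPA test policy's `startswith(input.requestContext.principal.name, "DC=local,...")` rule in the same commit depends on, and the CHANGELOG marks it as breaking for existing DN-based authorization rules. A comment above each call such as `// Encode the pod FQDN as DC= components of the subject DN so authorizers can identify broker principals; authorization rules matching the old "CN=generated certificate for pod" principal will no longer match (see #972).` would make the intent and the compatibility impact visible at the point of use. The same option is set identically in all three builder chains; if the underlying builder is shared, setting it in one small private helper would keep the three volumes from drifting apart in future changes. The enclosing `KafkaTlsSecurity` methods start and end outside the hunks.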
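Review bot: The new internal-broker rule accepts any principal whose name merely starts with the hard-coded `DC=local,DC=cluster,DC=svc,DC=$NAMESPACE,DC=test-kafka-broker-default-headless,DC=test-kafka-broker-default-` prefix, so the trailing pod ordinal and CN are never checked, and the prefix is tied to what looks like the cluster name and role group used by this test. Both seem deliberate for a test policy, but the rule gives no hint of that, and a renamed test cluster would make the rule fail closed without an obvious cause; a comment above the `startswith(` call such as `# Brokers are identified by the DC components of their auto-TLS subject DN (pod FQDN); the pod ordinal and CN suffix are intentionally not pinned, and this only applies on the INTERNAL listener` would save the next reader from treating the prefix match as an oversight. It is worth noting that the `is_internal_request` gate on `listenerName == "INTERNAL"` is the only thing keeping this rule from applying to client traffic, so the two rules should be kept together.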
From: Siegfried Weber
Date: Thu, 28 May 2026 17:09:53 +0200
Subject: [PATCH 2/2] tests: Use specific operator versions in the tests
---
tests/release.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/release.yaml b/tests/release.yaml
index 981efdf3..55516f87 100644
--- a/tests/release.yaml
+++ b/tests/release.yaml
@@ -9,12 +9,12 @@ releases:
 commons:
 operatorVersion: 0.0.0-dev
 secret:
- operatorVersion: 0.0.0-dev
+ operatorVersion: 0.0.0-pr708
 listener:
 operatorVersion: 0.0.0-dev
 zookeeper:
 operatorVersion: 0.0.0-dev
 kafka:
- operatorVersion: 0.0.0-dev
+ operatorVersion: 0.0.0-pr972
 opa:
 operatorVersion: 0.0.0-dev