feat!: Add working conversion webhook with cert rotation (#1066)

* WIP

* Actually rotate certs

* clippy

* doctests

* HashMap -> Vec

* Set correct CA lifetime

* Result type

* fix rustdocs

* Add some docs

* Update rustdoc

* Handle cert rottion loop falures

* changelog

* link to decision

* fix rustdocs

* Rework CLI structs and names

* test: Remove CLI parsing from env var test

* Move subject_alterative_dns_names into Options

* changelog

* Remove mpsc in tests leftover

* docs: Use result of WebhookServer::new

* fmt

* Update crates/stackable-webhook/src/tls/mod.rs

Co-authored-by: Techassi <[email protected]>

* fix suggestion

* capture in variable

* Move route into variable

* docs: Mention background cert rotation

* docs: Document TlsServer::new

* docs: Hint on downward API env var

* Rewrite certificate rotation logic

Co-authored-by: Techassi <[email protected]>

* Avoid unwrap

* Make CertResolver pub, so docs pass

* Add missing await

* mount -> project

* Update crates/stackable-webhook/src/tls/mod.rs

Co-authored-by: Techassi <[email protected]>

* changelog

* Add ConversionWebhookOptions struct

* PascalCase error variants

* changelog

* changelog

* fix rustdocs

* Update crates/stackable-operator/CHANGELOG.md

Co-authored-by: Techassi <[email protected]>

* ReceiverCertificateFromChannel -> ReceiveCertificateFromChannel

* Remove double re-export

* fixup

* Update crates/stackable-webhook/src/tls/cert_resolver.rs

Co-authored-by: Techassi <[email protected]>

* Use CryptoProvider::get_default

* Update crates/stackable-webhook/src/tls/cert_resolver.rs

Co-authored-by: Techassi <[email protected]>

* changelog

* Remove CLI parsing tests

* clippy

* Move stuff into send_certificate_to_channel

* OptionsBuilder -> WebhookOptionsBuilder

* fix typo with read and write

* Refactor cert resolver

* chore: Dont use OperatorEnvironmentOptions

* fix outdated docs

* fix doc test

* fix clippy lints

* Improve rust docs

* Further improve docs

* Add CONVERSION_WEBHOOK_HTTPS_PORT

* update docs

* suggest 0.0.0.0 in docs

* markdown linter

* Refactor stuff into generate_new_certificatei

Co-authored-by: Techassi <[email protected]>

* chore: Increase TLS certificate lifetime to 24 hours

---------

Co-authored-by: Techassi <[email protected]>

Author: sbernauer

Cargo.lock

@@ -11,6 +11,7 @@ repository = "https://github.com/stackabletech/operator-rs"
 [workspace.dependencies]
 product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" }
 
+arc-swap = "1.7"
 axum = { version = "0.8.1", features = ["http2"] }
 chrono = { version = "0.4.38", default-features = false }
 clap = { version = "4.5.17", features = ["derive", "cargo", "env"] }

Cargo.toml

@@ -1,6 +1,6 @@
 use stackable_operator::time::Duration;
 
-/// The default CA validity time span of one hour (3600 seconds).
+/// The default CA validity time span
 pub const DEFAULT_CA_VALIDITY: Duration = Duration::from_hours_unchecked(1);
 
 /// The root CA subject name containing only the common name.

crates/stackable-certs/src/ca/consts.rs

@@ -38,7 +38,7 @@ pub enum Error {
     #[snafu(display("failed to generate RSA signing key"))]
     GenerateRsaSigningKey { source: rsa::Error },
 
-    #[snafu(display("failed to generate ECDSA signign key"))]
+    #[snafu(display("failed to generate ECDSA signing key"))]
     GenerateEcdsaSigningKey { source: ecdsa::Error },
 
     #[snafu(display("failed to parse {subject:?} as subject"))]

crates/stackable-certs/src/ca/mod.rs

@@ -7,16 +7,22 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Add `ProbeBuilder` to build Kubernetes container probes ([#1078]).
+- BREAKING: Add two new required CLI arguments: `--operator-namespace` and `--operator-service-name`.
+  These two values are used to construct the service name in the CRD conversion webhook ([#1066]).
 
 ### Changed
 
 - BREAKING: The `ResolvedProductImage` field `app_version_label` was renamed to `app_version_label_value` to match changes to its type ([#1076]).
+- BREAKING: Rename two fields of the `ProductOperatorRun` struct for consistency and clarity ([#1066]):
+  - `telemetry_arguments` -> `telemetry`
+  - `cluster_info_opts` -> `cluster_info`
 
 ### Fixed
 
 - BREAKING: Fix bug where `ResolvedProductImage::app_version_label` could not be used as a label value because it can contain invalid characters.
   This is the case when referencing custom images via a `@sha256:...` hash. As such, the `product_image_selection::resolve` function is now fallible ([#1076]).
 
+[#1066]: https://github.com/stackabletech/operator-rs/pull/1066
 [#1076]: https://github.com/stackabletech/operator-rs/pull/1076
 [#1078]: https://github.com/stackabletech/operator-rs/pull/1078
 

crates/stackable-operator/CHANGELOG.md

@@ -116,7 +116,7 @@ use product_config::ProductConfigManager;
 use snafu::{ResultExt, Snafu};
 use stackable_telemetry::tracing::TelemetryOptions;
 
-use crate::{namespace::WatchNamespace, utils::cluster_info::KubernetesClusterInfoOpts};
+use crate::{namespace::WatchNamespace, utils::cluster_info::KubernetesClusterInfoOptions};
 
 pub const AUTHOR: &str = "Stackable GmbH - [email protected]";
 
@@ -163,10 +163,10 @@ pub enum Command<Run: Args = ProductOperatorRun> {
 /// Can be embedded into an extended argument set:
 ///
 /// ```rust
-/// # use stackable_operator::cli::{Command, ProductOperatorRun, ProductConfigPath};
+/// # use stackable_operator::cli::{Command, OperatorEnvironmentOptions, ProductOperatorRun, ProductConfigPath};
+/// # use stackable_operator::{namespace::WatchNamespace, utils::cluster_info::KubernetesClusterInfoOptions};
+/// # use stackable_telemetry::tracing::TelemetryOptions;
 /// use clap::Parser;
-/// use stackable_operator::{namespace::WatchNamespace, utils::cluster_info::KubernetesClusterInfoOpts};
-/// use stackable_telemetry::tracing::TelemetryOptions;
 ///
 /// #[derive(clap::Parser, Debug, PartialEq, Eq)]
 /// struct Run {
@@ -176,17 +176,36 @@ pub enum Command<Run: Args = ProductOperatorRun> {
 ///     common: ProductOperatorRun,
 /// }
 ///
-/// let opts = Command::<Run>::parse_from(["foobar-operator", "run", "--name", "foo", "--product-config", "bar", "--watch-namespace", "foobar", "--kubernetes-node-name", "baz"]);
+/// let opts = Command::<Run>::parse_from([
+///     "foobar-operator",
+///     "run",
+///     "--name",
+///     "foo",
+///     "--product-config",
+///     "bar",
+///     "--watch-namespace",
+///     "foobar",
+///     "--operator-namespace",
+///     "stackable-operators",
+///     "--operator-service-name",
+///     "foo-operator",
+///     "--kubernetes-node-name",
+///     "baz",
+/// ]);
 /// assert_eq!(opts, Command::Run(Run {
 ///     name: "foo".to_string(),
 ///     common: ProductOperatorRun {
 ///         product_config: ProductConfigPath::from("bar".as_ref()),
 ///         watch_namespace: WatchNamespace::One("foobar".to_string()),
-///         telemetry_arguments: TelemetryOptions::default(),
-///         cluster_info_opts: KubernetesClusterInfoOpts {
+///         telemetry: TelemetryOptions::default(),
+///         cluster_info: KubernetesClusterInfoOptions {
 ///             kubernetes_cluster_domain: None,
 ///             kubernetes_node_name: "baz".to_string(),
 ///         },
+///         operator_environment: OperatorEnvironmentOptions {
+///             operator_namespace: "stackable-operators".to_string(),
+///             operator_service_name: "foo-operator".to_string(),
+///         },
 ///     },
 /// }));
 /// ```
@@ -220,10 +239,13 @@ pub struct ProductOperatorRun {
     pub watch_namespace: WatchNamespace,
 
     #[command(flatten)]
-    pub telemetry_arguments: TelemetryOptions,
+    pub operator_environment: OperatorEnvironmentOptions,
+
+    #[command(flatten)]
+    pub telemetry: TelemetryOptions,
 
     #[command(flatten)]
-    pub cluster_info_opts: KubernetesClusterInfoOpts,
+    pub cluster_info: KubernetesClusterInfoOptions,
 }
 
 /// A path to a [`ProductConfigManager`] spec file
@@ -281,11 +303,26 @@ impl ProductConfigPath {
     }
 }
 
+#[derive(clap::Parser, Debug, PartialEq, Eq)]
+pub struct OperatorEnvironmentOptions {
+    /// The namespace the operator is running in, usually `stackable-operators`.
+    ///
+    /// Note that when running the operator on Kubernetes we recommend to use the
+    /// [downward API](https://kubernetes.io/docs/concepts/workloads/pods/downward-api/)
+    /// to let Kubernetes project the namespace as the `OPERATOR_NAMESPACE` env variable.
+    #[arg(long, env)]
+    pub operator_namespace: String,
+
+    /// The name of the service the operator is reachable at, usually
+    /// something like `<product>-operator`.
+    #[arg(long, env)]
+    pub operator_service_name: String,
+}
+
 #[cfg(test)]
 mod tests {
-    use std::{env, fs::File};
+    use std::fs::File;
 
-    use clap::Parser;
     use rstest::*;
     use tempfile::tempdir;
 
@@ -294,7 +331,6 @@ mod tests {
     const USER_PROVIDED_PATH: &str = "user_provided_path_properties.yaml";
     const DEPLOY_FILE_PATH: &str = "deploy_config_spec_properties.yaml";
     const DEFAULT_FILE_PATH: &str = "default_file_path_properties.yaml";
-    const WATCH_NAMESPACE: &str = "WATCH_NAMESPACE";
 
     #[test]
     fn verify_cli() {
@@ -378,76 +414,4 @@ mod tests {
             panic!("must return RequiredFileMissing when file was not found")
         }
     }
-
-    #[test]
-    fn product_operator_run_watch_namespace() {
-        // clean env var to not interfere if already set
-        unsafe { env::remove_var(WATCH_NAMESPACE) };
-
-        // cli with namespace
-        let opts = ProductOperatorRun::parse_from([
-            "run",
-            "--product-config",
-            "bar",
-            "--watch-namespace",
-            "foo",
-            "--kubernetes-node-name",
-            "baz",
-        ]);
-        assert_eq!(
-            opts,
-            ProductOperatorRun {
-                product_config: ProductConfigPath::from("bar".as_ref()),
-                watch_namespace: WatchNamespace::One("foo".to_string()),
-                cluster_info_opts: KubernetesClusterInfoOpts {
-                    kubernetes_cluster_domain: None,
-                    kubernetes_node_name: "baz".to_string()
-                },
-                telemetry_arguments: Default::default(),
-            }
-        );
-
-        // no cli / no env
-        let opts = ProductOperatorRun::parse_from([
-            "run",
-            "--product-config",
-            "bar",
-            "--kubernetes-node-name",
-            "baz",
-        ]);
-        assert_eq!(
-            opts,
-            ProductOperatorRun {
-                product_config: ProductConfigPath::from("bar".as_ref()),
-                watch_namespace: WatchNamespace::All,
-                cluster_info_opts: KubernetesClusterInfoOpts {
-                    kubernetes_cluster_domain: None,
-                    kubernetes_node_name: "baz".to_string()
-                },
-                telemetry_arguments: Default::default(),
-            }
-        );
-
-        // env with namespace
-        unsafe { env::set_var(WATCH_NAMESPACE, "foo") };
-        let opts = ProductOperatorRun::parse_from([
-            "run",
-            "--product-config",
-            "bar",
-            "--kubernetes-node-name",
-            "baz",
-        ]);
-        assert_eq!(
-            opts,
-            ProductOperatorRun {
-                product_config: ProductConfigPath::from("bar".as_ref()),
-                watch_namespace: WatchNamespace::One("foo".to_string()),
-                cluster_info_opts: KubernetesClusterInfoOpts {
-                    kubernetes_cluster_domain: None,
-                    kubernetes_node_name: "baz".to_string()
-                },
-                telemetry_arguments: Default::default(),
-            }
-        );
-    }
 }

crates/stackable-operator/src/cli.rs

@@ -21,7 +21,7 @@ use tracing::trace;
 
 use crate::{
     kvp::LabelSelectorExt,
-    utils::cluster_info::{KubernetesClusterInfo, KubernetesClusterInfoOpts},
+    utils::cluster_info::{KubernetesClusterInfo, KubernetesClusterInfoOptions},
 };
 
 pub type Result<T, E = Error> = std::result::Result<T, E>;
@@ -529,13 +529,13 @@ impl Client {
     /// use k8s_openapi::api::core::v1::Pod;
     /// use stackable_operator::{
     ///     client::{Client, initialize_operator},
-    ///     utils::cluster_info::KubernetesClusterInfoOpts,
+    ///     utils::cluster_info::KubernetesClusterInfoOptions,
     /// };
     ///
     /// #[tokio::main]
     /// async fn main() {
-    /// let cluster_info_opts = KubernetesClusterInfoOpts::parse();
-    /// let client = initialize_operator(None, &cluster_info_opts)
+    /// let cluster_info_options = KubernetesClusterInfoOptions::parse();
+    /// let client = initialize_operator(None, &cluster_info_options)
     ///     .await
     ///     .expect("Unable to construct client.");
     /// let watcher_config: watcher::Config =
@@ -652,7 +652,7 @@ where
 
 pub async fn initialize_operator(
     field_manager: Option<String>,
-    cluster_info_opts: &KubernetesClusterInfoOpts,
+    cluster_info_opts: &KubernetesClusterInfoOptions,
 ) -> Result<Client> {
     let kubeconfig: Config = kube::Config::infer()
         .await
@@ -687,10 +687,10 @@ mod tests {
     };
     use tokio::time::error::Elapsed;
 
-    use crate::utils::cluster_info::KubernetesClusterInfoOpts;
+    use crate::utils::cluster_info::KubernetesClusterInfoOptions;
 
-    async fn test_cluster_info_opts() -> KubernetesClusterInfoOpts {
-        KubernetesClusterInfoOpts {
+    async fn test_cluster_info_opts() -> KubernetesClusterInfoOptions {
+        KubernetesClusterInfoOptions {
             // We have to hard-code a made-up cluster domain,
             // since kubernetes_node_name (probably) won't be a valid Node that we can query.
             kubernetes_cluster_domain: Some(

crates/stackable-operator/src/client.rs

@@ -16,32 +16,36 @@ pub struct KubernetesClusterInfo {
 }
 
 #[derive(clap::Parser, Debug, PartialEq, Eq)]
-pub struct KubernetesClusterInfoOpts {
+pub struct KubernetesClusterInfoOptions {
     /// Kubernetes cluster domain, usually this is `cluster.local`.
     // We are not using a default value here, as we query the cluster if it is not specified.
     #[arg(long, env)]
     pub kubernetes_cluster_domain: Option<DomainName>,
 
     /// Name of the Kubernetes Node that the operator is running on.
+    ///
+    /// Note that when running the operator on Kubernetes we recommend to use the
+    /// [downward API](https://kubernetes.io/docs/concepts/workloads/pods/downward-api/)
+    /// to let Kubernetes project the namespace as the `KUBERNETES_NODE_NAME` env variable.
     #[arg(long, env)]
     pub kubernetes_node_name: String,
 }
 
 impl KubernetesClusterInfo {
     pub async fn new(
         client: &Client,
-        cluster_info_opts: &KubernetesClusterInfoOpts,
+        cluster_info_opts: &KubernetesClusterInfoOptions,
     ) -> Result<Self, Error> {
         let cluster_domain = match cluster_info_opts {
-            KubernetesClusterInfoOpts {
+            KubernetesClusterInfoOptions {
                 kubernetes_cluster_domain: Some(cluster_domain),
                 ..
             } => {
                 tracing::info!(%cluster_domain, "Using configured Kubernetes cluster domain");
 
                 cluster_domain.clone()
             }
-            KubernetesClusterInfoOpts {
+            KubernetesClusterInfoOptions {
                 kubernetes_node_name: node_name,
                 ..
             } => {

crates/stackable-operator/src/utils/cluster_info.rs

@@ -73,22 +73,6 @@ const OTEL_TRACE_ID_TO: &str = "opentelemetry.trace_id.to";
 /// # let _: Router = router;
 /// ```
 ///
-/// ### Example with Webhook
-///
-/// The usage is even simpler when combined with the `stackable_webhook` crate.
-/// The webhook server has built-in support to automatically emit HTTP spans on
-/// every incoming request.
-///
-/// ```
-/// use stackable_webhook::{WebhookServer, Options};
-/// use axum::Router;
-///
-/// let router = Router::new();
-/// let server = WebhookServer::new(router, Options::default());
-///
-/// # let _: WebhookServer = server;
-/// ```
-///
 /// This layer is implemented based on [this][1] official Tower guide.
 ///
 /// [1]: https://github.com/tower-rs/tower/blob/master/guides/building-a-middleware-from-scratch.md