stackabletech · Techassi · Mar 15, 2024 · Feb 13, 2024 · Feb 14, 2024 · Feb 14, 2024
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,7 @@ Cargo.lock
 .idea/
 *.iws
 *.iml
+
+# TLS certificates for testing
+*.crt
+*.key
diff --git a/Cargo.toml b/Cargo.toml
@@ -67,4 +67,4 @@ rstest = "0.18.1"
 tempfile = "3.7.1"
 
 [workspace]
-members = ["stackable-operator-derive", "stackable-webhook"]
+members = ["stackable-certs", "stackable-operator-derive", "stackable-webhook"]
diff --git a/src/commons/mod.rs b/src/commons/mod.rs
@@ -11,4 +11,5 @@ pub mod product_image_selection;
 pub mod rbac;
 pub mod resources;
 pub mod s3;
+pub mod secret;
 pub mod secret_class;
diff --git a/src/commons/secret.rs b/src/commons/secret.rs
@@ -0,0 +1,45 @@
+use std::fmt::Display;
+
+use k8s_openapi::api::core::v1::Secret;
+use kube::runtime::reflector::ObjectRef;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+/// [`SecretReference`] represents a Kubernetes [`Secret`] reference.
+///
+/// In order to use this struct, the following two requirements must be met:
+///
+/// - Must only be used in cluster-scoped objects
+/// - Namespaced objects must not be able to define cross-namespace secret
+///   references
+///
+/// This struct is a redefinition of the one provided by k8s-openapi to make
+/// name and namespace mandatory.
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
+#[serde(rename_all = "camelCase")]
+pub struct SecretReference {
+    /// Namespace of the Secret being referred to.
+    pub namespace: String,
+
+    /// Name of the Secret being referred to.
+    pub name: String,
+}
+
+// Use ObjectRef for logging/errors
+impl Display for SecretReference {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        ObjectRef::<Secret>::from(self).fmt(f)
+    }
+}
+
+impl From<SecretReference> for ObjectRef<Secret> {
+    fn from(val: SecretReference) -> Self {
+        ObjectRef::<Secret>::from(&val)
+    }
+}
+
+impl From<&SecretReference> for ObjectRef<Secret> {
+    fn from(val: &SecretReference) -> Self {
+        ObjectRef::<Secret>::new(&val.name).within(&val.namespace)
+    }
+}
diff --git a/stackable-certs/Cargo.toml b/stackable-certs/Cargo.toml
@@ -0,0 +1,37 @@
+[package]
+name = "stackable-certs"
+version.workspace = true
+authors.workspace = true
+license.workspace = true
+edition.workspace = true
+repository.workspace = true
+
+[features]
+default = []
+rustls = ["dep:tokio-rustls", "dep:rustls-pemfile"]
+
+[dependencies]
+stackable-operator = { path = ".." }
+
+const-oid = "0.9.6"
+ecdsa = { version = "0.16.9", features = ["digest", "pem"] }
+p256 = { version = "0.13.2", features = ["ecdsa"] }
+k8s-openapi = { version = "0.21.0", default-features = false, features = [
+  "v1_28",
+] }
+kube = { version = "0.88.1", default-features = false, features = [
+  "client",
+  "rustls-tls",
+] }
+tracing = "0.1.40"
+tokio = { version = "1.29.1", features = ["fs"] }
+tokio-rustls = { version = "0.25.0", optional = true }
+rand = "0.8.5"
+rand_core = "0.6.4"
+rsa = { version = "0.9.6", features = ["sha2"] }
+rustls-pemfile = { version = "2.0.0", optional = true }
+sha2 = { version = "0.10.8", features = ["oid"] }
+signature = "2.2.0"
+snafu = "0.8.0"
+x509-cert = { version = "0.2.5", features = ["builder"] }
+zeroize = "1.7.0"
diff --git a/stackable-certs/src/ca/consts.rs b/stackable-certs/src/ca/consts.rs
@@ -0,0 +1,5 @@
+/// The default CA validity time span of one hour (3600 seconds).
+pub const DEFAULT_CA_VALIDITY_SECONDS: u64 = 3600;
+
+/// The root CA subject name containing only the common name.
+pub const ROOT_CA_SUBJECT: &str = "CN=Stackable Data Platform Internal CA";
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,3 +6,7 @@ Cargo.lock @@
     .idea/
     *.iws
     *.iml
+    # TLS certificates for testing
+    *.crt
+    *.key