From 558afa8020afe525030916540014048de727579b Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Thu, 17 Jul 2025 08:50:55 +0200 Subject: [PATCH 1/3] fix: Add metrics Service SAN to NiFis certificate --- rust/operator-binary/src/controller.rs | 7 +++++-- rust/operator-binary/src/reporting_task/mod.rs | 2 +- rust/operator-binary/src/security/mod.rs | 2 +- rust/operator-binary/src/security/tls.rs | 4 ++-- rust/operator-binary/src/service.rs | 3 ++- 5 files changed, 11 insertions(+), 7 deletions(-) diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs index 100b22a0..35c95933 100644 --- a/rust/operator-binary/src/controller.rs +++ b/rust/operator-binary/src/controller.rs @@ -109,7 +109,7 @@ use crate::{ }, service::{ build_rolegroup_headless_service, build_rolegroup_metrics_service, metrics_service_port, - rolegroup_headless_service_name, + rolegroup_headless_service_name, rolegroup_metrics_service_name, }, }; @@ -1347,7 +1347,10 @@ async fn build_node_rolegroup_statefulset( build_tls_volume( nifi, KEYSTORE_VOLUME_NAME, - vec![&build_reporting_task_service_name(&nifi_cluster_name)], + [ + rolegroup_metrics_service_name(rolegroup_ref.object_name()), + build_reporting_task_service_name(&nifi_cluster_name), + ], SecretFormat::TlsPkcs12, &requested_secret_lifetime, Some(LISTENER_VOLUME_NAME), diff --git a/rust/operator-binary/src/reporting_task/mod.rs b/rust/operator-binary/src/reporting_task/mod.rs index d2cc9360..d164332d 100644 --- a/rust/operator-binary/src/reporting_task/mod.rs +++ b/rust/operator-binary/src/reporting_task/mod.rs @@ -350,7 +350,7 @@ fn build_reporting_task_job( build_tls_volume( nifi, REPORTING_TASK_CERT_VOLUME_NAME, - vec![], + Vec::::new(), SecretFormat::TlsPem, // The certificate is only used for the REST API call, so a short lifetime is sufficient. // There is no correct way to configure this job since it's an implementation detail. 
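Review bot: The array passed as `service_scopes` in `build_node_rolegroup_statefulset` (hunk at -1347) now lists two Service names without a comment on why each is needed, and going by the commit subject every entry becomes a SAN on the node's keystore certificate. A comment above the array would make later additions a deliberate choice, for example `// Service names requested as SANs: rolegroup metrics Service and reporting-task Service.` The diffstats of the three patches shown here list no test file, so an integration check that a TLS client connecting through the metrics Service name passes hostname verification would guard against regressions. The function begins and ends outside the hunk.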
diff --git a/rust/operator-binary/src/security/mod.rs b/rust/operator-binary/src/security/mod.rs index f1fdcc0e..a130b439 100644 --- a/rust/operator-binary/src/security/mod.rs +++ b/rust/operator-binary/src/security/mod.rs @@ -47,7 +47,7 @@ pub async fn check_or_generate_oidc_admin_password( pub fn build_tls_volume( nifi: &v1alpha1::NifiCluster, volume_name: &str, - service_scopes: Vec<&str>, + service_scopes: impl IntoIterator>, secret_format: SecretFormat, requested_secret_lifetime: &Duration, listener_scope: Option<&str>, diff --git a/rust/operator-binary/src/security/tls.rs b/rust/operator-binary/src/security/tls.rs index 73413eaa..15b19742 100644 --- a/rust/operator-binary/src/security/tls.rs +++ b/rust/operator-binary/src/security/tls.rs @@ -24,7 +24,7 @@ pub enum Error { pub(crate) fn build_tls_volume( nifi: &v1alpha1::NifiCluster, volume_name: &str, - service_scopes: Vec<&str>, + service_scopes: impl IntoIterator>, secret_format: SecretFormat, requested_secret_lifetime: &Duration, listener_scope: Option<&str>, @@ -36,7 +36,7 @@ pub(crate) fn build_tls_volume( secret_volume_source_builder.with_tls_pkcs12_password(STACKABLE_TLS_STORE_PASSWORD); } for scope in service_scopes { - secret_volume_source_builder.with_service_scope(scope); + secret_volume_source_builder.with_service_scope(scope.as_ref()); } if let Some(listener_scope) = listener_scope { secret_volume_source_builder.with_listener_volume_scope(listener_scope); diff --git a/rust/operator-binary/src/service.rs b/rust/operator-binary/src/service.rs index b217953c..391ca1bd 100644 --- a/rust/operator-binary/src/service.rs +++ b/rust/operator-binary/src/service.rs 
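Review bot: `service_scopes` on `build_tls_volume` is widened to a generic iterator of string-like items, both in `security/tls.rs` and in the `security/mod.rs` wrapper, but neither hunk shows documentation of what an entry means. Since the loop forwards each item to `with_service_scope`, a doc line on the parameter would help callers keep the set of names on the certificate minimal, e.g. `/// service_scopes: names of Services requested as scopes on the certificate; pass only Services that front this Pod.` Any existing doc comment sits above the hunks and is not visible here, so this may already be covered.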
@@ -127,7 +127,8 @@ pub fn metrics_service_port(product_version: &str) -> ServicePort { } /// Returns the metrics rolegroup service name `---`. -fn rolegroup_metrics_service_name(role_group_ref_object_name: &str) -> String { +pub fn rolegroup_metrics_service_name(role_group_ref_object_name: impl AsRef) -> String { + let role_group_ref_object_name = role_group_ref_object_name.as_ref(); format!("{role_group_ref_object_name}-{METRICS_SERVICE_SUFFIX}") } From 86534755a401f4b78347c6c14b5bd318b80e3a90 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Thu, 17 Jul 2025 08:55:01 +0200 Subject: [PATCH 2/3] changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d0bdf982..3471d3dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ All notable changes to this project will be documented in this file. ### Added - Add rolling upgrade support for upgrades between NiFi 2 versions ([#771]). -- BREAKING: Added Listener support for NiFi ([#784], [#818], [#819]). +- BREAKING: Added Listener support for NiFi ([#784], [#818], [#819], [#822]). - Adds new telemetry CLI arguments and environment variables ([#782]). - Use `--file-log-max-files` (or `FILE_LOG_MAX_FILES`) to limit the number of log files kept. - Use `--file-log-rotation-period` (or `FILE_LOG_ROTATION_PERIOD`) to configure the frequency of rotation. @@ -71,6 +71,7 @@ All notable changes to this project will be documented in this file. [#817]: https://github.com/stackabletech/nifi-operator/pull/817 [#818]: https://github.com/stackabletech/nifi-operator/pull/818 [#819]: https://github.com/stackabletech/nifi-operator/pull/819 +[#822]: https://github.com/stackabletech/nifi-operator/pull/822 ## [25.3.0] - 2025-03-21 From cbef79eda3958cbec65a3e94bd059d6dd7d9cffb Mon Sep 17 00:00:00 2001 
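Review bot: The doc comment on `rolegroup_metrics_service_name` still describes only the Service name, while after this patch the same string is also passed as a certificate service scope in `controller.rs`. Saying so in the comment, e.g. `/// Also requested as a SAN on the NiFi node certificate; keep both uses in sync when changing the format.`, makes the coupling visible to whoever changes the suffix. As a style matter, the generic parameter plus the rebinding line could stay a plain `&str` with the borrow kept at the call sites, leaving the body a single `format!`.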
From: Sebastian Bernauer Date: Thu, 17 Jul 2025 09:15:21 +0200 Subject: [PATCH 3/3] clippy --- rust/operator-binary/src/service.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rust/operator-binary/src/service.rs b/rust/operator-binary/src/service.rs index 391ca1bd..a403d3a2 100644 --- a/rust/operator-binary/src/service.rs +++ b/rust/operator-binary/src/service.rs @@ -74,9 +74,7 @@ pub fn build_rolegroup_metrics_service( Ok(Service { metadata: ObjectMetaBuilder::new() .name_and_namespace(nifi) - .name(rolegroup_metrics_service_name( - &role_group_ref.object_name(), - )) + .name(rolegroup_metrics_service_name(role_group_ref.object_name())) .ownerreference_from_resource(nifi, None, Some(true)) .context(ObjectMissingMetadataForOwnerRefSnafu)? .with_recommended_labels(object_labels)