From 431b8f780c9dc576eb1d58657db8f33643ce4fcf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Thu, 23 Jan 2025 14:22:55 +0100
Subject: [PATCH 1/4] Provision principals for IP addresses

---
 .../src/backend/kerberos_keytab.rs | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/rust/operator-binary/src/backend/kerberos_keytab.rs b/rust/operator-binary/src/backend/kerberos_keytab.rs
index 9bce7f3f..71f48076 100644
--- a/rust/operator-binary/src/backend/kerberos_keytab.rs
+++ b/rust/operator-binary/src/backend/kerberos_keytab.rs
@@ -208,13 +208,18 @@ cluster.local = {realm_name}
 scope: scope.clone(),
 })? {
- if let Address::Dns(hostname) = addr {
- pod_principals.push(
- format!("{service_name}/{hostname}")
- .try_into()
- .context(PodPrincipalSnafu)?,
- );
- }
+ pod_principals.push(
+ match addr {
+ Address::Dns(hostname) => {
+ format!("{service_name}/{hostname}")
+ }
+ Address::Ip(ip) => {
+ format!("{service_name}/{ip}")
+ }
+ }
+ .try_into()
+ .context(PodPrincipalSnafu)?,
+ );
 }
 }
 }

From f064b6ab9b0db0f841d065383ba480cce5409736 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Thu, 23 Jan 2025 14:36:56 +0100
Subject: [PATCH 2/4] Add nodeport IP listener volume test

---
 .../kuttl/kerberos/01-install-kdc.yaml.j2 | 1 +
 .../kuttl/kerberos/kinit-client.yaml.j2 | 24 ++++++++++++++++++-
 .../kuttl/kerberos/listenerclass.yaml | 9 +++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 tests/templates/kuttl/kerberos/listenerclass.yaml

diff --git a/tests/templates/kuttl/kerberos/01-install-kdc.yaml.j2 b/tests/templates/kuttl/kerberos/01-install-kdc.yaml.j2
index 703b6808..ade1705e 100644
--- a/tests/templates/kuttl/kerberos/01-install-kdc.yaml.j2
+++ b/tests/templates/kuttl/kerberos/01-install-kdc.yaml.j2
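Review bot: The new `Address::Ip(ip)` arm builds the principal's instance component straight from `ip`'s Display text, and nothing in the hunk records why IP principals are provisioned or which text form an IPv6 address takes when it reaches `try_into()`; the `KerberosPrincipal` conversion is outside the hunk, so whether it accepts a colon-separated address is not visible here, and the kuttl test added later in this series exercises only one node address. A comment above the push such as `// Clients that reach the service by IP request a ticket for service/<ip>, so the keytab needs that principal as well as the DNS one` would carry the intent, and a note that an IP (unlike a pod's DNS name) can be reassigned, so the keytab entry is tied to the address at provisioning time, would help whoever debugs a stale ticket later. The two arms also duplicate the `format!` pattern; binding the instance first keeps a single principal template, as below. The enclosing loop and function start and end outside the hunk.
```rust
// … unchanged: scope lookup that yields `addr` …
let instance = match addr {
    Address::Dns(hostname) => hostname.to_string(),
    Address::Ip(ip) => ip.to_string(),
};
pod_principals.push(
    format!("{service_name}/{instance}")
        .try_into()
        .context(PodPrincipalSnafu)?,
);
```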
@@ -3,6 +3,7 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 - script: envsubst '$NAMESPACE' < secretclass.yaml | kubectl apply -f -
+ - script: envsubst '$NAMESPACE' < listenerclass.yaml | kubectl apply -f -
 ---
 apiVersion: apps/v1
 kind: StatefulSet
diff --git a/tests/templates/kuttl/kerberos/kinit-client.yaml.j2 b/tests/templates/kuttl/kerberos/kinit-client.yaml.j2
index 2c6a134a..250f3d2a 100644
--- a/tests/templates/kuttl/kerberos/kinit-client.yaml.j2
+++ b/tests/templates/kuttl/kerberos/kinit-client.yaml.j2
@@ -21,6 +21,10 @@ spec:
 klist -k /stackable/krb/keytab -teKC
 echo kiniting node
 kinit -kt /stackable/krb/keytab -p HTTP/$NODE_NAME
+ echo kiniting node ip
+ NODE_IP="$(cat /stackable/listener/nodeport-ip/default-address/address)"
+ echo node ip is "$NODE_IP"
+ kinit -kt /stackable/krb/keytab -p "HTTP/$NODE_IP"
 echo kiniting service
 kinit -kt /stackable/krb/keytab -p HTTP/krb5-client.$NAMESPACE.svc.cluster.local
 echo kiniting pod
@@ -39,6 +43,11 @@ spec:
 volumeMounts:
 - mountPath: /stackable/krb
 name: kerberos
+ - mountPath: /stackable/listener/nodeport-ip
+ name: listener-nodeport-ip
+ ports:
+ - name: dummy
+ containerPort: 9999
 volumes:
 - name: kerberos
 ephemeral:
@@ -46,7 +55,7 @@ spec:
 metadata:
 annotations:
 secrets.stackable.tech/class: kerberos-$NAMESPACE
- secrets.stackable.tech/scope: node,pod
+ secrets.stackable.tech/scope: node,pod,listener-volume=listener-nodeport-ip
 spec:
 storageClassName: secrets.stackable.tech
 accessModes:
@@ -54,6 +63,19 @@ spec:
 resources:
 requests:
 storage: "1"
+ - name: listener-nodeport-ip
+ ephemeral:
+ volumeClaimTemplate:
+ metadata:
+ annotations:
+ listeners.stackable.tech/listener-class: nodeport-ip-$NAMESPACE
+ spec:
+ storageClassName: listeners.stackable.tech
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: "1"
 restartPolicy: Never
 terminationGracePeriodSeconds: 0
 subdomain: krb5-client
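Review bot: The added `NODE_IP="$(cat /stackable/listener/nodeport-ip/default-address/address)"` in the kinit-client hunk at line 21 never checks that the file actually holds an IP address, so if the listener were to publish a hostname instead, the `kinit -kt /stackable/krb/keytab -p "HTTP/$NODE_IP"` that follows would still succeed through the existing DNS principal and the test would no longer demonstrate IP provisioning; an empty or missing file (whether `set -e` is in effect is outside the hunk) yields the principal `HTTP/` and a kinit error that does not name the cause. A guard between the two added lines, `case "$NODE_IP" in ''|*[!0-9a-fA-F.:]*) echo "expected an IP address, got '$NODE_IP'"; exit 1;; esac`, keeps the test honest about what it proves. The script block continues outside the hunk.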
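Review bot: The `ports:` entry named `dummy` with `containerPort: 9999` in the volumeMounts hunk at line 39 has no comment, and nothing in the hunk says what it is for; the name suggests the port exists only so the listener volume has something to publish, but a reader cannot confirm that here. If that is the reason, a YAML comment on the `ports:` line such as `# placeholder port: nothing listens on it, it only gives the listener a port to publish` would save the next maintainer the guess. The container spec begins outside the hunk.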
diff --git a/tests/templates/kuttl/kerberos/listenerclass.yaml b/tests/templates/kuttl/kerberos/listenerclass.yaml
new file mode 100644
index 00000000..c15a4ad3
--- /dev/null
+++ b/tests/templates/kuttl/kerberos/listenerclass.yaml
@@ -0,0 +1,9 @@
+# $NAMESPACE will be replaced with the namespace of the test case.
+---
+apiVersion: listeners.stackable.tech/v1alpha1
+kind: ListenerClass
+metadata:
+ name: nodeport-ip-$NAMESPACE
+spec:
+ serviceType: NodePort
+ preferredAddressType: IP

From 58b52725c493e176d091808128a43842fd3863b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Thu, 23 Jan 2025 14:50:32 +0100
Subject: [PATCH 3/4] Changelog

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13fe4e16..64981663 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ All notable changes to this project will be documented in this file.
 ### Added
 - Made RSA key length configurable for certificates issued by cert-manager ([#528]).
+- Kerberos principal backends now also provision principals for IP address, not just DNS hostnames ([#552]).
 ### Changed
@@ -28,6 +29,7 @@ All notable changes to this project will be documented in this file.
 [#536]: https://github.com/stackabletech/secret-operator/pull/536
 [#543]: https://github.com/stackabletech/secret-operator/pull/543
 [#548]: https://github.com/stackabletech/secret-operator/pull/548
+[#552]: https://github.com/stackabletech/secret-operator/pull/552
 ## [24.11.0] - 2024-11-18

From 0f6f8c5c92b4872279f8e3950d0038dbffcc8641 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?=
Date: Thu, 23 Jan 2025 14:50:47 +0100
Subject: [PATCH 4/4] Remove FQDNization from changelog

It was reverted in #551
---
 CHANGELOG.md | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 64981663..48bc752f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,10 +14,6 @@ All notable changes to this project will be documented in this file.
 - Made RSA key length configurable for certificates issued by cert-manager ([#528]).
 - Kerberos principal backends now also provision principals for IP address, not just DNS hostnames ([#552]).
-### Changed
-
-- Append a dot (`.`) to the default cluster domain to reduce DNS requests ([#543]).
-
 ### Fixed
 - Helm chart: The secret migration job can be omitted via Helm values ([#536]).
@@ -27,7 +23,6 @@ All notable changes to this project will be documented in this file.
 [#528]: https://github.com/stackabletech/secret-operator/pull/528
 [#536]: https://github.com/stackabletech/secret-operator/pull/536
-[#543]: https://github.com/stackabletech/secret-operator/pull/543
 [#548]: https://github.com/stackabletech/secret-operator/pull/548
 [#552]: https://github.com/stackabletech/secret-operator/pull/552