feat: Add annotation to provision non-sensitive data only (#676)

* feat: Add annotation to provision public secret data only

* chore: Rename tls module to auto_tls

* feat: Add relaxed file loading

* feat: Conditionally generate Kerberos keytab

* test: Add non-sensitive-data integration test

* test: Add PKCS#12 format volume + mount

* chore: Rename annotation

* docs: Add section for new annotation

* chore: Remove outdated TODO comment

* chore: Add doc comment explaining the default variant

* test: Use updated annotation in integration test

* chore: Apply suggestion

Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>

* docs: Fix typo

Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>

* refactor: Slightly optimize conditional leaf cert generation

* refactor: Slightly optimize conditional kerberos keytab generation

* test: Increase second step timeout to 30 seconds

Sometimes, this step takes slightly longer than the default timeout
of ten seconds and therefore fails.

---------

Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>

Author: Techassi

docs/modules/secret-operator/pages/volume.adoc

@@ -50,6 +50,23 @@ The xref:secretclass.adoc#format[format] that the secret should be written as.
 
 This can be either the default output format of the xref:secretclass.adoc#backend[backend], or a format that it defines a conversion into.
 
+=== `secrets.stackable.tech/provision-parts`
+
+*Required*: false
+
+*Default value*: `public-private`
+
+*Backend*: All
+
+This annotation allows configuring which parts of the secret material should be provisioned.
+Supported values are `public` and `public-private`, provisioning only public or public+private data respectively.
+Using this annotation enables the following use-cases:
+
+* Use the `autoTls` backend, but only provision the `ca.crt`/`truststore.p12` for the consumer.
+* Use the `kerberosKeytab` backend, but only provision the `krb5.conf` for the consumer.
+* Use the `k8sSearch` backend to select Secrets which contain public data only and support parsing the partial set of files.
+  Using this annotation disables the strict parsing of files when an explicit format is requested.
+
 === `secrets.stackable.tech/format.tls-pkcs12.keystore-name`
 
 *Required*: false

rust/krb5-provision-keytab/src/lib.rs

@@ -68,7 +68,10 @@ pub enum Error {
 /// Provisions a Kerberos Keytab based on the [`Request`].
 ///
 /// This function assumes that the binary produced by this crate is on the `$PATH`, and will fail otherwise.
-pub async fn provision_keytab(krb5_config_path: &Path, req: &Request) -> Result<Response, Error> {
+pub async fn provision_keytab_file(
+    krb5_config_path: &Path,
+    req: &Request,
+) -> Result<Response, Error> {
     let req_str = serde_json::to_vec(&req).context(SerializeRequestSnafu)?;
 
     let mut child = Command::new("stackable-krb5-provision-keytab")

…st/operator-binary/src/backend/tls/ca.rs …erator-binary/src/backend/auto_tls/ca.rsrust/operator-binary/src/backend/tls/ca.rs renamed to rust/operator-binary/src/backend/auto_tls/ca.rs rust/operator-binary/src/backend/tls/ca.rs renamed to rust/operator-binary/src/backend/auto_tls/ca.rs

@@ -25,12 +25,13 @@ use snafu::{OptionExt, ResultExt, Snafu, ensure};
 use stackable_operator::{kube::runtime::reflector::ObjectRef, shared::time::Duration};
 use time::OffsetDateTime;
 
-use super::{
-    ScopeAddressesError, SecretBackend, SecretBackendError, SecretContents,
-    pod_info::{Address, PodInfo},
-    scope::SecretScope,
-};
 use crate::{
+    backend::{
+        ProvisionParts, ScopeAddressesError, SecretBackend, SecretBackendError, SecretContents,
+        SecretVolumeSelector,
+        pod_info::{Address, PodInfo},
+        scope::SecretScope,
+    },
     crd::v1alpha2,
     format::{SecretData, WellKnownSecretData, well_known},
     utils::iterator_try_concat_bytes,
@@ -257,7 +258,7 @@ impl SecretBackend for TlsGenerate {
     /// Then add the ca certificate and return these files for provisioning to the volume.
     async fn get_secret_data(
         &self,
-        selector: &super::SecretVolumeSelector,
+        selector: &SecretVolumeSelector,
         pod_info: PodInfo,
     ) -> Result<SecretContents, Self::Error> {
         let now = OffsetDateTime::now_utc();
@@ -295,6 +296,7 @@ impl SecretBackend for TlsGenerate {
         let jitter_amount = Duration::from(cert_lifetime.mul_f64(jitter_factor));
         let unjittered_cert_lifetime = cert_lifetime;
         let cert_lifetime = cert_lifetime - jitter_amount;
+
         tracing::info!(
             certificate.lifetime.requested = %unjittered_cert_lifetime,
             certificate.lifetime.jitter = %jitter_amount,
@@ -314,112 +316,133 @@ impl SecretBackend for TlsGenerate {
             .fail()?;
         }
 
-        let conf =
-            Conf::new(ConfMethod::default()).expect("failed to initialize OpenSSL configuration");
-
-        let pod_key_length = match self.key_generation {
-            v1alpha2::CertificateKeyGeneration::Rsa { length } => length,
-        };
-
-        let pod_key = Rsa::generate(pod_key_length)
-            .and_then(PKey::try_from)
-            .context(GenerateKeySnafu)?;
-        let mut addresses = Vec::new();
-        for scope in &selector.scope {
-            addresses.extend(
-                selector
-                    .scope_addresses(&pod_info, scope)
-                    .context(ScopeAddressesSnafu { scope })?,
-            );
-        }
-        for address in &mut addresses {
-            if let Address::Dns(dns) = address {
-                // Turn FQDNs into bare domain names by removing the trailing dot
-                if dns.ends_with('.') {
-                    dns.pop();
-                }
-            }
-        }
         let ca = self
             .ca_manager
             .find_certificate_authority_for_signing(not_after)
             .context(PickCaSnafu)?;
-        let pod_cert = X509Builder::new()
-            .and_then(|mut x509| {
-                let subject_name = X509NameBuilder::new()
-                    .and_then(|mut name| {
-                        name.append_entry_by_nid(Nid::COMMONNAME, "generated certificate for pod")?;
-                        Ok(name)
-                    })?
-                    .build();
-                x509.set_subject_name(&subject_name)?;
-                x509.set_issuer_name(ca.certificate.subject_name())?;
-                x509.set_not_before(Asn1Time::from_unix(not_before.unix_timestamp())?.as_ref())?;
-                x509.set_not_after(Asn1Time::from_unix(not_after.unix_timestamp())?.as_ref())?;
-                x509.set_pubkey(&pod_key)?;
-                x509.set_version(
-                    3 - 1, // zero-indexed
-                )?;
-                let mut serial = BigNum::new()?;
-                serial.rand(64, MsbOption::MAYBE_ZERO, false)?;
-                x509.set_serial_number(Asn1Integer::from_bn(&serial)?.as_ref())?;
-                let ctx = x509.x509v3_context(Some(&ca.certificate), Some(&conf));
-                let mut exts = vec![
-                    BasicConstraints::new().critical().build()?,
-                    KeyUsage::new()
-                        .key_encipherment()
-                        .digital_signature()
-                        .build()?,
-                    ExtendedKeyUsage::new()
-                        .server_auth()
-                        .client_auth()
-                        .build()?,
-                    SubjectKeyIdentifier::new().build(&ctx)?,
-                    AuthorityKeyIdentifier::new()
-                        .issuer(true)
-                        .keyid(true)
-                        .build(&ctx)?,
-                ];
-                let mut san_ext = SubjectAlternativeName::new();
-                san_ext.critical();
-                let mut has_san = false;
-                for addr in addresses {
-                    has_san = true;
-                    match addr {
-                        Address::Dns(dns) => san_ext.dns(&dns),
-                        Address::Ip(ip) => san_ext.ip(&ip.to_string()),
-                    };
-                }
-                if has_san {
-                    exts.push(san_ext.build(&ctx)?);
+
+        // Only run leaf certificate generation if it was requested based on the
+        // secret volume selector. Otherwise only a ca.crt file as a PEM envelope
+        // will be available (to be mounted).
+        let (certificate_pem, key_pem) = match selector.provision_parts {
+            ProvisionParts::Public => (None, None),
+            ProvisionParts::PublicPrivate => {
+                let conf = Conf::new(ConfMethod::default())
+                    .expect("failed to initialize OpenSSL configuration");
+
+                let pod_key_length = match self.key_generation {
+                    v1alpha2::CertificateKeyGeneration::Rsa { length } => length,
+                };
+
+                let pod_key = Rsa::generate(pod_key_length)
+                    .and_then(PKey::try_from)
+                    .context(GenerateKeySnafu)?;
+
+                let mut addresses = Vec::new();
+                for scope in &selector.scope {
+                    addresses.extend(
+                        selector
+                            .scope_addresses(&pod_info, scope)
+                            .context(ScopeAddressesSnafu { scope })?,
+                    );
                 }
-                for ext in exts {
-                    x509.append_extension(ext)?;
+                for address in &mut addresses {
+                    if let Address::Dns(dns) = address {
+                        // Turn FQDNs into bare domain names by removing the trailing dot
+                        if dns.ends_with('.') {
+                            dns.pop();
+                        }
+                    }
                 }
-                x509.sign(&ca.private_key, MessageDigest::sha256())?;
-                Ok(x509)
-            })
-            .context(BuildCertificateSnafu)?
-            .build();
+
+                let pod_cert = X509Builder::new()
+                    .and_then(|mut x509| {
+                        let subject_name = X509NameBuilder::new()
+                            .and_then(|mut name| {
+                                name.append_entry_by_nid(
+                                    Nid::COMMONNAME,
+                                    "generated certificate for pod",
+                                )?;
+                                Ok(name)
+                            })?
+                            .build();
+                        x509.set_subject_name(&subject_name)?;
+                        x509.set_issuer_name(ca.certificate.subject_name())?;
+                        x509.set_not_before(
+                            Asn1Time::from_unix(not_before.unix_timestamp())?.as_ref(),
+                        )?;
+                        x509.set_not_after(
+                            Asn1Time::from_unix(not_after.unix_timestamp())?.as_ref(),
+                        )?;
+                        x509.set_pubkey(&pod_key)?;
+                        x509.set_version(
+                            3 - 1, // zero-indexed
+                        )?;
+                        let mut serial = BigNum::new()?;
+                        serial.rand(64, MsbOption::MAYBE_ZERO, false)?;
+                        x509.set_serial_number(Asn1Integer::from_bn(&serial)?.as_ref())?;
+                        let ctx = x509.x509v3_context(Some(&ca.certificate), Some(&conf));
+                        let mut exts = vec![
+                            BasicConstraints::new().critical().build()?,
+                            KeyUsage::new()
+                                .key_encipherment()
+                                .digital_signature()
+                                .build()?,
+                            ExtendedKeyUsage::new()
+                                .server_auth()
+                                .client_auth()
+                                .build()?,
+                            SubjectKeyIdentifier::new().build(&ctx)?,
+                            AuthorityKeyIdentifier::new()
+                                .issuer(true)
+                                .keyid(true)
+                                .build(&ctx)?,
+                        ];
+                        let mut san_ext = SubjectAlternativeName::new();
+                        san_ext.critical();
+                        let mut has_san = false;
+                        for addr in addresses {
+                            has_san = true;
+                            match addr {
+                                Address::Dns(dns) => san_ext.dns(&dns),
+                                Address::Ip(ip) => san_ext.ip(&ip.to_string()),
+                            };
+                        }
+                        if has_san {
+                            exts.push(san_ext.build(&ctx)?);
+                        }
+                        for ext in exts {
+                            x509.append_extension(ext)?;
+                        }
+                        x509.sign(&ca.private_key, MessageDigest::sha256())?;
+                        Ok(x509)
+                    })
+                    .context(BuildCertificateSnafu)?
+                    .build();
+
+                let certificate_pem = pod_cert
+                    .to_pem()
+                    .context(SerializeCertificateSnafu { tpe: CertType::Pod })?;
+                let key_pem = pod_key
+                    .private_key_to_pem_pkcs8()
+                    .context(SerializeCertificateSnafu { tpe: CertType::Pod })?;
+
+                (Some(certificate_pem), Some(key_pem))
+            }
+        };
+
+        let ca_pem =
+            iterator_try_concat_bytes(self.ca_manager.trust_roots(now).into_iter().map(|ca| {
+                ca.to_pem()
+                    .context(SerializeCertificateSnafu { tpe: CertType::Ca })
+            }))?;
+
         Ok(
             SecretContents::new(SecretData::WellKnown(WellKnownSecretData::TlsPem(
                 well_known::TlsPem {
-                    ca_pem: iterator_try_concat_bytes(
-                        self.ca_manager.trust_roots(now).into_iter().map(|ca| {
-                            ca.to_pem()
-                                .context(SerializeCertificateSnafu { tpe: CertType::Ca })
-                        }),
-                    )?,
-                    certificate_pem: Some(
-                        pod_cert
-                            .to_pem()
-                            .context(SerializeCertificateSnafu { tpe: CertType::Pod })?,
-                    ),
-                    key_pem: Some(
-                        pod_key
-                            .private_key_to_pem_pkcs8()
-                            .context(SerializeCertificateSnafu { tpe: CertType::Pod })?,
-                    ),
+                    certificate_pem,
+                    key_pem,
+                    ca_pem,
                 },
             )))
             .expires_after(

…t/operator-binary/src/backend/tls/mod.rs …rator-binary/src/backend/auto_tls/mod.rsrust/operator-binary/src/backend/tls/mod.rs renamed to rust/operator-binary/src/backend/auto_tls/mod.rs rust/operator-binary/src/backend/tls/mod.rs renamed to rust/operator-binary/src/backend/auto_tls/mod.rs

@@ -10,10 +10,9 @@ use snafu::{ResultExt, Snafu};
 use stackable_operator::kube::runtime::reflector::ObjectRef;
 
 use super::{
-    SecretBackend, SecretBackendError, SecretVolumeSelector,
+    SecretBackend, SecretBackendError, SecretVolumeSelector, auto_tls,
     kerberos_keytab::{self, KerberosProfile},
     pod_info::{PodInfo, SchedulingPodInfo},
-    tls,
 };
 use crate::{crd::v1alpha2, utils::Unloggable};
 
@@ -99,7 +98,7 @@ pub fn from(backend: impl SecretBackend + 'static) -> Box<Dynamic> {
 #[snafu(module)]
 pub enum FromClassError {
     #[snafu(display("failed to initialize TLS backend"), context(false))]
-    Tls { source: tls::Error },
+    Tls { source: auto_tls::Error },
 
     #[snafu(
         display("failed to initialize Kerberos Keytab backend"),