fix: move logic to tls module

dervoeti · dervoeti · commit 114343bff07e · 2025-02-14T18:23:29.000+01:00
diff --git a/docs/modules/secret-operator/pages/scope.adoc b/docs/modules/secret-operator/pages/scope.adoc
@@ -59,5 +59,5 @@ For example, a TLS certificate provisioned by the xref:secretclass.adoc#backend-
 xref:#node[] and xref:#pod[] would contain the following values in its `subjectAlternateName` (SAN) extension field:
 
 * The node's IP address
-* The node's fully qualified domain name (`my-node.example.com`, trailing dots are removed)
-* The pod's fully qualified domain name (`my-pod.my-service.my-namespace.svc.cluster.local`, trailing dots are removed)
+* The node's fully qualified domain name (`my-node.example.com`, without a trailing dot)
+* The pod's fully qualified domain name (`my-pod.my-service.my-namespace.svc.cluster.local`, without a trailing dot)
diff --git a/rust/operator-binary/src/backend/mod.rs b/rust/operator-binary/src/backend/mod.rs
@@ -179,12 +179,11 @@ impl SecretVolumeSelector {
         scope: &scope::SecretScope,
     ) -> Result<Vec<Address>, ScopeAddressesError> {
         use scope_addresses_error::*;
-        // Turn FQDNs into bare domain names by removing the trailing dots
-        let cluster_domain = pod_info.kubernetes_cluster_domain.trim_end_matches(".");
+        let cluster_domain = &pod_info.kubernetes_cluster_domain;
         let namespace = &self.namespace;
         Ok(match scope {
             scope::SecretScope::Node => {
-                let mut addrs = vec![Address::Dns(pod_info.node_name.trim_end_matches(".").to_owned())];
+                let mut addrs = vec![Address::Dns(pod_info.node_name.clone())];
                 addrs.extend(pod_info.node_ips.iter().copied().map(Address::Ip));
                 addrs
             }
@@ -209,13 +208,7 @@ impl SecretVolumeSelector {
                 .listener_addresses
                 .get(name)
                 .context(NoListenerAddressesSnafu { listener: name })?
-                .iter()
-                .map(|addr| match addr {
-                    // Turn FQDNs into bare domain names by removing the trailing dots
-                    Address::Dns(dns) => Address::Dns(dns.trim_end_matches(".").to_string()),
-                    _ => addr.clone(),
-                })
-                .collect(),
+                .to_vec(),
         })
     }
 
@@ -304,114 +297,3 @@ impl SecretBackendError for Infallible {
         match *self {}
     }
 }
-
-#[cfg(test)]
-mod tests {
-    use std::collections::HashMap;
-
-    use pod_info::PodInfo;
-
-    use super::*;
-
-    #[test]
-    fn test_scope_addresses_without_trailing_dot() {
-        let pod_info = construct_pod_info("cluster.local");
-
-        assert_eq!(
-            calculate_scope(&pod_info, &SecretScope::Pod),
-            vec![
-                dns("my-sts.default.svc.cluster.local"),
-                dns("my-sts-0.my-sts.default.svc.cluster.local"),
-                ip("10.0.0.42"),
-            ]
-        );
-
-        assert_eq!(
-            calculate_scope(
-                &pod_info,
-                &SecretScope::Service {
-                    name: "my-service".to_owned()
-                }
-            ),
-            vec![dns("my-service.default.svc.cluster.local"),]
-        );
-
-        assert_eq!(
-            calculate_scope(&pod_info, &SecretScope::Node),
-            vec![dns("my-node"), ip("192.168.0.1"),]
-        );
-    }
-
-    #[test]
-    fn test_scope_addresses_with_trailing_dot() {
-        let pod_info = construct_pod_info("custom.cluster.local.");
-
-        assert_eq!(
-            calculate_scope(&pod_info, &SecretScope::Pod),
-            vec![
-                dns("my-sts.default.svc.custom.cluster.local"),
-                dns("my-sts-0.my-sts.default.svc.custom.cluster.local"),
-                ip("10.0.0.42"),
-            ]
-        );
-
-        assert_eq!(
-            calculate_scope(
-                &pod_info,
-                &SecretScope::Service {
-                    name: "my-service".to_owned()
-                }
-            ),
-            vec![
-                dns("my-service.default.svc.custom.cluster.local")
-            ]
-        );
-
-        assert_eq!(
-            calculate_scope(&pod_info, &SecretScope::Node),
-            vec![dns("my-node"), ip("192.168.0.1"),]
-        );
-    }
-
-    fn construct_pod_info(cluster_domain: &str) -> PodInfo {
-        PodInfo {
-            pod_ips: vec!["10.0.0.42".parse().unwrap()],
-            service_name: Some("my-sts".to_owned()),
-            node_name: "my-node".to_owned(),
-            node_ips: vec!["192.168.0.1".parse().unwrap()],
-            listener_addresses: HashMap::from([]),
-            kubernetes_cluster_domain: cluster_domain.parse().unwrap(),
-            scheduling: SchedulingPodInfo {
-                namespace: "default".to_owned(),
-                volume_listener_names: HashMap::new(),
-                has_node_scope: false,
-            },
-        }
-    }
-
-    fn calculate_scope(pod_info: &PodInfo, scope: &SecretScope) -> Vec<Address> {
-        let secret_volume_selector = construct_secret_volume_selector();
-        secret_volume_selector
-            .scope_addresses(pod_info, scope)
-            .unwrap()
-    }
-
-    fn dns(dns: &str) -> Address {
-        Address::Dns(dns.to_owned())
-    }
-
-    fn ip(ip: &str) -> Address {
-        Address::Ip(ip.parse().unwrap())
-    }
-
-    fn construct_secret_volume_selector() -> SecretVolumeSelector {
-        serde_yaml::from_str(
-            r#"
-secrets.stackable.tech/class: tls
-csi.storage.k8s.io/pod.name: my-sts-0
-csi.storage.k8s.io/pod.namespace: default
-        "#,
-        )
-        .unwrap()
-    }
-}
diff --git a/rust/operator-binary/src/backend/pod_info.rs b/rust/operator-binary/src/backend/pod_info.rs
@@ -175,7 +175,7 @@ impl PodInfo {
     }
 }
 
-#[derive(Debug, Clone, PartialEq)]
+#[derive(Debug, Clone)]
 pub enum Address {
     Dns(String),
     Ip(IpAddr),
diff --git a/rust/operator-binary/src/backend/tls/mod.rs b/rust/operator-binary/src/backend/tls/mod.rs
@@ -252,6 +252,14 @@ impl SecretBackend for TlsGenerate {
                     .context(ScopeAddressesSnafu { scope })?,
             );
         }
+        for address in &mut addresses {
+            if let Address::Dns(dns) = address {
+                // Turn FQDNs into bare domain names by removing the trailing dot
+                if dns.ends_with('.') {
+                    dns.pop();
+                }
+            }
+        }
         let ca = self
             .ca_manager
             .find_certificate_authority_for_signing(not_after)

Original file line number	Diff line number	Diff line change
`@@ -175,7 +175,7 @@ impl PodInfo {`
`175`	`175`	`}`
`176`	`176`	`}`
`177`	`177`
`178`		`-#[derive(Debug, Clone, PartialEq)]`
	`178`	`+#[derive(Debug, Clone)]`
`179`	`179`	`pub enum Address {`
`180`	`180`	`Dns(String),`
`181`	`181`	`Ip(IpAddr),`