Listener scope

.github/pull_request_template.md

@@ -7,7 +7,7 @@
 
 - Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
 - Please make sure all these things are done and tick the boxes
- 
+
 ```[tasklist]
 # Author
 - [ ] Changes are OpenShift compatible

.gitignore

@@ -14,4 +14,4 @@ crate-hashes.json
 result
 image.tar
 
-tilt_options.json
+tilt_options.json

.readme/partials/borrowed/documentation.md.j2

@@ -5,4 +5,4 @@ If you are interested in the most recent state of this repository, check out the
 
 The documentation for all Stackable products can be found at [docs.stackable.tech](https://docs.stackable.tech).
 
-If you have a question about the Stackable Data Platform contact us via our [homepage](https://stackable.tech/) or ask a public questions in our [Discussions forum](https://github.com/orgs/stackabletech/discussions).
+If you have a question about the Stackable Data Platform contact us via our [homepage](https://stackable.tech/) or ask a public questions in our [Discussions forum](https://github.com/orgs/stackabletech/discussions).

.readme/partials/borrowed/header.md.j2

@@ -2,4 +2,4 @@
   <img width="150" src="./.readme/static/borrowed/Icon_Stackable.svg" alt="Stackable Logo"/>
 </p>
 
-<h1 align="center">{{title}}</h1>
+<h1 align="center">{{title}}</h1>

.readme/partials/borrowed/links.md.j2

@@ -4,4 +4,4 @@
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-green.svg)](https://docs.stackable.tech/home/stable/contributor/index.html)
 [![License OSL3.0](https://img.shields.io/badge/license-OSL3.0-green)](./LICENSE)
 
-[Documentation](https://docs.stackable.tech/{{operator_docs_slug}}/stable/index.html) {% if quickstart_link %}| [Quickstart]({{quickstart_link}}) {% endif %}| [Stackable Data Platform](https://stackable.tech/) | [Platform Docs](https://docs.stackable.tech/) | [Discussions](https://github.com/orgs/stackabletech/discussions) | [Discord](https://discord.gg/7kZ3BNnCAF)
+[Documentation](https://docs.stackable.tech/{{operator_docs_slug}}/stable/index.html) {% if quickstart_link %}| [Quickstart]({{quickstart_link}}) {% endif %}| [Stackable Data Platform](https://stackable.tech/) | [Platform Docs](https://docs.stackable.tech/) | [Discussions](https://github.com/orgs/stackabletech/discussions) | [Discord](https://discord.gg/7kZ3BNnCAF)

.readme/partials/borrowed/overview_blurb.md.j2

@@ -1 +1 @@
-It is part of the Stackable Data Platform, a curated selection of the best open source data apps like Apache Kafka, Apache Druid, Trino or Apache Spark, [all](#our-operators) working together seamlessly. Based on Kubernetes, it runs everywhere – [on prem or in the cloud](#supported-platforms).
+It is part of the Stackable Data Platform, a curated selection of the best open source data apps like Apache Kafka, Apache Druid, Trino or Apache Spark, [all](#our-operators) working together seamlessly. Based on Kubernetes, it runs everywhere – [on prem or in the cloud](#supported-platforms).

.readme/partials/borrowed/related_reading.md.j2

@@ -3,4 +3,4 @@
 {% for (text, link) in related_reading_links %}
 * [{{text}}]({{link}})
 {%- endfor %}
-{%- endif -%}
+{%- endif -%}

.readme/partials/main.md.j2

@@ -27,4 +27,4 @@ The Secret Operator is deployed as a DaemonSet and provides a CSI to mount files
   <img width="500" src="./.readme/static/secret-operator.drawio.svg" alt="A diagram overview of the workings of the operator"/>
 
 The Secret Operator by [Stackable](https://stackable.tech/).
-This is a Kubernetes Operator to provision and inject secrets for Kubernetes Pods. It is part of the [Stackable Data Platform](https://stackable.tech/), a curated selection of the best open source data apps like Kafka, Druid, Trino or Spark, all working together seamlessly. Based on Kubernetes, it runs everywhere – on prem or in the cloud.
+This is a Kubernetes Operator to provision and inject secrets for Kubernetes Pods. It is part of the [Stackable Data Platform](https://stackable.tech/), a curated selection of the best open source data apps like Kafka, Druid, Trino or Spark, all working together seamlessly. Based on Kubernetes, it runs everywhere – on prem or in the cloud.

CHANGELOG.md

@@ -7,7 +7,9 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Added support for encrypting PKCS#12 keystores ([#314]).
+- Added listener scope for provisioned secrets ([#310]).
 
+[#310]: https://github.com/stackabletech/secret-operator/pull/310
 [#314]: https://github.com/stackabletech/secret-operator/pull/314
 
 ## [23.7.0] - 2023-07-14
@@ -121,11 +123,13 @@ The easiest way to fix this is to perform a rolling reboot of all nodes after th
 This is a one-time migration.
 
 ### Changed
+
 - Store secrets on tmpfs ([#37]).
 - Locked down secret permissions by default ([#37]).
 - Operator-rs: 0.8.0 -> 0.10.0 ([#49]).
 
 ### Bugfixes
+
 - Fixed thread starvation and slow shutdowns ([#47]).
 
 [#37]: https://github.com/stackabletech/secret-operator/pull/37
@@ -135,4 +139,5 @@ This is a one-time migration.
 ## [0.1.0] - 2022-02-03
 
 ### Added
+
 - Initial release

Cargo.toml

@@ -52,5 +52,6 @@ yasna = "0.5"
 # Workaround for https://github.com/hyperium/tonic/issues/243
 h2 = { git = "https://github.com/stackabletech/h2.git", branch = "feature/grpc-uds" }
 
-# [patch."https://github.com/stackabletech/operator-rs.git"]
+[patch."https://github.com/stackabletech/operator-rs.git"]
+# stackable-operator = { path = "../operator-rs" }
 # stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }

README.md

@@ -5,16 +5,19 @@
 <h1 align="center">Stackable Secret Operator</h1>
 
 
+
 [![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://GitHub.com/stackabletech/secret-operator/graphs/commit-activity)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-green.svg)](https://docs.stackable.tech/home/stable/contributor/index.html)
 [![License OSL3.0](https://img.shields.io/badge/license-OSL3.0-green)](./LICENSE)
 
 [Documentation](https://docs.stackable.tech/secret-operator/stable/index.html) | [Stackable Data Platform](https://stackable.tech/) | [Platform Docs](https://docs.stackable.tech/) | [Discussions](https://github.com/orgs/stackabletech/discussions) | [Discord](https://discord.gg/7kZ3BNnCAF)
 
+
 This is a Kubernetes Operator to provision and inject secrets for Kubernetes pods. Compared to Kubernetes' native secret mounts, this permits secrets to be selected dynamically based on properties of the `Pod`.
 
 It is part of the Stackable Data Platform, a curated selection of the best open source data apps like Apache Kafka, Apache Druid, Trino or Apache Spark, [all](#our-operators) working together seamlessly. Based on Kubernetes, it runs everywhere – [on prem or in the cloud](#supported-platforms).
 
+
 ## Installation
 
 You can install the operator using [stackablectl or helm](https://docs.stackable.tech/secret-operator/stable/installation.html).
@@ -34,6 +37,7 @@ The documentation for all Stackable products can be found at [docs.stackable.tec
 
 If you have a question about the Stackable Data Platform contact us via our [homepage](https://stackable.tech/) or ask a public questions in our [Discussions forum](https://github.com/orgs/stackabletech/discussions).
 
+
 ## What does it do?
 
 The Secret Operator provisions and mounts secrets, but unlike the default Kubernetes Secret mechanism, Secrets can be created and mounted dynamically based on Pod properties. The Operator supports:
@@ -49,6 +53,7 @@ The Secret Operator is deployed as a DaemonSet and provides a CSI to mount files
 The Secret Operator by [Stackable](https://stackable.tech/).
 This is a Kubernetes Operator to provision and inject secrets for Kubernetes Pods. It is part of the [Stackable Data Platform](https://stackable.tech/), a curated selection of the best open source data apps like Kafka, Druid, Trino or Spark, all working together seamlessly. Based on Kubernetes, it runs everywhere – on prem or in the cloud.
 
+
 ## About The Stackable Data Platform
 
 This operator is written and maintained by [Stackable](https://stackable.tech) and it is part of a larger data platform.

deploy/helm/secret-operator/templates/roles.yaml

@@ -56,6 +56,13 @@ rules:
       - secretclasses
     verbs:
       - get
+  - apiGroups:
+      - listeners.stackable.tech
+    resources:
+      - listenerclasses
+      - podlisteners
+    verbs:
+      - get
   - apiGroups:
     - security.openshift.io
     resourceNames:

docs/modules/secret-operator/pages/commandline_args.adoc

@@ -8,4 +8,3 @@
 
 The path to the https://github.com/container-storage-interface/spec/blob/master/spec.md[Container Storage Interface] Unix Domain Socket
 that the operator should listen on.
-

docs/modules/secret-operator/pages/index.adoc

@@ -2,12 +2,11 @@
 
 This is an operator for Kubernetes that provisions and injects secrets into Kubernetes Pods.
 
-Kubernetes `Secret` objects contain sensitive payloads such as passwords, tokens or keys. These objects
+Kubernetes Secret objects contain sensitive payloads such as passwords, tokens or keys. These objects
 are usually self-contained and static in the sense that their contents remain unchanged as long as their owners
 do not update them.
 
 The Stackable Secret Operator enhances the functionality of Kubernetes Secrets by introducing the concept of a
-`SecretClass`. A `SecretClass` represents a reference to a source of sensitive data. In addition to Kubernetes
-`Secret` objects, the operator can provision Pods with TLS Certificates, Kerberos keytabs or authentication
+SecretClass. A SecretClass represents a reference to a source of sensitive data. In addition to Kubernetes
+Secret objects, the operator can provision Pods with TLS Certificates, Kerberos keytabs or authentication
 tokens from external services.
-

docs/modules/secret-operator/pages/scope.adoc

@@ -13,19 +13,30 @@ include this extra context. The exact effect of the scope depends on which xref:
 [#node]
 === `node`
 
-The `node` scope is resolved to the name of the Kubernetes `Node` object that the `Pod` is running on. This will typically
+The `node` scope is resolved to the name of the Kubernetes Node object that the Pod is running on. This will typically
 be the DNS name of the node.
 
 [#pod]
 === `pod`
 
-The `pod` scope is resolved to the name of the Kubernetes `Pod`. This allows the secret to differentiate between `StatefulSet` replicas.
+The `pod` scope is resolved to the name of the Kubernetes Pod. This allows the secret to differentiate between StatefulSet replicas.
 
 [#service]
 === `service`
 
-The `service` scope allows `Pod` objects to specify custom scopes. This should typically correspond to `Service` objects that the
-`Pod` participate in.
+The `service` scope allows Pod objects to specify custom scopes. This should typically correspond to Service objects that the
+Pod participate in.
+
+[#listener-volume]
+=== `listener-volume`
+
+The `listener-volume` scope allows Pod objects to request secrets corresponding to a xref:listener-operator:volume.adoc[listener volume] that is bound to the same Pod.
+
+The `listener-volume` scope takes the name of the listener volume as a paremeter.
+
+note:: The parameter is the name of the Pod's _volume_, not the name of the PersistentVolumeClaim, PersistentVolume, or xref:listener-operator:listener.adoc[Listener].
+
+note:: The `listener-volume` scope also implies the xref:#node[] scope for xref:listener-operator:listenerclass.adoc#servicetype-nodeport[NodePort] listeners.
 
 == Example
 

docs/modules/secret-operator/pages/troubleshooting.adoc

@@ -2,17 +2,17 @@
 
 == My secret-consuming Pods get stuck `Pending`!
 
-. Does the `Pod` have any events relating to scheduling? (`kubectl describe pod/$POD_NAME`)
-. Is the `PersistentVolumeClaim` being created? It should have the name `$POD_NAME-$VOLUME_NAME`.
-. Is the `PersistentVolumeClaim` bound to a `PersistentVolume`? If not:
-.. Does the `PersistentVolumeClaim` have any relevant events? (`kubectl describe pvc/$PVC_NAME`)
-.. If the `PersistentVolumeClaim` has no relevant events (or only an event that it is waiting for a volume to be provisioned),
+. Does the Pod have any events relating to scheduling? (`kubectl describe pod/$POD_NAME`)
+. Is the PersistentVolumeClaim being created? It should have the name `$POD_NAME-$VOLUME_NAME`.
+. Is the PersistentVolumeClaim bound to a PersistentVolume? If not:
+.. Does the PersistentVolumeClaim have any relevant events? (`kubectl describe pvc/$PVC_NAME`)
+.. If the PersistentVolumeClaim has no relevant events (or only an event that it is waiting for a volume to be provisioned),
    check the logs of the secret-operator sidecar container named `external-provisioner`.
-.. Does the `PersistentVolumeClaim` have a `StorageClass` set?
-.. Is the `StorageClass` configured to use the provisioner named `secrets.stackable.tech`?
-. Does the `PersistentVolume` have any relevant events? (`kubectl describe pv/$PV_NAME`)
-. Is the `CSIDriver` object named `secrets.stackable.tech` configured correctly?
-. Is the CSI driver registered on the relevant `CSINode` objects? (`kubectl get csinode/$NODE_NAME -o yaml` should contain the driver `secrets.stackable.tech`)
+.. Does the PersistentVolumeClaim have a StorageClass set?
+.. Is the StorageClass configured to use the provisioner named `secrets.stackable.tech`?
+. Does the PersistentVolume have any relevant events? (`kubectl describe pv/$PV_NAME`)
+. Is the CSIDriver object named `secrets.stackable.tech` configured correctly?
+. Is the CSI driver registered on the relevant CSINode objects? (`kubectl get csinode/$NODE_NAME -o yaml` should contain the driver `secrets.stackable.tech`)
 . Does the secret-operator sidecar container named `node-driver-registrar` have any relevant log entries?
 . Does the kubelet have any relevant log entries?
 . When running on OpenShift also have a look at the xref:openshift.adoc[OpenShift documentation].

docs/modules/secret-operator/pages/usage.adoc

@@ -1,16 +1,16 @@
 = Usage
 
 The operator injects secret data into xref:volume.adoc[] mounts that declare a CSI volume with `driver: secrets.stackable.tech`.
-  
-A minimal secret-consuming `Pod` looks like this:
+
+A minimal secret-consuming Pod looks like this:
 
 [source,yaml]
 ----
 include::example$usage-pod.yaml[]
 ----
 
-xref:secretclass.adoc[] defines where the secrets come from. For example, the following `SecretClass`
-issues TLS certificates, storing its CA certificate in the Kubernetes `Secret` object named `secret-provisioner-tls-ca`:
+xref:secretclass.adoc[] defines where the secrets come from. For example, the following SecretClass
+issues TLS certificates, storing its CA certificate in the Kubernetes Secret object named `secret-provisioner-tls-ca`:
 
 [source,yaml]
 ----

docs/modules/secret-operator/pages/volume.adoc

@@ -1,6 +1,6 @@
 = Volume
 
-The primary entry point for applications is by mounting a secret into a `Pod` object's `volume` set. This is done by using Kubernetes'
+The primary entry point for applications is by mounting a secret into a Pod object's `volume` set. This is done by using Kubernetes'
 https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#ephemeralvolumesource-v1-core[`EphemeralVolumeSource`] type.
 For example:
 

docs/modules/secret-operator/partials/nav.adoc

@@ -10,4 +10,3 @@
 ** xref:secret-operator:volume.adoc[]
 * xref:secret-operator:security.adoc[]
 * xref:secret-operator:troubleshooting.adoc[]
-

rust/operator-binary/src/backend/dynamic.rs

@@ -7,7 +7,7 @@ use std::{collections::HashSet, fmt::Display};
 
 use super::{
     kerberos_keytab::{self, KerberosProfile},
-    pod_info::PodInfo,
+    pod_info::{PodInfo, SchedulingPodInfo},
     tls, SecretBackend, SecretBackendError, SecretVolumeSelector,
 };
 use crate::crd::{self, SecretClass};
@@ -51,9 +51,10 @@ impl<B: SecretBackend + Send + Sync> SecretBackend for DynamicAdapter<B> {
     async fn get_qualified_node_names(
         &self,
         selector: &SecretVolumeSelector,
+        pod_info: SchedulingPodInfo,
     ) -> Result<Option<HashSet<String>>, Self::Error> {
         self.0
-            .get_qualified_node_names(selector)
+            .get_qualified_node_names(selector, pod_info)
             .await
             .map_err(|err| DynError(Box::new(err)))
     }