stackabletech
diff --git a/‎Cargo.lock‎
Lines changed: 93 additions & 104 deletions b/‎Cargo.lock‎
Lines changed: 93 additions & 104 deletions
diff --git a/‎Cargo.nix‎
Lines changed: 278 additions & 318 deletions b/‎Cargo.nix‎
Lines changed: 278 additions & 318 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crate-hashes.json‎
Lines changed: 7 additions & 7 deletions b/‎crate-hashes.json‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎deploy/helm/druid-operator/crds/crds.yaml‎
Lines changed: 12 additions & 3 deletions b/‎deploy/helm/druid-operator/crds/crds.yaml‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎rust/operator-binary/src/authentication/ldap.rs‎
Lines changed: 8 additions & 10 deletions b/‎rust/operator-binary/src/authentication/ldap.rs‎
Lines changed: 8 additions & 10 deletions
diff --git a/‎rust/operator-binary/src/authentication/mod.rs‎
Lines changed: 13 additions & 19 deletions b/‎rust/operator-binary/src/authentication/mod.rs‎
Lines changed: 13 additions & 19 deletions
diff --git a/‎rust/operator-binary/src/authentication/oidc.rs‎
Lines changed: 22 additions & 18 deletions b/‎rust/operator-binary/src/authentication/oidc.rs‎
Lines changed: 22 additions & 18 deletions
@@ -11,7 +11,7 @@ repository = "https://github.com/stackabletech/druid-operator"
 
 [workspace.dependencies]
 product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" }
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", features = ["telemetry", "versioned"], tag = "stackable-operator-0.92.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", features = ["telemetry", "versioned"], tag = "stackable-operator-0.93.0" }
 
 anyhow = "1.0"
 built = { version = "0.7", features = ["chrono", "git2"] }
 
@@ -519,18 +519,27 @@ spec:
                       items:
                         properties:
                           authenticationClass:
-                            description: Name of the [AuthenticationClass](https://docs.stackable.tech/home/nightly/concepts/authentication) used to authenticate users.
+                            description: |-
+                              Name of the [AuthenticationClass](https://docs.stackable.tech/home/nightly/concepts/authentication) used to authenticate users.
+
+                              To get the concrete [`AuthenticationClass`], we must resolve it. This resolution can be achieved by using [`ClientAuthenticationDetails::resolve_class`].
                             type: string
                           oidc:
-                            description: This field contains OIDC-specific configuration. It is only required in case OIDC is used.
+                            description: |-
+                              This field contains OIDC-specific configuration. It is only required in case OIDC is used.
+
+                              Use [`ClientAuthenticationDetails::oidc_or_error`] to get the value or report an error to the user.
                             nullable: true
                             properties:
                               clientCredentialsSecret:
                                 description: A reference to the OIDC client credentials secret. The secret contains the client id and secret.
                                 type: string
                               extraScopes:
                                 default: []
-                                description: An optional list of extra scopes which get merged with the scopes defined in the [`AuthenticationClass`].
+                                description: |-
+                                  An optional list of extra scopes which get merged with the scopes defined in the [`AuthenticationClass`][1].
+
+                                  [1]: crate::crd::authentication::core::v1alpha1::AuthenticationClass
                                 items:
                                   type: string
                                 type: array
 
@@ -3,18 +3,16 @@ use std::collections::BTreeMap;
 use snafu::ResultExt;
 use stackable_operator::{
     builder::pod::{PodBuilder, container::ContainerBuilder},
-    commons::authentication::ldap::AuthenticationProvider,
+    crd::authentication::ldap,
 };
 
-use crate::{
-    authentication::{
-        AddLdapVolumesSnafu, ConstructLdapEndpointUrlSnafu, Error, MissingLdapBindCredentialsSnafu,
-    },
-    crd::security::{STACKABLE_TLS_DIR, TLS_STORE_PASSWORD, add_cert_to_trust_store_cmd},
+use super::{
+    AddLdapVolumesSnafu, ConstructLdapEndpointUrlSnafu, Error, MissingLdapBindCredentialsSnafu,
 };
+use crate::crd::security::{STACKABLE_TLS_DIR, TLS_STORE_PASSWORD, add_cert_to_trust_store_cmd};
 
 fn add_authenticator_config(
-    provider: &AuthenticationProvider,
+    provider: &ldap::v1alpha1::AuthenticationProvider,
     config: &mut BTreeMap<String, Option<String>>,
 ) -> Result<(), Error> {
     config.insert(
@@ -88,7 +86,7 @@ fn add_authorizer_config(config: &mut BTreeMap<String, Option<String>>) {
 }
 
 pub fn generate_runtime_properties_config(
-    provider: &AuthenticationProvider,
+    provider: &ldap::v1alpha1::AuthenticationProvider,
     config: &mut BTreeMap<String, Option<String>>,
 ) -> Result<(), Error> {
     add_authenticator_config(provider, config)?;
@@ -99,7 +97,7 @@ pub fn generate_runtime_properties_config(
 
 pub fn prepare_container_commands(
     auth_class_name: &String,
-    provider: &AuthenticationProvider,
+    provider: &ldap::v1alpha1::AuthenticationProvider,
     command: &mut Vec<String>,
 ) {
     if let Some(tls_ca_cert_mount_path) = provider.tls.tls_ca_cert_mount_path() {
@@ -113,7 +111,7 @@ pub fn prepare_container_commands(
 }
 
 pub fn add_volumes_and_mounts(
-    provider: &AuthenticationProvider,
+    provider: &ldap::v1alpha1::AuthenticationProvider,
     pb: &mut PodBuilder,
     cb_druid: &mut ContainerBuilder,
     cb_prepare: &mut ContainerBuilder,
 
@@ -3,15 +3,7 @@ use std::collections::BTreeMap;
 use snafu::Snafu;
 use stackable_operator::{
     builder::pod::{PodBuilder, container::ContainerBuilder},
-    commons::{
-        authentication::{
-            ldap::AuthenticationProvider as LdapAuthenticationProvider,
-            oidc::{
-                AuthenticationProvider as OidcAuthenticationProvider, ClientAuthenticationOptions,
-            },
-        },
-        tls_verification::TlsClientDetailsError,
-    },
+    crd::authentication,
     k8s_openapi::api::core::v1::EnvVar,
 };
 
@@ -34,21 +26,23 @@ type Result<T, E = Error> = std::result::Result<T, E>;
 pub enum Error {
     #[snafu(display("failed to create LDAP endpoint url."))]
     ConstructLdapEndpointUrl {
-        source: stackable_operator::commons::authentication::ldap::Error,
+        source: stackable_operator::crd::authentication::ldap::v1alpha1::Error,
     },
 
     #[snafu(display("failed to create the OIDC well-known url."))]
     ConstructOidcWellKnownUrl {
-        source: stackable_operator::commons::authentication::oidc::Error,
+        source: stackable_operator::crd::authentication::oidc::v1alpha1::Error,
     },
 
     #[snafu(display("failed to add LDAP Volumes and VolumeMounts to the Pod and containers"))]
     AddLdapVolumes {
-        source: stackable_operator::commons::authentication::ldap::Error,
+        source: stackable_operator::crd::authentication::ldap::v1alpha1::Error,
     },
 
     #[snafu(display("failed to add OIDC Volumes and VolumeMounts to the Pod and containers"))]
-    AddOidcVolumes { source: TlsClientDetailsError },
+    AddOidcVolumes {
+        source: stackable_operator::commons::tls_verification::TlsClientDetailsError,
+    },
 
     #[snafu(display(
         "failed to access bind credentials although they are required for LDAP to work"
@@ -61,12 +55,12 @@ pub enum DruidAuthenticationConfig {
     Tls {},
     Ldap {
         auth_class_name: String,
-        provider: LdapAuthenticationProvider,
+        provider: authentication::ldap::v1alpha1::AuthenticationProvider,
     },
     Oidc {
         auth_class_name: String,
-        provider: OidcAuthenticationProvider,
-        oidc: ClientAuthenticationOptions,
+        provider: authentication::oidc::v1alpha1::AuthenticationProvider,
+        oidc: authentication::oidc::v1alpha1::ClientAuthenticationOptions,
     },
 }
 
@@ -252,16 +246,16 @@ impl DruidAuthenticationConfig {
 
 #[cfg(test)]
 mod test {
-    use stackable_operator::commons::authentication::ldap::AuthenticationProvider as LdapAuthenticationProvider;
-
     use super::*;
 
     #[test]
     fn test_ldap_config_is_added() {
         let auth_config = DruidAuthenticationConfig::try_from(AuthenticationClassesResolved {
             auth_classes: vec![AuthenticationClassResolved::Ldap {
                 auth_class_name: "ldap".to_string(),
-                provider: serde_yaml::from_str::<LdapAuthenticationProvider>(
+                provider: serde_yaml::from_str::<
+                    authentication::ldap::v1alpha1::AuthenticationProvider,
+                >(
                     "
                 hostname: openldap
                 searchBase: ou=users,dc=example,dc=org
 
@@ -3,28 +3,30 @@ use std::collections::BTreeMap;
 use snafu::ResultExt;
 use stackable_operator::{
     builder::pod::{PodBuilder, container::ContainerBuilder},
-    commons::authentication::oidc::{AuthenticationProvider, ClientAuthenticationOptions},
+    crd::authentication::oidc,
     k8s_openapi::api::core::v1::EnvVar,
 };
 
+use super::{AddOidcVolumesSnafu, ConstructOidcWellKnownUrlSnafu, Error};
 use crate::{
-    authentication::{AddOidcVolumesSnafu, ConstructOidcWellKnownUrlSnafu, Error},
     crd::{COOKIE_PASSPHRASE_ENV, DruidRole, security::add_cert_to_jvm_trust_store_cmd},
     internal_secret::env_var_from_secret,
 };
 
 /// Creates OIDC authenticator config using the pac4j extension for Druid: <https://druid.apache.org/docs/latest/development/extensions-core/druid-pac4j>.
 fn add_authenticator_config(
-    provider: &AuthenticationProvider,
-    oidc: &ClientAuthenticationOptions,
+    provider: &oidc::v1alpha1::AuthenticationProvider,
+    oidc: &oidc::v1alpha1::ClientAuthenticationOptions,
     config: &mut BTreeMap<String, Option<String>>,
 ) -> Result<(), Error> {
     let well_known_url = &provider
         .well_known_config_url()
         .context(ConstructOidcWellKnownUrlSnafu)?;
 
     let (oidc_client_id_env, oidc_client_secret_env) =
-        AuthenticationProvider::client_credentials_env_names(&oidc.client_credentials_secret_ref);
+        oidc::v1alpha1::AuthenticationProvider::client_credentials_env_names(
+            &oidc.client_credentials_secret_ref,
+        );
 
     let mut scopes = provider.scopes.clone();
     scopes.extend_from_slice(&oidc.extra_scopes);
@@ -84,8 +86,8 @@ fn add_authorizer_config(config: &mut BTreeMap<String, Option<String>>) {
 /// OIDC authentication is not configured on middlemanagers, because end users don't interact with them directly using the web console and
 /// turning on OIDC will lead to problems with the communication with coordinators during data ingest.
 pub fn generate_runtime_properties_config(
-    provider: &AuthenticationProvider,
-    oidc: &ClientAuthenticationOptions,
+    provider: &oidc::v1alpha1::AuthenticationProvider,
+    oidc: &oidc::v1alpha1::ClientAuthenticationOptions,
     role: &DruidRole,
     config: &mut BTreeMap<String, Option<String>>,
 ) -> Result<(), Error> {
@@ -106,7 +108,7 @@ pub fn generate_runtime_properties_config(
 
 pub fn main_container_commands(
     auth_class_name: &String,
-    provider: &AuthenticationProvider,
+    provider: &oidc::v1alpha1::AuthenticationProvider,
     command: &mut Vec<String>,
 ) {
     if let Some(tls_ca_cert_mount_path) = provider.tls.tls_ca_cert_mount_path() {
@@ -121,16 +123,18 @@ pub fn main_container_commands(
 /// Not necessary on middlemanagers, because OIDC is not configured on them.
 pub fn get_env_var_mounts(
     role: &DruidRole,
-    oidc: &ClientAuthenticationOptions,
+    oidc: &oidc::v1alpha1::ClientAuthenticationOptions,
     internal_secret_name: &str,
 ) -> Vec<EnvVar> {
     let mut envs = vec![];
     match role {
         DruidRole::MiddleManager => (),
         _ => {
-            envs.extend(AuthenticationProvider::client_credentials_env_var_mounts(
-                oidc.client_credentials_secret_ref.to_owned(),
-            ));
+            envs.extend(
+                oidc::v1alpha1::AuthenticationProvider::client_credentials_env_var_mounts(
+                    oidc.client_credentials_secret_ref.to_owned(),
+                ),
+            );
             envs.push(env_var_from_secret(
                 internal_secret_name,
                 None,
@@ -142,7 +146,7 @@ pub fn get_env_var_mounts(
 }
 
 pub fn add_volumes_and_mounts(
-    provider: &AuthenticationProvider,
+    provider: &oidc::v1alpha1::AuthenticationProvider,
     pb: &mut PodBuilder,
     cb_druid: &mut ContainerBuilder,
     cb_prepare: &mut ContainerBuilder,
@@ -165,13 +169,13 @@ mod tests {
     #[case("/realms/sdp/")]
     #[case("/realms/sdp/////")]
     fn test_add_authenticator_config(#[case] root_path: String) {
-        use stackable_operator::commons::{
-            authentication::oidc,
-            tls_verification::{CaCert, TlsServerVerification, TlsVerification},
+        use stackable_operator::{
+            commons::tls_verification::{CaCert, TlsServerVerification, TlsVerification},
+            crd::authentication::oidc,
         };
 
         let mut properties = BTreeMap::new();
-        let provider = oidc::AuthenticationProvider::new(
+        let provider = oidc::v1alpha1::AuthenticationProvider::new(
             "keycloak.mycorp.org".to_owned().try_into().unwrap(),
             Some(443),
             root_path,
@@ -186,7 +190,7 @@ mod tests {
             vec!["openid".to_owned()],
             None,
         );
-        let oidc = ClientAuthenticationOptions {
+        let oidc = oidc::v1alpha1::ClientAuthenticationOptions {
             client_credentials_secret_ref: "nifi-keycloak-client".to_owned(),
             extra_scopes: vec![],
             product_specific_fields: (),