recfactor: OPA tls mount helper method

dervoeti · dervoeti · commit 707fc8fbc9ee · 2025-10-31T19:18:32.000+01:00
diff --git a/rust/operator-binary/src/authorization/opa.rs b/rust/operator-binary/src/authorization/opa.rs
@@ -9,6 +9,8 @@ use stackable_operator::{
 
 use crate::crd::v1alpha1::TrinoCluster;
 
+pub const OPA_TLS_VOLUME_NAME: &str = "opa-tls";
+
 pub struct TrinoOpaConfig {
     /// URI for OPA policies, e.g.
     /// `http://localhost:8081/v1/data/trino/allow`
@@ -125,4 +127,10 @@ impl TrinoOpaConfig {
         }
         config
     }
+
+    pub fn tls_mount_path(&self) -> Option<String> {
+        self.tls_secret_class
+            .as_ref()
+            .map(|_| format!("/stackable/secrets/{OPA_TLS_VOLUME_NAME}"))
+    }
 }
diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs
@@ -76,10 +76,10 @@ use strum::{EnumDiscriminants, IntoStaticStr};
 
 use crate::{
     authentication::{TrinoAuthenticationConfig, TrinoAuthenticationTypes},
-    authorization::opa::TrinoOpaConfig,
+    authorization::opa::{OPA_TLS_VOLUME_NAME, TrinoOpaConfig},
     catalog::{FromTrinoCatalogError, config::CatalogConfig},
-    command, config,
-    config::{client_protocol, fault_tolerant_execution},
+    command,
+    config::{self, client_protocol, fault_tolerant_execution},
     crd::{
         ACCESS_CONTROL_PROPERTIES, APP_NAME, CONFIG_DIR_NAME, CONFIG_PROPERTIES, Container,
         DISCOVERY_URI, ENV_INTERNAL_SECRET, ENV_SPOOLING_SECRET, EXCHANGE_MANAGER_PROPERTIES,
@@ -123,7 +123,6 @@ pub const MAX_PREPARE_LOG_FILE_SIZE: MemoryQuantity = MemoryQuantity {
 };
 
 const DOCKER_IMAGE_BASE_NAME: &str = "trino";
-const OPA_TLS_VOLUME_NAME: &str = "opa-tls";
 
 #[derive(Snafu, Debug, EnumDiscriminants)]
 #[strum_discriminants(derive(IntoStaticStr))]
@@ -1170,13 +1169,12 @@ fn build_rolegroup_statefulset(
         .extend(trino_authentication_config.commands(&TrinoRole::Coordinator, &Container::Prepare));
 
     // Add OPA TLS certificate to truststore if configured
-    if trino_opa_config
+    if let Some(tls_mount_path) = trino_opa_config
         .as_ref()
-        .and_then(|c| c.tls_secret_class.as_ref())
-        .is_some()
+        .and_then(|opa_config| opa_config.tls_mount_path())
     {
         prepare_args.extend(command::add_cert_to_truststore(
-            &format!("/stackable/secrets/{OPA_TLS_VOLUME_NAME}/ca.crt"),
+            format!("{}/ca.crt", tls_mount_path).as_str(),
             STACKABLE_CLIENT_TLS_DIR,
         ));
     }
@@ -1806,26 +1804,32 @@ fn tls_volume_mounts(
             .context(AddVolumeSnafu)?;
     }
 
-    if let Some(opa_config) = trino_opa_config {
-        if let Some(opa_tls_secret_class) = &opa_config.tls_secret_class {
-            let opa_tls_mount_path = format!("/stackable/secrets/{OPA_TLS_VOLUME_NAME}");
 
-            cb_prepare
-                .add_volume_mount(OPA_TLS_VOLUME_NAME, &opa_tls_mount_path)
-                .context(AddVolumeMountSnafu)?;
+    // Add OPA TLS certs if configured
+    if let Some((tls_secret_class, tls_mount_path)) = trino_opa_config
+        .as_ref()
+        .and_then(|opa_config| {
+            opa_config
+                .tls_secret_class
+                .as_ref()
+                .zip(opa_config.tls_mount_path())
+        })
+    {
+        cb_prepare
+            .add_volume_mount(OPA_TLS_VOLUME_NAME, &tls_mount_path)
+            .context(AddVolumeMountSnafu)?;
 
-            let opa_tls_volume = VolumeBuilder::new(OPA_TLS_VOLUME_NAME)
-                .ephemeral(
-                    SecretOperatorVolumeSourceBuilder::new(opa_tls_secret_class)
-                        .build()
-                        .context(TlsCertSecretClassVolumeBuildSnafu)?,
-                )
-                .build();
+        let opa_tls_volume = VolumeBuilder::new(OPA_TLS_VOLUME_NAME)
+            .ephemeral(
+                SecretOperatorVolumeSourceBuilder::new(tls_secret_class)
+                    .build()
+                    .context(TlsCertSecretClassVolumeBuildSnafu)?,
+            )
+            .build();
 
-            pod_builder
-                .add_volume(opa_tls_volume)
-                .context(AddVolumeSnafu)?;
-        }
+        pod_builder
+            .add_volume(opa_tls_volume)
+            .context(AddVolumeSnafu)?;
     }
 
     // fault tolerant execution S3 credentials and other resources

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,8 @@ use stackable_operator::{`
`9`	`9`
`10`	`10`	`use crate::crd::v1alpha1::TrinoCluster;`
`11`	`11`
	`12`	`+pub const OPA_TLS_VOLUME_NAME: &str = "opa-tls";`
	`13`	`+`
`12`	`14`	`pub struct TrinoOpaConfig {`
`13`	`15`	`/// URI for OPA policies, e.g.`
`14`	`16`	/// `http://localhost:8081/v1/data/trino/allow`
`@@ -125,4 +127,10 @@ impl TrinoOpaConfig {`
`125`	`127`	`}`
`126`	`128`	`config`
`127`	`129`	`}`
	`130`	`+`
	`131`	`+ pub fn tls_mount_path(&self) -> Option<String> {`
	`132`	`+ self.tls_secret_class`
	`133`	`+ .as_ref()`
	`134`	`+ .map(\|_\| format!("/stackable/secrets/{OPA_TLS_VOLUME_NAME}"))`
	`135`	`+ }`
`128`	`136`	`}`