fix: For cluster internal scopes also add variant without trailing dot

docs/modules/secret-operator/pages/scope.adoc

@@ -59,5 +59,6 @@ For example, a TLS certificate provisioned by the xref:secretclass.adoc#backend-
 xref:#node[] and xref:#pod[] would contain the following values in its `subjectAlternateName` (SAN) extension field:
 
 * The node's IP address
-* The node's fully qualified domain name (`my-node.example.com`)
-* The pod's fully qualified domain name (`my-pod.my-service.my-namespace.svc.cluster.local`)
+* The node's domain name (`my-node.example.com`)
+* The pod's domain name (`my-pod.my-service.my-namespace.svc.cluster.local`)
+* The pod's fully qualified domain name (`my-pod.my-service.my-namespace.svc.cluster.local.`)

rust/operator-binary/Cargo.toml

@@ -23,6 +23,7 @@ p12.workspace = true
 pin-project.workspace = true
 prost-types.workspace = true
 prost.workspace = true
+rand.workspace = true
 serde_json.workspace = true
 serde.workspace = true
 snafu.workspace = true
@@ -39,7 +40,6 @@ tonic.workspace = true
 tracing.workspace = true
 uuid.workspace = true
 yasna.workspace = true
-rand.workspace = true
 
 [dev-dependencies]
 serde_yaml.workspace = true

rust/operator-binary/src/backend/kerberos_keytab.rs

@@ -140,43 +140,13 @@ impl SecretBackend for KerberosKeytab {
         pod_info: super::pod_info::PodInfo,
     ) -> Result<super::SecretContents, Self::Error> {
         let Self {
-            profile:
-                KerberosProfile {
-                    realm_name,
-                    kdc,
-                    admin,
-                },
-            admin_keytab,
             admin_principal,
+            admin_keytab,
+            profile: KerberosProfile { admin, .. },
         } = self;
-
-        let admin_server_clause = match admin {
-            KerberosKeytabBackendAdmin::Mit { kadmin_server } => {
-                format!("  admin_server = {kadmin_server}")
-            }
-            KerberosKeytabBackendAdmin::ActiveDirectory { .. } => String::new(),
-        };
+        let profile = self.kerberos_profile(&pod_info.kubernetes_cluster_domain);
 
         let tmp = tempdir().context(TempSetupSnafu)?;
-        let profile = format!(
-            r#"
-[libdefaults]
-default_realm = {realm_name}
-rdns = false
-dns_canonicalize_hostnames = false
-udp_preference_limit = 1
-
-[realms]
-{realm_name} = {{
-  kdc = {kdc}
-{admin_server_clause}
-}}
-
-[domain_realm]
-cluster.local = {realm_name}
-.cluster.local = {realm_name}
-"#
-        );
         let profile_file_path = tmp.path().join("krb5.conf");
         {
             let mut profile_file = File::create(&profile_file_path)
@@ -280,3 +250,133 @@ cluster.local = {realm_name}
         )))
     }
 }
+
+impl KerberosKeytab {
+    fn kerberos_profile(&self, cluster_domain: &str) -> String {
+        let Self {
+            profile:
+                KerberosProfile {
+                    realm_name,
+                    kdc,
+                    admin,
+                },
+            ..
+        } = self;
+
+        let admin_server_clause = match admin {
+            KerberosKeytabBackendAdmin::Mit { kadmin_server } => {
+                format!("  admin_server = {kadmin_server}")
+            }
+            KerberosKeytabBackendAdmin::ActiveDirectory { .. } => String::new(),
+        };
+
+        let mut domain_realm_section = "[domain_realm]".to_owned();
+        domain_realm_section.push_str(&format!(
+            "
+{cluster_domain} = {realm_name}
+.{cluster_domain} = {realm_name}
+"
+        ));
+        if let Some(cluster_domain_without_trailing_dot) = cluster_domain.strip_suffix('.') {
+            domain_realm_section.push_str(&format!(
+                "{cluster_domain_without_trailing_dot} = {realm_name}
+.{cluster_domain_without_trailing_dot} = {realm_name}
+"
+            ));
+        }
+
+        format!(
+            r#"
+[libdefaults]
+default_realm = {realm_name}
+rdns = false
+dns_canonicalize_hostnames = false
+udp_preference_limit = 1
+
+[realms]
+{realm_name} = {{
+kdc = {kdc}
+{admin_server_clause}
+}}
+
+{domain_realm_section}
+"#
+        )
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_kerberos_profile_without_trailing_dot() {
+        let kerberos_keytab = construct_kerberos_keytab();
+        let kerberos_profile = kerberos_keytab.kerberos_profile("cluster.local");
+        assert_eq!(
+            kerberos_profile,
+            "
+[libdefaults]
+default_realm = MY.CORP
+rdns = false
+dns_canonicalize_hostnames = false
+udp_preference_limit = 1
+
+[realms]
+MY.CORP = {
+kdc = krb5-kdc
+  admin_server = krb5-kdc
+}
+
+[domain_realm]
+cluster.local = MY.CORP
+.cluster.local = MY.CORP
+
+"
+        );
+    }
+
+    #[test]
+    fn test_kerberos_profile_with_trailing_dot() {
+        let kerberos_keytab = construct_kerberos_keytab();
+        let kerberos_profile = kerberos_keytab.kerberos_profile("custom.cluster.local.");
+        assert_eq!(
+            kerberos_profile,
+            "
+[libdefaults]
+default_realm = MY.CORP
+rdns = false
+dns_canonicalize_hostnames = false
+udp_preference_limit = 1
+
+[realms]
+MY.CORP = {
+kdc = krb5-kdc
+  admin_server = krb5-kdc
+}
+
+[domain_realm]
+custom.cluster.local. = MY.CORP
+.custom.cluster.local. = MY.CORP
+custom.cluster.local = MY.CORP
+.custom.cluster.local = MY.CORP
+
+"
+        );
+    }
+
+    fn construct_kerberos_keytab() -> KerberosKeytab {
+        KerberosKeytab {
+            profile: KerberosProfile {
+                realm_name: KerberosRealmName::try_from("MY.CORP".to_owned()).unwrap(),
+                kdc: "krb5-kdc".parse().unwrap(),
+                admin: KerberosKeytabBackendAdmin::Mit {
+                    kadmin_server: "krb5-kdc".parse().unwrap(),
+                },
+            },
+            admin_keytab: Unloggable(vec![]),
+            admin_principal: KerberosPrincipal::try_from("stackable-secret-operator".to_owned())
+                .unwrap(),
+        }
+    }
+}