From ebd64addcd00f20052f254aa2a1a48dcff146a86 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Mon, 29 Sep 2025 11:53:07 +0200
Subject: [PATCH 1/5] fix: Auto-create truststore on certificate addition
---
 rust/operator-binary/src/authentication/ldap.rs | 2 +-
 rust/operator-binary/src/authentication/oidc.rs | 2 +-
 rust/operator-binary/src/crd/mod.rs | 2 +-
 rust/operator-binary/src/crd/security.rs | 10 +++++-----
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rust/operator-binary/src/authentication/ldap.rs b/rust/operator-binary/src/authentication/ldap.rs
index 863a4186..efc99471 100644
--- a/rust/operator-binary/src/authentication/ldap.rs
+++ b/rust/operator-binary/src/authentication/ldap.rs
@@ -100,7 +100,7 @@ pub fn prepare_container_commands(
 command: &mut Vec,
 ) {
 if let Some(tls_ca_cert_mount_path) = provider.tls.tls_ca_cert_mount_path() {
- command.push(add_cert_to_trust_store_cmd(
+ command.extend(add_cert_to_trust_store_cmd(
 &tls_ca_cert_mount_path,
 STACKABLE_TLS_DIR,
 TLS_STORE_PASSWORD,
diff --git a/rust/operator-binary/src/authentication/oidc.rs b/rust/operator-binary/src/authentication/oidc.rs
index 22f4f909..c0c1912e 100644
--- a/rust/operator-binary/src/authentication/oidc.rs
+++ b/rust/operator-binary/src/authentication/oidc.rs
@@ -111,7 +111,7 @@ pub fn main_container_commands(
 command: &mut Vec,
 ) {
 if let Some(tls_ca_cert_mount_path) = provider.tls.tls_ca_cert_mount_path() {
- command.push(add_cert_to_jvm_trust_store_cmd(&tls_ca_cert_mount_path))
+ command.extend(add_cert_to_jvm_trust_store_cmd(&tls_ca_cert_mount_path))
 }
 }
diff --git a/rust/operator-binary/src/crd/mod.rs b/rust/operator-binary/src/crd/mod.rs
index 18ceae55..ad23203e 100644
--- a/rust/operator-binary/src/crd/mod.rs
+++ b/rust/operator-binary/src/crd/mod.rs
@@ -997,7 +997,7 @@ impl DruidRole {
 if let Some(s3) = s3 {
 if let Some(ca_cert_file) = s3.tls.tls_ca_cert_mount_path() {
- commands.push(add_cert_to_jvm_trust_store_cmd(&ca_cert_file));
+ commands.extend(add_cert_to_jvm_trust_store_cmd(&ca_cert_file));
 }
 }
diff --git a/rust/operator-binary/src/crd/security.rs b/rust/operator-binary/src/crd/security.rs
index 5ecb4bfd..37f1751b 100644
--- a/rust/operator-binary/src/crd/security.rs
+++ b/rust/operator-binary/src/crd/security.rs
@@ -475,14 +475,14 @@ pub fn add_cert_to_trust_store_cmd(
 cert_file: &str,
 destination_directory: &str,
 store_password: &str,
-) -> String {
+) -> Vec {
 let truststore = format!("{destination_directory}/truststore.p12");
- format!(
- "cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}"
- )
+ vec![format!(
+ "if [ -f {truststore} ]; then cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}; else cert-tools generate-pkcs12-truststore --pem {cert_file} --out {truststore} --out-password {store_password}; fi" // "cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}"
+ )]
 }
 /// Generate a bash command to add a CA to the truststore that is passed to the JVM
-pub fn add_cert_to_jvm_trust_store_cmd(cert_file: &str) -> String {
+pub fn add_cert_to_jvm_trust_store_cmd(cert_file: &str) -> Vec {
 add_cert_to_trust_store_cmd(cert_file, "/stackable", STACKABLE_TRUST_STORE_PASSWORD)
 }
From 24198a3d5fb6419cce6315a7a96d92ec7f753992 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Mon, 29 Sep 2025 11:54:43 +0200
Subject: [PATCH 2/5] changelog
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d5783594..dc2e7eab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
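Review bot: The new shell snippet in add_cert_to_trust_store_cmd interpolates `{truststore}` and `{cert_file}` unquoted in `[ -f {truststore} ]` and in both `cert-tools` invocations, so a `destination_directory` or mount path containing whitespace or glob characters would be word-split by the shell; quoting each path (`[ -f \"{truststore}\" ]`, `--pem \"{cert_file}\"`, `--out \"{truststore}\"`) is cheap. The else branch, taken when no truststore exists yet, appears to create a store holding only `cert_file`, so if callers previously relied on the store being pre-seeded with other CAs that difference deserves a sentence in the function's doc comment, which begins above the hunk. Both branches sit in one `format!` string, so the returned `Vec` always has exactly one element; unless further commands are planned, keeping `-> String` would avoid the matching `push`→`extend` edits in ldap.rs, oidc.rs and crd/mod.rs. Either way the doc comment `/// Generate a bash command to add a CA to the truststore that is passed to the JVM` on add_cert_to_jvm_trust_store_cmd should now say it returns a list of command lines. The `Vec` type parameter is not visible in this rendering, so the exact signature is inferred.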
@@ -15,7 +15,7 @@ All notable changes to this project will be documented in this file.
 ### Fixed
-- Previously we had a bug that could lead to missing certificates ([#753]).
+- Previously we had a bug that could lead to missing certificates ([#753], [#756]).
 This could be the case when the Stackable PKI rotated its CA certificate or you specified multiple CAs in your SecretClass.
@@ -30,6 +30,7 @@ All notable changes to this project will be documented in this file.
 [#752]: https://github.com/stackabletech/druid-operator/pull/752
 [#753]: https://github.com/stackabletech/druid-operator/pull/753
 [#755]: https://github.com/stackabletech/druid-operator/pull/755
+[#756]: https://github.com/stackabletech/druid-operator/pull/756
 ## [25.7.0] - 2025-07-23
From 2527ab767279605a7bd1f56ce557ca8e0e48acf9 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Tue, 30 Sep 2025 07:46:22 +0200
Subject: [PATCH 3/5] Increase test timeout
---
 tests/templates/kuttl/ldap/20-assert.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/templates/kuttl/ldap/20-assert.yaml b/tests/templates/kuttl/ldap/20-assert.yaml
index c947cc92..18d1e259 100644
--- a/tests/templates/kuttl/ldap/20-assert.yaml
+++ b/tests/templates/kuttl/ldap/20-assert.yaml
@@ -3,4 +3,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
 commands:
 - script: kubectl exec -n $NAMESPACE test-druid-0 -- python /tmp/authcheck.py
-timeout: 60
+timeout: 180
From ce38f4ba9c46d559425d98fd0435925fd1510aa4 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Tue, 30 Sep 2025 09:43:05 +0200
Subject: [PATCH 4/5] Remove leftover comment
---
 rust/operator-binary/src/crd/security.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rust/operator-binary/src/crd/security.rs b/rust/operator-binary/src/crd/security.rs
index 37f1751b..cbc783bc 100644
--- a/rust/operator-binary/src/crd/security.rs
+++ b/rust/operator-binary/src/crd/security.rs
@@ -478,7 +478,7 @@ pub fn add_cert_to_trust_store_cmd(
 ) -> Vec {
 let truststore = format!("{destination_directory}/truststore.p12");
 vec![format!(
- "if [ -f {truststore} ]; then cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}; else cert-tools generate-pkcs12-truststore --pem {cert_file} --out {truststore} --out-password {store_password}; fi" // "cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}"
+ "if [ -f {truststore} ]; then cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}; else cert-tools generate-pkcs12-truststore --pem {cert_file} --out {truststore} --out-password {store_password}; fi"
 )]
 }
From 17546a8e9e46711a7d6ddca72037b04b9406080c Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Tue, 30 Sep 2025 09:43:33 +0200
Subject: [PATCH 5/5] Update CHANGELOG.md
Co-authored-by: Malte Sander
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dc2e7eab..82c343d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,7 +15,7 @@ All notable changes to this project will be documented in this file.
 ### Fixed
-- Previously we had a bug that could lead to missing certificates ([#753], [#756]).
+- Fix keytool behavior that could lead to missing certificates ([#753], [#756]).
 This could be the case when the Stackable PKI rotated its CA certificate or you specified multiple CAs in your SecretClass.