From 019d17132412ec6f53bf26795dd2e1fc1d7cbe0a Mon Sep 17 00:00:00 2001
From: Siegfried Weber
Date: Mon, 23 Mar 2026 17:08:14 +0100
Subject: [PATCH 1/3] test: Enable hot reloading in password files
---
 .../11-create-authentication-classes.yaml | 4 +++-
 .../authentication/30-hot-reloading-add-user.yaml | 4 +++-
 .../authentication/32-hot-reloading-remove-user.yaml | 4 +++-
 tests/templates/kuttl/authentication/33-assert.yaml | 10 +++++++++-
 tests/templates/kuttl/authentication/add_user.yaml.j2 | 2 ++
 .../create-authentication-classes.yaml.j2 | 2 ++
 .../templates/kuttl/authentication/remove_user.yaml.j2 | 2 ++
 7 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/tests/templates/kuttl/authentication/11-create-authentication-classes.yaml b/tests/templates/kuttl/authentication/11-create-authentication-classes.yaml
index 90d7622d3..4185b141f 100644
--- a/tests/templates/kuttl/authentication/11-create-authentication-classes.yaml
+++ b/tests/templates/kuttl/authentication/11-create-authentication-classes.yaml
@@ -5,4 +5,6 @@ metadata:
 name: create-ldap-user
 commands:
 # We need to replace $NAMESPACE (by KUTTL) in the create-authentication-classes.yaml(.j2)
- - script: eval "echo \"$(cat create-authentication-classes.yaml)\"" | kubectl apply -f -
+ - script: >
+ envsubst '$NAMESPACE' < create-authentication-classes.yaml |
+ kubectl apply --filename=-
diff --git a/tests/templates/kuttl/authentication/30-hot-reloading-add-user.yaml b/tests/templates/kuttl/authentication/30-hot-reloading-add-user.yaml
index e4aa018bd..f057d4654 100644
--- a/tests/templates/kuttl/authentication/30-hot-reloading-add-user.yaml
+++ b/tests/templates/kuttl/authentication/30-hot-reloading-add-user.yaml
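Review bot: The comment above the new `script` in 11-create-authentication-classes.yaml still only says that $NAMESPACE is replaced and does not record why the variable list `'$NAMESPACE'` is passed to envsubst. That list is what keeps every other `$` sequence in the manifest literal (the Secret's stringData values, for example), and unlike the removed `eval "echo …"` the file content is no longer evaluated by the shell. I would add `# envsubst is limited to $NAMESPACE so that nothing else in the manifest is expanded; do not go back to eval.` The same comment fits the hunks in 30-hot-reloading-add-user.yaml and 32-hot-reloading-remove-user.yaml.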
@@ -3,4 +3,6 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 # We need to replace $NAMESPACE (by KUTTL) in the add_user.yaml(.j2)
- - script: eval "echo \"$(cat add_user.yaml)\"" | kubectl replace -f -
+ - script: >
+ envsubst '$NAMESPACE' < add_user.yaml |
+ kubectl replace --filename=-
diff --git a/tests/templates/kuttl/authentication/32-hot-reloading-remove-user.yaml b/tests/templates/kuttl/authentication/32-hot-reloading-remove-user.yaml
index 1dd355acc..5601faced 100644
--- a/tests/templates/kuttl/authentication/32-hot-reloading-remove-user.yaml
+++ b/tests/templates/kuttl/authentication/32-hot-reloading-remove-user.yaml
@@ -3,4 +3,6 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
 # We need to replace $NAMESPACE (by KUTTL) in the remove_user.yaml(.j2)
- - script: eval "echo \"$(cat remove_user.yaml)\"" | kubectl replace -f -
+ - script: >
+ envsubst '$NAMESPACE' < remove_user.yaml |
+ kubectl replace --filename=-
diff --git a/tests/templates/kuttl/authentication/33-assert.yaml b/tests/templates/kuttl/authentication/33-assert.yaml
index f8c36c72b..1ced76eb0 100644
--- a/tests/templates/kuttl/authentication/33-assert.yaml
+++ b/tests/templates/kuttl/authentication/33-assert.yaml
@@ -5,4 +5,12 @@ timeout: 600
 commands:
 # We use the check-active-workers script for the login. Since we do want to wait until we cannot log in anymore
 # we flip the return value in the end.
- - script: kubectl exec -n $NAMESPACE trino-test-helper-0 -- python /tmp/check-active-workers.py -u hot_reloaded -p hot_reloaded -c trino-coordinator-default-headless.$NAMESPACE.svc.cluster.local -w 1; if [ $? -eq 0 ]; then exit 1; fi
+ - script: |
+ set +e
+ kubectl exec -n $NAMESPACE trino-test-helper-0 -- \
+ python /tmp/check-active-workers.py -u hot_reloaded -p hot_reloaded -c trino-coordinator-default-headless.$NAMESPACE.svc.cluster.local -w 1
+ if [ $? -eq 1 ]; then
+ exit 0
+ else
+ exit 1
+ fi
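Review bot: In 33-assert.yaml the step now passes on any exit status 1 from `kubectl exec`, not only on a rejected login. As far as I know kubectl also exits with 1 on its own errors (pod not ready, API server unreachable), and a Python script that dies on an uncaught exception does too, so the check that the removed user `hot_reloaded` can no longer authenticate may pass while the coordinator is simply unreachable. I would first require a login that must still succeed, assuming `test_user_1` from remove_user.yaml.j2 is a valid password-file user, and quote `$NAMESPACE`. Longer term check-active-workers.py, which is not part of this patch, could return a distinct exit code for an authentication failure.

```yaml
  - script: |
      set +e
      coordinator="trino-coordinator-default-headless.$NAMESPACE.svc.cluster.local"
      # Control login: a user that is still in the Secret must get in, otherwise
      # a failure below says nothing about the removed user.
      kubectl exec -n "$NAMESPACE" trino-test-helper-0 -- \
        python /tmp/check-active-workers.py -u test_user_1 -p test_user_1 -c "$coordinator" -w 1 || exit 1
      kubectl exec -n "$NAMESPACE" trino-test-helper-0 -- \
        python /tmp/check-active-workers.py -u hot_reloaded -p hot_reloaded -c "$coordinator" -w 1
      # … unchanged: exit 0 only when the status is 1, exit 1 otherwise …
```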
diff --git a/tests/templates/kuttl/authentication/add_user.yaml.j2 b/tests/templates/kuttl/authentication/add_user.yaml.j2
index d799a491d..8b59548ea 100644
--- a/tests/templates/kuttl/authentication/add_user.yaml.j2
+++ b/tests/templates/kuttl/authentication/add_user.yaml.j2
@@ -4,6 +4,8 @@ kind: Secret
 metadata:
 name: password-file-users
 namespace: $NAMESPACE
+ annotations:
+ restarter.stackable.tech/ignore: "true"
 stringData:
 test_user_1: test_user_1
 test_user_2: test_user_2
diff --git a/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2 b/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2
index 2c90ac43d..b225d2acc 100644
--- a/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2
+++ b/tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2
@@ -43,6 +43,8 @@ kind: Secret
 metadata:
 name: password-file-users
 namespace: $NAMESPACE
+ annotations:
+ restarter.stackable.tech/ignore: "true"
 stringData:
 test_user_1: test_user_1
 test_user_2: test_user_2
diff --git a/tests/templates/kuttl/authentication/remove_user.yaml.j2 b/tests/templates/kuttl/authentication/remove_user.yaml.j2
index 9c7ab6c7a..bb9c7a607 100644
--- a/tests/templates/kuttl/authentication/remove_user.yaml.j2
+++ b/tests/templates/kuttl/authentication/remove_user.yaml.j2
@@ -4,6 +4,8 @@ kind: Secret
 metadata:
 name: password-file-users
 namespace: $NAMESPACE
+ annotations:
+ restarter.stackable.tech/ignore: "true"
 stringData:
 test_user_1: test_user_1
 test_user_2: test_user_2
From 5854fe7e5ad0b43a8260450c606fda8eda44efaa Mon Sep 17 00:00:00 2001
From: Siegfried Weber
Date: Tue, 31 Mar 2026 17:06:57 +0200
Subject: [PATCH 2/3] doc: Explain the annotation restarter.stackable.tech/ignore in the security documentation
---
 .../trino/examples/usage-guide/trino-file-auth-snippet.yaml | 2 ++
 docs/modules/trino/pages/usage-guide/security.adoc | 1 +
 2 files changed, 3 insertions(+)
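Review bot: The `restarter.stackable.tech/ignore: "true"` annotation added in add_user.yaml.j2 carries no comment saying why the test depends on it. Steps 30 and 32 apply these manifests with `kubectl replace`, so dropping the annotation from one file would remove it from the live Secret without any error. I would add `# Keep this annotation in every version of the Secret: without it the restart controller restarts Trino on a change and hot reloading is not exercised.` above `annotations:`. The same applies to the Secret in create-authentication-classes.yaml.j2 and remove_user.yaml.j2; in all three the stringData block continues outside the hunk.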
diff --git a/docs/modules/trino/examples/usage-guide/trino-file-auth-snippet.yaml b/docs/modules/trino/examples/usage-guide/trino-file-auth-snippet.yaml index d08d9d48a..bdf5c2f41 100644 --- a/docs/modules/trino/examples/usage-guide/trino-file-auth-snippet.yaml +++ b/docs/modules/trino/examples/usage-guide/trino-file-auth-snippet.yaml @@ -17,6 +17,8 @@ apiVersion: v1 kind: Secret metadata: name: trino-users + annotations: + restarter.stackable.tech/ignore: "true" type: kubernetes.io/opaque stringData: admin: admin diff --git a/docs/modules/trino/pages/usage-guide/security.adoc b/docs/modules/trino/pages/usage-guide/security.adoc index c94679bea..c65986ccf 100644 --- a/docs/modules/trino/pages/usage-guide/security.adoc +++ b/docs/modules/trino/pages/usage-guide/security.adoc @@ -52,6 +52,7 @@ IMPORTANT: Due to Kubernetes restrictions, the name of the AuthenticationClass m Changes to the referenced user Secret (e.g. adding or removing a user) are updated in Trino without restarts but after a small delay. This heavily depends on Kubernetes and may take a couple of minutes. +To prevent restarts triggered by the restart controller, the Secret must be annotated with `restarter.stackable.tech/ignore: "true"`. Adding or removing an AuthenticationClass will however result in a Pod restart. From e732d5b6827a808946666b2741d19b5a76b3d7df Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Tue, 31 Mar 2026 17:16:44 +0200 Subject: [PATCH 3/3] chore: Update changelog --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 47d2bf5c4..f3eaafc4b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Fixed + +- Re-enable hot-reloading in password file Secrets with the annotation + `restarter.stackable.tech/ignore: "true"` ([#868]). + +[#868]: https://github.com/stackabletech/trino-operator/pull/868 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16