
Commit f707dbd

authored
Let secret-operator handle PKCS#12 conversion (#286)
* Use secret-operator truststores * Adapt changelog * Fix Markdown lint
1 parent 519ec08 commit f707dbd


6 files changed

+39
-20
lines changed


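--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ All notable changes to this project will be documented in this file.
 - Removed usages of SPARK_DAEMON_JAVA_OPTS since it's not a reliable way to pass extra JVM options ([#272]).
 - [BREAKING] use product image selection instead of version ([#275]).
 - [BREAKING] refactored application roles to use `CommonConfiguration` structures from the operator framework ([#277]).
+- Let secret-operator handle certificate conversion ([#286]).
 
 ### Fixed
 
@@ -28,6 +29,7 @@ All notable changes to this project will be documented in this file.
 [#275]: https://github.com/stackabletech/spark-k8s-operator/pull/275
 [#277]: https://github.com/stackabletech/spark-k8s-operator/pull/277
 [#281]: https://github.com/stackabletech/spark-k8s-operator/pull/281
+[#286]: https://github.com/stackabletech/spark-k8s-operator/pull/286
 
 ## [23.7.0] - 2023-07-14
 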
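--- a/rust/crd/src/lib.rs
+++ b/rust/crd/src/lib.rs
@@ -13,6 +13,7 @@ use history::LogFileDirectorySpec;
 use s3logdir::S3LogDir;
 use serde::{Deserialize, Serialize};
 use snafu::{OptionExt, ResultExt, Snafu};
+use stackable_operator::builder::SecretFormat;
 use stackable_operator::product_config::ProductConfigManager;
 use stackable_operator::product_config_utils::{
 transform_all_roles_to_config, validate_all_roles_and_groups_config,
@@ -266,7 +267,11 @@ impl SparkApplication {
 for cert_secret in cert_secrets {
 result.push(
 VolumeBuilder::new(cert_secret)
-.ephemeral(SecretOperatorVolumeSourceBuilder::new(cert_secret).build())
+.ephemeral(
+SecretOperatorVolumeSourceBuilder::new(cert_secret)
+.with_format(SecretFormat::TlsPkcs12)
+.build(),
+)
 .build(),
 );
 }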
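Review bot: `with_format(SecretFormat::TlsPkcs12)` is requested without any visible password configuration, so the container-side import in tlscerts.rs — which opens this mounted store with an empty source password and alias `1` — depends on whatever the builder's default store layout is, and that coupling is invisible at this call site. I would add a comment above the `.ephemeral(` call, e.g. `// Ask secret-operator for a PKCS#12 truststore; tlscerts::import_truststore expects it at <mount>/truststore.p12 under alias "1" with an empty store password — TODO confirm against the secret-operator version in use`, so a future change to the format or password is made in both places. The enclosing method of `impl SparkApplication` begins and ends outside this hunk.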

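--- a/rust/crd/src/s3logdir.rs
+++ b/rust/crd/src/s3logdir.rs
@@ -18,6 +18,7 @@ use stackable_operator::{
 use std::collections::BTreeMap;
 
 use snafu::{OptionExt, ResultExt, Snafu};
+use stackable_operator::builder::SecretFormat;
 use strum::{EnumDiscriminants, IntoStaticStr};
 
 #[derive(Snafu, Debug, EnumDiscriminants)]
@@ -184,7 +185,11 @@ impl S3LogDir {
 if let Some(secret_name) = tlscerts::tls_secret_name(&self.bucket.connection) {
 volumes.push(
 VolumeBuilder::new(secret_name)
-.ephemeral(SecretOperatorVolumeSourceBuilder::new(secret_name).build())
+.ephemeral(
+SecretOperatorVolumeSourceBuilder::new(secret_name)
+.with_format(SecretFormat::TlsPkcs12)
+.build(),
+)
 .build(),
 );
 }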
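Review bot: This ephemeral-volume construction is now identical to the one added in `SparkApplication` (lib.rs), including the `TlsPkcs12` format choice that `tlscerts::import_truststore` relies on, and the two copies can silently drift apart (a format or password change in one place would break the shell import in the other). A small helper next to the import logic, e.g. `pub fn tls_truststore_volume(secret_name: &str) -> Volume { VolumeBuilder::new(secret_name).ephemeral(SecretOperatorVolumeSourceBuilder::new(secret_name).with_format(SecretFormat::TlsPkcs12).build()).build() }` in tlscerts.rs, would keep the format decision in one place for both callers. The enclosing method of `impl S3LogDir` begins and ends outside this hunk.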

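--- a/rust/crd/src/tlscerts.rs
+++ b/rust/crd/src/tlscerts.rs
@@ -1,3 +1,4 @@
+use stackable_operator::commons::authentication::tls::{Tls, TlsServerVerification};
 use stackable_operator::commons::{
 authentication::tls::{CaCert, TlsVerification},
 s3::S3ConnectionSpec,
@@ -12,15 +13,20 @@ use crate::{
 };
 
 pub fn tls_secret_name(s3conn: &Option<S3ConnectionSpec>) -> Option<&str> {
-if let Some(conn) = s3conn.as_ref() {
-if let Some(tls) = &conn.tls {
-if let TlsVerification::Server(verification) = &tls.verification {
-if let CaCert::SecretClass(secret_name) = &verification.ca_cert {
-return Some(secret_name);
-}
-}
-}
+if let Some(S3ConnectionSpec {
+tls:
+Some(Tls {
+verification:
+TlsVerification::Server(TlsServerVerification {
+ca_cert: CaCert::SecretClass(ref secret_name),
+}),
+}),
+..
+}) = s3conn
+{
+return Some(secret_name);
 }
+
 None
 }
 
@@ -46,17 +52,18 @@ pub fn tls_secret_names<'a>(
 }
 }
 
-pub fn create_key_and_trust_store() -> Vec<String> {
+pub fn convert_system_trust_store_to_pkcs12() -> Vec<String> {
 vec![
 format!("keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE} -srcstoretype jks -srcstorepass {SYSTEM_TRUST_STORE_PASSWORD} -destkeystore {STACKABLE_TRUST_STORE}/truststore.p12 -deststoretype pkcs12 -deststorepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"),
 ]
 }
 
-pub fn add_cert_to_stackable_truststore(secret_name: &str) -> Vec<String> {
+pub fn import_truststore(secret_name: &str) -> Vec<String> {
+let mount_trust_store_path = format!("{STACKABLE_MOUNT_PATH_TLS}/{secret_name}/truststore.p12");
+let trust_store_path = format!("{STACKABLE_TRUST_STORE}/truststore.p12");
+
 vec![
-format!("echo [{STACKABLE_MOUNT_PATH_TLS}/{secret_name}/ca.crt] Adding cert..."),
-format!("keytool -importcert -file {STACKABLE_MOUNT_PATH_TLS}/{secret_name}/ca.crt -alias stackable-{secret_name} -keystore {STACKABLE_TRUST_STORE}/truststore.p12 -storepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"),
-format!("echo [{STACKABLE_MOUNT_PATH_TLS}/{secret_name}/ca.crt] Checking for cert..."),
-format!("keytool -list -keystore {STACKABLE_TRUST_STORE}/truststore.p12 -storepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt | grep stackable"),
+format!("echo Importing [{mount_trust_store_path}] to [{trust_store_path}] ..."),
+format!("keytool -importkeystore -srckeystore {mount_trust_store_path} -srcalias 1 -srcstorepass \"\" -destkeystore {trust_store_path} -destalias stackable-{secret_name} -storepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"),
 ]
 }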
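Review bot: The new `import_truststore` drops the post-import verification the old version had (`keytool -list ... | grep stackable`), so a failed import — for instance if the secret-operator store does not carry its entry under the hard-coded `-srcalias 1`, or is not password-less as `-srcstorepass \"\"` assumes — would only surface later as a TLS failure against S3, depending on how the callers chain these commands, which happens outside this file. I would keep an explicit check after the import, e.g. `format!("keytool -list -keystore {trust_store_path} -storepass {STACKABLE_TLS_STORE_PASSWORD} -alias stackable-{secret_name} -noprompt"),`, which exits non-zero when the alias is absent and so fails the init step instead of a later connection. The alias and empty-password assumptions also deserve a comment on the keytool line, e.g. `// secret-operator's TlsPkcs12 output is expected to be a password-less store with its CA under alias "1" — TODO confirm against the secret-operator version in use`. Store passwords are still passed as command-line arguments and therefore appear in the pod spec and process list; that predates this change but is worth keeping in mind if the truststore password is ever treated as sensitive.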

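--- a/rust/operator-binary/src/history_controller.rs
+++ b/rust/operator-binary/src/history_controller.rs
@@ -586,8 +586,8 @@ fn command_args(s3logdir: &S3LogDir) -> Vec<String> {
 
 if let Some(secret_name) = tlscerts::tls_secret_name(&s3logdir.bucket.connection) {
 command.extend(vec![format!("mkdir -p {STACKABLE_TRUST_STORE}")]);
-command.extend(tlscerts::create_key_and_trust_store());
-command.extend(tlscerts::add_cert_to_stackable_truststore(secret_name));
+command.extend(tlscerts::convert_system_trust_store_to_pkcs12());
+command.extend(tlscerts::import_truststore(secret_name));
 }
 
 command.extend(vec![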

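--- a/rust/operator-binary/src/spark_k8s_controller.rs
+++ b/rust/operator-binary/src/spark_k8s_controller.rs
@@ -414,9 +414,9 @@ fn init_containers(
 let mut args = Vec::new();
 
 let tls_container = tlscerts::tls_secret_names(s3conn, s3logdir).map(|cert_secrets| {
-args.extend(tlscerts::create_key_and_trust_store());
+args.extend(tlscerts::convert_system_trust_store_to_pkcs12());
 for cert_secret in cert_secrets {
-args.extend(tlscerts::add_cert_to_stackable_truststore(cert_secret));
+args.extend(tlscerts::import_truststore(cert_secret));
 tcb.add_volume_mount(
 cert_secret,
 format!("{STACKABLE_MOUNT_PATH_TLS}/{cert_secret}"),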
