Let secret-operator handle PKCS#12 conversion

CHANGELOG.md

@@ -16,6 +16,7 @@ All notable changes to this project will be documented in this file.
 - Removed usages of SPARK_DAEMON_JAVA_OPTS since it's not a reliable way to pass extra JVM options ([#272]).
 - [BREAKING] use product image selection instead of version ([#275]).
 - [BREAKING] refactored application roles to use `CommonConfiguration` structures from the operator framework ([#277]).
+- Let secret-operator handle certificate conversion ([#286]).
 
 ### Fixed
 
@@ -28,6 +29,7 @@ All notable changes to this project will be documented in this file.
 [#275]: https://github.com/stackabletech/spark-k8s-operator/pull/275
 [#277]: https://github.com/stackabletech/spark-k8s-operator/pull/277
 [#281]: https://github.com/stackabletech/spark-k8s-operator/pull/281
+[#286]: https://github.com/stackabletech/spark-k8s-operator/pull/286
 
 ## [23.7.0] - 2023-07-14
 

rust/crd/src/lib.rs

@@ -13,6 +13,7 @@ use history::LogFileDirectorySpec;
 use s3logdir::S3LogDir;
 use serde::{Deserialize, Serialize};
 use snafu::{OptionExt, ResultExt, Snafu};
+use stackable_operator::builder::SecretFormat;
 use stackable_operator::product_config::ProductConfigManager;
 use stackable_operator::product_config_utils::{
     transform_all_roles_to_config, validate_all_roles_and_groups_config,
@@ -266,7 +267,11 @@ impl SparkApplication {
             for cert_secret in cert_secrets {
                 result.push(
                     VolumeBuilder::new(cert_secret)
-                        .ephemeral(SecretOperatorVolumeSourceBuilder::new(cert_secret).build())
+                        .ephemeral(
+                            SecretOperatorVolumeSourceBuilder::new(cert_secret)
+                                .with_format(SecretFormat::TlsPkcs12)
+                                .build(),
+                        )
                         .build(),
                 );
             }

rust/crd/src/s3logdir.rs

@@ -18,6 +18,7 @@ use stackable_operator::{
 use std::collections::BTreeMap;
 
 use snafu::{OptionExt, ResultExt, Snafu};
+use stackable_operator::builder::SecretFormat;
 use strum::{EnumDiscriminants, IntoStaticStr};
 
 #[derive(Snafu, Debug, EnumDiscriminants)]
@@ -184,7 +185,11 @@ impl S3LogDir {
         if let Some(secret_name) = tlscerts::tls_secret_name(&self.bucket.connection) {
             volumes.push(
                 VolumeBuilder::new(secret_name)
-                    .ephemeral(SecretOperatorVolumeSourceBuilder::new(secret_name).build())
+                    .ephemeral(
+                        SecretOperatorVolumeSourceBuilder::new(secret_name)
+                            .with_format(SecretFormat::TlsPkcs12)
+                            .build(),
+                    )
                     .build(),
             );
         }

rust/crd/src/tlscerts.rs

@@ -1,3 +1,4 @@
+use stackable_operator::commons::authentication::tls::{Tls, TlsServerVerification};
 use stackable_operator::commons::{
     authentication::tls::{CaCert, TlsVerification},
     s3::S3ConnectionSpec,
@@ -12,15 +13,20 @@ use crate::{
 };
 
 pub fn tls_secret_name(s3conn: &Option<S3ConnectionSpec>) -> Option<&str> {
-    if let Some(conn) = s3conn.as_ref() {
-        if let Some(tls) = &conn.tls {
-            if let TlsVerification::Server(verification) = &tls.verification {
-                if let CaCert::SecretClass(secret_name) = &verification.ca_cert {
-                    return Some(secret_name);
-                }
-            }
-        }
+    if let Some(S3ConnectionSpec {
+        tls:
+            Some(Tls {
+                verification:
+                    TlsVerification::Server(TlsServerVerification {
+                        ca_cert: CaCert::SecretClass(ref secret_name),
+                    }),
+            }),
+        ..
+    }) = s3conn
+    {
+        return Some(secret_name);
     }
+
     None
 }
 
@@ -46,17 +52,18 @@ pub fn tls_secret_names<'a>(
     }
 }
 
-pub fn create_key_and_trust_store() -> Vec<String> {
+pub fn convert_system_trust_store_to_pkcs12() -> Vec<String> {
     vec![
         format!("keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE} -srcstoretype jks -srcstorepass {SYSTEM_TRUST_STORE_PASSWORD} -destkeystore {STACKABLE_TRUST_STORE}/truststore.p12 -deststoretype pkcs12 -deststorepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"),
     ]
 }
 
-pub fn add_cert_to_stackable_truststore(secret_name: &str) -> Vec<String> {
+pub fn import_truststore(secret_name: &str) -> Vec<String> {
+    let mount_trust_store_path = format!("{STACKABLE_MOUNT_PATH_TLS}/{secret_name}/truststore.p12");
+    let trust_store_path = format!("{STACKABLE_TRUST_STORE}/truststore.p12");
+
     vec![
-        format!("echo [{STACKABLE_MOUNT_PATH_TLS}/{secret_name}/ca.crt] Adding cert..."),
-        format!("keytool -importcert -file {STACKABLE_MOUNT_PATH_TLS}/{secret_name}/ca.crt -alias stackable-{secret_name} -keystore {STACKABLE_TRUST_STORE}/truststore.p12 -storepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"),
-        format!("echo [{STACKABLE_MOUNT_PATH_TLS}/{secret_name}/ca.crt] Checking for cert..."),
-        format!("keytool -list -keystore {STACKABLE_TRUST_STORE}/truststore.p12 -storepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt | grep stackable"),
+        format!("echo Importing [{mount_trust_store_path}] to [{trust_store_path}] ..."),
+        format!("keytool -importkeystore -srckeystore {mount_trust_store_path} -srcalias 1 -srcstorepass \"\" -destkeystore {trust_store_path} -destalias stackable-{secret_name} -storepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"),
     ]
 }

rust/operator-binary/src/history_controller.rs

@@ -586,8 +586,8 @@ fn command_args(s3logdir: &S3LogDir) -> Vec<String> {
 
     if let Some(secret_name) = tlscerts::tls_secret_name(&s3logdir.bucket.connection) {
         command.extend(vec![format!("mkdir -p {STACKABLE_TRUST_STORE}")]);
-        command.extend(tlscerts::create_key_and_trust_store());
-        command.extend(tlscerts::add_cert_to_stackable_truststore(secret_name));
+        command.extend(tlscerts::convert_system_trust_store_to_pkcs12());
+        command.extend(tlscerts::import_truststore(secret_name));
     }
 
     command.extend(vec![

rust/operator-binary/src/spark_k8s_controller.rs

@@ -414,9 +414,9 @@ fn init_containers(
     let mut args = Vec::new();
 
     let tls_container = tlscerts::tls_secret_names(s3conn, s3logdir).map(|cert_secrets| {
-        args.extend(tlscerts::create_key_and_trust_store());
+        args.extend(tlscerts::convert_system_trust_store_to_pkcs12());
         for cert_secret in cert_secrets {
-            args.extend(tlscerts::add_cert_to_stackable_truststore(cert_secret));
+            args.extend(tlscerts::import_truststore(cert_secret));
             tcb.add_volume_mount(
                 cert_secret,
                 format!("{STACKABLE_MOUNT_PATH_TLS}/{cert_secret}"),