fix: Auto-create truststore on certificate addition (#756)

* fix: Auto-create truststore on certificate addition

* changelog

* Increase test timeout

* Remove leftover comment

* Update CHANGELOG.md

Co-authored-by: Malte Sander <[email protected]>

---------

Co-authored-by: Malte Sander <[email protected]>

Author: sbernauer

CHANGELOG.md

@@ -15,7 +15,7 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 
-- Previously we had a bug that could lead to missing certificates ([#753]).
+- Fix keytool behavior that could lead to missing certificates ([#753], [#756]).
 
   This could be the case when the Stackable PKI rotated its CA certificate or you specified multiple
   CAs in your SecretClass.
@@ -30,6 +30,7 @@ All notable changes to this project will be documented in this file.
 [#752]: https://github.com/stackabletech/druid-operator/pull/752
 [#753]: https://github.com/stackabletech/druid-operator/pull/753
 [#755]: https://github.com/stackabletech/druid-operator/pull/755
+[#756]: https://github.com/stackabletech/druid-operator/pull/756
 
 ## [25.7.0] - 2025-07-23
 

rust/operator-binary/src/authentication/ldap.rs

@@ -100,7 +100,7 @@ pub fn prepare_container_commands(
     command: &mut Vec<String>,
 ) {
     if let Some(tls_ca_cert_mount_path) = provider.tls.tls_ca_cert_mount_path() {
-        command.push(add_cert_to_trust_store_cmd(
+        command.extend(add_cert_to_trust_store_cmd(
             &tls_ca_cert_mount_path,
             STACKABLE_TLS_DIR,
             TLS_STORE_PASSWORD,

rust/operator-binary/src/authentication/oidc.rs

@@ -111,7 +111,7 @@ pub fn main_container_commands(
     command: &mut Vec<String>,
 ) {
     if let Some(tls_ca_cert_mount_path) = provider.tls.tls_ca_cert_mount_path() {
-        command.push(add_cert_to_jvm_trust_store_cmd(&tls_ca_cert_mount_path))
+        command.extend(add_cert_to_jvm_trust_store_cmd(&tls_ca_cert_mount_path))
     }
 }
 

rust/operator-binary/src/crd/mod.rs

@@ -997,7 +997,7 @@ impl DruidRole {
 
         if let Some(s3) = s3 {
             if let Some(ca_cert_file) = s3.tls.tls_ca_cert_mount_path() {
-                commands.push(add_cert_to_jvm_trust_store_cmd(&ca_cert_file));
+                commands.extend(add_cert_to_jvm_trust_store_cmd(&ca_cert_file));
             }
         }
 

rust/operator-binary/src/crd/security.rs

@@ -475,14 +475,14 @@ pub fn add_cert_to_trust_store_cmd(
     cert_file: &str,
     destination_directory: &str,
     store_password: &str,
-) -> String {
+) -> Vec<String> {
     let truststore = format!("{destination_directory}/truststore.p12");
-    format!(
-        "cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}"
-    )
+    vec![format!(
+        "if [ -f {truststore} ]; then cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}; else cert-tools generate-pkcs12-truststore --pem {cert_file} --out {truststore} --out-password {store_password}; fi"
+    )]
 }
 
 /// Generate a bash command to add a CA to the truststore that is passed to the JVM
-pub fn add_cert_to_jvm_trust_store_cmd(cert_file: &str) -> String {
+pub fn add_cert_to_jvm_trust_store_cmd(cert_file: &str) -> Vec<String> {
     add_cert_to_trust_store_cmd(cert_file, "/stackable", STACKABLE_TRUST_STORE_PASSWORD)
 }

tests/templates/kuttl/ldap/20-assert.yaml

@@ -3,4 +3,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
 commands:
   - script: kubectl exec -n $NAMESPACE test-druid-0 -- python /tmp/authcheck.py
-timeout: 60
+timeout: 180