diff --git a/CHANGELOG.md b/CHANGELOG.md
index d5783594..82c343d2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,7 +15,7 @@ All notable changes to this project will be documented in this file.
 ### Fixed
-- Previously we had a bug that could lead to missing certificates ([#753]).
+- Fix keytool behavior that could lead to missing certificates ([#753], [#756]).
 This could be the case when the Stackable PKI rotated its CA certificate or you specified multiple CAs in your SecretClass.
@@ -30,6 +30,7 @@ All notable changes to this project will be documented in this file.
 [#752]: https://github.com/stackabletech/druid-operator/pull/752
 [#753]: https://github.com/stackabletech/druid-operator/pull/753
 [#755]: https://github.com/stackabletech/druid-operator/pull/755
+[#756]: https://github.com/stackabletech/druid-operator/pull/756
 ## [25.7.0] - 2025-07-23
diff --git a/rust/operator-binary/src/authentication/ldap.rs b/rust/operator-binary/src/authentication/ldap.rs
index 863a4186..efc99471 100644
--- a/rust/operator-binary/src/authentication/ldap.rs
+++ b/rust/operator-binary/src/authentication/ldap.rs
@@ -100,7 +100,7 @@ pub fn prepare_container_commands(
 command: &mut Vec,
 ) {
 if let Some(tls_ca_cert_mount_path) = provider.tls.tls_ca_cert_mount_path() {
- command.push(add_cert_to_trust_store_cmd(
+ command.extend(add_cert_to_trust_store_cmd(
 &tls_ca_cert_mount_path,
 STACKABLE_TLS_DIR,
 TLS_STORE_PASSWORD,
diff --git a/rust/operator-binary/src/authentication/oidc.rs b/rust/operator-binary/src/authentication/oidc.rs
index 22f4f909..c0c1912e 100644
--- a/rust/operator-binary/src/authentication/oidc.rs
+++ b/rust/operator-binary/src/authentication/oidc.rs
@@ -111,7 +111,7 @@ pub fn main_container_commands(
 command: &mut Vec,
 ) {
 if let Some(tls_ca_cert_mount_path) = provider.tls.tls_ca_cert_mount_path() {
- command.push(add_cert_to_jvm_trust_store_cmd(&tls_ca_cert_mount_path))
+ command.extend(add_cert_to_jvm_trust_store_cmd(&tls_ca_cert_mount_path))
 }
 }
diff --git a/rust/operator-binary/src/crd/mod.rs b/rust/operator-binary/src/crd/mod.rs
index 18ceae55..ad23203e 100644
--- a/rust/operator-binary/src/crd/mod.rs
+++ b/rust/operator-binary/src/crd/mod.rs
@@ -997,7 +997,7 @@ impl DruidRole {
 if let Some(s3) = s3 {
 if let Some(ca_cert_file) = s3.tls.tls_ca_cert_mount_path() {
- commands.push(add_cert_to_jvm_trust_store_cmd(&ca_cert_file));
+ commands.extend(add_cert_to_jvm_trust_store_cmd(&ca_cert_file));
 }
 }
diff --git a/rust/operator-binary/src/crd/security.rs b/rust/operator-binary/src/crd/security.rs
index 5ecb4bfd..cbc783bc 100644
--- a/rust/operator-binary/src/crd/security.rs
+++ b/rust/operator-binary/src/crd/security.rs
@@ -475,14 +475,14 @@ pub fn add_cert_to_trust_store_cmd(
 cert_file: &str,
 destination_directory: &str,
 store_password: &str,
-) -> String {
+) -> Vec {
 let truststore = format!("{destination_directory}/truststore.p12");
- format!(
- "cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}"
- )
+ vec![format!(
+ "if [ -f {truststore} ]; then cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{store_password} --pem {cert_file} --out {truststore} --out-password {store_password}; else cert-tools generate-pkcs12-truststore --pem {cert_file} --out {truststore} --out-password {store_password}; fi"
+ )]
 }
 /// Generate a bash command to add a CA to the truststore that is passed to the JVM
-pub fn add_cert_to_jvm_trust_store_cmd(cert_file: &str) -> String {
+pub fn add_cert_to_jvm_trust_store_cmd(cert_file: &str) -> Vec {
 add_cert_to_trust_store_cmd(cert_file, "/stackable", STACKABLE_TRUST_STORE_PASSWORD)
 }
diff --git a/tests/templates/kuttl/ldap/20-assert.yaml b/tests/templates/kuttl/ldap/20-assert.yaml
index c947cc92..18d1e259 100644
--- a/tests/templates/kuttl/ldap/20-assert.yaml
+++ b/tests/templates/kuttl/ldap/20-assert.yaml
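Review bot: The new shell string in add_cert_to_trust_store_cmd interpolates `truststore`, `cert_file` and `store_password` unquoted, in the `[ -f {truststore} ]` test and in both cert-tools invocations, so a mount path containing a space or a shell metacharacter would change what the shell executes rather than fail cleanly. The values appear to be operator-derived (a SecretClass mount path plus constants), so the exposure is likely small, but quoting each interpolation, e.g. `[ -f '{truststore}' ]` and `--pem '{cert_file}'`, costs nothing and makes the command robust against unexpected paths. The store password also stays on the command line in both branches, which is pre-existing behaviour rather than something this commit introduces. The doc comment on `add_cert_to_jvm_trust_store_cmd` still says it generates "a bash command" although both functions now return a Vec; consider `/// Generate the bash command(s) to add a CA to the JVM truststore, returned as a Vec so callers can extend their command list.`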
@@ -3,4 +3,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
 commands:
 - script: kubectl exec -n $NAMESPACE test-druid-0 -- python /tmp/authcheck.py
-timeout: 60
+timeout: 180