
Commit d313a45

committed
feat: requestedSecretLifetime role group property added
1 parent 197effe commit d313a45


7 files changed

+60
-23
lines changed


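--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,13 +2,18 @@
 
 ## [Unreleased]
 
+### Added
+
+- Lifetime of auto generated certificates is configurable with the `requestedSecretLifetime` role group property ([#598])
+
 ### Fixed
 
 - BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be
 deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after
 restart ([#594]).
 
 [#594]: https://github.com/stackabletech/hbase-operator/pull/594
+[#598]: https://github.com/stackabletech/hbase-operator/pull/598
 
 ## [24.11.0] - 2024-11-18
 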
Cargo.lock

Lines changed: 4 additions & 15 deletions

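--- a/Cargo.toml
+++ b/Cargo.toml
@@ -27,5 +27,5 @@ strum = { version = "0.26", features = ["derive"] }
 tokio = { version = "1.40", features = ["full"] }
 tracing = "0.1"
 
-#[patch."https://github.com/stackabletech/operator-rs.git"]
-#stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+[patch."https://github.com/stackabletech/operator-rs.git"]
+stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/request-secret-lifetime" }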
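Review bot: The `[patch]` entry now tracks the mutable branch `feat/request-secret-lifetime` of operator-rs instead of a tag or `rev`, so what gets compiled into the operator depends on whatever that branch head is when the lockfile is next refreshed — a reproducibility and supply-chain gap for a dependency that ships in the image. Pin it with `rev = "<operator-rs commit sha>"` while the feature is unreleased, and state in the commit or a comment above the table that the patch is temporary and is to be dropped once the operator-rs change is released, so it is not forgotten like the previously commented-out `main` entry suggests it could be.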

deploy/helm/hbase-operator/crds/crds.yaml

Lines changed: 24 additions & 0 deletions
@@ -297,6 +297,10 @@ spec:
297297
nullable: true
298298
type: boolean
299299
type: object
300+
requestedSecretLifetime:
301+
description: Request secret (currently only auto certificates) lifetime from the secret operator.
302+
nullable: true
303+
type: string
300304
resources:
301305
default:
302306
cpu:
@@ -520,6 +524,10 @@ spec:
520524
nullable: true
521525
type: boolean
522526
type: object
527+
requestedSecretLifetime:
528+
description: Request secret (currently only auto certificates) lifetime from the secret operator.
529+
nullable: true
530+
type: string
523531
resources:
524532
default:
525533
cpu:
@@ -724,6 +732,10 @@ spec:
724732
nullable: true
725733
type: boolean
726734
type: object
735+
requestedSecretLifetime:
736+
description: Request secret (currently only auto certificates) lifetime from the secret operator.
737+
nullable: true
738+
type: string
727739
resources:
728740
default:
729741
cpu:
@@ -947,6 +959,10 @@ spec:
947959
nullable: true
948960
type: boolean
949961
type: object
962+
requestedSecretLifetime:
963+
description: Request secret (currently only auto certificates) lifetime from the secret operator.
964+
nullable: true
965+
type: string
950966
resources:
951967
default:
952968
cpu:
@@ -1151,6 +1167,10 @@ spec:
11511167
nullable: true
11521168
type: boolean
11531169
type: object
1170+
requestedSecretLifetime:
1171+
description: Request secret (currently only auto certificates) lifetime from the secret operator.
1172+
nullable: true
1173+
type: string
11541174
resources:
11551175
default:
11561176
cpu:
@@ -1374,6 +1394,10 @@ spec:
13741394
nullable: true
13751395
type: boolean
13761396
type: object
1397+
requestedSecretLifetime:
1398+
description: Request secret (currently only auto certificates) lifetime from the secret operator.
1399+
nullable: true
1400+
type: string
13771401
resources:
13781402
default:
13791403
cpu:

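--- a/rust/crd/src/lib.rs
+++ b/rust/crd/src/lib.rs
@@ -86,6 +86,9 @@ const DEFAULT_REGION_SERVER_GRACEFUL_SHUTDOWN_TIMEOUT: Duration =
 Duration::from_minutes_unchecked(60);
 const DEFAULT_REST_SERVER_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = Duration::from_minutes_unchecked(5);
 
+// Auto TLS certificate lifetime
+pub const DEFAULT_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
+
 #[derive(Snafu, Debug)]
 pub enum Error {
 #[snafu(display("the role [{role}] is invalid and does not exist in HBase"))]
@@ -316,6 +319,7 @@ impl HbaseRole {
 logging: product_logging::spec::default_logging(),
 affinity: get_affinity(cluster_name, self, hdfs_discovery_cm_name),
 graceful_shutdown_timeout: Some(graceful_shutdown_timeout),
+requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME),
 }
 }
 
@@ -410,6 +414,10 @@ pub struct HbaseConfig {
 /// Time period Pods have to gracefully shut down, e.g. `30m`, `1h` or `2d`. Consult the operator documentation for details.
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option<Duration>,
+
+/// Request secret (currently only auto certificates) lifetime from the secret operator.
+#[fragment_attrs(serde(default))]
+pub requested_secret_lifetime: Option<Duration>,
 }
 
 impl Configuration for HbaseConfigFragment {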
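Review bot: The doc comment on the new `requested_secret_lifetime` field in `HbaseConfig` gives neither the accepted format nor the default, unlike the `graceful_shutdown_timeout` comment directly above it, and this text is also what ends up as the CRD `description` in crds.yaml, so users see the same gap. Suggest `/// Request secret (currently only auto certificates) lifetime from the secret operator, e.g. `7d` or `30d`. Defaults to 7 days.` — the 7-day value is `DEFAULT_SECRET_LIFETIME`, which the role defaults in `impl HbaseRole` fill in. On the constant itself, the `// Auto TLS certificate lifetime` line should be a `///` doc comment, since `DEFAULT_SECRET_LIFETIME` is `pub` and is now consumed from the operator binary; stating there that it is only a request and that the secret-operator decides the lifetime actually granted would also be worthwhile, if that is indeed the contract (not visible in this diff).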

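--- a/rust/operator-binary/src/hbase_controller.rs
+++ b/rust/operator-binary/src/hbase_controller.rs
@@ -67,10 +67,10 @@ use strum::{EnumDiscriminants, IntoStaticStr, ParseError};
 
 use stackable_hbase_crd::{
 merged_env, Container, HbaseCluster, HbaseClusterStatus, HbaseConfig, HbaseConfigFragment,
-HbaseRole, APP_NAME, CONFIG_DIR_NAME, HBASE_ENV_SH, HBASE_HEAPSIZE, HBASE_MANAGES_ZK,
-HBASE_MASTER_OPTS, HBASE_REGIONSERVER_OPTS, HBASE_REST_OPTS, HBASE_REST_PORT_NAME_HTTP,
-HBASE_REST_PORT_NAME_HTTPS, HBASE_SITE_XML, JVM_HEAP_FACTOR, JVM_SECURITY_PROPERTIES_FILE,
-METRICS_PORT, SSL_CLIENT_XML, SSL_SERVER_XML,
+HbaseRole, APP_NAME, CONFIG_DIR_NAME, DEFAULT_SECRET_LIFETIME, HBASE_ENV_SH, HBASE_HEAPSIZE,
+HBASE_MANAGES_ZK, HBASE_MASTER_OPTS, HBASE_REGIONSERVER_OPTS, HBASE_REST_OPTS,
+HBASE_REST_PORT_NAME_HTTP, HBASE_REST_PORT_NAME_HTTPS, HBASE_SITE_XML, JVM_HEAP_FACTOR,
+JVM_SECURITY_PROPERTIES_FILE, METRICS_PORT, SSL_CLIENT_XML, SSL_SERVER_XML,
 };
 
 use crate::product_logging::STACKABLE_LOG_DIR;
@@ -986,8 +986,16 @@ fn build_rolegroup_statefulset(
 
 add_graceful_shutdown_config(config, &mut pod_builder).context(GracefulShutdownSnafu)?;
 if hbase.has_kerberos_enabled() {
-add_kerberos_pod_config(hbase, hbase_role, &mut hbase_container, &mut pod_builder)
-.context(AddKerberosConfigSnafu)?;
+add_kerberos_pod_config(
+hbase,
+hbase_role,
+&mut hbase_container,
+&mut pod_builder,
+config
+.requested_secret_lifetime
+.unwrap_or(DEFAULT_SECRET_LIFETIME),
+)
+.context(AddKerberosConfigSnafu)?;
 }
 pod_builder.add_container(hbase_container.build());
 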
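--- a/rust/operator-binary/src/kerberos.rs
+++ b/rust/operator-binary/src/kerberos.rs
@@ -15,6 +15,7 @@ use stackable_operator::{
 },
 },
 kube::{runtime::reflector::ObjectRef, ResourceExt},
+time::Duration,
 utils::cluster_info::KubernetesClusterInfo,
 };
 
@@ -232,6 +233,7 @@ pub fn add_kerberos_pod_config(
 role: &HbaseRole,
 cb: &mut ContainerBuilder,
 pb: &mut PodBuilder,
+requested_secret_lifetime: Duration,
 ) -> Result<(), Error> {
 if let Some(kerberos_secret_class) = hbase.kerberos_secret_class() {
 // Mount keytab
@@ -270,6 +272,7 @@ pub fn add_kerberos_pod_config(
 .with_node_scope()
 .with_format(SecretFormat::TlsPkcs12)
 .with_tls_pkcs12_password(TLS_STORE_PASSWORD)
+.with_auto_tls_cert_lifetime(requested_secret_lifetime)
 .build()
 .context(AddTlsSecretVolumeSnafu)?,
 )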
