stackabletech · razvan · Dec 4, 2024 · Nov 28, 2024 · Nov 29, 2024 · Nov 29, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,13 +2,18 @@
 
 ## [Unreleased]
 
+### Added
+
+- Lifetime of auto generated certificates is configurable with the `requestedSecretLifetime` role group property ([#598])
+
 ### Fixed
 
 - BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be
   deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after
   restart ([#594]).
 
 [#594]: https://github.com/stackabletech/hbase-operator/pull/594
+[#598]: https://github.com/stackabletech/hbase-operator/pull/598
 
 ## [24.11.0] - 2024-11-18
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,5 +27,5 @@ strum = { version = "0.26", features = ["derive"] }
 tokio = { version = "1.40", features = ["full"] }
 tracing = "0.1"
 
-#[patch."https://github.com/stackabletech/operator-rs.git"]
-#stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+[patch."https://github.com/stackabletech/operator-rs.git"]
+stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/request-secret-lifetime" }
diff --git a/deploy/helm/hbase-operator/crds/crds.yaml b/deploy/helm/hbase-operator/crds/crds.yaml
@@ -297,6 +297,10 @@ spec:
                               nullable: true
                               type: boolean
                           type: object
+                        requestedSecretLifetime:
+                          description: Request secret (currently only auto certificates) lifetime from the secret operator.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -520,6 +524,10 @@ spec:
                                     nullable: true
                                     type: boolean
                                 type: object
+                              requestedSecretLifetime:
+                                description: Request secret (currently only auto certificates) lifetime from the secret operator.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:
@@ -724,6 +732,10 @@ spec:
                               nullable: true
                               type: boolean
                           type: object
+                        requestedSecretLifetime:
+                          description: Request secret (currently only auto certificates) lifetime from the secret operator.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -947,6 +959,10 @@ spec:
                                     nullable: true
                                     type: boolean
                                 type: object
+                              requestedSecretLifetime:
+                                description: Request secret (currently only auto certificates) lifetime from the secret operator.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:
@@ -1151,6 +1167,10 @@ spec:
                               nullable: true
                               type: boolean
                           type: object
+                        requestedSecretLifetime:
+                          description: Request secret (currently only auto certificates) lifetime from the secret operator.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -1374,6 +1394,10 @@ spec:
                                     nullable: true
                                     type: boolean
                                 type: object
+                              requestedSecretLifetime:
+                                description: Request secret (currently only auto certificates) lifetime from the secret operator.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:

diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
@@ -86,6 +86,9 @@ const DEFAULT_REGION_SERVER_GRACEFUL_SHUTDOWN_TIMEOUT: Duration =
     Duration::from_minutes_unchecked(60);
 const DEFAULT_REST_SERVER_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = Duration::from_minutes_unchecked(5);
 
+// Auto TLS certificate lifetime
+pub const DEFAULT_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
+
 #[derive(Snafu, Debug)]
 pub enum Error {
     #[snafu(display("the role [{role}] is invalid and does not exist in HBase"))]
@@ -316,6 +319,7 @@ impl HbaseRole {
             logging: product_logging::spec::default_logging(),
             affinity: get_affinity(cluster_name, self, hdfs_discovery_cm_name),
             graceful_shutdown_timeout: Some(graceful_shutdown_timeout),
+            requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME),
         }
     }
 
@@ -410,6 +414,10 @@ pub struct HbaseConfig {
     /// Time period Pods have to gracefully shut down, e.g. `30m`, `1h` or `2d`. Consult the operator documentation for details.
     #[fragment_attrs(serde(default))]
     pub graceful_shutdown_timeout: Option<Duration>,
+
+    /// Request secret (currently only auto certificates) lifetime from the secret operator.
+    #[fragment_attrs(serde(default))]
+    pub requested_secret_lifetime: Option<Duration>,
 }
 
 impl Configuration for HbaseConfigFragment {

diff --git a/rust/operator-binary/src/hbase_controller.rs b/rust/operator-binary/src/hbase_controller.rs
@@ -67,10 +67,10 @@ use strum::{EnumDiscriminants, IntoStaticStr, ParseError};
 
 use stackable_hbase_crd::{
     merged_env, Container, HbaseCluster, HbaseClusterStatus, HbaseConfig, HbaseConfigFragment,
-    HbaseRole, APP_NAME, CONFIG_DIR_NAME, HBASE_ENV_SH, HBASE_HEAPSIZE, HBASE_MANAGES_ZK,
-    HBASE_MASTER_OPTS, HBASE_REGIONSERVER_OPTS, HBASE_REST_OPTS, HBASE_REST_PORT_NAME_HTTP,
-    HBASE_REST_PORT_NAME_HTTPS, HBASE_SITE_XML, JVM_HEAP_FACTOR, JVM_SECURITY_PROPERTIES_FILE,
-    METRICS_PORT, SSL_CLIENT_XML, SSL_SERVER_XML,
+    HbaseRole, APP_NAME, CONFIG_DIR_NAME, DEFAULT_SECRET_LIFETIME, HBASE_ENV_SH, HBASE_HEAPSIZE,
+    HBASE_MANAGES_ZK, HBASE_MASTER_OPTS, HBASE_REGIONSERVER_OPTS, HBASE_REST_OPTS,
+    HBASE_REST_PORT_NAME_HTTP, HBASE_REST_PORT_NAME_HTTPS, HBASE_SITE_XML, JVM_HEAP_FACTOR,
+    JVM_SECURITY_PROPERTIES_FILE, METRICS_PORT, SSL_CLIENT_XML, SSL_SERVER_XML,
 };
 
 use crate::product_logging::STACKABLE_LOG_DIR;
@@ -986,8 +986,16 @@ fn build_rolegroup_statefulset(
 
     add_graceful_shutdown_config(config, &mut pod_builder).context(GracefulShutdownSnafu)?;
     if hbase.has_kerberos_enabled() {
-        add_kerberos_pod_config(hbase, hbase_role, &mut hbase_container, &mut pod_builder)
-            .context(AddKerberosConfigSnafu)?;
+        add_kerberos_pod_config(
+            hbase,
+            hbase_role,
+            &mut hbase_container,
+            &mut pod_builder,
+            config
+                .requested_secret_lifetime
+                .unwrap_or(DEFAULT_SECRET_LIFETIME),
+        )
+        .context(AddKerberosConfigSnafu)?;
     }
     pod_builder.add_container(hbase_container.build());
 

diff --git a/rust/operator-binary/src/kerberos.rs b/rust/operator-binary/src/kerberos.rs
@@ -15,6 +15,7 @@ use stackable_operator::{
         },
     },
     kube::{runtime::reflector::ObjectRef, ResourceExt},
+    time::Duration,
     utils::cluster_info::KubernetesClusterInfo,
 };
 
@@ -232,6 +233,7 @@ pub fn add_kerberos_pod_config(
     role: &HbaseRole,
     cb: &mut ContainerBuilder,
     pb: &mut PodBuilder,
+    requested_secret_lifetime: Duration,
 ) -> Result<(), Error> {
     if let Some(kerberos_secret_class) = hbase.kerberos_secret_class() {
         // Mount keytab
@@ -270,6 +272,7 @@ pub fn add_kerberos_pod_config(
                         .with_node_scope()
                         .with_format(SecretFormat::TlsPkcs12)
                         .with_tls_pkcs12_password(TLS_STORE_PASSWORD)
+                        .with_auto_tls_cert_lifetime(requested_secret_lifetime)
                         .build()
                         .context(AddTlsSecretVolumeSnafu)?,
                 )