diff --git a/CHANGELOG.md b/CHANGELOG.md index 956fd192..958124b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,16 @@ All notable changes to this project will be documented in this file. - Helm: Allow Pod `priorityClassName` to be configured ([#633]). +### Fixed + +- Previously we had a bug that could lead to missing certificates ([#636]). + + This could be the case when you specified multiple CAs in your SecretClass. + We now correctly handle multiple certificates in this cases. + See [this GitHub issue](https://github.com/stackabletech/issues/issues/764) for details + [#633]: https://github.com/stackabletech/hive-operator/pull/633 +[#636]: https://github.com/stackabletech/hive-operator/pull/636 ## [25.7.0] - 2025-07-23 diff --git a/rust/operator-binary/src/command.rs b/rust/operator-binary/src/command.rs index 6e2ee9b3..4f8d1135 100644 --- a/rust/operator-binary/src/command.rs +++ b/rust/operator-binary/src/command.rs @@ -4,7 +4,7 @@ use crate::crd::{ DB_PASSWORD_ENV, DB_PASSWORD_PLACEHOLDER, DB_USERNAME_ENV, DB_USERNAME_PLACEHOLDER, HIVE_METASTORE_LOG4J2_PROPERTIES, HIVE_SITE_XML, STACKABLE_CONFIG_DIR, STACKABLE_CONFIG_MOUNT_DIR, STACKABLE_LOG_CONFIG_MOUNT_DIR, STACKABLE_TRUST_STORE, - STACKABLE_TRUST_STORE_PASSWORD, SYSTEM_TRUST_STORE, SYSTEM_TRUST_STORE_PASSWORD, v1alpha1, + STACKABLE_TRUST_STORE_PASSWORD, v1alpha1, }; pub fn build_container_command_args( @@ -32,7 +32,7 @@ pub fn build_container_command_args( ), // Copy system truststore to stackable truststore format!( - "keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE} -srcstoretype jks -srcstorepass {SYSTEM_TRUST_STORE_PASSWORD} -destkeystore {STACKABLE_TRUST_STORE} -deststoretype pkcs12 -deststorepass {STACKABLE_TRUST_STORE_PASSWORD} -noprompt" + "cert-tools generate-pkcs12-truststore --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_TRUST_STORE} --out-password {STACKABLE_TRUST_STORE_PASSWORD}" ), ]; 
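Review bot: In the `@@ -32,7 +32,7` hunk the PEM bundle path `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` becomes a bare literal inside the shell string, while the path it replaces lived in the named constant `SYSTEM_TRUST_STORE` that this commit deletes; I would keep it as a constant next to `STACKABLE_TRUST_STORE`, e.g. `pub const SYSTEM_TRUST_STORE_PEM: &str = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem";`, and interpolate `{SYSTEM_TRUST_STORE_PEM}` here so the dependency on the image's ca-trust layout is visible in one place. The surviving comment `// Copy system truststore to stackable truststore` now describes a PEM-to-PKCS12 conversion rather than a keystore copy; `// Build the stackable PKCS12 truststore from the image's extracted system CA bundle` says what the new command does. The store password is still passed on the command line as before, which is tolerable for a truststore holding only public CA certificates, but a one-line comment stating that would stop the next reader from treating it as a leak. `build_container_command_args` starts before this hunk and continues after it, so I cannot see how the entries of `args` are joined; if they run as one shell script without `set -e`, a failed cert-tools call would leave no truststore and the container would still proceed — worth confirming.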
@@ -44,9 +44,10 @@ pub fn build_container_command_args( } if let Some(s3) = s3_connection_spec { - if let Some(ca_cert) = s3.tls.tls_ca_cert_mount_path() { - // The alias can not clash, as we only support a single S3Connection - args.push(format!("keytool -importcert -file {ca_cert} -alias stackable-s3-ca-cert -keystore {STACKABLE_TRUST_STORE} -storepass {STACKABLE_TRUST_STORE_PASSWORD} -noprompt")); + if let Some(ca_cert_file) = s3.tls.tls_ca_cert_mount_path() { + args.push(format!( + "cert-tools generate-pkcs12-truststore --pkcs12 {STACKABLE_TRUST_STORE}:{STACKABLE_TRUST_STORE_PASSWORD} --pem {ca_cert_file} --out {STACKABLE_TRUST_STORE} --out-password {STACKABLE_TRUST_STORE_PASSWORD}" + )); } } diff --git a/rust/operator-binary/src/crd/mod.rs b/rust/operator-binary/src/crd/mod.rs index 79f8db40..8af89d72 100644 --- a/rust/operator-binary/src/crd/mod.rs +++ b/rust/operator-binary/src/crd/mod.rs @@ -62,8 +62,6 @@ pub const METRICS_PORT_NAME: &str = "metrics"; pub const METRICS_PORT: u16 = 9084; // Certificates and trust stores -pub const SYSTEM_TRUST_STORE: &str = "/etc/pki/java/cacerts"; -pub const SYSTEM_TRUST_STORE_PASSWORD: &str = "changeit"; pub const STACKABLE_TRUST_STORE: &str = "/stackable/truststore.p12"; pub const STACKABLE_TRUST_STORE_PASSWORD: &str = "changeit";
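Review bot: In the `@@ -44,9 +44,10` hunk the new command reads the existing store via `--pkcs12 {STACKABLE_TRUST_STORE}:{STACKABLE_TRUST_STORE_PASSWORD}` and writes `--out {STACKABLE_TRUST_STORE}`, the same path, so the merge is only correct if cert-tools reads the input store completely before it opens the output; I cannot verify that from here, and either a `// cert-tools reads the input PKCS12 fully before writing --out, so updating in place is safe — TODO confirm` comment or writing to a temporary path and renaming would pin the assumption. `ca_cert_file` is still interpolated unquoted into the shell string, as it was with the keytool command; if the mount path can carry any user-influenced component (a SecretClass name, for instance), quoting it or validating it upstream is cheap insurance, and if it cannot, a comment saying so would settle the question. The removed alias comment also documented an implicit ordering: this step depends on the store produced by the earlier system-truststore command, which only the order of `args` guarantees, so `// Must run after the system truststore has been generated above` keeps that visible. `build_container_command_args` starts and ends outside this hunk.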