fix: Prevent missing certificates (#844)

* fix: Prevent missing certificates

* changelog

* chore: Increase test timeouts

Author: sbernauer

CHANGELOG.md

@@ -8,7 +8,16 @@ All notable changes to this project will be documented in this file.
 
 - Helm: Allow Pod `priorityClassName` to be configured ([#840]).
 
+### Fixed
+
+- Previously we had a bug that could lead to missing certificates ([#844]).
+
+  This could be the case when you specified multiple CAs in your SecretClass.
+  We now correctly handle multiple certificates in this cases.
+  See [this GitHub issue](https://github.com/stackabletech/issues/issues/764) for details
+
 [#840]: https://github.com/stackabletech/nifi-operator/pull/840
+[#844]: https://github.com/stackabletech/nifi-operator/pull/844
 
 ## [25.7.0] - 2025-07-23
 

rust/operator-binary/src/controller.rs

@@ -951,6 +951,9 @@ async fn build_node_rolegroup_statefulset(
         ));
     }
 
+    // Note(sbernauer): In https://github.com/stackabletech/issues/issues/764 we migrated all usages
+    // of keytool to our own cert-utils tool. As it uses the same code as secret-operator, it also
+    // uses RC2. Thus, the keytool usage here LGTM (no alias trickery) and has my nod of approval.
     prepare_args.extend(vec![
         // The source directory is a secret-op mount and we do not want to write / add anything in there
         // Therefore we import all the contents to a truststore in "writeable" empty dirs.

rust/operator-binary/src/security/authentication.rs

@@ -136,22 +136,14 @@ impl NifiAuthenticationConfig {
             }
             Self::Ldap { provider } => {
                 if let Some(ca_path) = provider.tls.tls_ca_cert_mount_path() {
-                    commands.extend(vec![
-                        "echo Adding LDAP tls cert to global truststore".to_string(),
-                        format!("keytool -importcert -file {ca_path} -keystore {STACKABLE_SERVER_TLS_DIR}/truststore.p12 -storetype pkcs12 -noprompt -alias ldap_ca_cert -storepass {STACKABLE_TLS_STORE_PASSWORD}"),
-                    ]);
+                    commands.push(add_cert_to_truststore(&ca_path, STACKABLE_SERVER_TLS_DIR));
                 }
             }
             Self::Oidc { provider, .. } => {
                 let (_, admin_password_file) = self.get_user_and_password_file_paths();
-                commands.extend(vec![
-                format!("export STACKABLE_ADMIN_PASSWORD=\"$(cat {admin_password_file} | java -jar /bin/stackable-bcrypt.jar)\""),
-                ]);
+                commands.push(format!("export STACKABLE_ADMIN_PASSWORD=\"$(cat {admin_password_file} | java -jar /bin/stackable-bcrypt.jar)\""));
                 if let Some(ca_path) = provider.tls.tls_ca_cert_mount_path() {
-                    commands.extend(vec![
-                        "echo Adding OIDC tls cert to global truststore".to_string(),
-                        format!("keytool -importcert -file {ca_path} -keystore {STACKABLE_SERVER_TLS_DIR}/truststore.p12 -storetype pkcs12 -noprompt -alias oidc_ca_cert -storepass {STACKABLE_TLS_STORE_PASSWORD}"),
-                    ]);
+                    commands.push(add_cert_to_truststore(&ca_path, STACKABLE_SERVER_TLS_DIR));
                 }
             }
         }
@@ -259,6 +251,15 @@ impl NifiAuthenticationConfig {
     }
 }
 
+/// Adds a PEM file to configured PKCS12 truststore (using the [`STACKABLE_TLS_STORE_PASSWORD`]
+/// password)
+fn add_cert_to_truststore(cert_file: &str, destination_directory: &str) -> String {
+    let truststore = format!("{destination_directory}/truststore.p12");
+    format!(
+        "cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{STACKABLE_TLS_STORE_PASSWORD} --pem {cert_file} --out {truststore} --out-password {STACKABLE_TLS_STORE_PASSWORD}"
+    )
+}
+
 fn get_ldap_login_identity_provider(
     ldap: &ldap::v1alpha1::AuthenticationProvider,
 ) -> Result<String, Error> {

tests/templates/kuttl/external-access/30-assert.yaml

@@ -3,9 +3,9 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
 metadata:
   name: install-nifi
-timeout: 300
+timeout: 1200
 commands:
-  - script: kubectl -n $NAMESPACE wait --for=condition=available=true nificlusters.nifi.stackable.tech/test-nifi --timeout 301s
+  - script: kubectl -n $NAMESPACE wait --for=condition=available=true nificlusters.nifi.stackable.tech/test-nifi --timeout 1201s
 ---
 apiVersion: apps/v1
 kind: StatefulSet

tests/templates/kuttl/ldap/03-assert.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 1200
 ---
 apiVersion: apps/v1
 kind: StatefulSet

tests/templates/kuttl/smoke_v1/50-assert.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 1200
 ---
 apiVersion: apps/v1
 kind: StatefulSet

tests/templates/kuttl/smoke_v2/50-assert.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 1200
 ---
 apiVersion: apps/v1
 kind: StatefulSet

tests/templates/kuttl/upgrade/03-assert.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 1200
 ---
 apiVersion: apps/v1
 kind: StatefulSet