fix: Prevent missing certificates (#611)

* fix: Prevent missing certificates

* changelog

* test: Increase timeouts

Author: sbernauer

CHANGELOG.md

@@ -13,6 +13,11 @@ All notable changes to this project will be documented in this file.
 ### Fixed
 
 - SparkConnectServer: The `imagePullSecret` is now correctly passed to Spark executor pods ([#603]).
+- Previously we had a bug that could lead to missing certificates ([#611]).
+
+  This could be the case when you specified multiple CAs in your SecretClass.
+  We now correctly handle multiple certificates in this cases.
+  See [this GitHub issue](https://github.com/stackabletech/issues/issues/764) for details
 
 ### Removed
 
@@ -22,6 +27,7 @@ All notable changes to this project will be documented in this file.
 [#603]: https://github.com/stackabletech/spark-k8s-operator/pull/603
 [#608]: https://github.com/stackabletech/spark-k8s-operator/pull/608
 [#610]: https://github.com/stackabletech/spark-k8s-operator/pull/610
+[#611]: https://github.com/stackabletech/spark-k8s-operator/pull/611
 
 ## [25.7.0] - 2025-07-23
 

rust/operator-binary/src/crd/constants.rs

@@ -38,11 +38,9 @@ pub const METRICS_PROPERTIES_FILE: &str = "metrics.properties";
 pub const ACCESS_KEY_ID: &str = "accessKey";
 pub const SECRET_ACCESS_KEY: &str = "secretKey";
 pub const S3_SECRET_DIR_NAME: &str = "/stackable/secrets";
-pub const SYSTEM_TRUST_STORE: &str = "/etc/pki/java/cacerts";
 pub const STACKABLE_TRUST_STORE: &str = "/stackable/truststore";
 pub const STACKABLE_TRUST_STORE_NAME: &str = "stackable-truststore";
 pub const STACKABLE_TLS_STORE_PASSWORD: &str = "changeit";
-pub const SYSTEM_TRUST_STORE_PASSWORD: &str = "changeit";
 pub const STACKABLE_MOUNT_PATH_TLS: &str = "/stackable/mount_server_tls";
 
 pub const MIN_MEMORY_OVERHEAD: u32 = 384;

rust/operator-binary/src/crd/tlscerts.rs

@@ -6,10 +6,7 @@ use stackable_operator::{
 };
 
 use crate::crd::{
-    constants::{
-        STACKABLE_MOUNT_PATH_TLS, STACKABLE_TLS_STORE_PASSWORD, STACKABLE_TRUST_STORE,
-        SYSTEM_TRUST_STORE, SYSTEM_TRUST_STORE_PASSWORD,
-    },
+    constants::{STACKABLE_MOUNT_PATH_TLS, STACKABLE_TLS_STORE_PASSWORD, STACKABLE_TRUST_STORE},
     logdir::ResolvedLogDir,
 };
 
@@ -52,20 +49,17 @@ pub fn tls_secret_names<'a>(
     if names.is_empty() { None } else { Some(names) }
 }
 
-pub fn convert_system_trust_store_to_pkcs12() -> Vec<String> {
-    vec![format!(
-        "keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE} -srcstoretype jks -srcstorepass {SYSTEM_TRUST_STORE_PASSWORD} -destkeystore {STACKABLE_TRUST_STORE}/truststore.p12 -deststoretype pkcs12 -deststorepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"
-    )]
+pub fn convert_system_trust_store_to_pkcs12() -> String {
+    format!(
+        "cert-tools generate-pkcs12-truststore --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_TRUST_STORE}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"
+    )
 }
 
-pub fn import_truststore(secret_name: &str) -> Vec<String> {
+pub fn import_truststore(secret_name: &str) -> String {
     let mount_trust_store_path = format!("{STACKABLE_MOUNT_PATH_TLS}/{secret_name}/truststore.p12");
     let trust_store_path = format!("{STACKABLE_TRUST_STORE}/truststore.p12");
 
-    vec![
-        format!("echo Importing [{mount_trust_store_path}] to [{trust_store_path}] ..."),
-        format!(
-            "keytool -importkeystore -srckeystore {mount_trust_store_path} -srcalias 1 -srcstorepass \"\" -destkeystore {trust_store_path} -destalias stackable-{secret_name} -storepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"
-        ),
-    ]
+    format!(
+        "cert-tools generate-pkcs12-truststore --pkcs12 {trust_store_path}:{STACKABLE_TLS_STORE_PASSWORD} --pkcs12 {mount_trust_store_path} --out {trust_store_path} --out-password {STACKABLE_TLS_STORE_PASSWORD}"
+    )
 }

rust/operator-binary/src/history/history_controller.rs

@@ -720,9 +720,9 @@ fn command_args(logdir: &ResolvedLogDir) -> Vec<String> {
     }
 
     if let Some(secret_name) = logdir.tls_secret_name() {
-        command.extend(vec![format!("mkdir -p {STACKABLE_TRUST_STORE}")]);
-        command.extend(tlscerts::convert_system_trust_store_to_pkcs12());
-        command.extend(tlscerts::import_truststore(secret_name));
+        command.push(format!("mkdir -p {STACKABLE_TRUST_STORE}"));
+        command.push(tlscerts::convert_system_trust_store_to_pkcs12());
+        command.push(tlscerts::import_truststore(secret_name));
     }
 
     command.extend(vec![

rust/operator-binary/src/spark_k8s_controller.rs

@@ -542,9 +542,9 @@ fn init_containers(
 
     let tls_container = match tlscerts::tls_secret_names(s3conn, logdir) {
         Some(cert_secrets) => {
-            args.extend(tlscerts::convert_system_trust_store_to_pkcs12());
+            args.push(tlscerts::convert_system_trust_store_to_pkcs12());
             for cert_secret in cert_secrets {
-                args.extend(tlscerts::import_truststore(cert_secret));
+                args.push(tlscerts::import_truststore(cert_secret));
                 tcb.add_volume_mount(
                     cert_secret,
                     format!("{STACKABLE_MOUNT_PATH_TLS}/{cert_secret}"),

tests/templates/kuttl/delta-lake/40-assert.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 900
 ---
 # The Job starting the whole process
 apiVersion: spark.stackable.tech/v1alpha1

tests/templates/kuttl/iceberg/10-assert.yaml.j2

@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 900
 ---
 # The Job starting the whole process
 apiVersion: spark.stackable.tech/v1alpha1

tests/templates/kuttl/overrides/06-assert.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 900
 ---
 apiVersion: apps/v1
 kind: StatefulSet

tests/templates/kuttl/overrides/10-assert.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 600
 ---
 apiVersion: spark.stackable.tech/v1alpha1
 kind: SparkApplication

tests/templates/kuttl/resources/10-assert.yaml.j2

@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 240
+timeout: 600
 ---
 apiVersion: v1
 kind: Pod