fix: Prevent missing certificates

sbernauer · sbernauer · commit c7c4f5964cee · 2025-10-01T11:25:05.000+02:00
diff --git a/rust/operator-binary/src/crd/constants.rs b/rust/operator-binary/src/crd/constants.rs
@@ -38,11 +38,9 @@ pub const METRICS_PROPERTIES_FILE: &str = "metrics.properties";
 pub const ACCESS_KEY_ID: &str = "accessKey";
 pub const SECRET_ACCESS_KEY: &str = "secretKey";
 pub const S3_SECRET_DIR_NAME: &str = "/stackable/secrets";
-pub const SYSTEM_TRUST_STORE: &str = "/etc/pki/java/cacerts";
 pub const STACKABLE_TRUST_STORE: &str = "/stackable/truststore";
 pub const STACKABLE_TRUST_STORE_NAME: &str = "stackable-truststore";
 pub const STACKABLE_TLS_STORE_PASSWORD: &str = "changeit";
-pub const SYSTEM_TRUST_STORE_PASSWORD: &str = "changeit";
 pub const STACKABLE_MOUNT_PATH_TLS: &str = "/stackable/mount_server_tls";
 
 pub const MIN_MEMORY_OVERHEAD: u32 = 384;
diff --git a/rust/operator-binary/src/crd/tlscerts.rs b/rust/operator-binary/src/crd/tlscerts.rs
@@ -6,10 +6,7 @@ use stackable_operator::{
 };
 
 use crate::crd::{
-    constants::{
-        STACKABLE_MOUNT_PATH_TLS, STACKABLE_TLS_STORE_PASSWORD, STACKABLE_TRUST_STORE,
-        SYSTEM_TRUST_STORE, SYSTEM_TRUST_STORE_PASSWORD,
-    },
+    constants::{STACKABLE_MOUNT_PATH_TLS, STACKABLE_TLS_STORE_PASSWORD, STACKABLE_TRUST_STORE},
     logdir::ResolvedLogDir,
 };
 
@@ -52,20 +49,17 @@ pub fn tls_secret_names<'a>(
     if names.is_empty() { None } else { Some(names) }
 }
 
-pub fn convert_system_trust_store_to_pkcs12() -> Vec<String> {
-    vec![format!(
-        "keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE} -srcstoretype jks -srcstorepass {SYSTEM_TRUST_STORE_PASSWORD} -destkeystore {STACKABLE_TRUST_STORE}/truststore.p12 -deststoretype pkcs12 -deststorepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"
-    )]
+pub fn convert_system_trust_store_to_pkcs12() -> String {
+    format!(
+        "cert-tools generate-pkcs12-truststore --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_TRUST_STORE}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"
+    )
 }
 
-pub fn import_truststore(secret_name: &str) -> Vec<String> {
+pub fn import_truststore(secret_name: &str) -> String {
     let mount_trust_store_path = format!("{STACKABLE_MOUNT_PATH_TLS}/{secret_name}/truststore.p12");
     let trust_store_path = format!("{STACKABLE_TRUST_STORE}/truststore.p12");
 
-    vec![
-        format!("echo Importing [{mount_trust_store_path}] to [{trust_store_path}] ..."),
-        format!(
-            "keytool -importkeystore -srckeystore {mount_trust_store_path} -srcalias 1 -srcstorepass \"\" -destkeystore {trust_store_path} -destalias stackable-{secret_name} -storepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"
-        ),
-    ]
+    format!(
+        "cert-tools generate-pkcs12-truststore --pkcs12 {trust_store_path}:{STACKABLE_TLS_STORE_PASSWORD} --pkcs12 {mount_trust_store_path} --out {trust_store_path} --out-password {STACKABLE_TLS_STORE_PASSWORD}"
+    )
 }
diff --git a/rust/operator-binary/src/history/history_controller.rs b/rust/operator-binary/src/history/history_controller.rs
@@ -720,9 +720,9 @@ fn command_args(logdir: &ResolvedLogDir) -> Vec<String> {
     }
 
     if let Some(secret_name) = logdir.tls_secret_name() {
-        command.extend(vec![format!("mkdir -p {STACKABLE_TRUST_STORE}")]);
-        command.extend(tlscerts::convert_system_trust_store_to_pkcs12());
-        command.extend(tlscerts::import_truststore(secret_name));
+        command.push(format!("mkdir -p {STACKABLE_TRUST_STORE}"));
+        command.push(tlscerts::convert_system_trust_store_to_pkcs12());
+        command.push(tlscerts::import_truststore(secret_name));
     }
 
     command.extend(vec![
diff --git a/rust/operator-binary/src/spark_k8s_controller.rs b/rust/operator-binary/src/spark_k8s_controller.rs
@@ -542,9 +542,9 @@ fn init_containers(
 
     let tls_container = match tlscerts::tls_secret_names(s3conn, logdir) {
         Some(cert_secrets) => {
-            args.extend(tlscerts::convert_system_trust_store_to_pkcs12());
+            args.push(tlscerts::convert_system_trust_store_to_pkcs12());
             for cert_secret in cert_secrets {
-                args.extend(tlscerts::import_truststore(cert_secret));
+                args.push(tlscerts::import_truststore(cert_secret));
                 tcb.add_volume_mount(
                     cert_secret,
                     format!("{STACKABLE_MOUNT_PATH_TLS}/{cert_secret}"),

Original file line number	Diff line number	Diff line change
`@@ -720,9 +720,9 @@ fn command_args(logdir: &ResolvedLogDir) -> Vec<String> {`
`720`	`720`	`}`
`721`	`721`
`722`	`722`	`if let Some(secret_name) = logdir.tls_secret_name() {`
`723`		`- command.extend(vec![format!("mkdir -p {STACKABLE_TRUST_STORE}")]);`
`724`		`- command.extend(tlscerts::convert_system_trust_store_to_pkcs12());`
`725`		`- command.extend(tlscerts::import_truststore(secret_name));`
	`723`	`+ command.push(format!("mkdir -p {STACKABLE_TRUST_STORE}"));`
	`724`	`+ command.push(tlscerts::convert_system_trust_store_to_pkcs12());`
	`725`	`+ command.push(tlscerts::import_truststore(secret_name));`
`726`	`726`	`}`
`727`	`727`
`728`	`728`	`command.extend(vec![`