diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13f30106..342467ba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,11 @@ All notable changes to this project will be documented in this file.
 
 ### Fixed
 - SparkConnectServer: The `imagePullSecret` is now correctly passed to Spark executor pods ([#603]).
+- Previously we had a bug that could lead to missing certificates ([#611]).
+
+ This could be the case when you specified multiple CAs in your SecretClass.
+ We now correctly handle multiple certificates in this cases.
+ See [this GitHub issue](https://github.com/stackabletech/issues/issues/764) for details
 
 ### Removed
 
@@ -22,6 +27,7 @@ All notable changes to this project will be documented in this file.
 [#603]: https://github.com/stackabletech/spark-k8s-operator/pull/603
 [#608]: https://github.com/stackabletech/spark-k8s-operator/pull/608
 [#610]: https://github.com/stackabletech/spark-k8s-operator/pull/610
+[#611]: https://github.com/stackabletech/spark-k8s-operator/pull/611
 
 ## [25.7.0] - 2025-07-23
 
diff --git a/rust/operator-binary/src/crd/constants.rs b/rust/operator-binary/src/crd/constants.rs
index 7e32e392..a278d973 100644
--- a/rust/operator-binary/src/crd/constants.rs
+++ b/rust/operator-binary/src/crd/constants.rs
@@ -38,11 +38,9 @@ pub const METRICS_PROPERTIES_FILE: &str = "metrics.properties";
 pub const ACCESS_KEY_ID: &str = "accessKey";
 pub const SECRET_ACCESS_KEY: &str = "secretKey";
 pub const S3_SECRET_DIR_NAME: &str = "/stackable/secrets";
-pub const SYSTEM_TRUST_STORE: &str = "/etc/pki/java/cacerts";
 pub const STACKABLE_TRUST_STORE: &str = "/stackable/truststore";
 pub const STACKABLE_TRUST_STORE_NAME: &str = "stackable-truststore";
 pub const STACKABLE_TLS_STORE_PASSWORD: &str = "changeit";
-pub const SYSTEM_TRUST_STORE_PASSWORD: &str = "changeit";
 pub const STACKABLE_MOUNT_PATH_TLS: &str = "/stackable/mount_server_tls";
 pub const MIN_MEMORY_OVERHEAD: u32 = 384;
 
diff --git a/rust/operator-binary/src/crd/tlscerts.rs b/rust/operator-binary/src/crd/tlscerts.rs
index ab2be779..6de932aa 100644
--- a/rust/operator-binary/src/crd/tlscerts.rs
+++ b/rust/operator-binary/src/crd/tlscerts.rs
@@ -6,10 +6,7 @@ use stackable_operator::{
 };
 
 use crate::crd::{
- constants::{
- STACKABLE_MOUNT_PATH_TLS, STACKABLE_TLS_STORE_PASSWORD, STACKABLE_TRUST_STORE,
- SYSTEM_TRUST_STORE, SYSTEM_TRUST_STORE_PASSWORD,
- },
+ constants::{STACKABLE_MOUNT_PATH_TLS, STACKABLE_TLS_STORE_PASSWORD, STACKABLE_TRUST_STORE},
 logdir::ResolvedLogDir,
 };
 
@@ -52,20 +49,17 @@ pub fn tls_secret_names<'a>(
 if names.is_empty() { None } else { Some(names) }
 }
 
-pub fn convert_system_trust_store_to_pkcs12() -> Vec {
- vec![format!(
- "keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE} -srcstoretype jks -srcstorepass {SYSTEM_TRUST_STORE_PASSWORD} -destkeystore {STACKABLE_TRUST_STORE}/truststore.p12 -deststoretype pkcs12 -deststorepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"
- )]
+pub fn convert_system_trust_store_to_pkcs12() -> String {
+ format!(
+ "cert-tools generate-pkcs12-truststore --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_TRUST_STORE}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"
+ )
 }
 
-pub fn import_truststore(secret_name: &str) -> Vec {
+pub fn import_truststore(secret_name: &str) -> String {
 let mount_trust_store_path = format!("{STACKABLE_MOUNT_PATH_TLS}/{secret_name}/truststore.p12");
 let trust_store_path = format!("{STACKABLE_TRUST_STORE}/truststore.p12");
 
- vec![
- format!("echo Importing [{mount_trust_store_path}] to [{trust_store_path}] ..."),
- format!(
- "keytool -importkeystore -srckeystore {mount_trust_store_path} -srcalias 1 -srcstorepass \"\" -destkeystore {trust_store_path} -destalias stackable-{secret_name} -storepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"
- ),
- ]
+ format!(
+ "cert-tools generate-pkcs12-truststore --pkcs12 {trust_store_path}:{STACKABLE_TLS_STORE_PASSWORD} --pkcs12 {mount_trust_store_path} --out {trust_store_path} --out-password {STACKABLE_TLS_STORE_PASSWORD}"
+ )
 }
diff --git a/rust/operator-binary/src/history/history_controller.rs b/rust/operator-binary/src/history/history_controller.rs
index b49513c2..7bf6cadf 100644
--- a/rust/operator-binary/src/history/history_controller.rs
+++ b/rust/operator-binary/src/history/history_controller.rs
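Review bot: `import_truststore` hands cert-tools the same file as both an input (`--pkcs12 {trust_store_path}:…`) and the output (`--out {trust_store_path}`); unless cert-tools is known to read every input fully before it opens the output, this in-place rewrite can truncate the existing store and silently drop the CAs merged by earlier invocations — the same "missing certificates" symptom the changelog entry for #611 describes — and the per-secret loop in the spark_k8s_controller `init_containers` hunk repeats the rewrite once per cert_secret. Assuming these strings are joined into a shell script as the removed `echo` line implied, writing to a scratch file and moving it into place sidesteps the question: `--out {trust_store_path}.tmp && mv {trust_store_path}.tmp {trust_store_path}`. `secret_name` (and through it `mount_trust_store_path`) is still spliced unquoted into that command line; Kubernetes secret names are limited to DNS-subdomain characters, but if the value is read from the CR before any such validation, shell-quoting it is the cheaper guarantee. The literal `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` takes the place of the removed `SYSTEM_TRUST_STORE` constant and belongs in constants.rs next to `STACKABLE_TRUST_STORE`, e.g. `pub const SYSTEM_CA_BUNDLE_PEM: &str = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem";`. Both functions also lack a doc comment; `/// Shell command that merges the truststore mounted for `secret_name` into the shared PKCS#12 store under STACKABLE_TRUST_STORE.` on `import_truststore`, with a matching line on the convert function, would tell callers what the returned string is for.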
@@ -720,9 +720,9 @@ fn command_args(logdir: &ResolvedLogDir) -> Vec {
 }
 
 if let Some(secret_name) = logdir.tls_secret_name() {
- command.extend(vec![format!("mkdir -p {STACKABLE_TRUST_STORE}")]);
- command.extend(tlscerts::convert_system_trust_store_to_pkcs12());
- command.extend(tlscerts::import_truststore(secret_name));
+ command.push(format!("mkdir -p {STACKABLE_TRUST_STORE}"));
+ command.push(tlscerts::convert_system_trust_store_to_pkcs12());
+ command.push(tlscerts::import_truststore(secret_name));
 }
 
 command.extend(vec![
diff --git a/rust/operator-binary/src/spark_k8s_controller.rs b/rust/operator-binary/src/spark_k8s_controller.rs
index 44e52329..6619d813 100644
--- a/rust/operator-binary/src/spark_k8s_controller.rs
+++ b/rust/operator-binary/src/spark_k8s_controller.rs
@@ -542,9 +542,9 @@ fn init_containers(
 
 let tls_container = match tlscerts::tls_secret_names(s3conn, logdir) {
 Some(cert_secrets) => {
- args.extend(tlscerts::convert_system_trust_store_to_pkcs12());
+ args.push(tlscerts::convert_system_trust_store_to_pkcs12());
 for cert_secret in cert_secrets {
- args.extend(tlscerts::import_truststore(cert_secret));
+ args.push(tlscerts::import_truststore(cert_secret));
 tcb.add_volume_mount(
 cert_secret,
 format!("{STACKABLE_MOUNT_PATH_TLS}/{cert_secret}"),
diff --git a/tests/templates/kuttl/delta-lake/40-assert.yaml b/tests/templates/kuttl/delta-lake/40-assert.yaml
index f9d38189..291073dc 100644
--- a/tests/templates/kuttl/delta-lake/40-assert.yaml
+++ b/tests/templates/kuttl/delta-lake/40-assert.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 900
 ---
 # The Job starting the whole process
 apiVersion: spark.stackable.tech/v1alpha1
diff --git a/tests/templates/kuttl/iceberg/10-assert.yaml.j2 b/tests/templates/kuttl/iceberg/10-assert.yaml.j2
index 0881ff10..40c9d4d2 100644
--- a/tests/templates/kuttl/iceberg/10-assert.yaml.j2
+++ b/tests/templates/kuttl/iceberg/10-assert.yaml.j2
@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 900
 ---
 # The Job starting the whole process
 apiVersion: spark.stackable.tech/v1alpha1
diff --git a/tests/templates/kuttl/overrides/06-assert.yaml b/tests/templates/kuttl/overrides/06-assert.yaml
index 9cbc442a..6d0f090a 100644
--- a/tests/templates/kuttl/overrides/06-assert.yaml
+++ b/tests/templates/kuttl/overrides/06-assert.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 900
 ---
 apiVersion: apps/v1
 kind: StatefulSet
diff --git a/tests/templates/kuttl/overrides/10-assert.yaml b/tests/templates/kuttl/overrides/10-assert.yaml
index d9397361..785637fb 100644
--- a/tests/templates/kuttl/overrides/10-assert.yaml
+++ b/tests/templates/kuttl/overrides/10-assert.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 600
 ---
 apiVersion: spark.stackable.tech/v1alpha1
 kind: SparkApplication
diff --git a/tests/templates/kuttl/resources/10-assert.yaml.j2 b/tests/templates/kuttl/resources/10-assert.yaml.j2
index 55c9e63c..4afdc9c5 100644
--- a/tests/templates/kuttl/resources/10-assert.yaml.j2
+++ b/tests/templates/kuttl/resources/10-assert.yaml.j2
@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 240
+timeout: 600
 ---
 apiVersion: v1
 kind: Pod
diff --git a/tests/templates/kuttl/resources/12-assert.yaml.j2 b/tests/templates/kuttl/resources/12-assert.yaml.j2
index 35ef7245..39d11548 100644
--- a/tests/templates/kuttl/resources/12-assert.yaml.j2
+++ b/tests/templates/kuttl/resources/12-assert.yaml.j2
@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 240
+timeout: 900
 ---
 apiVersion: v1
 kind: Pod
diff --git a/tests/templates/kuttl/spark-connect/10-assert.yaml b/tests/templates/kuttl/spark-connect/10-assert.yaml
index 6e2bd2a2..87f18f8a 100644
--- a/tests/templates/kuttl/spark-connect/10-assert.yaml
+++ b/tests/templates/kuttl/spark-connect/10-assert.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 600
+timeout: 900
 ---
 apiVersion: apps/v1
 kind: StatefulSet
diff --git a/tests/templates/kuttl/spark-ny-public-s3/10-assert.yaml b/tests/templates/kuttl/spark-ny-public-s3/10-assert.yaml
index 6148e6a0..6e532520 100644
--- a/tests/templates/kuttl/spark-ny-public-s3/10-assert.yaml
+++ b/tests/templates/kuttl/spark-ny-public-s3/10-assert.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 300
+timeout: 900
 ---
 # The Job starting the whole process
 apiVersion: spark.stackable.tech/v1alpha1