6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.

## [Unreleased]

### Added

- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup
config property `requestedSecretLifetime`. This helps reduce frequent Pod restarts ([#676]).

### Fixed

- Fix OIDC endpoint construction in case the `rootPath` does have a trailing slash ([#673]).
Expand All @@ -13,6 +18,7 @@ All notable changes to this project will be documented in this file.

[#672]: https://github.com/stackabletech/trino-operator/pull/672
[#673]: https://github.com/stackabletech/trino-operator/pull/673
[#676]: https://github.com/stackabletech/trino-operator/pull/676

## [24.11.0] - 2024-11-18

25 changes: 7 additions & 18 deletions Cargo.lock

6 changes: 3 additions & 3 deletions Cargo.toml
Expand Up @@ -24,12 +24,12 @@ serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
serde_yaml = "0.9"
snafu = "0.8"
stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.82.0" }
stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.83.0" }
product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" }
strum = { version = "0.26", features = ["derive"] }
tokio = { version = "1.40", features = ["full"] }
tracing = "0.1"

# [patch."https://github.com/stackabletech/operator-rs.git"]
# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
#[patch."https://github.com/stackabletech/operator-rs.git"]
#stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
# stackable-operator = { path = "../operator-rs/crates/stackable-operator" }
16 changes: 16 additions & 0 deletions deploy/helm/trino-operator/crds/crds.yaml
Expand Up @@ -297,6 +297,10 @@ spec:
queryMaxMemoryPerNode:
nullable: true
type: string
requestedSecretLifetime:
description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
nullable: true
type: string
resources:
default:
cpu:
Expand Down Expand Up @@ -566,6 +570,10 @@ spec:
queryMaxMemoryPerNode:
nullable: true
type: string
requestedSecretLifetime:
description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
nullable: true
type: string
resources:
default:
cpu:
Expand Down Expand Up @@ -864,6 +872,10 @@ spec:
queryMaxMemoryPerNode:
nullable: true
type: string
requestedSecretLifetime:
description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
nullable: true
type: string
resources:
default:
cpu:
Expand Down Expand Up @@ -1133,6 +1145,10 @@ spec:
queryMaxMemoryPerNode:
nullable: true
type: string
requestedSecretLifetime:
description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
nullable: true
type: string
resources:
default:
cpu:
6 changes: 6 additions & 0 deletions rust/crd/src/lib.rs
Expand Up @@ -432,9 +432,14 @@ pub struct TrinoConfig {
/// Time period Pods have to gracefully shut down, e.g. `30m`, `1h` or `2d`. Consult the operator documentation for details.
#[fragment_attrs(serde(default))]
pub graceful_shutdown_timeout: Option<Duration>,
/// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
/// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
#[fragment_attrs(serde(default))]
pub requested_secret_lifetime: Option<Duration>,
}

impl TrinoConfig {
const DEFAULT_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
fn default_config(
cluster_name: &str,
role: &TrinoRole,
Expand Down Expand Up @@ -472,6 +477,7 @@ impl TrinoConfig {
query_max_memory: None,
query_max_memory_per_node: None,
graceful_shutdown_timeout: Some(graceful_shutdown_timeout),
requested_secret_lifetime: Some(Self::DEFAULT_SECRET_LIFETIME),
}
}
}
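Review bot: `DEFAULT_SECRET_LIFETIME` in `impl TrinoConfig` has no doc comment, and the new field doc on `requested_secret_lifetime` does not tell the user what applies when the property is omitted, even though `default_config` fills in the constant. Suggest `/// Lifetime requested for auto-TLS certificates when `requestedSecretLifetime` is not set.` above the const and appending `/// Defaults to `7d`.` to the field doc so the CRD description carries the default too. The `from_days_unchecked` name suggests the constructor skips an overflow check; with a literal `7` that is harmless, but a short `// 7 days cannot overflow` comment would spare the next reader a lookup. A blank line between the const and `fn default_config` would match rustfmt's usual spacing. `default_config`'s signature and body continue outside the hunk.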
27 changes: 24 additions & 3 deletions rust/operator-binary/src/controller.rs
Expand Up @@ -124,6 +124,9 @@ const DOCKER_IMAGE_BASE_NAME: &str = "trino";
#[strum_discriminants(derive(IntoStaticStr))]
#[allow(clippy::enum_variant_names)]
pub enum Error {
#[snafu(display("missing secret lifetime"))]
MissingSecretLifetime,

#[snafu(display("object defines no namespace"))]
ObjectHasNoNamespace,

Expand Down Expand Up @@ -944,13 +947,17 @@ fn build_rolegroup_statefulset(
}),
);

let requested_secret_lifetime = merged_config
.requested_secret_lifetime
.context(MissingSecretLifetimeSnafu)?;
// add volume mounts depending on the client tls, internal tls, catalogs and authentication
tls_volume_mounts(
trino,
&mut pod_builder,
&mut cb_prepare,
&mut cb_trino,
catalogs,
&requested_secret_lifetime,
)?;

let mut prepare_args = vec![];
Expand Down Expand Up @@ -1486,13 +1493,18 @@ fn liveness_probe(trino: &TrinoCluster) -> Probe {
}
}

fn create_tls_volume(volume_name: &str, tls_secret_class: &str) -> Result<Volume> {
fn create_tls_volume(
volume_name: &str,
tls_secret_class: &str,
requested_secret_lifetime: &Duration,
) -> Result<Volume> {
Ok(VolumeBuilder::new(volume_name)
.ephemeral(
SecretOperatorVolumeSourceBuilder::new(tls_secret_class)
.with_pod_scope()
.with_node_scope()
.with_format(SecretFormat::TlsPkcs12)
.with_auto_tls_cert_lifetime(*requested_secret_lifetime)
.build()
.context(TlsCertSecretClassVolumeBuildSnafu)?,
)
Expand All @@ -1505,6 +1517,7 @@ fn tls_volume_mounts(
cb_prepare: &mut ContainerBuilder,
cb_trino: &mut ContainerBuilder,
catalogs: &[CatalogConfig],
requested_secret_lifetime: &Duration,
) -> Result<()> {
if let Some(server_tls) = trino.get_server_tls() {
cb_prepare
Expand All @@ -1514,7 +1527,11 @@ fn tls_volume_mounts(
.add_volume_mount("server-tls-mount", STACKABLE_MOUNT_SERVER_TLS_DIR)
.context(AddVolumeMountSnafu)?;
pod_builder
.add_volume(create_tls_volume("server-tls-mount", server_tls)?)
.add_volume(create_tls_volume(
"server-tls-mount",
server_tls,
requested_secret_lifetime,
)?)
.context(AddVolumeSnafu)?;
}

Expand Down Expand Up @@ -1546,7 +1563,11 @@ fn tls_volume_mounts(
.add_volume_mount("internal-tls-mount", STACKABLE_MOUNT_INTERNAL_TLS_DIR)
.context(AddVolumeMountSnafu)?;
pod_builder
.add_volume(create_tls_volume("internal-tls-mount", internal_tls)?)
.add_volume(create_tls_volume(
"internal-tls-mount",
internal_tls,
requested_secret_lifetime,
)?)
.context(AddVolumeSnafu)?;

cb_prepare
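Review bot: `create_tls_volume` takes `requested_secret_lifetime: &Duration` and immediately copies it out with `*requested_secret_lifetime` at the `with_auto_tls_cert_lifetime` call, which suggests `Duration` is `Copy`; if it is, taking it by value (`requested_secret_lifetime: Duration`) in both `create_tls_volume` and `tls_volume_mounts` and dropping the `&` at the `build_rolegroup_statefulset` call site removes the reference noise, including in the two `add_volume(create_tls_volume(...))` blocks. The `MissingSecretLifetime` variant can only fire if the merged config lost the value that `default_config` supplies, but its display text `missing secret lifetime` gives no hint of that; `#[snafu(display("merged config has no requested secret lifetime, expected the role default to be applied"))]` would make the reconcile error easier to triage. The `build_rolegroup_statefulset` hunk and both `tls_volume_mounts` hunks start or end outside the visible lines.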