Conversation

@sbernauer sbernauer commented Sep 11, 2025

Description

Part of stackabletech/issues#764

How to test

Create problem

```shell
stackablectl op in commons listener secret trino
# kind load docker-image oci.stackable.tech/sdp/trino:476-stackable0.0.0-dev-with-merger
kubectl apply -f _WORK/trino.yaml
```

_WORK/trino.yaml:

```yaml
apiVersion: trino.stackable.tech/v1alpha1
kind: TrinoCluster
metadata:
  name: trino
spec:
  image:
    productVersion: "476"
    # custom: oci.stackable.tech/sdp/trino:476-stackable0.0.0-dev-with-merger
    # pullPolicy: Never
  clusterConfig:
    tls:
      serverSecretClass: short-tls
    catalogLabelSelector:
      matchLabels:
        trino: simple-trino
  coordinators:
    roleConfig:
      listenerClass: external-unstable
    roleGroups:
      default:
        replicas: 1
  workers:
    roleGroups:
      default:
        replicas: 1
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: short-tls
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-short-tls-ca
          namespace: stackable-operators
        autoGenerate: true
        caCertificateLifetime: 1m
```

The Trino Pod will not come up because of `backend failed to get secret data: failed to pick a CA: no CA in Secret.v1./secret-provisioner-short-tls-ca.stackable-operators will live until at least 2025-09-04 8:03:42.030007063 +00:00:00`.
That's totally expected!

Let's wait until the CA certificate Secrets have the desired amount of rotated certificates.

Afterwards increase the ca cert lifetime to start the Pod:

```shell
kubectl patch secretclass short-tls --type=merge --patch '{"spec": {"backend": {"autoTls": {"ca": {"caCertificateLifetime": "365d"}}}}}'
```

Congrats, your secret-op now did a certificate rotation and your Pod should start up (after some time for retries)!

Debug commands

```shell
keytool -list -storepass "" -keystore /certs/pkcs12-1/truststore.p12
openssl pkcs12 -password pass: -in /certs/pkcs12-1/truststore.p12
```

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes

Author

  • Changes are OpenShift compatible
  • CRD changes approved
  • CRD documentation for all fields, following the style guide.
  • Helm chart can be installed and deployed operator works
  • Integration tests passed (for non trivial changes)
  • Changes need to be "offline" compatible
  • Links to generated (nightly) docs added
  • Release note snippet added

Reviewer

  • Code contains useful comments
  • Code contains useful logging statements
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Links to generated (nightly) docs added
  • Release note snippet added
  • Add type/deprecation label & add to the deprecation schedule
  • Add type/experimental label & add to the experimental features tracker
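The failure mode that the test procedure above exercises (a CA whose `caCertificateLifetime` is shorter than the certificate a Pod asks for, followed by a rotation once the lifetime is raised) can be modelled in a few lines. The following is an added example and is not code from this PR or from secret-operator; it is a simplified model of autoTls CA selection, not the operator's actual algorithm. The duration grammar (`1m`, `24h`, `365d`, `1h30m`, integer plus `s`/`m`/`h`/`d`, concatenated) is an assumption, and the names `Ca`, `CaStore`, `pick_ca`, `truststore_names` and all timestamps are constructed for illustration.

```python
"""Simplified model of autoTls CA selection and rotation.

Added example, not secret-operator code. Assumptions: duration strings are
concatenated integer+unit tokens (s/m/h/d); a CA is usable for a leaf
certificate only if it outlives that leaf; when no CA is usable a new one is
generated (the autoGenerate: true path) and still-valid old CAs are kept so a
truststore built from the store trusts leaves signed by either CA.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> timedelta:
    """Parse '1m', '24h', '365d' or '1h30m' (assumed grammar, see module doc)."""
    text = text.strip()
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, 0
    for m in re.finditer(r"(\d+)([smhd])", text):
        if m.start() != pos:  # junk between tokens
            raise ValueError(f"invalid duration: {text!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos != len(text):  # trailing junk or no token at all
        raise ValueError(f"invalid duration: {text!r}")
    return timedelta(seconds=total)


@dataclass(frozen=True)
class Ca:
    name: str
    not_before: datetime
    not_after: datetime


def pick_ca(cas, cert_lifetime: timedelta, now: datetime) -> Ca:
    """Pick a CA that will outlive a leaf certificate issued at `now`.

    A CA that expires before the leaf would leave the Pod holding a cert whose
    issuer is gone from every truststore, so such CAs are never eligible. The
    error text mirrors the message quoted in the PR description.
    """
    must_live_until = now + cert_lifetime
    usable = [ca for ca in cas
              if ca.not_before <= now and ca.not_after >= must_live_until]
    if not usable:
        raise LookupError(
            f"failed to pick a CA: no CA will live until at least {must_live_until.isoformat()}")
    # Prefer the CA that expires last so the next rotation is as late as possible.
    return max(usable, key=lambda ca: ca.not_after)


class CaStore:
    """Constructed stand-in for the CA Secret (secret-provisioner-<class>-ca)."""

    def __init__(self, ca_lifetime: timedelta):
        self.ca_lifetime = ca_lifetime
        self.cas: list[Ca] = []

    def issue(self, cert_lifetime: timedelta, now: datetime) -> Ca:
        """Select a CA for a leaf requested at `now`, auto-generating one if needed."""
        try:
            return pick_ca(self.cas, cert_lifetime, now)
        except LookupError:
            new = Ca(f"ca-{len(self.cas)}", now, now + self.ca_lifetime)
            # Keep every CA that is still valid: leaves it signed are still in use.
            self.cas = [ca for ca in self.cas if ca.not_after > now] + [new]
            # Re-raises when the freshly generated CA is itself too short-lived
            # (the caCertificateLifetime: 1m situation from the test procedure).
            return pick_ca(self.cas, cert_lifetime, now)


def truststore_names(cas, now: datetime) -> list[str]:
    """Every CA a truststore must still contain at `now`: all not-yet-expired ones."""
    return [ca.name for ca in cas if ca.not_after > now]


if __name__ == "__main__":
    t0 = datetime(2025, 9, 4, 8, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = CaStore(parse_duration("1m"))
    try:
        store.issue(parse_duration("24h"), t0)
    except LookupError as err:
        print("expected:", err)
    store.ca_lifetime = parse_duration("365d")  # the kubectl patch from the procedure
    ca = store.issue(parse_duration("24h"), t0 + timedelta(seconds=30))
    print("issued by", ca.name, "truststore:", truststore_names(store.cas, t0 + timedelta(seconds=30)))
```

Running the script reproduces the two phases of the procedure: with a one-minute CA lifetime every issuance attempt generates a CA that is still too short to sign a 24h leaf, and the store accumulates rotated CAs; after the lifetime is raised the next attempt succeeds with a new long-lived CA while the still-valid short one stays in the truststore list, which is the property a Pod started across a rotation depends on.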

@sbernauer sbernauer changed the title fix: Certificate handling in case SecretClass has multiple CAs fix: Missing certificates Sep 17, 2025
@sbernauer sbernauer changed the title fix: Missing certificates fix: Prevent missing certificates Sep 17, 2025
@sbernauer sbernauer self-assigned this Sep 17, 2025
@sbernauer sbernauer moved this to Development: In Progress in Stackable Engineering Sep 17, 2025
@sbernauer sbernauer moved this from Development: In Progress to Development: Waiting for Review in Stackable Engineering Sep 17, 2025
@sbernauer sbernauer requested a review from a team September 22, 2025 06:37
@adwk67 adwk67 requested review from adwk67 and removed request for a team September 23, 2025 08:36
@adwk67 adwk67 moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Sep 23, 2025

@adwk67 adwk67 left a comment


Just nits, really. Ran the nightly tests locally and all 👍

sbernauer and others added 3 commits September 23, 2025 14:32
Co-authored-by: Andrew Kenworthy <1712947+adwk67@users.noreply.github.com>
Co-authored-by: Andrew Kenworthy <1712947+adwk67@users.noreply.github.com>
@sbernauer sbernauer requested a review from adwk67 September 23, 2025 12:35

@adwk67 adwk67 left a comment


LGTM

@sbernauer sbernauer enabled auto-merge September 23, 2025 12:46
@sbernauer sbernauer moved this from Development: In Review to Development: Done in Stackable Engineering Sep 23, 2025
@sbernauer sbernauer added this pull request to the merge queue Sep 23, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Sep 23, 2025
@sbernauer sbernauer added this pull request to the merge queue Sep 23, 2025
Merged via the queue into main with commit a2aed87 Sep 23, 2025
17 checks passed
@sbernauer sbernauer deleted the fix/certificate-handling branch September 23, 2025 14:03
@lfrancke lfrancke moved this from Development: Done to Done in Stackable Engineering Oct 6, 2025