From 40862c0f3b4bcccafa2b6911161b54a02cce8b08 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Thu, 11 Sep 2025 08:56:07 +0200 Subject: [PATCH 01/10] fix: Certificate handling in case SecretClass has multiple CAs --- _WORK/Dockerfile | 42 +++++++ _WORK/README.md | 27 ++++ _WORK/trino.yaml | 39 ++++++ .../src/authentication/oidc/mod.rs | 2 +- rust/operator-binary/src/catalog/commons.rs | 8 +- rust/operator-binary/src/command.rs | 116 +++--------------- rust/operator-binary/src/controller.rs | 3 +- .../src/crd/fault_tolerant_execution.rs | 6 +- rust/operator-binary/src/crd/mod.rs | 2 - 9 files changed, 131 insertions(+), 114 deletions(-) create mode 100644 _WORK/Dockerfile create mode 100644 _WORK/README.md create mode 100644 _WORK/trino.yaml diff --git a/_WORK/Dockerfile b/_WORK/Dockerfile new file mode 100644 index 00000000..bedac681 --- /dev/null +++ b/_WORK/Dockerfile @@ -0,0 +1,42 @@ +# FROM stackable/image/stackable-devel AS truststore-merger +FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:383329bf9c4f968e87e85d30ba3a5cb988a3bbde28b8e4932dcd3a025fd9c98c AS truststore-merger + + +RUN microdnf update -y +RUN microdnf install -y gcc findutils git +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y + +ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.7 +ENV CARGO_AUDITABLE_CRATE_VERSION=0.6.6 +RUN . "$HOME/.cargo/env" && cargo --locked --quiet install cargo-cyclonedx@"$CARGO_CYCLONEDX_CRATE_VERSION" cargo-auditable@"$CARGO_AUDITABLE_CRATE_VERSION" && rustup toolchain install + +RUN microdnf install -y openssl-devel pkg-config + + + + + + + + + + + + + +# TRASH ABOVE!!! + +# docker build . -t oci.stackable.tech/sdp/trino:476-stackable0.0.0-dev-with-merger + +RUN echo "invalidate cache 2 :)" + +RUN <, client: &Client, trino_version: u16, 
@@ -151,11 +151,7 @@ impl ExtendCatalogConfig for s3::v1alpha1::InlineConnectionOrReference {
             }) => {
                 if let Some(ca_cert) = s3.tls.tls_ca_cert_mount_path() {
                     catalog_config.init_container_extra_start_commands.extend(
-                        command::add_cert_to_truststore(
-                            &ca_cert,
-                            STACKABLE_CLIENT_TLS_DIR,
-                            &format!("{catalog_name}-ca-cert"),
-                        ),
+                        command::add_cert_to_truststore(&ca_cert, STACKABLE_CLIENT_TLS_DIR),
                     );
                 }
             }
diff --git a/rust/operator-binary/src/command.rs b/rust/operator-binary/src/command.rs
index 4b6791d5..f2e1a6f7 100644
--- a/rust/operator-binary/src/command.rs
+++ b/rust/operator-binary/src/command.rs
@@ -14,8 +14,7 @@ use crate::{
         CONFIG_DIR_NAME, Container, LOG_PROPERTIES, RW_CONFIG_DIR_NAME, STACKABLE_CLIENT_TLS_DIR,
         STACKABLE_INTERNAL_TLS_DIR, STACKABLE_MOUNT_INTERNAL_TLS_DIR, STACKABLE_MOUNT_SERVER_TLS_DIR,
         STACKABLE_SERVER_TLS_DIR, STACKABLE_TLS_STORE_PASSWORD,
-        SYSTEM_TRUST_STORE, SYSTEM_TRUST_STORE_PASSWORD, TrinoRole,
-        fault_tolerant_execution::ResolvedFaultTolerantExecutionConfig, v1alpha1,
+        TrinoRole, fault_tolerant_execution::ResolvedFaultTolerantExecutionConfig, v1alpha1,
     },
 };
 
@@ -43,38 +42,23 @@ pub fn container_prepare_args(
         ));
     }
 
+    // Create truststore that will be used when talking to external tools like S3
+    // It will be populated from the system truststore so that connections against public services like AWS S3 are still possible
+    args.push(format!("truststore-merger --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_CLIENT_TLS_DIR}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"));
+
     if trino.tls_enabled() {
-        args.extend(import_truststore(
-            STACKABLE_MOUNT_SERVER_TLS_DIR,
-            STACKABLE_SERVER_TLS_DIR,
-        ));
-        args.extend(import_keystore(
-            STACKABLE_MOUNT_SERVER_TLS_DIR,
-            STACKABLE_SERVER_TLS_DIR,
-        ));
+        args.push(format!("cp {STACKABLE_MOUNT_SERVER_TLS_DIR}/truststore.p12 {STACKABLE_SERVER_TLS_DIR}/truststore.p12"));
+        args.push(format!("cp {STACKABLE_MOUNT_SERVER_TLS_DIR}/keystore.p12 {STACKABLE_SERVER_TLS_DIR}/keystore.p12"));
     }
 
     if trino.get_internal_tls().is_some() {
-        args.extend(import_truststore(
-            STACKABLE_MOUNT_INTERNAL_TLS_DIR,
-            STACKABLE_INTERNAL_TLS_DIR,
-        ));
-        args.extend(import_keystore(
-            STACKABLE_MOUNT_INTERNAL_TLS_DIR,
-            STACKABLE_INTERNAL_TLS_DIR,
-        ));
+        args.push(format!("cp {STACKABLE_MOUNT_INTERNAL_TLS_DIR}/truststore.p12 {STACKABLE_INTERNAL_TLS_DIR}/truststore.p12"));
+        args.push(format!("cp {STACKABLE_MOUNT_INTERNAL_TLS_DIR}/keystore.p12 {STACKABLE_INTERNAL_TLS_DIR}/keystore.p12"));
         if trino.tls_enabled() {
-            args.extend(import_truststore(
-                STACKABLE_MOUNT_SERVER_TLS_DIR,
-                STACKABLE_INTERNAL_TLS_DIR,
-            ))
+            args.push(format!("truststore-merger --pkcs12 {STACKABLE_MOUNT_SERVER_TLS_DIR}/truststore.p12:{STACKABLE_TLS_STORE_PASSWORD} --pkcs12 {STACKABLE_INTERNAL_TLS_DIR}/truststore.p12:{STACKABLE_TLS_STORE_PASSWORD} --out {STACKABLE_INTERNAL_TLS_DIR}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"));
         }
     }
 
-    // Create truststore that will be used when talking to external tools like S3
-    // It will be populated from the system truststore so that connections against public services like AWS S3 are still possible
-    args.extend(import_system_truststore(STACKABLE_CLIENT_TLS_DIR));
-
     // Add the commands that are needed to set up the catalogs
     catalogs.iter().for_each(|catalog| {
         args.extend_from_slice(&catalog.init_container_extra_start_commands);
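Review bot: The merge on the inner `if trino.tls_enabled()` branch of the internal-TLS block names `{STACKABLE_INTERNAL_TLS_DIR}/truststore.p12` both as a `--pkcs12` input and as `--out`; nothing visible here shows whether `truststore-merger` reads every input before it opens the output, and a tool that truncates the output first would silently drop the store the preceding `cp` just placed there. The copy in the mount directory holds the same bytes and is never written, so reading from it avoids the question entirely: `--pkcs12 {STACKABLE_MOUNT_INTERNAL_TLS_DIR}/truststore.p12:{STACKABLE_TLS_STORE_PASSWORD}`. The system bundle path `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` replaces the removed `SYSTEM_TRUST_STORE` constant with an inline literal; a named constant beside `STACKABLE_TLS_STORE_PASSWORD` in crd/mod.rs would keep the image contract in one place, and a one-line comment that `truststore-merger` must be shipped by the product image would help the next reader, since the prepare container fails opaquely without it. container_prepare_args starts before this hunk and continues after it.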
@@ -148,77 +132,11 @@ wait_for_termination $!
     args
 }
 
-/// Adds a CA file from `cert_file` into a truststore named `truststore.p12` in `destination_directory`
-/// under the alias `alias_name`.
-pub fn add_cert_to_truststore(
-    cert_file: &str,
-    destination_directory: &str,
-    alias_name: &str,
-) -> Vec {
-    vec![
-        format!(
-            "echo Adding cert from {cert_file} to truststore {destination_directory}/truststore.p12"
-        ),
-        format!(
-            "keytool -importcert -file {cert_file} -keystore {destination_directory}/truststore.p12 -storetype pkcs12 -noprompt -alias {alias_name} -storepass {STACKABLE_TLS_STORE_PASSWORD}"
-        ),
-    ]
-}
-
-/// Generates the shell script to import a secret operator provided keystore without password
-/// into a new keystore with password in a writeable empty dir
-///
-/// # Arguments
-/// - `source_directory`: The directory of the source keystore. Should usually be a secret operator volume mount.
-/// - `destination_directory`: The directory of the destination keystore. Should usually be an empty dir.
-fn import_keystore(source_directory: &str, destination_directory: &str) -> Vec {
-    vec![
-        // The source directory is a secret-op mount and we do not want to write / add anything in there
-        // Therefore we import all the contents to a keystore in "writeable" empty dirs.
-        // Keytool is only barking if a password is not set for the destination keystore (which we set)
-        // and do provide an empty password for the source keystore coming from the secret-operator.
-        // Using no password will result in a warning.
-        format!(
-            "echo Importing {source_directory}/keystore.p12 to {destination_directory}/keystore.p12"
-        ),
-        format!(
-            "keytool -importkeystore -srckeystore {source_directory}/keystore.p12 -srcstoretype PKCS12 -srcstorepass \"\" -destkeystore {destination_directory}/keystore.p12 -deststoretype PKCS12 -deststorepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"
-        ),
-    ]
-}
-
-/// Generates the shell script to import a secret operator provided truststore without password
-/// into a new truststore with password in a writeable empty dir
-///
-/// # Arguments
-/// - `source_directory`: The directory of the source truststore. Should usually be a secret operator volume mount.
-/// - `destination_directory`: The directory of the destination truststore. Should usually be an empty dir.
-fn import_truststore(source_directory: &str, destination_directory: &str) -> Vec {
-    vec![
-        // The source directory is a secret-op mount and we do not want to write / add anything in there
-        // Therefore we import all the contents to a truststore in "writeable" empty dirs.
-        // Keytool is only barking if a password is not set for the destination truststore (which we set)
-        // and do provide an empty password for the source truststore coming from the secret-operator.
-        // Using no password will result in a warning.
-        // All secret-op generated truststores have one entry with alias "1". We generate a UUID for
-        // the destination truststore to avoid conflicts when importing multiple secret-op generated
-        // truststores. We do not use the UUID rust crate since this will continuously change the STS... and
-        // leads to never-ending reconciles.
-        format!(
-            "echo Importing {source_directory}/truststore.p12 to {destination_directory}/truststore.p12"
-        ),
-        format!(
-            "keytool -importkeystore -srckeystore {source_directory}/truststore.p12 -srcstoretype PKCS12 -srcstorepass \"\" -srcalias 1 -destkeystore {destination_directory}/truststore.p12 -deststoretype PKCS12 -deststorepass {STACKABLE_TLS_STORE_PASSWORD} -destalias $(cat /proc/sys/kernel/random/uuid) -noprompt"
-        ),
-    ]
-}
-
-/// Import the system truststore to a truststore named `truststore.p12` in `destination_directory`.
-fn import_system_truststore(destination_directory: &str) -> Vec {
-    vec![
-        format!("echo Importing {SYSTEM_TRUST_STORE} to {destination_directory}/truststore.p12"),
-        format!(
-            "keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE} -srcstoretype jks -srcstorepass {SYSTEM_TRUST_STORE_PASSWORD} -destkeystore {destination_directory}/truststore.p12 -deststoretype pkcs12 -deststorepass {STACKABLE_TLS_STORE_PASSWORD} -noprompt"
-        ),
-    ]
+/// Adds a PEM file to configured PKCS12 truststore (using the [`STACKABLE_TLS_STORE_PASSWORD`]
+/// password)
+pub fn add_cert_to_truststore(cert_file: &str, destination_directory: &str) -> Vec {
+    let truststore = format!("{destination_directory}/truststore.p12");
+    vec![format!(
+        "truststore-merger --pkcs12 {truststore}:{STACKABLE_TLS_STORE_PASSWORD} --pem {cert_file} --out {truststore} --out-password {STACKABLE_TLS_STORE_PASSWORD}"
+    )]
 }
diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs
index 58e4775e..071efc9f 100644
--- a/rust/operator-binary/src/controller.rs
+++ b/rust/operator-binary/src/controller.rs
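Review bot: The new doc comment on `add_cert_to_truststore` drops the two facts the removed `import_truststore` comment carried — that secret-operator stores all use alias `1` and that a distinct alias was generated per import to avoid collisions — and it does not say that the target store must already exist, which the caller in `container_prepare_args` guarantees by creating it from the system bundle first. Callers no longer pass an alias, so two catalogs that trust the same CA both feed it to the merger; whether that is de-duplicated, duplicated or rejected depends on `truststore-merger`, which is not visible here, and the docstring should say which. Suggested wording: `/// Merges the PEM certificate(s) in cert_file into {destination_directory}/truststore.p12, which must already exist; alias generation and handling of repeated CAs are delegated to truststore-merger, and the store is rewritten in place under STACKABLE_TLS_STORE_PASSWORD.` That also removes the awkward `/// password)` line break of the current comment.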
@@ -86,7 +86,7 @@ use crate::{
         MAX_TRINO_LOG_FILES_SIZE, METRICS_PORT, METRICS_PORT_NAME, NODE_PROPERTIES,
         RW_CONFIG_DIR_NAME, STACKABLE_CLIENT_TLS_DIR, STACKABLE_INTERNAL_TLS_DIR,
         STACKABLE_MOUNT_INTERNAL_TLS_DIR, STACKABLE_MOUNT_SERVER_TLS_DIR, STACKABLE_SERVER_TLS_DIR,
-        TrinoRole,
+        STACKABLE_TLS_STORE_PASSWORD, TrinoRole,
         authentication::resolve_authentication_classes,
         catalog,
         discovery::{TrinoDiscovery, TrinoDiscoveryProtocol, TrinoPodRef},
@@ -1576,6 +1576,7 @@ fn create_tls_volume(
     secret_volume_source_builder
         .with_pod_scope()
         .with_format(SecretFormat::TlsPkcs12)
+        .with_tls_pkcs12_password(STACKABLE_TLS_STORE_PASSWORD)
         .with_auto_tls_cert_lifetime(*requested_secret_lifetime);
 
     if let Some(listener_scope) = &listener_scope {
diff --git a/rust/operator-binary/src/crd/fault_tolerant_execution.rs b/rust/operator-binary/src/crd/fault_tolerant_execution.rs
index a58ab302..6a43efa3 100644
--- a/rust/operator-binary/src/crd/fault_tolerant_execution.rs
+++ b/rust/operator-binary/src/crd/fault_tolerant_execution.rs
@@ -545,11 +545,7 @@ impl ResolvedFaultTolerantExecutionConfig {
             }) => {
                 if let Some(ca_cert) = s3_connection.tls.tls_ca_cert_mount_path() {
                     self.init_container_extra_start_commands.extend(
-                        command::add_cert_to_truststore(
-                            &ca_cert,
-                            STACKABLE_CLIENT_TLS_DIR,
-                            "exchange-s3-ca-cert",
-                        ),
+                        command::add_cert_to_truststore(&ca_cert, STACKABLE_CLIENT_TLS_DIR),
                     );
                 }
             }
diff --git a/rust/operator-binary/src/crd/mod.rs b/rust/operator-binary/src/crd/mod.rs
index a5c69932..ee107b7f 100644
--- a/rust/operator-binary/src/crd/mod.rs
+++ b/rust/operator-binary/src/crd/mod.rs
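Review bot: `.with_tls_pkcs12_password(STACKABLE_TLS_STORE_PASSWORD)` in `create_tls_volume` turns the literal `changeit` into a contract shared by the secret-operator volume request, the plain `cp` of keystore.p12/truststore.p12 in the prepare container, and presumably the store passwords Trino's own configuration refers to; the keytool re-import this series removes used to tolerate any source password, so the coupling is new and nothing at the call site says so. A comment would stop someone from changing one side only: `// The prepare container copies these stores verbatim instead of re-importing them, so this password must equal the one Trino is configured with (STACKABLE_TLS_STORE_PASSWORD).` The value is a well-known constant that already appears in the pod's command arguments, so secrecy is not weakened, but a mismatch would only surface as a Trino start failure. create_tls_volume starts before this hunk and continues after it.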
@@ -99,10 +99,8 @@ pub const STACKABLE_INTERNAL_TLS_DIR: &str = "/stackable/internal_tls"; pub const STACKABLE_LOG_DIR: &str = "/stackable/log"; pub const STACKABLE_MOUNT_SERVER_TLS_DIR: &str = "/stackable/mount_server_tls"; pub const STACKABLE_MOUNT_INTERNAL_TLS_DIR: &str = "/stackable/mount_internal_tls"; -pub const SYSTEM_TRUST_STORE: &str = "/etc/pki/java/cacerts"; // store pws pub const STACKABLE_TLS_STORE_PASSWORD: &str = "changeit"; -pub const SYSTEM_TRUST_STORE_PASSWORD: &str = "changeit"; // secret vars pub const ENV_INTERNAL_SECRET: &str = "INTERNAL_SECRET"; // TLS From e92faa1fc25fa5918bdcd88ce7a46738416868cb Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Thu, 11 Sep 2025 09:18:36 +0200 Subject: [PATCH 02/10] linter --- _WORK/README.md | 2 +- _WORK/trino.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/_WORK/README.md b/_WORK/README.md index 414c7b67..f6b128d7 100644 --- a/_WORK/README.md +++ b/_WORK/README.md @@ -23,5 +23,5 @@ Congrats, your secret-op now did a certificate rotation and your Pod should star ```bash keytool -list -storepass "" -keystore /certs/pkcs12-1/truststore.p12 -openssl pkcs12 -password pass: -in /certs/pkcs12-1/truststore.p12 +openssl pkcs12 -password pass: -in /certs/pkcs12-1/truststore.p12 ``` diff --git a/_WORK/trino.yaml b/_WORK/trino.yaml index 81a7462a..e88e1aa0 100644 --- a/_WORK/trino.yaml +++ b/_WORK/trino.yaml @@ -29,8 +29,8 @@ kind: SecretClass metadata: name: short-tls spec: - backend: - autoTls: + backend: + autoTls: ca: secret: name: secret-provisioner-short-tls-ca From 02d16e4e844817482f090417c4f643866b0f4a06 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Thu, 11 Sep 2025 11:06:09 +0200 Subject: [PATCH 03/10] linter --- _WORK/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/_WORK/README.md b/_WORK/README.md index f6b128d7..e8757bc9 100644 --- a/_WORK/README.md +++ b/_WORK/README.md 
@@ -6,6 +6,7 @@ stackablectl op in commons listener secret trino kind load docker-image oci.stackable.tech/sdp/trino:476-stackable0.0.0-dev-with-merger kubectl apply -f _WORK/trino.yaml ``` + The Trino Pod will not came up because of `backend failed to get secret data: failed to pick a CA: no CA in Secret.v1./secret-provisioner-short-tls-ca.stackable-operators will live until at least 2025-09-04 8:03:42.030007063 +00:00:00`. That's totally expected! From d9f6e7215cde3331b6bb06c6c14e0aa48f68b663 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 17 Sep 2025 08:53:17 +0200 Subject: [PATCH 04/10] Update to new CLI args --- _WORK/README.md | 2 +- _WORK/trino.yaml | 4 ++-- rust/operator-binary/src/command.rs | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/_WORK/README.md b/_WORK/README.md index e8757bc9..81b4d303 100644 --- a/_WORK/README.md +++ b/_WORK/README.md @@ -3,7 +3,7 @@ ```bash stackablectl op in commons listener secret trino -kind load docker-image oci.stackable.tech/sdp/trino:476-stackable0.0.0-dev-with-merger +# kind load docker-image oci.stackable.tech/sdp/trino:476-stackable0.0.0-dev-with-merger kubectl apply -f _WORK/trino.yaml ``` diff --git a/_WORK/trino.yaml b/_WORK/trino.yaml index e88e1aa0..f0135280 100644 --- a/_WORK/trino.yaml +++ b/_WORK/trino.yaml @@ -5,8 +5,8 @@ metadata: spec: image: productVersion: "476" - custom: oci.stackable.tech/sdp/trino:476-stackable0.0.0-dev-with-merger - pullPolicy: Never + # custom: oci.stackable.tech/sdp/trino:476-stackable0.0.0-dev-with-merger + # pullPolicy: Never clusterConfig: tls: serverSecretClass: short-tls diff --git a/rust/operator-binary/src/command.rs b/rust/operator-binary/src/command.rs index f2e1a6f7..33e2201d 100644 --- a/rust/operator-binary/src/command.rs +++ b/rust/operator-binary/src/command.rs 
@@ -44,7 +44,7 @@ pub fn container_prepare_args(
 
     // Create truststore that will be used when talking to external tools like S3
     // It will be populated from the system truststore so that connections against public services like AWS S3 are still possible
-    args.push(format!("truststore-merger --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_CLIENT_TLS_DIR}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"));
+    args.push(format!("cert-tools generate-pkcs12-truststore --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_CLIENT_TLS_DIR}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"));
 
     if trino.tls_enabled() {
         args.push(format!("cp {STACKABLE_MOUNT_SERVER_TLS_DIR}/truststore.p12 {STACKABLE_SERVER_TLS_DIR}/truststore.p12"));
@@ -55,7 +55,7 @@ pub fn container_prepare_args(
         args.push(format!("cp {STACKABLE_MOUNT_INTERNAL_TLS_DIR}/truststore.p12 {STACKABLE_INTERNAL_TLS_DIR}/truststore.p12"));
         args.push(format!("cp {STACKABLE_MOUNT_INTERNAL_TLS_DIR}/keystore.p12 {STACKABLE_INTERNAL_TLS_DIR}/keystore.p12"));
         if trino.tls_enabled() {
-            args.push(format!("truststore-merger --pkcs12 {STACKABLE_MOUNT_SERVER_TLS_DIR}/truststore.p12:{STACKABLE_TLS_STORE_PASSWORD} --pkcs12 {STACKABLE_INTERNAL_TLS_DIR}/truststore.p12:{STACKABLE_TLS_STORE_PASSWORD} --out {STACKABLE_INTERNAL_TLS_DIR}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"));
+            args.push(format!("cert-tools generate-pkcs12-truststore --pkcs12 {STACKABLE_MOUNT_SERVER_TLS_DIR}/truststore.p12:{STACKABLE_TLS_STORE_PASSWORD} --pkcs12 {STACKABLE_INTERNAL_TLS_DIR}/truststore.p12:{STACKABLE_TLS_STORE_PASSWORD} --out {STACKABLE_INTERNAL_TLS_DIR}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"));
         }
     }
 
@@ -137,6 +137,6 @@ wait_for_termination $!
 pub fn add_cert_to_truststore(cert_file: &str, destination_directory: &str) -> Vec {
     let truststore = format!("{destination_directory}/truststore.p12");
     vec![format!(
-        "truststore-merger --pkcs12 {truststore}:{STACKABLE_TLS_STORE_PASSWORD} --pem {cert_file} --out {truststore} --out-password {STACKABLE_TLS_STORE_PASSWORD}"
+        "cert-tools generate-pkcs12-truststore --pkcs12 {truststore}:{STACKABLE_TLS_STORE_PASSWORD} --pem {cert_file} --out {truststore} --out-password {STACKABLE_TLS_STORE_PASSWORD}"
     )]
 }
From 7fe2208448a1b4215a6a0b66f9a4ef730ad30dfb Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Wed, 17 Sep 2025 08:55:03 +0200
Subject: [PATCH 05/10] Delete _WORK folder

---
 _WORK/Dockerfile | 42 ------------------------------------------
 _WORK/README.md  | 28 ----------------------------
 _WORK/trino.yaml | 39 ---------------------------------------
 3 files changed, 109 deletions(-)
 delete mode 100644 _WORK/Dockerfile
 delete mode 100644 _WORK/README.md
 delete mode 100644 _WORK/trino.yaml

diff --git a/_WORK/Dockerfile b/_WORK/Dockerfile
deleted file mode 100644
index bedac681..00000000
--- a/_WORK/Dockerfile
+++ /dev/null
@@ -1,42 +0,0 @@ -# FROM stackable/image/stackable-devel AS truststore-merger -FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:383329bf9c4f968e87e85d30ba3a5cb988a3bbde28b8e4932dcd3a025fd9c98c AS truststore-merger - - -RUN microdnf update -y -RUN microdnf install -y gcc findutils git -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y - -ENV CARGO_CYCLONEDX_CRATE_VERSION=0.5.7 -ENV CARGO_AUDITABLE_CRATE_VERSION=0.6.6 -RUN . "$HOME/.cargo/env" && cargo --locked --quiet install cargo-cyclonedx@"$CARGO_CYCLONEDX_CRATE_VERSION" cargo-auditable@"$CARGO_AUDITABLE_CRATE_VERSION" && rustup toolchain install - -RUN microdnf install -y openssl-devel pkg-config - - - - - - - - - - - - - -# TRASH ABOVE!!! - -# docker build . -t oci.stackable.tech/sdp/trino:476-stackable0.0.0-dev-with-merger - -RUN echo "invalidate cache 2 :)" - -RUN < Date: Wed, 17 Sep 2025 08:58:02 +0200 Subject: [PATCH 06/10] Add comment --- rust/operator-binary/src/command.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rust/operator-binary/src/command.rs b/rust/operator-binary/src/command.rs index 33e2201d..b3db5dd8 100644 --- a/rust/operator-binary/src/command.rs +++ b/rust/operator-binary/src/command.rs @@ -44,6 +44,8 @@ pub fn container_prepare_args( // Create truststore that will be used when talking to external tools like S3 // It will be populated from the system truststore so that connections against public services like AWS S3 are still possible + // FIXME: *Technically* we should only add the system truststore in case any webPki usage is detected, wether that's in + // S3, LDAP, OIDC, FTE or whatnot. args.push(format!("cert-tools generate-pkcs12-truststore --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_CLIENT_TLS_DIR}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}")); if trino.tls_enabled() { From 1cbfc300bbe3378156d6f4077a4d405b97abe00c Mon Sep 17 00:00:00 2001 
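Review bot: The new FIXME in `container_prepare_args` records that the system bundle is always merged, but not what that means for trust scope: the public CA bundle and every catalog or FTE CA passed through `add_cert_to_truststore` land in the same `STACKABLE_CLIENT_TLS_DIR` truststore, so a connection to a privately-issued S3 or LDAP endpoint is also accepted when its certificate chains to any public CA, and a user-supplied CA narrows nothing (this was already true with the old cacerts import, so it is not a regression of this series). Stating that in the comment makes the FIXME read as a trust-boundary issue rather than a tidiness one, e.g. `// FIXME: merging the system bundle unconditionally means a privately-issued endpoint is also accepted via any public CA; only add it when a WebPKI-backed connection (S3, LDAP, OIDC, FTE, ...) is actually configured.` container_prepare_args starts before this hunk and continues after it.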
From: Sebastian Bernauer Date: Wed, 17 Sep 2025 10:11:52 +0200 Subject: [PATCH 07/10] changelog --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 046495b8..473cde5e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,18 @@ All notable changes to this project will be documented in this file. - Support for fault-tolerant execution ([#779]). - Helm: Allow Pod `priorityClassName` to be configured ([#798]). +### Fixed + +- Previously we had a bug that could lead to missing certificates ([#796]). + + This could be the case when the Stackable PKI rotated it's CA certificate or you specify multiple + CAs in your SecretClass. + Especially the CA rotation could brake working clusters. + We now correctly handle multiple certificates for both cases. + See [this GitHub issue](https://github.com/stackabletech/issues/issues/764) for details + [#779]: https://github.com/stackabletech/trino-operator/pull/779 +[#796]: https://github.com/stackabletech/trino-operator/pull/796 [#798]: https://github.com/stackabletech/trino-operator/pull/798 ## [25.7.0] - 2025-07-23 From f78c5338abf16f0b4f2119c56c5f0af6cae70863 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 17 Sep 2025 10:23:05 +0200 Subject: [PATCH 08/10] changelog --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 473cde5e..db084e8e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,9 +13,9 @@ All notable changes to this project will be documented in this file. - Previously we had a bug that could lead to missing certificates ([#796]). - This could be the case when the Stackable PKI rotated it's CA certificate or you specify multiple + This could be the case when the Stackable PKI rotated it's CA certificate or you specified multiple CAs in your SecretClass. - Especially the CA rotation could brake working clusters. + Especially the CA rotation could brake working clusters at any time. We now correctly handle multiple certificates for both cases. See [this GitHub issue](https://github.com/stackabletech/issues/issues/764) for details From 7c2384bc5deeecaeec66ece301c2f868fc585383 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Tue, 23 Sep 2025 14:32:39 +0200 Subject: [PATCH 09/10] Apply suggestions from code review Co-authored-by: Andrew Kenworthy <1712947+adwk67@users.noreply.github.com> --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1e23547..3c9a98d2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,9 +14,9 @@ All notable changes to this project will be documented in this file. - Previously we had a bug that could lead to missing certificates ([#796]). - This could be the case when the Stackable PKI rotated it's CA certificate or you specified multiple + This could be the case when the Stackable PKI rotated its CA certificate or you specified multiple CAs in your SecretClass. - Especially the CA rotation could brake working clusters at any time. + Especially the CA rotation could break working clusters at any time. We now correctly handle multiple certificates for both cases. See [this GitHub issue](https://github.com/stackabletech/issues/issues/764) for details From 69fc4e92ad63d4fdfe83513cc7f903910d537a34 Mon Sep 17 00:00:00 2001 
From: Sebastian Bernauer
Date: Tue, 23 Sep 2025 14:35:10 +0200
Subject: [PATCH 10/10] Update rust/operator-binary/src/command.rs

Co-authored-by: Andrew Kenworthy <1712947+adwk67@users.noreply.github.com>
---
 rust/operator-binary/src/command.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rust/operator-binary/src/command.rs b/rust/operator-binary/src/command.rs
index 6cea0928..e14cac17 100644
--- a/rust/operator-binary/src/command.rs
+++ b/rust/operator-binary/src/command.rs
@@ -47,7 +47,7 @@ pub fn container_prepare_args(
 
     // Create truststore that will be used when talking to external tools like S3
     // It will be populated from the system truststore so that connections against public services like AWS S3 are still possible
-    // FIXME: *Technically* we should only add the system truststore in case any webPki usage is detected, wether that's in
+    // FIXME: *Technically* we should only add the system truststore in case any webPki usage is detected, whether that's in
     // S3, LDAP, OIDC, FTE or whatnot.
     args.push(format!("cert-tools generate-pkcs12-truststore --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_CLIENT_TLS_DIR}/truststore.p12 --out-password {STACKABLE_TLS_STORE_PASSWORD}"));
 