From ca3f88f44960d945e2dab0c2a6b5a98d5df3ee73 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Thu, 28 Nov 2024 12:59:35 +0100 Subject: [PATCH 01/15] feat: `requestedSecretLifetime` role group property added --- CHANGELOG.md | 5 ++ Cargo.lock | 19 ++------ Cargo.nix | 21 ++------ Cargo.toml | 4 +- crate-hashes.json | 3 -- deploy/helm/druid-operator/crds/crds.yaml | 40 ++++++++++++++++ rust/crd/src/lib.rs | 50 ++++++++++++++++++++ rust/crd/src/security.rs | 3 ++ rust/operator-binary/src/druid_controller.rs | 7 ++- 9 files changed, 113 insertions(+), 39 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cb6f283..ad3c8a05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Added + +- Lifetime of auto generated certificates is configurable with the `requestedSecretLifetime` role group property ([#660]) + ### Fixed - Fix OIDC endpoint construction in case the `rootPath` does have a trailing slash ([#656]). @@ -13,6 +17,7 @@ All notable changes to this project will be documented in this file. [#656]: https://github.com/stackabletech/druid-operator/pull/656 [#657]: https://github.com/stackabletech/druid-operator/pull/657 +[#660]: https://github.com/stackabletech/druid-operator/pull/660 ## [24.11.0] - 2024-11-18 diff --git a/Cargo.lock b/Cargo.lock index 5014a2c7..fc2649fa 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -488,17 +488,6 @@ dependencies = [ "powerfmt", ] -[[package]] -name = "derivative" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b" -dependencies = [ - "proc-macro2", - "quote", - "syn 1.0.109", -] - [[package]] name = "digest" version = "0.10.7" 
@@ -2444,14 +2433,14 @@ dependencies = [ [[package]] name = "stackable-operator" version = "0.82.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat/request-secret-lifetime#f6aa3c46948d4cb59f92c5daa08f685068a393ba" dependencies = [ "chrono", "clap", "const_format", "delegate", - "derivative", "dockerfile-parser", + "educe", "either", "futures 0.3.31", "indexmap", @@ -2482,7 +2471,7 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat/request-secret-lifetime#f6aa3c46948d4cb59f92c5daa08f685068a393ba" dependencies = [ "darling", "proc-macro2", @@ -2493,7 +2482,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.0.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat/request-secret-lifetime#f6aa3c46948d4cb59f92c5daa08f685068a393ba" dependencies = [ "kube", "semver", diff --git a/Cargo.nix b/Cargo.nix index 5e3f89ad..4a3641ec 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -7557,12 +7557,7 @@ rec { crateName = "stackable-operator"; version = "0.82.0"; edition = "2021"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; - sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-operator; }; libName = "stackable_operator"; authors = [ "Stackable GmbH " 
@@ -7715,12 +7710,7 @@ rec { crateName = "stackable-operator-derive"; version = "0.3.1"; edition = "2021"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; - sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-operator-derive; }; procMacro = true; libName = "stackable_operator_derive"; authors = [ @@ -7750,12 +7740,7 @@ rec { crateName = "stackable-shared"; version = "0.0.1"; edition = "2021"; - workspace_member = null; - src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; - sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; - }; + src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-shared; }; libName = "stackable_shared"; authors = [ "Stackable GmbH " diff --git a/Cargo.toml b/Cargo.toml index a66977b4..4da2f304 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -30,5 +30,5 @@ strum = { version = "0.26", features = ["derive"] } tokio = { version = "1.40", features = ["full"] } tracing = "0.1" -# [patch."https://github.com/stackabletech/operator-rs.git"] -# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" } +[patch."https://github.com/stackabletech/operator-rs.git"] +stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/request-secret-lifetime" } diff --git a/crate-hashes.json b/crate-hashes.json index 0ca37e6e..46c186b3 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
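Review bot: The `[patch]` override in Cargo.toml now points `stackable-operator` at a mutable git branch (`feat/request-secret-lifetime` here, `main` in patch 04 of this series) instead of a released tag, so what gets built depends on the state of that branch rather than on a reviewable release. Cargo.lock pins the resolved revision (`f6aa3c46…`), so `cargo build --locked` stays reproducible, but the previously commented-out form of this section suggests it is meant as a temporary override; before merge it should be dropped again in favour of a tagged `stackable-operator` release that ships `with_auto_tls_cert_lifetime`, with Cargo.nix and crate-hashes.json regenerated from that. The doubled slash in `stackabletech//operator-rs.git` is presumably there so the patch source differs from the original source URL; a one-line comment above the section, e.g. `# TEMPORARY: override until a stackable-operator release contains with_auto_tls_cert_lifetime`, would make both the intent and the URL quirk explicit.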
@@ -1,6 +1,3 @@ { - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-operator-derive@0.3.1": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-operator@0.82.0": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-shared@0.0.1": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", "git+https://github.com/stackabletech/product-config.git?tag=0.7.0#product-config@0.7.0": "0gjsm80g6r75pm3824dcyiz4ysq1ka4c1if6k1mjm9cnd5ym0gny" } \ No newline at end of file diff --git a/deploy/helm/druid-operator/crds/crds.yaml b/deploy/helm/druid-operator/crds/crds.yaml index a1e148ad..3364092b 100644 --- a/deploy/helm/druid-operator/crds/crds.yaml +++ b/deploy/helm/druid-operator/crds/crds.yaml @@ -154,6 +154,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: @@ -372,6 +376,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: @@ -994,6 +1002,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: @@ -1212,6 +1224,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: 
@@ -1410,6 +1426,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: @@ -1659,6 +1679,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: @@ -1936,6 +1960,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: @@ -2154,6 +2182,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: @@ -2352,6 +2384,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: @@ -2570,6 +2606,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only auto certificates) lifetime from the secret operator. + nullable: true + type: string resources: default: cpu: diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index 0f164d52..ce2b77a8 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs 
@@ -152,6 +152,9 @@ const DEFAULT_MIDDLEMANAGER_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = const DEFAULT_ROUTER_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = Duration::from_minutes_unchecked(5); const DEFAULT_HISTORICAL_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = Duration::from_minutes_unchecked(5); +// Auto TLS certificate lifetime +const DEFAULT_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); + #[derive(Snafu, Debug, EnumDiscriminants)] #[strum_discriminants(derive(IntoStaticStr))] #[allow(clippy::enum_variant_names)] @@ -348,6 +351,7 @@ pub struct CommonRoleGroupConfig { pub replicas: Option, pub affinity: StackableAffinity, pub graceful_shutdown_timeout: Option, + pub requested_secret_lifetime: Duration, } /// Container for the merged and validated role group configurations @@ -387,6 +391,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .unwrap_or(DEFAULT_SECRET_LIFETIME), }) } DruidRole::Coordinator => { @@ -400,6 +409,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .unwrap_or(DEFAULT_SECRET_LIFETIME), }) } DruidRole::Historical => { @@ -415,6 +429,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .unwrap_or(DEFAULT_SECRET_LIFETIME), }) } DruidRole::MiddleManager => { 
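Review bot: The new `pub requested_secret_lifetime: Duration` field on `CommonRoleGroupConfig` carries no doc comment, unlike the role-level `BrokerConfig`/`CoordinatorConfig`/… fields added in the later hunks of this file, so a reader of the merged config cannot tell that the value is already defaulted at this point. A one-line `/// Lifetime requested for the auto-TLS certificate of this role group (always populated after merging).` would state the contract. The same five-line `rolegroup.config.config.requested_secret_lifetime.unwrap_or(DEFAULT_SECRET_LIFETIME)` expression is repeated in all five `DruidRole` arms of `MergedConfig` (Broker, Coordinator and Historical here, MiddleManager and Router in the next hunks); it follows the existing per-arm pattern for `graceful_shutdown_timeout`, so this is a style observation rather than a defect, but a small helper would keep the five arms from drifting apart when the default handling changes, as patch 02 of this series already does. The `MergedConfig` method these arms belong to starts and ends outside these hunks.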
@@ -428,6 +447,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .unwrap_or(DEFAULT_SECRET_LIFETIME), }) } DruidRole::Router => { @@ -441,6 +465,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .unwrap_or(DEFAULT_SECRET_LIFETIME), }) } } @@ -1105,6 +1134,10 @@ pub struct BrokerConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, + + /// Request secret (currently only auto certificates) lifetime from the secret operator. + #[fragment_attrs(serde(default))] + pub requested_secret_lifetime: Option, } impl BrokerConfig { @@ -1118,6 +1151,7 @@ impl BrokerConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), + requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME), } } } @@ -1148,6 +1182,9 @@ pub struct CoordinatorConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, + /// Request secret (currently only auto certificates) lifetime from the secret operator. + #[fragment_attrs(serde(default))] + pub requested_secret_lifetime: Option, } impl CoordinatorConfig { 
@@ -1161,6 +1198,7 @@ impl CoordinatorConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), + requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME), } } } @@ -1191,6 +1229,9 @@ pub struct MiddleManagerConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, + /// Request secret (currently only auto certificates) lifetime from the secret operator. + #[fragment_attrs(serde(default))] + pub requested_secret_lifetime: Option, } impl MiddleManagerConfig { @@ -1204,6 +1245,7 @@ impl MiddleManagerConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), + requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME), } } } @@ -1234,6 +1276,9 @@ pub struct RouterConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, + /// Request secret (currently only auto certificates) lifetime from the secret operator. + #[fragment_attrs(serde(default))] + pub requested_secret_lifetime: Option, } impl RouterConfig { @@ -1247,6 +1292,7 @@ impl RouterConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), + requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME), } } } 
@@ -1277,6 +1323,9 @@ pub struct HistoricalConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
+ /// Request secret (currently only auto certificates) lifetime from the secret operator.
+ #[fragment_attrs(serde(default))]
+ pub requested_secret_lifetime: Option,
 }
 impl HistoricalConfig {
@@ -1290,6 +1339,7 @@ impl HistoricalConfig {
 logging: product_logging::spec::default_logging(),
 affinity: get_affinity(cluster_name, role, deep_storage),
 graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()),
+ requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME),
 }
 }
 }
diff --git a/rust/crd/src/security.rs b/rust/crd/src/security.rs
index e4b74ad6..d1319b1a 100644
--- a/rust/crd/src/security.rs
+++ b/rust/crd/src/security.rs
@@ -20,6 +20,7 @@ use stackable_operator::{
 api::core::v1::{ContainerPort, Probe, ServicePort, TCPSocketAction},
 apimachinery::pkg::util::intstr::IntOrString,
 },
+ time::Duration,
 };
 use std::collections::BTreeMap;
@@ -190,6 +191,7 @@ impl DruidTlsSecurity {
 prepare: &mut ContainerBuilder,
 druid: &mut ContainerBuilder,
 pod: &mut PodBuilder,
+ requested_secret_lifetime: Duration,
 ) -> Result<(), Error> {
 // `ResolvedAuthenticationClasses::validate` already checked that the tls AuthenticationClass
 // uses the same SecretClass as the Druid server itself.
@@ -202,6 +204,7 @@ impl DruidTlsSecurity {
 .with_node_scope()
 .with_format(SecretFormat::TlsPkcs12)
 .with_tls_pkcs12_password(TLS_STORE_PASSWORD)
+ .with_auto_tls_cert_lifetime(requested_secret_lifetime)
 .build()
 .context(SecretVolumeBuildSnafu)?,
 )
diff --git a/rust/operator-binary/src/druid_controller.rs b/rust/operator-binary/src/druid_controller.rs
index dad2e8f3..275946c6 100644
--- a/rust/operator-binary/src/druid_controller.rs
+++ b/rust/operator-binary/src/druid_controller.rs
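Review bot: The new `requested_secret_lifetime: Duration` parameter of `add_tls_volume_and_volume_mounts` is undocumented, and the only place its meaning becomes visible is the `with_auto_tls_cert_lifetime` builder call in the next hunk, so a caller has no hint that the value is a request rather than a guarantee. A doc line on the method, e.g. `/// `requested_secret_lifetime`: validity requested for the auto-TLS certificate in the secret volume; the issuing SecretClass may cap it via `maxCertificateLifetime`.`, would carry the caveat that patch 03 of this series adds to the CRD field into the code path that actually consumes it. The lifetime is applied only to the server-certificate volume built here; the comment above the call says the tls AuthenticationClass shares this SecretClass, so no second volume appears to need it, but that is worth confirming. The method's signature starts, and its body ends, outside these hunks.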
@@ -981,7 +981,12 @@ fn build_rolegroup_statefulset(
 // volume and volume mounts
 druid_tls_security
- .add_tls_volume_and_volume_mounts(&mut cb_prepare, &mut cb_druid, &mut pb)
+ .add_tls_volume_and_volume_mounts(
+ &mut cb_prepare,
+ &mut cb_druid,
+ &mut pb,
+ merged_rolegroup_config.requested_secret_lifetime,
+ )
 .context(FailedToInitializeSecurityContextSnafu)?;
 if let Some(s3) = s3_conn {
From e5a95a52dfcc26eeae65933a50df8d74041f0271 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Fri, 29 Nov 2024 11:04:54 +0100
Subject: [PATCH 02/15] implement review feedback
---
 CHANGELOG.md | 2 +-
 Cargo.nix | 62 +++++++++++++++++++--------------------
 crate-hashes.json | 3 +++
 rust/crd/src/lib.rs | 29 +++++++++++++--------
 4 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad3c8a05..e0133414 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ All notable changes to this project will be documented in this file.
 ### Added
-- Lifetime of auto generated certificates is configurable with the `requestedSecretLifetime` role group property ([#660])
+- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup config property `requestedSecretLifetime` ([#660])
 ### Fixed
diff --git a/Cargo.nix b/Cargo.nix
index 4a3641ec..c9139fa0 100644
--- a/Cargo.nix
+++ b/Cargo.nix
@@ -1405,33 +1405,6 @@ rec { }; resolvedDefaultFeatures = [ "alloc" "powerfmt" "std" ]; }; - "derivative" = rec { - crateName = "derivative"; - version = "2.2.0"; - edition = "2015"; - sha256 = "02vpb81wisk2zh1d5f44szzxamzinqgq2k8ydrfjj2wwkrgdvhzw"; - procMacro = true; - authors = [ - "mcarton " - ]; - dependencies = [ - { - name = "proc-macro2"; - packageId = "proc-macro2"; - } - { - name = "quote"; - packageId = "quote"; - } - { - name = "syn"; - packageId = "syn 1.0.109"; - features = [ "visit" "extra-traits" ]; - } - ]; - features = { - }; - }; "digest" = rec { crateName = "digest"; version = "0.10.7"; @@ -1593,7 +1566,7 @@ rec { "default" = [ "Debug" "Clone" "Copy" "PartialEq" "Eq" "PartialOrd" "Ord" "Hash" "Default" "Deref" "DerefMut" "Into" ]; "full" = [ "syn/full" ]; }; - resolvedDefaultFeatures = [ "Clone" "Debug" "Hash" "PartialEq" ]; + resolvedDefaultFeatures = [ "Clone" "Debug" "Default" "Hash" "PartialEq" ]; }; "either" = rec { crateName = "either"; @@ -7557,7 +7530,12 @@ rec { crateName = "stackable-operator"; version = "0.82.0"; edition = "2021"; - src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-operator; }; + workspace_member = null; + src = pkgs.fetchgit { + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "f6aa3c46948d4cb59f92c5daa08f685068a393ba"; + sha256 = "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh"; + }; libName = "stackable_operator"; authors = [ "Stackable GmbH " @@ -7581,14 +7559,16 @@ rec { name = "delegate"; packageId = "delegate"; } - { - name = "derivative"; - packageId = "derivative"; - } { name = "dockerfile-parser"; packageId = "dockerfile-parser"; } + { + name = "educe"; + packageId = "educe"; + usesDefaultFeatures = false; + features = [ "Clone" "Debug" "Default" "PartialEq" ]; + } { name = "either"; packageId = "either"; 
@@ -7710,7 +7690,12 @@ rec { crateName = "stackable-operator-derive"; version = "0.3.1"; edition = "2021"; - src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-operator-derive; }; + workspace_member = null; + src = pkgs.fetchgit { + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "f6aa3c46948d4cb59f92c5daa08f685068a393ba"; + sha256 = "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh"; + }; procMacro = true; libName = "stackable_operator_derive"; authors = [ @@ -7740,7 +7725,12 @@ rec { crateName = "stackable-shared"; version = "0.0.1"; edition = "2021"; - src = lib.cleanSourceWith { filter = sourceFilter; src = ../operator-rs/crates/stackable-shared; }; + workspace_member = null; + src = pkgs.fetchgit { + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "f6aa3c46948d4cb59f92c5daa08f685068a393ba"; + sha256 = "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh"; + }; libName = "stackable_shared"; authors = [ "Stackable GmbH " @@ -7891,7 +7881,7 @@ rec { "quote" = [ "dep:quote" ]; "test" = [ "syn-test-suite/all-features" ]; }; - resolvedDefaultFeatures = [ "clone-impls" "default" "derive" "extra-traits" "full" "parsing" "printing" "proc-macro" "quote" "visit" ]; + resolvedDefaultFeatures = [ "clone-impls" "default" "derive" "full" "parsing" "printing" "proc-macro" "quote" ]; }; "syn 2.0.89" = rec { crateName = "syn"; diff --git a/crate-hashes.json b/crate-hashes.json index 46c186b3..cf8cfc73 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
@@ -1,3 +1,6 @@ { + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Frequest-secret-lifetime#stackable-operator-derive@0.3.1": "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Frequest-secret-lifetime#stackable-operator@0.82.0": "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Frequest-secret-lifetime#stackable-shared@0.0.1": "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh", "git+https://github.com/stackabletech/product-config.git?tag=0.7.0#product-config@0.7.0": "0gjsm80g6r75pm3824dcyiz4ysq1ka4c1if6k1mjm9cnd5ym0gny" } \ No newline at end of file diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index ce2b77a8..1bc409df 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs @@ -153,12 +153,19 @@ const DEFAULT_ROUTER_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = Duration::from_minute const DEFAULT_HISTORICAL_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = Duration::from_minutes_unchecked(5); // Auto TLS certificate lifetime -const DEFAULT_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); +const DEFAULT_BROKER_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); +const DEFAULT_COORDINATOR_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); +const DEFAULT_MIDDLE_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); +const DEFAULT_ROUTER_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); +const DEFAULT_HISTORICAL_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); #[derive(Snafu, Debug, EnumDiscriminants)] #[strum_discriminants(derive(IntoStaticStr))] #[allow(clippy::enum_variant_names)] pub enum Error { + #[snafu(display("missing secret lifetime"))] + MissingSecretLifetime, + #[snafu(display("failed to resolve S3 connection"))] ResolveS3Connection { source: S3Error }, 
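Review bot: The new `MissingSecretLifetime` variant carries no context, so the `missing secret lifetime` error raised from the five `MergedConfig` arms in the following hunks cannot tell the operator which role or role group was affected, unlike the adjacent `ResolveS3Connection { source: S3Error }`. Since every role-level default in this file now populates `Some(DEFAULT_…_SECRET_LIFETIME)`, reaching this branch indicates a merge problem rather than user input, which makes a precise message more valuable, not less; `#[snafu(display("missing requestedSecretLifetime for role {role}"))] MissingSecretLifetime { role: String },` with the `DruidRole` matched on in each arm passed at the call site (via `to_string()` if `DruidRole` implements `Display` — confirm) would do, and the role-group name is presumably reachable from `MergedConfig` too. Separately, `DEFAULT_MIDDLE_SECRET_LIFETIME` breaks the naming of the neighbouring `DEFAULT_MIDDLEMANAGER_GRACEFUL_SHUTDOWN_TIMEOUT`; renaming it `DEFAULT_MIDDLEMANAGER_SECRET_LIFETIME` here and at its use in the `MiddleManagerConfig` default keeps the per-role constants greppable together.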
@@ -395,7 +402,7 @@ impl MergedConfig { .config .config .requested_secret_lifetime - .unwrap_or(DEFAULT_SECRET_LIFETIME), + .context(MissingSecretLifetimeSnafu)?, }) } DruidRole::Coordinator => { @@ -413,7 +420,7 @@ impl MergedConfig { .config .config .requested_secret_lifetime - .unwrap_or(DEFAULT_SECRET_LIFETIME), + .context(MissingSecretLifetimeSnafu)?, }) } DruidRole::Historical => { @@ -433,7 +440,7 @@ impl MergedConfig { .config .config .requested_secret_lifetime - .unwrap_or(DEFAULT_SECRET_LIFETIME), + .context(MissingSecretLifetimeSnafu)?, }) } DruidRole::MiddleManager => { @@ -451,7 +458,7 @@ impl MergedConfig { .config .config .requested_secret_lifetime - .unwrap_or(DEFAULT_SECRET_LIFETIME), + .context(MissingSecretLifetimeSnafu)?, }) } DruidRole::Router => { @@ -469,7 +476,7 @@ impl MergedConfig { .config .config .requested_secret_lifetime - .unwrap_or(DEFAULT_SECRET_LIFETIME), + .context(MissingSecretLifetimeSnafu)?, }) } } @@ -1151,7 +1158,7 @@ impl BrokerConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), - requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME), + requested_secret_lifetime: Some(DEFAULT_BROKER_SECRET_LIFETIME), } } } @@ -1198,7 +1205,7 @@ impl CoordinatorConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), - requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME), + requested_secret_lifetime: Some(DEFAULT_COORDINATOR_SECRET_LIFETIME), } } } 
@@ -1245,7 +1252,7 @@ impl MiddleManagerConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), - requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME), + requested_secret_lifetime: Some(DEFAULT_MIDDLE_SECRET_LIFETIME), } } } @@ -1292,7 +1299,7 @@ impl RouterConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), - requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME), + requested_secret_lifetime: Some(DEFAULT_ROUTER_SECRET_LIFETIME), } } } @@ -1339,7 +1346,7 @@ impl HistoricalConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), - requested_secret_lifetime: Some(DEFAULT_SECRET_LIFETIME), + requested_secret_lifetime: Some(DEFAULT_HISTORICAL_SECRET_LIFETIME), } } } From 0c0ba65a2034cc09de026a71cc6c421cded61cde Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 29 Nov 2024 11:25:25 +0100 Subject: [PATCH 03/15] update crd field docs --- deploy/helm/druid-operator/crds/crds.yaml | 20 ++++++++++---------- rust/crd/src/lib.rs | 16 ++++++++++------ 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/deploy/helm/druid-operator/crds/crds.yaml b/deploy/helm/druid-operator/crds/crds.yaml index 3364092b..70ed1b32 100644 --- a/deploy/helm/druid-operator/crds/crds.yaml +++ b/deploy/helm/druid-operator/crds/crds.yaml 
@@ -155,7 +155,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: @@ -377,7 +377,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: @@ -1003,7 +1003,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: @@ -1225,7 +1225,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: 
@@ -1427,7 +1427,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: @@ -1680,7 +1680,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: @@ -1961,7 +1961,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: @@ -2183,7 +2183,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: 
@@ -2385,7 +2385,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: @@ -2607,7 +2607,7 @@ spec: type: boolean type: object requestedSecretLifetime: - description: Request secret (currently only auto certificates) lifetime from the secret operator. + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. nullable: true type: string resources: diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index 1bc409df..44dad587 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs @@ -1141,8 +1141,8 @@ pub struct BrokerConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, - - /// Request secret (currently only auto certificates) lifetime from the secret operator. + /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. + /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. #[fragment_attrs(serde(default))] pub requested_secret_lifetime: Option, } 
@@ -1189,7 +1189,8 @@ pub struct CoordinatorConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
- /// Request secret (currently only auto certificates) lifetime from the secret operator.
+ /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
+ /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
 #[fragment_attrs(serde(default))]
 pub requested_secret_lifetime: Option,
 }
@@ -1236,7 +1237,8 @@ pub struct MiddleManagerConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
- /// Request secret (currently only auto certificates) lifetime from the secret operator.
+ /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
+ /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
 #[fragment_attrs(serde(default))]
 pub requested_secret_lifetime: Option,
 }
@@ -1283,7 +1285,8 @@ pub struct RouterConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
- /// Request secret (currently only auto certificates) lifetime from the secret operator.
+ /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
+ /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
 #[fragment_attrs(serde(default))]
 pub requested_secret_lifetime: Option,
 }
@@ -1330,7 +1333,8 @@ pub struct HistoricalConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
- /// Request secret (currently only auto certificates) lifetime from the secret operator.
+ /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
+ /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
 #[fragment_attrs(serde(default))]
 pub requested_secret_lifetime: Option,
 }
From 8046ac0d03c9886355f1a7321fb73602b87a10ed Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Mon, 2 Dec 2024 10:49:24 +0100
Subject: [PATCH 04/15] Point to op-rs main
---
 Cargo.lock | 6 +++---
 Cargo.toml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index fc2649fa..1dd0b846 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2433,7 +2433,7 @@ dependencies = [ [[package]] name = "stackable-operator" version = "0.82.0" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat/request-secret-lifetime#f6aa3c46948d4cb59f92c5daa08f685068a393ba" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=main#7939b3516f01483c0d9f601d57ee70003420f7e5" dependencies = [ "chrono", "clap",
@@ -2471,7 +2471,7 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat/request-secret-lifetime#f6aa3c46948d4cb59f92c5daa08f685068a393ba" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=main#7939b3516f01483c0d9f601d57ee70003420f7e5" dependencies = [ "darling", "proc-macro2",
@@ -2482,7 +2482,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.0.1" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=feat/request-secret-lifetime#f6aa3c46948d4cb59f92c5daa08f685068a393ba" +source = "git+https://github.com/stackabletech//operator-rs.git?branch=main#7939b3516f01483c0d9f601d57ee70003420f7e5" dependencies = [ "kube", "semver",
diff --git a/Cargo.toml b/Cargo.toml
index 4da2f304..201e6729 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -31,4 +31,4 @@ tokio = { version = "1.40", features = ["full"] }
 tracing = "0.1"
 
 [patch."https://github.com/stackabletech/operator-rs.git"]
-stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/request-secret-lifetime" }
+stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
From 347bb1ddb257a13ccf6710f189c550a9e9d55153 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Tue, 3 Dec 2024 16:27:10 +0100
Subject: [PATCH 05/15] chore: bump op-rs
---
 Cargo.lock | 8 ++++----
 Cargo.toml | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 1dd0b846..3fa5a3c6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2432,8 +2432,8 @@ dependencies = [ [[package]] name = "stackable-operator" -version = "0.82.0" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=main#7939b3516f01483c0d9f601d57ee70003420f7e5" +version = "0.83.0" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.83.0#3ce7bcbdb58097cde0c0f19488a104c96f69dbc3" dependencies = [ "chrono", "clap",
@@ -2471,7 +2471,7 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=main#7939b3516f01483c0d9f601d57ee70003420f7e5" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.83.0#3ce7bcbdb58097cde0c0f19488a104c96f69dbc3" dependencies = [ "darling", "proc-macro2",
@@ -2482,7 +2482,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.0.1" -source = "git+https://github.com/stackabletech//operator-rs.git?branch=main#7939b3516f01483c0d9f601d57ee70003420f7e5" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.83.0#3ce7bcbdb58097cde0c0f19488a104c96f69dbc3" dependencies = [ "kube", "semver",
diff --git a/Cargo.toml b/Cargo.toml
index 201e6729..af394b09 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -25,10 +25,10 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 serde_yaml = "0.9"
 snafu = "0.8"
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.82.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.83.0" }
 strum = { version = "0.26", features = ["derive"] }
 tokio = { version = "1.40", features = ["full"] }
 tracing = "0.1"
 
-[patch."https://github.com/stackabletech/operator-rs.git"]
-stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+# [patch."https://github.com/stackabletech/operator-rs.git"]
+# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
From 496f1251e12b38055cffb487f2514602e095ba42 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 09:26:09 +0100
Subject: [PATCH 06/15] cargo update -p rustls
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
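Review bot: The `[patch]` override in `Cargo.toml` is kept as commented-out TOML instead of being deleted; commented-out configuration is the kind that gets uncommented again in a hurry, and what it would re-enable is a `branch = "main"` source — an unpinned, mutable dependency origin that a release build must never carry. Either drop the two `#` lines, or keep the recipe with a comment that states it is a local-development override only. If it stays, also document the `stackabletech//operator-rs.git` URL: the doubled slash appears to be deliberate, because Cargo rejects a `[patch]` whose source is identical to the one it replaces, but any reader will take it for a typo and "fix" it; e.g. `# Dev-only override, never ship uncommented. The doubled slash makes the patch source differ from the dependency source, which Cargo requires.` The rest of the dependency table is outside the hunk.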
diff --git a/Cargo.lock b/Cargo.lock
index 3fa5a3c6..977ed63f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2028,9 +2028,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.18" +version = "0.23.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c9cc1d47e243d655ace55ed38201c19ae02c148ae56412ab8750e8f0166ab7f" +checksum = "934b404430bb06b3fae2cba809eb45a1ab1aecd64491213d7c3301b88393f8d1" dependencies = [ "log", "once_cell",
From 1b568a69458df01679594c1809b63b2066ee8f84 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:25:59 +0100
Subject: [PATCH 07/15] Update CHANGELOG.md
Co-authored-by: Sebastian Bernauer
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e0133414..44099637 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,8 @@ All notable changes to this project will be documented in this file.
 
 ### Added
 
-- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup config property `requestedSecretLifetime` ([#660])
+- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup
+ config property `requestedSecretLifetime`. This helps reducing frequent Pod restarts ([#660]).
 
 ### Fixed
 
From 3cadcd62ea0e4182c5e04cb8816c24450c1b06f8 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:26:09 +0100
Subject: [PATCH 08/15] Update rust/crd/src/lib.rs
Co-authored-by: Sebastian Bernauer
---
 rust/crd/src/lib.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
index 44dad587..c5a253cb 100644
--- a/rust/crd/src/lib.rs
+++ b/rust/crd/src/lib.rs
@@ -1237,6 +1237,7 @@ pub struct MiddleManagerConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
+
 /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
 /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
 #[fragment_attrs(serde(default))]
From 7fd415c1cf1556996b84d7b6227f02ce853403bf Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:26:17 +0100
Subject: [PATCH 09/15] Update rust/crd/src/lib.rs
Co-authored-by: Sebastian Bernauer
---
 rust/crd/src/lib.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
index c5a253cb..1a0aab9c 100644
--- a/rust/crd/src/lib.rs
+++ b/rust/crd/src/lib.rs
@@ -1189,6 +1189,7 @@ pub struct CoordinatorConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
+
 /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
 /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
 #[fragment_attrs(serde(default))]
From 61a877b0ddfec5e78bbfdce3e494a0ab91881682 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:26:25 +0100
Subject: [PATCH 10/15] Update rust/crd/src/lib.rs
Co-authored-by: Sebastian Bernauer
---
 rust/crd/src/lib.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
index 1a0aab9c..f934450d 100644
--- a/rust/crd/src/lib.rs
+++ b/rust/crd/src/lib.rs
@@ -1141,6 +1141,7 @@ pub struct BrokerConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
+
 /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
 /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
 #[fragment_attrs(serde(default))]
From bca44a1c5dca5c223d28fdbbc13cd08d67246fb6 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:26:32 +0100
Subject: [PATCH 11/15] Update rust/crd/src/lib.rs
Co-authored-by: Sebastian Bernauer
---
 rust/crd/src/lib.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
index f934450d..ba0b86ea 100644
--- a/rust/crd/src/lib.rs
+++ b/rust/crd/src/lib.rs
@@ -1288,6 +1288,7 @@ pub struct RouterConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
+
 /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
 /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
 #[fragment_attrs(serde(default))]
From be236238822f8053c361a03ac7718459d101f744 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:26:39 +0100
Subject: [PATCH 12/15] Update rust/crd/src/lib.rs
Co-authored-by: Sebastian Bernauer
---
 rust/crd/src/lib.rs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
index ba0b86ea..873321e5 100644
--- a/rust/crd/src/lib.rs
+++ b/rust/crd/src/lib.rs
@@ -1337,6 +1337,7 @@ pub struct HistoricalConfig {
 /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown).
 #[fragment_attrs(serde(default))]
 pub graceful_shutdown_timeout: Option,
+
 /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
 /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
 #[fragment_attrs(serde(default))]
From 82ed5521c306d1f5f63d1daef73273ebe620179a Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:27:11 +0100
Subject: [PATCH 13/15] Update rust/crd/src/security.rs
Co-authored-by: Sebastian Bernauer
---
 rust/crd/src/security.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rust/crd/src/security.rs b/rust/crd/src/security.rs
index d1319b1a..10c74a1e 100644
--- a/rust/crd/src/security.rs
+++ b/rust/crd/src/security.rs
@@ -191,7 +191,7 @@ impl DruidTlsSecurity {
 prepare: &mut ContainerBuilder,
 druid: &mut ContainerBuilder,
 pod: &mut PodBuilder,
- requested_secret_lifetime: Duration,
+ requested_secret_lifetime: &Duration,
 ) -> Result<(), Error> {
 // `ResolvedAuthenticationClasses::validate` already checked that the tls AuthenticationClass
 // uses the same SecretClass as the Druid server itself.
From b3933f3146d176fd8bd1461d524372f97c46a4ca Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:27:21 +0100
Subject: [PATCH 14/15] Update rust/operator-binary/src/druid_controller.rs
Co-authored-by: Sebastian Bernauer
---
 rust/operator-binary/src/druid_controller.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rust/operator-binary/src/druid_controller.rs b/rust/operator-binary/src/druid_controller.rs
index 275946c6..1ed6a666 100644
--- a/rust/operator-binary/src/druid_controller.rs
+++ b/rust/operator-binary/src/druid_controller.rs
@@ -985,7 +985,7 @@ fn build_rolegroup_statefulset(
 &mut cb_prepare,
 &mut cb_druid,
 &mut pb,
- merged_rolegroup_config.requested_secret_lifetime,
+ &merged_rolegroup_config.requested_secret_lifetime,
 )
 .context(FailedToInitializeSecurityContextSnafu)?;
From d2518b7d307fdd588e96341fa99f24b2eadcb414 Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Wed, 4 Dec 2024 10:27:29 +0100
Subject: [PATCH 15/15] Update rust/crd/src/security.rs
Co-authored-by: Sebastian Bernauer
---
 rust/crd/src/security.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rust/crd/src/security.rs b/rust/crd/src/security.rs
index 10c74a1e..627f0277 100644
--- a/rust/crd/src/security.rs
+++ b/rust/crd/src/security.rs
@@ -204,7 +204,7 @@ impl DruidTlsSecurity {
 .with_node_scope()
 .with_format(SecretFormat::TlsPkcs12)
 .with_tls_pkcs12_password(TLS_STORE_PASSWORD)
- .with_auto_tls_cert_lifetime(requested_secret_lifetime)
+ .with_auto_tls_cert_lifetime(*requested_secret_lifetime)
 .build()
 .context(SecretVolumeBuildSnafu)?,
 )
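Review bot: `.with_auto_tls_cert_lifetime(*requested_secret_lifetime)` dereferences the parameter that the previous two commits turned into `&Duration`; moving out of a shared reference like this compiles only if `Duration` is `Copy`, and for a `Copy` type a reference parameter plus a deref at the single use site is indirection with no benefit — take `requested_secret_lifetime: Duration` and pass it through as the code did before, which also drops the `&` at the `build_rolegroup_statefulset` call site. Independently of the signature, this builder call is where a user-supplied value from the CRD becomes a request to secret-operator, and nothing in this hunk bounds it: the SecretClass's `maxCertificateLifetime` caps it from above, while a value of a few minutes would be accepted and drive constant certificate rotation and Pod restarts, so if no lower-bound check exists where the role and role-group configs are merged, one belongs there. At minimum the line deserves a comment making the effective semantics visible to the next maintainer: `// Effective lifetime = min(requested, SecretClass maxCertificateLifetime); no lower bound is enforced here.` The enclosing method of `DruidTlsSecurity` starts before the hunk.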