feat: Support setting TLS certificate lifetimes (#619)

* feat: `requestedSecretLifetime` role group property added

* added tests for requested secret lifetime

* point to op-rs main

* chore: bump op-rs

* cargo update -p rustls

* Update CHANGELOG.md

Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>

* Update rust/crd/src/lib.rs

Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>

* implement review feedback

---------

Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>

Author: razvan

CHANGELOG.md

@@ -4,13 +4,19 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup
+  config property `requestedSecretLifetime`. This helps reducing frequent Pod restarts ([#619]).
+
 ### Fixed
 
 - BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be
   deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after
   restart ([#616]).
 
 [#616]: https://github.com/stackabletech/hdfs-operator/pull/616
+[#619]: https://github.com/stackabletech/hdfs-operator/pull/619
 
 ## [24.11.0] - 2024-11-18
 

Cargo.lock

@@ -21,7 +21,7 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 serde_yaml = "0.9"
 snafu = "0.8"
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.82.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.83.0" }
 product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" }
 strum = { version = "0.26", features = ["derive"] }
 tokio = { version = "1.40", features = ["full"] }

Cargo.toml

@@ -261,6 +261,10 @@ spec:
                               nullable: true
                               type: boolean
                           type: object
+                        requestedSecretLifetime:
+                          description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -538,6 +542,10 @@ spec:
                                     nullable: true
                                     type: boolean
                                 type: object
+                              requestedSecretLifetime:
+                                description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:
@@ -840,6 +848,10 @@ spec:
                               nullable: true
                               type: boolean
                           type: object
+                        requestedSecretLifetime:
+                          description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -1104,6 +1116,10 @@ spec:
                                     nullable: true
                                     type: boolean
                                 type: object
+                              requestedSecretLifetime:
+                                description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:
@@ -1353,6 +1369,10 @@ spec:
                               nullable: true
                               type: boolean
                           type: object
+                        requestedSecretLifetime:
+                          description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -1621,6 +1641,10 @@ spec:
                                     nullable: true
                                     type: boolean
                                 type: object
+                              requestedSecretLifetime:
+                                description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:

deploy/helm/hdfs-operator/crds/crds.yaml

@@ -238,6 +238,11 @@ pub struct CommonNodeConfig {
     /// Time period Pods have to gracefully shut down, e.g. `30m`, `1h` or `2d`. Consult the operator documentation for details.
     #[fragment_attrs(serde(default))]
     pub graceful_shutdown_timeout: Option<Duration>,
+
+    /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
+    /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+    #[fragment_attrs(serde(default))]
+    pub requested_secret_lifetime: Option<Duration>,
 }
 
 /// Configuration for a rolegroup of an unknown type.
@@ -310,6 +315,13 @@ impl AnyNodeConfig {
             AnyNodeConfig::JournalNode(node) => node.logging.enable_vector_agent,
         }
     }
+    pub fn requested_secret_lifetime(&self) -> Option<Duration> {
+        match self {
+            AnyNodeConfig::NameNode(node) => node.common.requested_secret_lifetime,
+            AnyNodeConfig::DataNode(node) => node.common.requested_secret_lifetime,
+            AnyNodeConfig::JournalNode(node) => node.common.requested_secret_lifetime,
+        }
+    }
 }
 
 #[derive(
@@ -1074,6 +1086,8 @@ pub struct NameNodeConfig {
 }
 
 impl NameNodeConfigFragment {
+    const DEFAULT_NAME_NODE_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
+
     pub fn default_config(cluster_name: &str, role: &HdfsRole) -> Self {
         Self {
             resources: ResourcesFragment {
@@ -1098,6 +1112,7 @@ impl NameNodeConfigFragment {
             common: CommonNodeConfigFragment {
                 affinity: get_affinity(cluster_name, role),
                 graceful_shutdown_timeout: Some(DEFAULT_NAME_NODE_GRACEFUL_SHUTDOWN_TIMEOUT),
+                requested_secret_lifetime: Some(Self::DEFAULT_NAME_NODE_SECRET_LIFETIME),
             },
         }
     }
@@ -1208,6 +1223,8 @@ pub struct DataNodeConfig {
 }
 
 impl DataNodeConfigFragment {
+    const DEFAULT_DATA_NODE_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
+
     pub fn default_config(cluster_name: &str, role: &HdfsRole) -> Self {
         Self {
             resources: ResourcesFragment {
@@ -1237,6 +1254,7 @@ impl DataNodeConfigFragment {
             common: CommonNodeConfigFragment {
                 affinity: get_affinity(cluster_name, role),
                 graceful_shutdown_timeout: Some(DEFAULT_DATA_NODE_GRACEFUL_SHUTDOWN_TIMEOUT),
+                requested_secret_lifetime: Some(Self::DEFAULT_DATA_NODE_SECRET_LIFETIME),
             },
         }
     }
@@ -1324,6 +1342,7 @@ pub struct JournalNodeConfig {
 }
 
 impl JournalNodeConfigFragment {
+    const DEFAULT_JOURNAL_NODE_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
     pub fn default_config(cluster_name: &str, role: &HdfsRole) -> Self {
         Self {
             resources: ResourcesFragment {
@@ -1347,6 +1366,7 @@ impl JournalNodeConfigFragment {
             common: CommonNodeConfigFragment {
                 affinity: get_affinity(cluster_name, role),
                 graceful_shutdown_timeout: Some(DEFAULT_JOURNAL_NODE_GRACEFUL_SHUTDOWN_TIMEOUT),
+                requested_secret_lifetime: Some(Self::DEFAULT_JOURNAL_NODE_SECRET_LIFETIME),
             },
         }
     }

rust/crd/src/lib.rs

@@ -89,6 +89,9 @@ type Result<T, E = Error> = std::result::Result<T, E>;
 #[derive(Snafu, Debug, EnumDiscriminants)]
 #[strum_discriminants(derive(IntoStaticStr))]
 pub enum Error {
+    #[snafu(display("missing secret lifetime"))]
+    MissingSecretLifetime,
+
     #[snafu(display("object has no namespace"))]
     ObjectHasNoNamespace,
 
@@ -272,6 +275,11 @@ impl ContainerConfig {
                         .with_node_scope()
                         .with_format(SecretFormat::TlsPkcs12)
                         .with_tls_pkcs12_password(TLS_STORE_PASSWORD)
+                        .with_auto_tls_cert_lifetime(
+                            merged_config
+                                .requested_secret_lifetime()
+                                .context(MissingSecretLifetimeSnafu)?,
+                        )
                         .build()
                         .context(BuildSecretVolumeSnafu {
                             volume_name: TLS_STORE_VOLUME_NAME,

rust/operator-binary/src/container.rs

@@ -26,3 +26,11 @@ metadata:
 status:
   readyReplicas: 2
   replicas: 2
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 600
+commands:
+  - script: kubectl -n $NAMESPACE get sts/hdfs-namenode-default -o yaml | yq -e '.spec.template.spec.volumes.[] | select(.name == "tls" and .ephemeral.volumeClaimTemplate.metadata.annotations."secrets.stackable.tech/backend.autotls.cert.lifetime" == "7d")'
+  - script: kubectl -n $NAMESPACE get sts/hdfs-datanode-default -o yaml | yq -e '.spec.template.spec.volumes.[] | select(.name == "tls" and .ephemeral.volumeClaimTemplate.metadata.annotations."secrets.stackable.tech/backend.autotls.cert.lifetime" == "1d")'
+  - script: kubectl -n $NAMESPACE get sts/hdfs-journalnode-default -o yaml | yq -e '.spec.template.spec.volumes.[] | select(.name == "tls" and .ephemeral.volumeClaimTemplate.metadata.annotations."secrets.stackable.tech/backend.autotls.cert.lifetime" == "2d")'

tests/templates/kuttl/kerberos/20-assert.yaml

@@ -44,6 +44,7 @@ spec:
         replicas: 2
   dataNodes:
     config:
+      requestedSecretLifetime: 1d
       logging:
         enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
     roleGroups:
@@ -56,3 +57,5 @@ spec:
     roleGroups:
       default:
         replicas: 3
+        config:
+          requestedSecretLifetime: 2d