feat: requestedSecretLifetime role group property added

Author: razvan

CHANGELOG.md

@@ -4,13 +4,18 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup config property `requestedSecretLifetime` ([#619])
+
 ### Fixed
 
 - BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be
   deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after
   restart ([#616]).
 
 [#616]: https://github.com/stackabletech/hdfs-operator/pull/616
+[#619]: https://github.com/stackabletech/hdfs-operator/pull/619
 
 ## [24.11.0] - 2024-11-18
 

Cargo.lock

@@ -28,6 +28,6 @@ tokio = { version = "1.40", features = ["full"] }
 tracing = "0.1"
 tracing-futures = { version = "0.2", features = ["futures-03"] }
 
-#[patch."https://github.com/stackabletech/operator-rs.git"]
+[patch."https://github.com/stackabletech/operator-rs.git"]
 #stackable-operator = { path = "../operator-rs/crates/stackable-operator" }
-#stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "feat/request-secret-lifetime" }

Cargo.toml

@@ -261,6 +261,10 @@ spec:
                               nullable: true
                               type: boolean
                           type: object
+                        requestedSecretLifetime:
+                          description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -538,6 +542,10 @@ spec:
                                     nullable: true
                                     type: boolean
                                 type: object
+                              requestedSecretLifetime:
+                                description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:
@@ -840,6 +848,10 @@ spec:
                               nullable: true
                               type: boolean
                           type: object
+                        requestedSecretLifetime:
+                          description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -1104,6 +1116,10 @@ spec:
                                     nullable: true
                                     type: boolean
                                 type: object
+                              requestedSecretLifetime:
+                                description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:
@@ -1353,6 +1369,10 @@ spec:
                               nullable: true
                               type: boolean
                           type: object
+                        requestedSecretLifetime:
+                          description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -1621,6 +1641,10 @@ spec:
                                     nullable: true
                                     type: boolean
                                 type: object
+                              requestedSecretLifetime:
+                                description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:

deploy/helm/hdfs-operator/crds/crds.yaml

@@ -87,3 +87,7 @@ pub const LISTENER_VOLUME_NAME: &str = "listener";
 pub const LISTENER_VOLUME_DIR: &str = "/stackable/listener";
 
 pub const HDFS_UID: i64 = 1000;
+
+pub const DEFAULT_NAME_NODE_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
+pub const DEFAULT_DATA_NODE_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
+pub const DEFAULT_JOURNAL_NODE_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);

rust/crd/src/constants.rs

@@ -238,6 +238,10 @@ pub struct CommonNodeConfig {
     /// Time period Pods have to gracefully shut down, e.g. `30m`, `1h` or `2d`. Consult the operator documentation for details.
     #[fragment_attrs(serde(default))]
     pub graceful_shutdown_timeout: Option<Duration>,
+    /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
+    /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+    #[fragment_attrs(serde(default))]
+    pub requested_secret_lifetime: Option<Duration>,
 }
 
 /// Configuration for a rolegroup of an unknown type.
@@ -310,6 +314,13 @@ impl AnyNodeConfig {
             AnyNodeConfig::JournalNode(node) => node.logging.enable_vector_agent,
         }
     }
+    pub fn requested_secret_lifetime(&self) -> Option<Duration> {
+        match self {
+            AnyNodeConfig::NameNode(node) => node.common.requested_secret_lifetime,
+            AnyNodeConfig::DataNode(node) => node.common.requested_secret_lifetime,
+            AnyNodeConfig::JournalNode(node) => node.common.requested_secret_lifetime,
+        }
+    }
 }
 
 #[derive(
@@ -1098,6 +1109,7 @@ impl NameNodeConfigFragment {
             common: CommonNodeConfigFragment {
                 affinity: get_affinity(cluster_name, role),
                 graceful_shutdown_timeout: Some(DEFAULT_NAME_NODE_GRACEFUL_SHUTDOWN_TIMEOUT),
+                requested_secret_lifetime: Some(DEFAULT_NAME_NODE_SECRET_LIFETIME),
             },
         }
     }
@@ -1237,6 +1249,7 @@ impl DataNodeConfigFragment {
             common: CommonNodeConfigFragment {
                 affinity: get_affinity(cluster_name, role),
                 graceful_shutdown_timeout: Some(DEFAULT_DATA_NODE_GRACEFUL_SHUTDOWN_TIMEOUT),
+                requested_secret_lifetime: Some(DEFAULT_DATA_NODE_SECRET_LIFETIME),
             },
         }
     }
@@ -1347,6 +1360,7 @@ impl JournalNodeConfigFragment {
             common: CommonNodeConfigFragment {
                 affinity: get_affinity(cluster_name, role),
                 graceful_shutdown_timeout: Some(DEFAULT_JOURNAL_NODE_GRACEFUL_SHUTDOWN_TIMEOUT),
+                requested_secret_lifetime: Some(DEFAULT_JOURNAL_NODE_SECRET_LIFETIME),
             },
         }
     }

rust/crd/src/lib.rs

@@ -89,6 +89,9 @@ type Result<T, E = Error> = std::result::Result<T, E>;
 #[derive(Snafu, Debug, EnumDiscriminants)]
 #[strum_discriminants(derive(IntoStaticStr))]
 pub enum Error {
+    #[snafu(display("missing secret lifetime"))]
+    MissingSecretLifetime,
+
     #[snafu(display("object has no namespace"))]
     ObjectHasNoNamespace,
 
@@ -272,6 +275,11 @@ impl ContainerConfig {
                         .with_node_scope()
                         .with_format(SecretFormat::TlsPkcs12)
                         .with_tls_pkcs12_password(TLS_STORE_PASSWORD)
+                        .with_auto_tls_cert_lifetime(
+                            merged_config
+                                .requested_secret_lifetime()
+                                .context(MissingSecretLifetimeSnafu)?,
+                        )
                         .build()
                         .context(BuildSecretVolumeSnafu {
                             volume_name: TLS_STORE_VOLUME_NAME,