From 0dc39e125987767484cdb2b021d6356def842ea6 Mon Sep 17 00:00:00 2001 From: Siegfried Weber Date: Tue, 11 Mar 2025 12:55:43 +0100 Subject: [PATCH] Document and test the configuration option "requestedSecretLifetime" --- .../kafka/pages/usage-guide/security.adoc | 5 ++++ tests/templates/kuttl/smoke/30-assert.yaml.j2 | 25 +++++++++++++++++++ .../kuttl/smoke/30-install-kafka.yaml.j2 | 1 + 3 files changed, 31 insertions(+) diff --git a/docs/modules/kafka/pages/usage-guide/security.adoc b/docs/modules/kafka/pages/usage-guide/security.adoc index 8da828a9..ffe7b151 100644 --- a/docs/modules/kafka/pages/usage-guide/security.adoc +++ b/docs/modules/kafka/pages/usage-guide/security.adoc @@ -22,12 +22,16 @@ spec: serverSecretClass: tls # <1> internalSecretClass: kafka-internal-tls # <2> brokers: + config: + requestedSecretLifetime: 7d # <3> roleGroups: default: replicas: 3 ---- <1> The `spec.clusterConfig.tls.serverSecretClass` refers to the client-to-server encryption. Defaults to the `tls` secret. Can be deactivated by setting `serverSecretClass` to `null`. <2> The `spec.clusterConfig.tls.internalSecretClass` refers to the broker-to-broker internal encryption. This must be explicitly set or defaults to `tls`. May be disabled by setting `internalSecretClass` to `null`. +<3> The lifetime for autoTls certificates generated by the secret operator. + Only a lifetime up to the `maxCertificateLifetime` setting in the SecretClass is applied. The `tls` secret is deployed from the xref:secret-operator:index.adoc[Secret Operator] and looks like this: @@ -46,6 +50,7 @@ spec: name: secret-provisioner-tls-ca namespace: default autoGenerate: true + maxCertificateLifetime: 15d ---- You can create your own secrets and reference them e.g. in the `spec.clusterConfig.tls.serverSecretClass` or `spec.clusterConfig.tls.internalSecretClass` to use different certificates. 
diff --git a/tests/templates/kuttl/smoke/30-assert.yaml.j2 b/tests/templates/kuttl/smoke/30-assert.yaml.j2 index 0ec0ac65..1520c7dc 100644 --- a/tests/templates/kuttl/smoke/30-assert.yaml.j2 +++ b/tests/templates/kuttl/smoke/30-assert.yaml.j2 @@ -38,6 +38,31 @@ spec: memory: 128Mi {% endif %} terminationGracePeriodSeconds: 1800 + volumes: +{% if test_scenario['values']['use-client-tls'] == 'true' %} + - name: tls-kcat + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/backend.autotls.cert.lifetime: 7d + - name: tls-kafka-server + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/backend.autotls.cert.lifetime: 7d +{% endif %} + - name: tls-kafka-internal + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/backend.autotls.cert.lifetime: 7d + - name: log-config + - name: config + - name: listener-broker + - name: log status: readyReplicas: 1 replicas: 1 diff --git a/tests/templates/kuttl/smoke/30-install-kafka.yaml.j2 b/tests/templates/kuttl/smoke/30-install-kafka.yaml.j2 index baa74d42..9b5f2482 100644 --- a/tests/templates/kuttl/smoke/30-install-kafka.yaml.j2 +++ b/tests/templates/kuttl/smoke/30-install-kafka.yaml.j2 @@ -38,6 +38,7 @@ spec: config: logging: enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} + requestedSecretLifetime: 7d roleGroups: default: replicas: 1
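Review bot: The new `volumes` assertion pins the `secrets.stackable.tech/backend.autotls.cert.lifetime: 7d` annotation on each TLS PVC template, which only verifies that the operator propagated the requested lifetime, not that a certificate with that lifetime (or a shorter one, if the SecretClass's `maxCertificateLifetime` is lower) was actually issued. A comment above `volumes:` would keep readers from over-reading the check: `# asserts only the requested-lifetime annotation; the effective cert lifetime is capped by the SecretClass maxCertificateLifetime`. The trailing `log-config`, `config`, `listener-broker` and `log` entries carry no fields, presumably because kuttl matches arrays by position and length, so any volume the operator adds later will break this assert; a comment such as `# every pod volume must be listed: kuttl compares arrays element-for-element` would explain why the full list is enumerated. The `tls-kafka-internal` entry is asserted unconditionally, so this template assumes internal TLS is always on in the smoke scenario; confirm that matches the install step.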
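Review bot: `requestedSecretLifetime: 7d` is a bare literal that has to stay in sync with the `…backend.autotls.cert.lifetime: 7d` annotation asserted in 30-assert.yaml.j2, and nothing in the template ties the two values together. Hoisting the value into a Jinja variable shared by both templates, or at minimum a comment on the new line such as `# must match the autotls cert.lifetime annotation asserted in 30-assert.yaml.j2`, would prevent a silent divergence. It is also worth stating that this is a request rather than a guarantee, since the docs hunk says the value is capped by the SecretClass's `maxCertificateLifetime`: `# request only; the SecretClass maxCertificateLifetime caps the issued lifetime`. The enclosing `spec.brokers.config` block starts before this hunk.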