feat: Support setting TLS certificate lifetimes (#676)

* feat: Support setting TLS certificate lifetimes

* typo

* chore: bump op-rs

* cargo update -p rustls

* Update rust/crd/src/lib.rs

Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>

* rustfmt

---------

Co-authored-by: Sebastian Bernauer <sebastian.bernauer@stackable.de>

Author: razvan

CHANGELOG.md

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup
+  config property `requestedSecretLifetime`. This helps reduce frequent Pod restarts ([#676]).
+
 ### Fixed
 
 - Fix OIDC endpoint construction in case the `rootPath` does have a trailing slash ([#673]).
@@ -13,6 +18,7 @@ All notable changes to this project will be documented in this file.
 
 [#672]: https://github.com/stackabletech/trino-operator/pull/672
 [#673]: https://github.com/stackabletech/trino-operator/pull/673
+[#676]: https://github.com/stackabletech/trino-operator/pull/676
 
 ## [24.11.0] - 2024-11-18
 

Cargo.lock

@@ -24,12 +24,12 @@ serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 serde_yaml = "0.9"
 snafu = "0.8"
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.82.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.83.0" }
 product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" }
 strum = { version = "0.26", features = ["derive"] }
 tokio = { version = "1.40", features = ["full"] }
 tracing = "0.1"
 
-# [patch."https://github.com/stackabletech/operator-rs.git"]
-# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+#[patch."https://github.com/stackabletech/operator-rs.git"]
+#stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
 # stackable-operator = { path = "../operator-rs/crates/stackable-operator" }

Cargo.toml

@@ -297,6 +297,10 @@ spec:
                         queryMaxMemoryPerNode:
                           nullable: true
                           type: string
+                        requestedSecretLifetime:
+                          description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -566,6 +570,10 @@ spec:
                               queryMaxMemoryPerNode:
                                 nullable: true
                                 type: string
+                              requestedSecretLifetime:
+                                description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:
@@ -864,6 +872,10 @@ spec:
                         queryMaxMemoryPerNode:
                           nullable: true
                           type: string
+                        requestedSecretLifetime:
+                          description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -1133,6 +1145,10 @@ spec:
                               queryMaxMemoryPerNode:
                                 nullable: true
                                 type: string
+                              requestedSecretLifetime:
+                                description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:

deploy/helm/trino-operator/crds/crds.yaml

@@ -432,9 +432,15 @@ pub struct TrinoConfig {
     /// Time period Pods have to gracefully shut down, e.g. `30m`, `1h` or `2d`. Consult the operator documentation for details.
     #[fragment_attrs(serde(default))]
     pub graceful_shutdown_timeout: Option<Duration>,
+
+    /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
+    /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+    #[fragment_attrs(serde(default))]
+    pub requested_secret_lifetime: Option<Duration>,
 }
 
 impl TrinoConfig {
+    const DEFAULT_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
     fn default_config(
         cluster_name: &str,
         role: &TrinoRole,
@@ -472,6 +478,7 @@ impl TrinoConfig {
             query_max_memory: None,
             query_max_memory_per_node: None,
             graceful_shutdown_timeout: Some(graceful_shutdown_timeout),
+            requested_secret_lifetime: Some(Self::DEFAULT_SECRET_LIFETIME),
         }
     }
 }

rust/crd/src/lib.rs

@@ -124,6 +124,9 @@ const DOCKER_IMAGE_BASE_NAME: &str = "trino";
 #[strum_discriminants(derive(IntoStaticStr))]
 #[allow(clippy::enum_variant_names)]
 pub enum Error {
+    #[snafu(display("missing secret lifetime"))]
+    MissingSecretLifetime,
+
     #[snafu(display("object defines no namespace"))]
     ObjectHasNoNamespace,
 
@@ -944,13 +947,17 @@ fn build_rolegroup_statefulset(
             }),
     );
 
+    let requested_secret_lifetime = merged_config
+        .requested_secret_lifetime
+        .context(MissingSecretLifetimeSnafu)?;
     // add volume mounts depending on the client tls, internal tls, catalogs and authentication
     tls_volume_mounts(
         trino,
         &mut pod_builder,
         &mut cb_prepare,
         &mut cb_trino,
         catalogs,
+        &requested_secret_lifetime,
     )?;
 
     let mut prepare_args = vec![];
@@ -1486,13 +1493,18 @@ fn liveness_probe(trino: &TrinoCluster) -> Probe {
     }
 }
 
-fn create_tls_volume(volume_name: &str, tls_secret_class: &str) -> Result<Volume> {
+fn create_tls_volume(
+    volume_name: &str,
+    tls_secret_class: &str,
+    requested_secret_lifetime: &Duration,
+) -> Result<Volume> {
     Ok(VolumeBuilder::new(volume_name)
         .ephemeral(
             SecretOperatorVolumeSourceBuilder::new(tls_secret_class)
                 .with_pod_scope()
                 .with_node_scope()
                 .with_format(SecretFormat::TlsPkcs12)
+                .with_auto_tls_cert_lifetime(*requested_secret_lifetime)
                 .build()
                 .context(TlsCertSecretClassVolumeBuildSnafu)?,
         )
@@ -1505,6 +1517,7 @@ fn tls_volume_mounts(
     cb_prepare: &mut ContainerBuilder,
     cb_trino: &mut ContainerBuilder,
     catalogs: &[CatalogConfig],
+    requested_secret_lifetime: &Duration,
 ) -> Result<()> {
     if let Some(server_tls) = trino.get_server_tls() {
         cb_prepare
@@ -1514,7 +1527,11 @@ fn tls_volume_mounts(
             .add_volume_mount("server-tls-mount", STACKABLE_MOUNT_SERVER_TLS_DIR)
             .context(AddVolumeMountSnafu)?;
         pod_builder
-            .add_volume(create_tls_volume("server-tls-mount", server_tls)?)
+            .add_volume(create_tls_volume(
+                "server-tls-mount",
+                server_tls,
+                requested_secret_lifetime,
+            )?)
             .context(AddVolumeSnafu)?;
     }
 
@@ -1546,7 +1563,11 @@ fn tls_volume_mounts(
             .add_volume_mount("internal-tls-mount", STACKABLE_MOUNT_INTERNAL_TLS_DIR)
             .context(AddVolumeMountSnafu)?;
         pod_builder
-            .add_volume(create_tls_volume("internal-tls-mount", internal_tls)?)
+            .add_volume(create_tls_volume(
+                "internal-tls-mount",
+                internal_tls,
+                requested_secret_lifetime,
+            )?)
             .context(AddVolumeSnafu)?;
 
         cb_prepare