Let secret-op handle pkcs12 stores

[dervoeti]

Description

Fixes #502.

Keytool is used to set a password for the PKCS12 stores, because NiFi complains when no password is specified:

WARN [main] o.a.nifi.security.util.SslContextFactory Some truststore properties are populated (/stackable/server_tls/truststore.p12, ********, PKCS12) but not valid
Failed to start web server: Invalid nifi.web.https configuration in nifi.properties

At least I could not make it work without a password for the store.

Local Kuttl test for LDAP with TLS worked fine.

Not sure about the naming of STACKABLE_SERVER_TLS_DIR, I just used the same name that was used in the change for trino-operator. Might not be appropiate for NiFi.

Also: I don't think we need the random destination alias (as implemented in trino-operator) in this case, but please re-check this.

Definition of Done Checklist

• Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
• Please make sure all these things are done and tick the boxes

Author

Beta Give feedback

1. Changes are OpenShift compatible
2. CRD changes approved
3. Helm chart can be installed and deployed operator works
4. Integration tests passed (for non trivial changes)
5. Changes need to be "offline" compatible

Reviewer

Beta Give feedback

1. Code contains useful comments
2. (Integration-)Test cases added
3. Documentation added or updated
4. Changelog updated
5. Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

Beta Give feedback

1. Feature Tracker has been updated
2. Proper release label has been added

[dervoeti]

When stackabletech/secret-operator#314 is merged, we can probably get rid of the two keytool commands. I think the emptyDir volume is still needed, since an LDAP tls certificate might be added to the truststore (we should not write to the secret-op mount). But we could simply cp truststore.p12 to the emptyDir volume.

[maltesander]

When stackabletech/secret-operator#314 is merged, we can probably get rid of the two keytool commands. I think the emptyDir volume is still needed, since an LDAP tls certificate might be added to the truststore (we should not write to the secret-op mount). But we could simply cp truststore.p12 to the emptyDir volume.

Agreed, after operator-rs is released we can just copy. We need the password annotation though otherwise we cannot add the ldap cert.

[dervoeti]

@maltesander Thank you very much for the feedback, implemented all your suggestions. I also found a bug in the "create reporting task" job, which is a python script that needs the CA certificate to verify the server's identity. The certificate itself is not present anymore and has to be extracted from the PKCS12 store, which is now handled by keytool before the script runs.

[maltesander]

@maltesander Thank you very much for the feedback, implemented all your suggestions. I also found a bug in the "create reporting task" job, which is a python script that needs the CA certificate to verify the server's identity. The certificate itself is not present anymore and has to be extracted from the PKCS12 store, which is now handled by keytool before the script runs.

I think we can just mount the cert here directly since its an independent job/pod?

[maltesander]

Thanks, LGTM!