Let secret-op handle pkcs12 stores #505
Conversation
When stackabletech/secret-operator#314 is merged, we can probably get rid of the two keytool commands. I think the emptyDir volume is still needed, since an LDAP TLS certificate might be added to the truststore (we should not write to the secret-op mount). But we could simply cp truststore.p12 to the emptyDir volume.
Agreed, after operator-rs is released we can just copy. We need the password annotation though, otherwise we cannot add the LDAP cert.
@maltesander Thank you very much for the feedback, implemented all your suggestions. I also found a bug in the "create reporting task" job, which is a Python script that needs the CA certificate to verify the server's identity. The certificate itself is not present anymore and has to be extracted from the PKCS12 store, which is now handled by keytool before the script runs.
I think we can just mount the cert here directly since it's an independent job/pod?
bc3bf6b to 272ee46 …into let-secret-op-create-pkcs12-stores
Thanks, LGTM!
Description
Fixes #502.
Keytool is used to set a password for the PKCS12 stores, because NiFi complains when no password is specified:
At least I could not make it work without a password for the store.
Local Kuttl test for LDAP with TLS worked fine.
Not sure about the naming of STACKABLE_SERVER_TLS_DIR, I just used the same name that was used in the change for trino-operator. Might not be appropriate for NiFi. Also: I don't think we need the random destination alias (as implemented in trino-operator) in this case, but please re-check this.