stackabletech · sbernauer · Jun 22, 2022 · Jun 23, 2022 · Jun 27, 2022 · Jun 27, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,9 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Readiness probe added ([#241])
-- Support s3 path style access ([#245])
+- Support S3 path style access ([#245])
+- Support S3 TLS verification ([#255])
+- Support Druid 0.23.0 ([#255])
 
 ### Changed
 
@@ -24,6 +26,7 @@ All notable changes to this project will be documented in this file.
 [#241]: https://github.com/stackabletech/druid-operator/pull/241
 [#244]: https://github.com/stackabletech/druid-operator/pull/244
 [#245]: https://github.com/stackabletech/druid-operator/pull/245
+[#255]: https://github.com/stackabletech/druid-operator/pull/255
 
 ## [0.5.0] - 2022-03-15
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/docs/modules/ROOT/pages/usage.adoc b/docs/modules/ROOT/pages/usage.adoc
@@ -53,7 +53,7 @@ kind: DruidCluster
 metadata:
   name: simple-druid
 spec:
-  version: 0.22.1-authorizer0.1.0-stackable0.2.0
+  version: 0.23.0-stackable0.3.0
   zookeeperConfigMapName: simple-zk
   metadataStorageDatabase:
     dbType: postgresql

diff --git a/docs/modules/ROOT/partials/supported-versions.adoc b/docs/modules/ROOT/partials/supported-versions.adoc
@@ -3,3 +3,4 @@
 // Stackable Platform documentation.
 
 - 0.22.1
+- 0.23.0
diff --git a/examples/psql-s3/psql-s3-druid-cluster.yaml b/examples/psql-s3/psql-s3-druid-cluster.yaml
@@ -35,7 +35,7 @@ kind: DruidCluster
 metadata:
   name: psql-s3-druid
 spec:
-  version: 0.22.1-authorizer0.1.0-stackable0.2.0
+  version: 0.23.0-stackable0.3.0
   zookeeperConfigMapName: simple-druid-znode
   metadataStorageDatabase:
     dbType: postgresql

diff --git a/examples/psql/psql-hdfs-druid-cluster.yaml b/examples/psql/psql-hdfs-druid-cluster.yaml
@@ -27,7 +27,7 @@ kind: DruidCluster
 metadata:
   name: psql-druid
 spec:
-  version: 0.22.1-authorizer0.1.0-stackable0.2.0
+  version: 0.23.0-stackable0.3.0
   zookeeperConfigMapName: simple-druid-znode
   metadataStorageDatabase:
     dbType: postgresql

diff --git a/examples/simple-druid-cluster.yaml b/examples/simple-druid-cluster.yaml
@@ -47,7 +47,7 @@ kind: DruidCluster
 metadata:
   name: simple-derby-druid
 spec:
-  version: 0.22.1-authorizer0.1.0-stackable0.2.0
+  version: 0.23.0-stackable0.3.0
   zookeeperConfigMapName: simple-druid-znode
   metadataStorageDatabase:
     dbType: derby

diff --git a/rust/crd/Cargo.toml b/rust/crd/Cargo.toml
@@ -8,7 +8,7 @@ repository = "https://github.com/stackabletech/druid-operator"
 version = "0.6.0-nightly"
 
 [dependencies]
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.21.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.21.1" }
 
 semver = "1.0"
 serde = { version = "1.0", features = ["derive"] }

diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
@@ -2,6 +2,7 @@ use serde::{Deserialize, Serialize};
 use snafu::{ResultExt, Snafu};
 use stackable_operator::client::Client;
 use stackable_operator::commons::s3::{InlinedS3BucketSpec, S3BucketDef, S3ConnectionSpec};
+use stackable_operator::commons::tls::{CaCert, Tls, TlsServerVerification, TlsVerification};
 use stackable_operator::kube::ResourceExt;
 use stackable_operator::{
     commons::{opa::OpaConfig, s3::S3ConnectionDef},
@@ -21,6 +22,12 @@ pub const JVM_CONFIG: &str = "jvm.config";
 pub const RUNTIME_PROPS: &str = "runtime.properties";
 pub const LOG4J2_CONFIG: &str = "log4j2.xml";
 
+pub const SYSTEM_TRUST_STORE: &str = "/etc/pki/java/cacerts";
+pub const SYSTEM_TRUST_STORE_PASSWORD: &str = "changeit";
+pub const STACKABLE_TRUST_STORE: &str = "/stackable/truststore.p12";
+pub const STACKABLE_TRUST_STORE_PASSWORD: &str = "changeit";
+pub const CERTS_DIR: &str = "/stackable/certificates/";
+
 // port names
 pub const CONTAINER_HTTP_PORT: &str = "http";
 pub const CONTAINER_METRICS_PORT: &str = "metrics";
@@ -64,6 +71,8 @@ pub const MD_ST_HOST: &str = "druid.metadata.storage.connector.host";
 pub const MD_ST_PORT: &str = "druid.metadata.storage.connector.port";
 pub const MD_ST_USER: &str = "druid.metadata.storage.connector.user";
 pub const MD_ST_PASSWORD: &str = "druid.metadata.storage.connector.password";
+// indexer properties
+pub const INDEXER_JAVA_OPTS: &str = "druid.indexer.runner.javaOptsArray";
 // extra
 pub const CREDENTIALS_SECRET_PROPERTY: &str = "credentialsSecret";
 
@@ -178,21 +187,24 @@ impl DruidRole {
     }
 
     /// Returns the start commands for the different server types.
-    pub fn get_command(&self, mount_s3_credentials: bool) -> Vec<String> {
-        let mut shell_cmd = vec![];
-        if mount_s3_credentials {
-            shell_cmd.push(format!(
-                "export {env_var}=$(cat {secret_dir}/{file_name})",
-                env_var = ENV_S3_ACCESS_KEY,
-                secret_dir = S3_SECRET_DIR_NAME,
-                file_name = SECRET_KEY_S3_ACCESS_KEY
-            ));
-            shell_cmd.push(format!(
-                "export {env_var}=$(cat {secret_dir}/{file_name})",
-                env_var = ENV_S3_SECRET_KEY,
-                secret_dir = S3_SECRET_DIR_NAME,
-                file_name = SECRET_KEY_S3_SECRET_KEY
-            ));
+    pub fn get_command(&self, s3_connection: Option<&S3ConnectionSpec>) -> Vec<String> {
+        let mut shell_cmd = vec![format!("keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE} -srcstoretype jks -srcstorepass {SYSTEM_TRUST_STORE_PASSWORD} -destkeystore {STACKABLE_TRUST_STORE} -deststoretype pkcs12 -deststorepass {STACKABLE_TRUST_STORE_PASSWORD} -noprompt")];
+
+        if let Some(s3_connection) = s3_connection {
+            if let Some(Tls {
+                verification:
+                    TlsVerification::Server(TlsServerVerification {
+                        ca_cert: CaCert::SecretClass(secret_class),
+                    }),
+            }) = &s3_connection.tls
+            {
+                shell_cmd.push(format!("keytool -importcert -file /stackable/certificates/{secret_class}-tls-certificate/ca.crt -alias stackable-{secret_class} -keystore {STACKABLE_TRUST_STORE} -storepass {STACKABLE_TRUST_STORE_PASSWORD} -noprompt"));
+            }
+
+            if s3_connection.credentials.is_some() {
+                shell_cmd.push(format!("export {ENV_S3_ACCESS_KEY}=$(cat {S3_SECRET_DIR_NAME}/{SECRET_KEY_S3_ACCESS_KEY})"));
+                shell_cmd.push(format!("export {ENV_S3_SECRET_KEY}=$(cat {S3_SECRET_DIR_NAME}/{SECRET_KEY_S3_SECRET_KEY})"));
+            }
         }
         shell_cmd.push(format!(
             "{} {} {}",
@@ -488,6 +500,19 @@ impl Configuration for DruidConfig {
                     PROMETHEUS_PORT.to_string(),
                     Some(DRUID_METRICS_PORT.to_string()),
                 );
+                // Role-specific config
+                if role == DruidRole::MiddleManager {
+                    // When we start ingestion jobs they will run as new JVM processes.
+                    // We need to set this config to pass the custom truststore not only to the Druid roles but also to the started ingestion jobs.
+                    result.insert(
+                        INDEXER_JAVA_OPTS.to_string(),
+                        Some(build_string_list(&[
+                            format!("-Djavax.net.ssl.trustStore={STACKABLE_TRUST_STORE}"),
+                            format!("-Djavax.net.ssl.trustStorePassword={STACKABLE_TRUST_STORE_PASSWORD}"),
+                            "-Djavax.net.ssl.trustStoreType=pkcs12".to_string()
+                        ]))
+                    );
+                }
             }
             LOG4J2_CONFIG => {}
             _ => {}

diff --git a/rust/operator-binary/Cargo.toml b/rust/operator-binary/Cargo.toml
@@ -8,12 +8,13 @@ repository = "https://github.com/stackabletech/druid-operator"
 version = "0.6.0-nightly"
 
 [dependencies]
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.21.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.21.1" }
 stackable-druid-crd = { path = "../crd" }
 anyhow = "1.0"
 clap = "3.2"
 fnv = "1.0"
 futures = { version = "0.3", features = ["compat"] }
+indoc = "1.0.6"
 pin-project = "1.0"
 semver = "1.0"
 serde = "1.0"
@@ -26,5 +27,5 @@ tracing = "0.1"
 
 [build-dependencies]
 built = { version =  "0.5", features = ["chrono", "git2"] }
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.21.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "0.21.1" }
 stackable-druid-crd = { path = "../crd" }
diff --git a/rust/operator-binary/src/config.rs b/rust/operator-binary/src/config.rs
@@ -1,55 +1,58 @@
-use stackable_druid_crd::DruidRole;
+use indoc::formatdoc;
+use stackable_druid_crd::{DruidRole, STACKABLE_TRUST_STORE, STACKABLE_TRUST_STORE_PASSWORD};
 
 pub fn get_jvm_config(role: &DruidRole) -> String {
-    let common_props = "
-    -server
-    -Duser.timezone=UTC
-    -Dfile.encoding=UTF-8
-    -Djava.io.tmpdir=/tmp
-    -Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
-    -XX:+UseG1GC
-    -XX:+ExitOnOutOfMemoryError
-    ";
+    let common_config = formatdoc! {"
+      -server
+      -Duser.timezone=UTC
+      -Dfile.encoding=UTF-8
+      -Djava.io.tmpdir=/tmp
+      -Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
+      -XX:+UseG1GC
+      -XX:+ExitOnOutOfMemoryError
+      -Djavax.net.ssl.trustStore={STACKABLE_TRUST_STORE}
+      -Djavax.net.ssl.trustStorePassword={STACKABLE_TRUST_STORE_PASSWORD}
+      -Djavax.net.ssl.trustStoreType=pkcs12"};
 
     match role {
         DruidRole::Broker => {
-            common_props.to_string()
-                + "
-            -Xms512m
-            -Xmx512m
-            -XX:MaxDirectMemorySize=400m
-        "
+            formatdoc! {"
+              {common_config}
+              -Xms512m
+              -Xmx512m
+              -XX:MaxDirectMemorySize=400m
+            "}
         }
         DruidRole::Coordinator => {
-            common_props.to_string()
-                + "
-            -Xms256m
-            -Xmx256m
-            -Dderby.stream.error.file=/stackable/var/druid/derby.log
-        "
+            formatdoc! {"
+              {common_config}
+              -Xms256m
+              -Xmx256m
+              -Dderby.stream.error.file=/stackable/var/druid/derby.log
+            "}
         }
         DruidRole::Historical => {
-            common_props.to_string()
-                + "
-            -Xms512m
-            -Xmx512m
-            -XX:MaxDirectMemorySize=400m
-        "
+            formatdoc! {"
+              {common_config}
+              -Xms512m
+              -Xmx512m
+              -XX:MaxDirectMemorySize=400m
+            "}
         }
         DruidRole::MiddleManager => {
-            common_props.to_string()
-                + "
-            -Xms64m
-            -Xmx64m
-        "
+            formatdoc! {"
+              {common_config}
+              -Xms64m
+              -Xmx64m
+            "}
         }
         DruidRole::Router => {
-            common_props.to_string()
-                + "
-            -Xms128m
-            -Xmx128m
-            -XX:MaxDirectMemorySize=128m
-        "
+            formatdoc! {"
+              {common_config}
+              -Xms128m
+              -Xmx128m
+              -XX:MaxDirectMemorySize=128m
+            "}
         }
     }
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,3 +3,4 @@
		// Stackable Platform documentation.

		- 0.22.1
		- 0.23.0