Closed sbernauer closed 11 months ago
@sbernauer @lfrancke Not sure about the last item here "Remove unneeded stuff from our product docker images (e.g. openssl or keytool)". Keytool is included with Java, and I'm not sure we want to remove openssl since we sometimes add certs to the system truststore etc. manually. There are operators that do not do that for now, but I think it may happen that we just have to add it again in the future? Any opinions?
I did leave openssl in for now. I can't really judge whether it's really needed, sorry. I'm happy for you to make a decision
Yeah, I'm for leaving it in as well. Could be useful for us as well as for random user requirements. I'll mark that bullet point optional for now and maybe revisit.
The only downside is that openssl frequently has vulnerabilities. But let's leave it in for now and we can remove it later if needed.
I'll make a list of where we could remove it as of today and we can evaluate from operator to operator? I think e.g. NiFi will need it for sure?
This change should be transparent to the end-user, right?
Yes, no CRD changes.
In 99% of the cases I would say yes. There could be the chance that users e.g. wrote Druid jobs that relied on /stackable/server_tls/ca.crt (or similar) being present, but I would consider this unlikely enough to not take any action. And I would not consider this to be part of our public API.
@maltesander I would offer to take care of switching the lakehouse spark job to use the keystore.
All done!
Thanks to https://github.com/stackabletech/secret-operator/pull/286 we can simplify Pod startups, as we don't need to create trust and keystores all over the place. It should also decrease Pod startup times a bit, as we don't rely on the JVM with CPU limits.
https://github.com/stackabletech/zookeeper-operator/pull/695 can serve as a template.