stackabletech / issues

This repository is only for issues that concern multiple repositories or don't fit into any specific repository

Let secret-operator handle PKCS#12 conversion in all operators #417

Closed sbernauer closed 11 months ago

sbernauer commented 1 year ago

Thanks to https://github.com/stackabletech/secret-operator/pull/286 we can simplify Pod startups, as we don't need to create truststores and keystores all over the place. It should also decrease Pod startup times a bit, as we don't rely on the JVM with CPU limits.

https://github.com/stackabletech/zookeeper-operator/pull/695 can serve as a template

### Tasks
- [ ] https://github.com/stackabletech/stackablectl/pull/284
- [x] airflow
- [ ] https://github.com/stackabletech/druid-operator/issues/468
- [x] hbase
- [ ] https://github.com/stackabletech/hdfs-operator/issues/386
- [x] hive
- [ ] https://github.com/stackabletech/kafka-operator/issues/618
- [ ] https://github.com/stackabletech/nifi-operator/issues/502
- [x] opa
- [ ] https://github.com/stackabletech/spark-k8s-operator/issues/282
- [x] superset
- [ ] https://github.com/stackabletech/trino-operator/issues/468
- [ ] https://github.com/stackabletech/zookeeper-operator/pull/695
- [x] commons
- [x] listener
- [x] secret
- [x] hello-world
- [x] edc
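
The change the task list tracks, shown as an added example that is not part of the issue or of any Stackable operator: the same Pod before and after letting secret-operator emit PKCS#12 directly. The "before" half builds the stores in an init container with `keytool` and `openssl`, which is what requires a JVM start (and an `openssl` binary) in every product image; the "after" half asks secret-operator for the `tls-pkcs12` format and mounts the result. The `secrets.stackable.tech/*` annotations follow the secret-operator's documented volume annotations as I understand them (check them against the docs of the version you run); the Pod name, image, mount paths and the `changeit` store password are assumptions for illustration.

```yaml
# Added example (not from the issue or from a Stackable operator).
#
# BEFORE: secret-operator mounts PEM files and an init container converts them
# with keytool/openssl. Needs a JDK (keytool) and openssl in the image, and the
# JVM start is slow under CPU limits.
apiVersion: v1
kind: Pod
metadata:
  name: tls-before                      # hypothetical name
spec:
  initContainers:
    - name: build-keystores
      image: example.invalid/product:1.0  # hypothetical image
      command:
        - /bin/bash
        - -c
        - |
          set -euo pipefail
          # trust the cluster CA
          keytool -importcert -noprompt -alias ca \
            -file /stackable/tls_pem/ca.crt \
            -keystore /stackable/tls_p12/truststore.p12 \
            -storetype PKCS12 -storepass changeit
          # bundle server key + chain into a keystore
          openssl pkcs12 -export \
            -in /stackable/tls_pem/tls.crt -inkey /stackable/tls_pem/tls.key \
            -name server -out /stackable/tls_p12/keystore.p12 \
            -passout pass:changeit
      volumeMounts:
        - { name: tls-pem, mountPath: /stackable/tls_pem }
        - { name: tls-p12, mountPath: /stackable/tls_p12 }
  containers:
    - name: product
      image: example.invalid/product:1.0
      volumeMounts:
        - { name: tls-p12, mountPath: /stackable/tls_p12 }
  volumes:
    - name: tls-p12
      emptyDir: {}
    - name: tls-pem
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: tls
              secrets.stackable.tech/scope: node,pod
          spec:
            storageClassName: secrets.stackable.tech
            accessModes: [ReadWriteOnce]
            resources: { requests: { storage: "1" } }
---
# AFTER: request PKCS#12 from secret-operator itself. No init container, no
# keytool, no openssl; the mount already contains keystore.p12 and
# truststore.p12.
apiVersion: v1
kind: Pod
metadata:
  name: tls-after                       # hypothetical name
spec:
  containers:
    - name: product
      image: example.invalid/product:1.0
      volumeMounts:
        - { name: tls, mountPath: /stackable/tls }
  volumes:
    - name: tls
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: tls
              secrets.stackable.tech/scope: node,pod
              secrets.stackable.tech/format: tls-pkcs12
              # optional override; "changeit" is assumed to be the default
              secrets.stackable.tech/tls-pkcs12-password: changeit
          spec:
            storageClassName: secrets.stackable.tech
            accessModes: [ReadWriteOnce]
            resources: { requests: { storage: "1" } }
```

Two practitioner notes. The store password in both halves is a well-known default, so the keystore's confidentiality comes from the ephemeral volume and the container's file permissions, not from the PKCS#12 password; treat the password as a format requirement, not a secret. And once the "after" form is in place, the PEM paths the old init container consumed (`ca.crt`, `tls.crt`, `tls.key` under the PEM mount) no longer exist in the Pod, which is the user-visible change the later comments in this thread discuss.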
maltesander commented 1 year ago

@sbernauer @lfrancke Not sure about the last item here "Remove unneeded stuff from our product docker images (e.g. openssl or keytool)". Keytool is included with Java, and I'm not sure we want to remove openssl since we sometimes add certs to the system truststore etc. manually. There are operators that do not do that for now, but I think it may happen that we just have to add it again in the future? Any opinions?

lfrancke commented 1 year ago

I did leave openssl in for now. I can't really judge whether it's really needed, sorry. I'm happy for you to make a decision

maltesander commented 1 year ago

Yeah, I'm for leaving it in as well. Could be useful for us as well as random user requirements. I'll mark that bullet point optional for now and maybe revisit.

lfrancke commented 1 year ago

The only downside is that openssl frequently has vulnerabilities. But let's leave it in for now and we can remove it later if needed.

maltesander commented 1 year ago

I'll make a list where we could remove it as of today and we can evaluate from operator to operator? I think e.g. NiFi will need it for sure?

lfrancke commented 11 months ago

This change should be transparent to the end-user, right?

maltesander commented 11 months ago

Yes, no CRD changes.

sbernauer commented 11 months ago

In 99% of the cases I would say yes. There could be the chance the users e.g. wrote Druid jobs that relied on /stackable/server_tls/ca.crt (or similar) being present, but I would consider this unlikely enough to not take any actions. And I would not consider this to be part of our public API

sbernauer commented 11 months ago

@maltesander I would offer to take care of switching the lakehouse spark job to use the keystore.

maltesander commented 11 months ago

All done!