fix: Prevent missing certificates (#636)

sbernauer · web-flow · commit 6a7756003e7d · 2025-10-01T09:21:17.000Z
* chore: Use cert-tools to convert system truststore

* fix second keytool

* changelog
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,7 +8,16 @@ All notable changes to this project will be documented in this file.
 
 - Helm: Allow Pod `priorityClassName` to be configured ([#633]).
 
+### Fixed
+
+- Previously we had a bug that could lead to missing certificates ([#636]).
+
+  This could be the case when you specified multiple CAs in your SecretClass.
+  We now correctly handle multiple certificates in this cases.
+  See [this GitHub issue](https://github.com/stackabletech/issues/issues/764) for details
+
 [#633]: https://github.com/stackabletech/hive-operator/pull/633
+[#636]: https://github.com/stackabletech/hive-operator/pull/636
 
 ## [25.7.0] - 2025-07-23
 
diff --git a/rust/operator-binary/src/command.rs b/rust/operator-binary/src/command.rs
@@ -4,7 +4,7 @@ use crate::crd::{
     DB_PASSWORD_ENV, DB_PASSWORD_PLACEHOLDER, DB_USERNAME_ENV, DB_USERNAME_PLACEHOLDER,
     HIVE_METASTORE_LOG4J2_PROPERTIES, HIVE_SITE_XML, STACKABLE_CONFIG_DIR,
     STACKABLE_CONFIG_MOUNT_DIR, STACKABLE_LOG_CONFIG_MOUNT_DIR, STACKABLE_TRUST_STORE,
-    STACKABLE_TRUST_STORE_PASSWORD, SYSTEM_TRUST_STORE, SYSTEM_TRUST_STORE_PASSWORD, v1alpha1,
+    STACKABLE_TRUST_STORE_PASSWORD, v1alpha1,
 };
 
 pub fn build_container_command_args(
@@ -32,7 +32,7 @@ pub fn build_container_command_args(
         ),
         // Copy system truststore to stackable truststore
         format!(
-            "keytool -importkeystore -srckeystore {SYSTEM_TRUST_STORE} -srcstoretype jks -srcstorepass {SYSTEM_TRUST_STORE_PASSWORD} -destkeystore {STACKABLE_TRUST_STORE} -deststoretype pkcs12 -deststorepass {STACKABLE_TRUST_STORE_PASSWORD} -noprompt"
+            "cert-tools generate-pkcs12-truststore --pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem --out {STACKABLE_TRUST_STORE} --out-password {STACKABLE_TRUST_STORE_PASSWORD}"
         ),
     ];
 
@@ -44,9 +44,10 @@ pub fn build_container_command_args(
     }
 
     if let Some(s3) = s3_connection_spec {
-        if let Some(ca_cert) = s3.tls.tls_ca_cert_mount_path() {
-            // The alias can not clash, as we only support a single S3Connection
-            args.push(format!("keytool -importcert -file {ca_cert} -alias stackable-s3-ca-cert -keystore {STACKABLE_TRUST_STORE} -storepass {STACKABLE_TRUST_STORE_PASSWORD} -noprompt"));
+        if let Some(ca_cert_file) = s3.tls.tls_ca_cert_mount_path() {
+            args.push(format!(
+                "cert-tools generate-pkcs12-truststore --pkcs12 {STACKABLE_TRUST_STORE}:{STACKABLE_TRUST_STORE_PASSWORD} --pem {ca_cert_file} --out {STACKABLE_TRUST_STORE} --out-password {STACKABLE_TRUST_STORE_PASSWORD}"
+            ));
         }
     }
 
diff --git a/rust/operator-binary/src/crd/mod.rs b/rust/operator-binary/src/crd/mod.rs
@@ -62,8 +62,6 @@ pub const METRICS_PORT_NAME: &str = "metrics";
 pub const METRICS_PORT: u16 = 9084;
 
 // Certificates and trust stores
-pub const SYSTEM_TRUST_STORE: &str = "/etc/pki/java/cacerts";
-pub const SYSTEM_TRUST_STORE_PASSWORD: &str = "changeit";
 pub const STACKABLE_TRUST_STORE: &str = "/stackable/truststore.p12";
 pub const STACKABLE_TRUST_STORE_PASSWORD: &str = "changeit";
 
