diff --git a/rust/crd/src/authentication/ldap.rs b/rust/crd/src/authentication/ldap.rs index 6ba1e0cc..65a07838 100644 --- a/rust/crd/src/authentication/ldap.rs +++ b/rust/crd/src/authentication/ldap.rs @@ -6,9 +6,9 @@ use stackable_operator::commons::authentication::AuthenticationClassProvider; use stackable_operator::kube::ResourceExt; use crate::authentication::ResolvedAuthenticationClasses; -use crate::{ - security::{add_cert_to_trust_store_cmd, STACKABLE_TLS_DIR, TLS_STORE_PASSWORD}, - ENV_INTERNAL_SECRET, RUNTIME_PROPS, RW_CONFIG_DIRECTORY, +use crate::security::{ + add_cert_to_trust_store_cmd, ESCALATOR_INTERNAL_CLIENT_PASSWORD_ENV, + INTERNAL_INITIAL_CLIENT_PASSWORD_ENV, STACKABLE_TLS_DIR, TLS_STORE_PASSWORD, }; #[derive(Snafu, Debug)] @@ -25,11 +25,6 @@ pub struct DruidLdapSettings { pub authentication_class_name: String, } -pub const PLACEHOLDER_INTERNAL_CLIENT_PASSWORD: &str = - "xxx_druid_system_internal_client_password_xxx"; -pub const PLACEHOLDER_LDAP_BIND_PASSWORD: &str = "xxx_ldap_bind_password_xxx"; -pub const PLACEHOLDER_LDAP_BIND_USER: &str = "xxx_ldap_bind_user_xxx"; - impl DruidLdapSettings { pub fn new_from( resolved_authentication_config: &ResolvedAuthenticationClasses, @@ -63,7 +58,7 @@ impl DruidLdapSettings { config.insert( format!("{PREFIX}.initialInternalClientPassword"), - Some(PLACEHOLDER_INTERNAL_CLIENT_PASSWORD.to_string()), + Some(format!("${{env:{INTERNAL_INITIAL_CLIENT_PASSWORD_ENV}}}").to_string()), ); config.insert( format!("{PREFIX}.authorizerName"), 
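Review bot: The `.to_string()` on the new `initialInternalClientPassword` value is redundant, because `format!` already returns a `String` and the call only makes a second copy. Write it as `Some(format!("${{env:{INTERNAL_INITIAL_CLIENT_PASSWORD_ENV}}}"))`, which is the form the metadata-storage hunk in lib.rs already uses. The same applies to the `bindUser`, `bindPassword` and `druid.escalator.internalClientPassword` inserts in the next two hunks of this file. The enclosing function starts and ends outside this hunk.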
@@ -97,14 +92,16 @@ impl DruidLdapSettings { ), ); - if self.ldap.bind_credentials_mount_paths().is_some() { + if let Some((ldap_bind_user_path, ldap_bind_password_path)) = + self.ldap.bind_credentials_mount_paths() + { config.insert( format!("{PREFIX}.credentialsValidator.bindUser"), - Some(PLACEHOLDER_LDAP_BIND_USER.to_string()), // NOTE: this placeholder will be replaced from a mounted secret operator volume on container startup + Some(format!("${{file:UTF-8:{ldap_bind_user_path}}}").to_string()), ); config.insert( format!("{PREFIX}.credentialsValidator.bindPassword"), - Some(PLACEHOLDER_LDAP_BIND_PASSWORD.to_string()), // NOTE: this placeholder will be replaced from a mounted secret operator volume on container startup + Some(format!("${{file:UTF-8:{ldap_bind_password_path}}}").to_string()), ); } @@ -139,7 +136,7 @@ impl DruidLdapSettings { ); config.insert( "druid.escalator.internalClientPassword".to_string(), - Some(PLACEHOLDER_INTERNAL_CLIENT_PASSWORD.to_string()), + Some(format!("${{env:{ESCALATOR_INTERNAL_CLIENT_PASSWORD_ENV}}}").to_string()), ); config.insert( "druid.escalator.authorizerName".to_string(), 
@@ -180,35 +177,6 @@ impl DruidLdapSettings { Ok(config) } - pub fn main_container_commands(&self) -> Vec { - let mut commands = Vec::new(); - - let runtime_properties_file: String = format!("{RW_CONFIG_DIRECTORY}/{RUNTIME_PROPS}"); - let internal_client_password = format!("$(echo ${ENV_INTERNAL_SECRET})"); - - commands - .push(format!("echo \"Replacing LDAP placeholders with their proper values in {runtime_properties_file}\"")); - commands.push(format!( - r#"sed "s|{PLACEHOLDER_INTERNAL_CLIENT_PASSWORD}|{internal_client_password}|g" -i {runtime_properties_file}"# // using another delimiter (|) here because of base64 string - )); - - if let Some((ldap_bind_user_path, ldap_bind_password_path)) = - self.ldap.bind_credentials_mount_paths() - { - let ldap_bind_user = format!("$(cat {ldap_bind_user_path})"); - let ldap_bind_password = format!("$(cat {ldap_bind_password_path})"); - - commands.push(format!( - r#"sed "s/{PLACEHOLDER_LDAP_BIND_USER}/{ldap_bind_user}/g" -i {runtime_properties_file}"# - )); - commands.push(format!( - r#"sed "s/{PLACEHOLDER_LDAP_BIND_PASSWORD}/{ldap_bind_password}/g" -i {runtime_properties_file}"# - )); - } - - commands - } - pub fn prepare_container_commands(&self) -> Vec { let mut command = vec![]; if let Some(tls_ca_cert_mount_path) = self.ldap.tls.tls_ca_cert_mount_path() { diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index ce476623..f36e2cd0 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs @@ -93,6 +93,8 @@ pub const DS_DIRECTORY: &str = "druid.storage.storageDirectory"; pub const DS_BUCKET: &str = "druid.storage.bucket"; pub const DS_BASE_KEY: &str = "druid.storage.baseKey"; pub const S3_ENDPOINT_URL: &str = "druid.s3.endpoint.url"; +pub const S3_ACCESS_KEY: &str = "druid.s3.accessKey"; +pub const S3_SECRET_KEY: &str = "druid.s3.secretKey"; pub const S3_PATH_STYLE_ACCESS: &str = "druid.s3.enablePathStyleAccess"; // OPA pub const AUTH_AUTHORIZERS: &str = "druid.auth.authorizers"; 
@@ -125,20 +127,14 @@ pub const PROMETHEUS_PORT: &str = "druid.emitter.prometheus.port"; pub const METRICS_PORT: u16 = 9090; // container locations pub const S3_SECRET_DIR_NAME: &str = "/stackable/secrets"; -const ENV_S3_ACCESS_KEY: &str = "AWS_ACCESS_KEY_ID"; -const ENV_S3_SECRET_KEY: &str = "AWS_SECRET_ACCESS_KEY"; -const SECRET_KEY_S3_ACCESS_KEY: &str = "accessKey"; -const SECRET_KEY_S3_SECRET_KEY: &str = "secretKey"; +pub const SECRET_KEY_S3_ACCESS_KEY: &str = "accessKey"; +pub const SECRET_KEY_S3_SECRET_KEY: &str = "secretKey"; // segment storage pub const SC_LOCATIONS: &str = "druid.segmentCache.locations"; pub const SC_DIRECTORY: &str = "/stackable/var/druid/segment-cache"; pub const SC_VOLUME_NAME: &str = "segment-cache"; -pub const ENV_INTERNAL_SECRET: &str = "INTERNAL_SECRET"; - -// DB credentials -pub const DB_USERNAME_PLACEHOLDER: &str = "xxx_db_username_xxx"; -pub const DB_PASSWORD_PLACEHOLDER: &str = "xxx_db_password_xxx"; +// DB credentials - both of these are read from an env var by Druid with the ${env:...} syntax pub const DB_USERNAME_ENV: &str = "DB_USERNAME_ENV"; pub const DB_PASSWORD_ENV: &str = "DB_PASSWORD_ENV"; @@ -158,16 +154,21 @@ pub enum Error { ResolveS3Connection { source: stackable_operator::commons::s3::Error, }, + #[snafu(display("failed to resolve S3 bucket"))] ResolveS3Bucket { source: stackable_operator::commons::s3::Error, }, + #[snafu(display("2 differing s3 connections were given, this is unsupported by Druid"))] IncompatibleS3Connections, + #[snafu(display("the role group {rolegroup_name} is not defined"))] CannotRetrieveRoleGroup { rolegroup_name: String }, + #[snafu(display("missing namespace for resource {name}"))] MissingNamespace { name: String }, + #[snafu(display("fragment validation failure"))] FragmentValidationFailure { source: ValidationError }, } 
@@ -518,7 +519,6 @@ impl DruidRole { pub fn main_container_prepare_commands( &self, s3_connection: Option<&S3ConnectionSpec>, - credentials_secret: Option<&String>, ) -> Vec { let mut commands = vec![]; @@ -532,11 +532,6 @@ impl DruidRole { { commands.push(format!("keytool -importcert -file {CERTS_DIR}/{secret_class}-tls-certificate/ca.crt -alias stackable-{secret_class} -keystore {STACKABLE_TRUST_STORE} -storepass {STACKABLE_TRUST_STORE_PASSWORD} -noprompt")); } - - if s3_connection.credentials.is_some() { - commands.push(format!("export {ENV_S3_ACCESS_KEY}=$(cat {S3_SECRET_DIR_NAME}/{SECRET_KEY_S3_ACCESS_KEY})")); - commands.push(format!("export {ENV_S3_SECRET_KEY}=$(cat {S3_SECRET_DIR_NAME}/{SECRET_KEY_S3_SECRET_KEY})")); - } } // copy druid config to rw config @@ -560,14 +555,11 @@ impl DruidRole { rw_conf = RW_CONFIG_DIRECTORY, )); - // db credentials - if credentials_secret.is_some() { - commands.extend([ - format!("echo replacing {DB_USERNAME_PLACEHOLDER} and {DB_PASSWORD_PLACEHOLDER} with secret values."), - format!("sed -i \"s|{DB_USERNAME_PLACEHOLDER}|${DB_USERNAME_ENV}|g\" {RW_CONFIG_DIRECTORY}/{RUNTIME_PROPS}"), - format!("sed -i \"s|{DB_PASSWORD_PLACEHOLDER}|${DB_PASSWORD_ENV}|g\" {RW_CONFIG_DIRECTORY}/{RUNTIME_PROPS}"), - ]); - } + commands.extend([ + format!("config-utils template {RW_CONFIG_DIRECTORY}/runtime.properties",), + format!("if test -f {RW_CONFIG_DIRECTORY}/core-site.xml; then config-utils template {RW_CONFIG_DIRECTORY}/core-site.xml; fi",), + format!("if test -f {RW_CONFIG_DIRECTORY}/hdfs-site.xml; then config-utils template {RW_CONFIG_DIRECTORY}/hdfs-site.xml; fi",), + ]); commands } 
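Review bot: The new `config-utils template {RW_CONFIG_DIRECTORY}/runtime.properties` command hard-codes the file name, while the removed lines built the same path from `{RW_CONFIG_DIRECTORY}/{RUNTIME_PROPS}`. Keeping the constant stops the two from drifting apart: `format!("config-utils template {RW_CONFIG_DIRECTORY}/{RUNTIME_PROPS}")`, and the trailing comma inside each `format!(…,)` can go. Templating is now the only step that puts credentials into the config, and whether a failed substitution aborts container start is not visible in this hunk. If the command list is not run with fail-fast shell options, Druid would presumably start with the literal `${env:…}` text as its credential values, so that is worth confirming or stating in a comment. The body of `main_container_prepare_commands` starts outside this hunk.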
@@ -631,11 +623,11 @@ impl DruidCluster { if mds.credentials_secret.is_some() { result.insert( METADATA_STORAGE_USER.to_string(), - Some(DB_USERNAME_PLACEHOLDER.into()), + Some(format!("${{env:{DB_USERNAME_ENV}}}")), ); result.insert( METADATA_STORAGE_PASSWORD.to_string(), - Some(DB_PASSWORD_PLACEHOLDER.into()), + Some(format!("${{env:{DB_PASSWORD_ENV}}}")), ); } diff --git a/rust/crd/src/security.rs b/rust/crd/src/security.rs index be8b6bab..2b88019e 100644 --- a/rust/crd/src/security.rs +++ b/rust/crd/src/security.rs @@ -101,6 +101,10 @@ pub const STACKABLE_TLS_DIR: &str = "/stackable/tls"; const TLS_VOLUME_NAME: &str = "tls"; const TLS_MOUNT_VOLUME_NAME: &str = "tls-mount"; +pub const INTERNAL_INITIAL_CLIENT_PASSWORD_ENV: &str = "INTERNAL_INITIAL_CLIENT_PASSWORD"; +// It seems this needs to be the same password for Druid to work, so we re-use the existing env variable from above. +pub const ESCALATOR_INTERNAL_CLIENT_PASSWORD_ENV: &str = INTERNAL_INITIAL_CLIENT_PASSWORD_ENV; + impl DruidTlsSecurity { pub fn new( resolved_authentication_classes: ResolvedAuthenticationClasses, diff --git a/rust/operator-binary/src/druid_controller.rs b/rust/operator-binary/src/druid_controller.rs index 53e2c208..903f9f97 100644 --- a/rust/operator-binary/src/druid_controller.rs +++ b/rust/operator-binary/src/druid_controller.rs 
@@ -16,13 +16,16 @@ use stackable_druid_crd::{ authentication::ldap::DruidLdapSettings, authorization::DruidAuthorization, build_recommended_labels, build_string_list, - security::{resolve_authentication_classes, DruidTlsSecurity}, + security::{ + resolve_authentication_classes, DruidTlsSecurity, INTERNAL_INITIAL_CLIENT_PASSWORD_ENV, + }, CommonRoleGroupConfig, Container, DeepStorageSpec, DruidCluster, DruidClusterStatus, DruidRole, APP_NAME, AUTH_AUTHORIZER_OPA_URI, CERTS_DIR, CREDENTIALS_SECRET_PROPERTY, DB_PASSWORD_ENV, - DB_USERNAME_ENV, DRUID_CONFIG_DIRECTORY, DS_BUCKET, ENV_INTERNAL_SECRET, EXTENSIONS_LOADLIST, - HDFS_CONFIG_DIRECTORY, JVM_CONFIG, JVM_SECURITY_PROPERTIES_FILE, LOG_CONFIG_DIRECTORY, LOG_DIR, - MAX_DRUID_LOG_FILES_SIZE, RUNTIME_PROPS, RW_CONFIG_DIRECTORY, S3_ENDPOINT_URL, - S3_PATH_STYLE_ACCESS, S3_SECRET_DIR_NAME, ZOOKEEPER_CONNECTION_STRING, + DB_USERNAME_ENV, DRUID_CONFIG_DIRECTORY, DS_BUCKET, EXTENSIONS_LOADLIST, HDFS_CONFIG_DIRECTORY, + JVM_CONFIG, JVM_SECURITY_PROPERTIES_FILE, LOG_CONFIG_DIRECTORY, LOG_DIR, + MAX_DRUID_LOG_FILES_SIZE, RUNTIME_PROPS, RW_CONFIG_DIRECTORY, S3_ACCESS_KEY, S3_ENDPOINT_URL, + S3_PATH_STYLE_ACCESS, S3_SECRET_DIR_NAME, S3_SECRET_KEY, SECRET_KEY_S3_ACCESS_KEY, + SECRET_KEY_S3_SECRET_KEY, ZOOKEEPER_CONNECTION_STRING, }; use stackable_operator::{ builder::{ @@ -711,6 +714,21 @@ fn build_rolegroup_config_map( conf.insert(S3_ENDPOINT_URL.to_string(), Some(endpoint)); } + if conn.credentials.is_some() { + conf.insert( + S3_ACCESS_KEY.to_string(), + Some(format!( + "${{file:UTF-8:{S3_SECRET_DIR_NAME}/{SECRET_KEY_S3_ACCESS_KEY}}}" + )), + ); + conf.insert( + S3_SECRET_KEY.to_string(), + Some(format!( + "${{file:UTF-8:{S3_SECRET_DIR_NAME}/{SECRET_KEY_S3_SECRET_KEY}}}" + )), + ); + } + // We did choose a match statement here to detect new access styles in the future let path_style_access = match conn.access_style.clone().unwrap_or_default() { S3AccessStyle::Path => true, 
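Review bot: The new `if conn.credentials.is_some()` block lacks a comment saying where the S3 keys end up after templating. The `${file:UTF-8:…}` references keep the keys out of the ConfigMap, but once the template step resolves them they presumably sit in clear text in the writable runtime.properties, whereas the removed code only exported them into the process environment. Add something like `// Resolved at container start; the rendered file then holds the S3 keys in clear text, so the rw config volume must not be shared with sidecars.` The block also assumes the secret is mounted at `S3_SECRET_DIR_NAME` whenever credentials are set, which happens outside this hunk. `build_rolegroup_config_map` starts and ends outside the hunk.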
@@ -915,8 +933,7 @@ fn build_rolegroup_statefulset( .metadata_storage_database .credentials_secret .as_ref(); - let mut main_container_commands = - role.main_container_prepare_commands(s3_conn, credentials_secret); + let mut main_container_commands = role.main_container_prepare_commands(s3_conn); let mut prepare_container_commands = vec![]; if let Some(ContainerLogConfig { choice: Some(ContainerLogConfigChoice::Automatic(log_config)), @@ -949,7 +966,6 @@ fn build_rolegroup_statefulset( .context(AddLdapVolumesSnafu)?; prepare_container_commands.extend(ldap_settings.prepare_container_commands()); - main_container_commands.extend(ldap_settings.main_container_commands()); } // volume and volume mounts @@ -1007,7 +1023,11 @@ fn build_rolegroup_statefulset( .collect::>(); let secret_name = build_shared_internal_secret_name(druid); - rest_env.push(env_var_from_secret(&secret_name, None, ENV_INTERNAL_SECRET)); + rest_env.push(env_var_from_secret( + &secret_name, + None, + INTERNAL_INITIAL_CLIENT_PASSWORD_ENV, + )); // load database credentials to environment variables: these will be used to replace // the placeholders in runtime.properties so that the operator does not "touch" the secret. diff --git a/rust/operator-binary/src/internal_secret.rs b/rust/operator-binary/src/internal_secret.rs index a47471c6..a2d050ee 100644 --- a/rust/operator-binary/src/internal_secret.rs +++ b/rust/operator-binary/src/internal_secret.rs 
@@ -1,11 +1,12 @@ use snafu::{OptionExt, ResultExt, Snafu}; -use stackable_druid_crd::{DruidCluster, ENV_INTERNAL_SECRET}; +use stackable_druid_crd::security::INTERNAL_INITIAL_CLIENT_PASSWORD_ENV; +use stackable_druid_crd::DruidCluster; use stackable_operator::k8s_openapi::api::core::v1::{EnvVar, EnvVarSource, SecretKeySelector}; use stackable_operator::kube::ResourceExt; use stackable_operator::{ builder::meta::ObjectMetaBuilder, client::Client, k8s_openapi::api::core::v1::Secret, }; -use std::collections::BTreeMap; +use std::collections::{BTreeMap, HashSet}; use strum::{EnumDiscriminants, IntoStaticStr}; #[derive(Snafu, Debug, EnumDiscriminants)] @@ -16,12 +17,20 @@ pub enum Error { ApplyInternalSecret { source: stackable_operator::client::Error, }, + + #[snafu(display("failed to delete internal secret"))] + DeleteInternalSecret { + source: stackable_operator::client::Error, + }, + #[snafu(display("failed to retrieve secret for internal communications"))] FailedToRetrieveInternalSecret { source: stackable_operator::client::Error, }, + #[snafu(display("object defines no namespace"))] ObjectHasNoNamespace, + #[snafu(display("object is missing metadata to build owner reference"))] ObjectMissingMetadataForOwnerRef { source: stackable_operator::builder::meta::Error, @@ -34,7 +43,7 @@ pub async fn create_shared_internal_secret( controller_name: &str, ) -> Result<(), Error> { let secret = build_shared_internal_secret(druid)?; - if client + let existing_secret = client .get_opt::( &secret.name_any(), secret 
@@ -43,13 +52,76 @@ pub async fn create_shared_internal_secret( .context(ObjectHasNoNamespaceSnafu)?, ) .await - .context(FailedToRetrieveInternalSecretSnafu)? - .is_none() - { - client - .apply_patch(controller_name, &secret, &secret) - .await - .context(ApplyInternalSecretSnafu)?; + .context(FailedToRetrieveInternalSecretSnafu)?; + + match existing_secret { + None => { + tracing::info!( + secret_name = secret.name_any(), + "Did not found a shared internal secret with the necessary data, creating one" + ); + client + .apply_patch(controller_name, &secret, &secret) + .await + .context(ApplyInternalSecretSnafu)?; + } + Some(existing_secret) => { + if existing_secret.immutable == Some(true) { + // Before 2024-06-25 we did set `spec.immutable` to avoid accidentally changing the contents. Which was + // great back than, *but* we now need something more flexible. AFAIK we can not make the Secret mutable, + // so there seems to be no other way than to re-create it. We *could* read in the contents and use them + // during the re-creation (so we don't change the contents to avoid downtime), but we strive that our + // operators don't handle Secret contents and it's a one time migration thing. + + tracing::warn!( + secret_name = secret.name_any(), + "Shared internal secret found, which is immutable. Re-creating it, as we can not modify it. This \ + should only happen once and will change the contents of the Secret. 
This might cause a short \ + downtime of Druid, as the changed internal Secrets need to propagate through all Druid nodes" + ); + + client + .delete(&secret) + .await + .context(DeleteInternalSecretSnafu)?; + + client + .apply_patch(controller_name, &secret, &secret) + .await + .context(ApplyInternalSecretSnafu)?; + return Ok(()); + } + + let current_secret_keys = existing_secret + .data + .unwrap_or_default() + .into_keys() + .collect::>(); + for required in secret + .string_data + .as_ref() + .expect("Secret data must be set by the `build_shared_internal_secret` function") + .keys() + { + if !current_secret_keys.contains(required) { + tracing::info!( + secret_name = secret.name_any(), + "Found shared internal secret, which is missing the key {required}, patching it" + ); + tracing::warn!( + secret_name = secret.name_any(), + "Found shared internal secret, which is missing the key {required}, patching it. This \ + should only happen once and will change the contents of the Secret. This might cause a short \ + downtime of Druid, as the changed internal Secrets need to propagate through all Druid nodes" + ); + client + .apply_patch(controller_name, &secret, &secret) + .await + .context(ApplyInternalSecretSnafu)?; + return Ok(()); + } + } + } } Ok(()) @@ -57,10 +129,12 @@ pub async fn create_shared_internal_secret( pub fn build_shared_internal_secret(druid: &DruidCluster) -> Result { let mut internal_secret = BTreeMap::new(); - internal_secret.insert(ENV_INTERNAL_SECRET.to_string(), get_random_base64()); + internal_secret.insert( + INTERNAL_INITIAL_CLIENT_PASSWORD_ENV.to_string(), + get_random_base64(), + ); Ok(Secret { - immutable: Some(true), metadata: ObjectMetaBuilder::new() .name(build_shared_internal_secret_name(druid)) .namespace_opt(druid.namespace()) diff --git a/tests/templates/kuttl/authorizer/05-checks-container.yaml b/tests/templates/kuttl/authorizer/05-checks-container.yaml index 24734226..dd9ecb77 100644 
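Review bot: In the missing-key branch of `create_shared_internal_secret` the same event is logged twice, first with `tracing::info!` and then with `tracing::warn!`; drop the `info!` call so the warning stands alone. The message in the `None` branch should read `"Did not find a shared internal secret with the necessary data, creating one"`. In the immutable branch `client.delete(&secret)` is followed directly by `apply_patch`, and this hunk does not show whether the delete has completed by then. A comment there should say that a failed apply is recovered by the `None` branch on the next reconcile. Applying `secret` also overwrites every key in `string_data` with a newly generated value, which is harmless with one key but would rotate unrelated keys once more are added.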
--- a/tests/templates/kuttl/authorizer/05-checks-container.yaml +++ b/tests/templates/kuttl/authorizer/05-checks-container.yaml @@ -19,3 +19,4 @@ spec: - name: checks image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev command: ["sleep", "infinity"] + terminationGracePeriodSeconds: 1 diff --git a/tests/templates/kuttl/hdfs-deep-storage/04-checks-container.yaml b/tests/templates/kuttl/hdfs-deep-storage/04-checks-container.yaml index 24734226..dd9ecb77 100644 --- a/tests/templates/kuttl/hdfs-deep-storage/04-checks-container.yaml +++ b/tests/templates/kuttl/hdfs-deep-storage/04-checks-container.yaml @@ -19,3 +19,4 @@ spec: - name: checks image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev command: ["sleep", "infinity"] + terminationGracePeriodSeconds: 1 diff --git a/tests/templates/kuttl/ingestion-no-s3-ext/04-checks-container.yaml b/tests/templates/kuttl/ingestion-no-s3-ext/04-checks-container.yaml index 24734226..dd9ecb77 100644 --- a/tests/templates/kuttl/ingestion-no-s3-ext/04-checks-container.yaml +++ b/tests/templates/kuttl/ingestion-no-s3-ext/04-checks-container.yaml @@ -19,3 +19,4 @@ spec: - name: checks image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev command: ["sleep", "infinity"] + terminationGracePeriodSeconds: 1 diff --git a/tests/templates/kuttl/ingestion-s3-ext/04-checks-container.yaml b/tests/templates/kuttl/ingestion-s3-ext/04-checks-container.yaml index 24734226..dd9ecb77 100644 --- a/tests/templates/kuttl/ingestion-s3-ext/04-checks-container.yaml +++ b/tests/templates/kuttl/ingestion-s3-ext/04-checks-container.yaml @@ -19,3 +19,4 @@ spec: - name: checks image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev command: ["sleep", "infinity"] + terminationGracePeriodSeconds: 1 
diff --git a/tests/templates/kuttl/ldap-authentication/04-assert-ldap-user.yaml b/tests/templates/kuttl/ldap-authentication/04-assert-ldap-user.yaml deleted file mode 100644 index 663a6f96..00000000 --- a/tests/templates/kuttl/ldap-authentication/04-assert-ldap-user.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kuttl.dev/v1beta1 -kind: TestAssert -commands: - - script: kubectl exec -n $NAMESPACE openldap-0 -- ldapsearch -H ldap://localhost:1389 -D cn=admin,dc=example,dc=org -w admin -b ou=users,dc=example,dc=org > /dev/null - - script: kubectl exec -n $NAMESPACE openldap-0 -- bash -c LDAPTLS_CACERT=/tls/ca.crt ldapsearch -Z -H ldaps://localhost:1636 -D cn=admin,dc=example,dc=org -w admin -b ou=users,dc=example,dc=org > /dev/null diff --git a/tests/templates/kuttl/ldap-authentication/20-assert.yaml b/tests/templates/kuttl/ldap-authentication/20-assert.yaml deleted file mode 100644 index 48cc7f14..00000000 --- a/tests/templates/kuttl/ldap-authentication/20-assert.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kuttl.dev/v1beta1 -kind: TestAssert -commands: - - script: kubectl exec -n $NAMESPACE checks-0 -- python /tmp/authcheck.py -timeout: 60 diff --git a/tests/templates/kuttl/ldap-authentication/create_ldap_user.sh b/tests/templates/kuttl/ldap-authentication/create_ldap_user.sh deleted file mode 100644 index ef0c6ead..00000000 --- a/tests/templates/kuttl/ldap-authentication/create_ldap_user.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/sh - -cat << 'EOF' | ldapadd -H ldap://localhost:1389 -D cn=admin,dc=example,dc=org -w admin -dn: uid=alice,ou=users,dc=example,dc=org -uid: alice -cn: alice -sn: alice -objectClass: top -objectClass: posixAccount -objectClass: inetOrgPerson -homeDirectory: /home/alice -uidNumber: 3 -gidNumber: 3 -userPassword: alice -EOF 
diff --git a/tests/templates/kuttl/ldap-authentication/00-assert.yaml.j2 b/tests/templates/kuttl/ldap/00-assert.yaml.j2 similarity index 100% rename from tests/templates/kuttl/ldap-authentication/00-assert.yaml.j2 rename to tests/templates/kuttl/ldap/00-assert.yaml.j2 diff --git a/tests/templates/kuttl/ldap-authentication/00-install-vector-aggregator-discovery-configmap.yaml.j2 b/tests/templates/kuttl/ldap/00-install-vector-aggregator-discovery-configmap.yaml.j2 similarity index 100% rename from tests/templates/kuttl/ldap-authentication/00-install-vector-aggregator-discovery-configmap.yaml.j2 rename to tests/templates/kuttl/ldap/00-install-vector-aggregator-discovery-configmap.yaml.j2 diff --git a/tests/templates/kuttl/ldap-authentication/00-patch-ns.yaml.j2 b/tests/templates/kuttl/ldap/00-patch-ns.yaml.j2 similarity index 100% rename from tests/templates/kuttl/ldap-authentication/00-patch-ns.yaml.j2 rename to tests/templates/kuttl/ldap/00-patch-ns.yaml.j2 diff --git a/tests/templates/kuttl/ldap-authentication/03-assert-openldap.yaml b/tests/templates/kuttl/ldap/01-assert.yaml similarity index 100% rename from tests/templates/kuttl/ldap-authentication/03-assert-openldap.yaml rename to tests/templates/kuttl/ldap/01-assert.yaml diff --git a/tests/templates/kuttl/ldap-authentication/03-install-openldap.yaml b/tests/templates/kuttl/ldap/01-install-openldap.yaml similarity index 63% rename from tests/templates/kuttl/ldap-authentication/03-install-openldap.yaml rename to tests/templates/kuttl/ldap/01-install-openldap.yaml index e593a84a..4508fa66 100644 --- a/tests/templates/kuttl/ldap-authentication/03-install-openldap.yaml +++ b/tests/templates/kuttl/ldap/01-install-openldap.yaml @@ -3,4 +3,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: # We need to replace $NAMESPACE (by KUTTL) in the install-openldap.yaml - - script: eval "echo \"$(cat 03_openldap.yaml)\"" | kubectl apply -f - + - script: envsubst < 01_openldap.yaml | kubectl apply -n $NAMESPACE -f - 
diff --git a/tests/templates/kuttl/ldap-authentication/03_openldap.yaml.j2 b/tests/templates/kuttl/ldap/01_openldap.yaml.j2 similarity index 85% rename from tests/templates/kuttl/ldap-authentication/03_openldap.yaml.j2 rename to tests/templates/kuttl/ldap/01_openldap.yaml.j2 index 0561e4a1..ef0f2e35 100644 --- a/tests/templates/kuttl/ldap-authentication/03_openldap.yaml.j2 +++ b/tests/templates/kuttl/ldap/01_openldap.yaml.j2 @@ -2,7 +2,7 @@ apiVersion: secrets.stackable.tech/v1alpha1 kind: SecretClass metadata: - name: openldap-tls-$NAMESPACE + name: openldap-tls spec: backend: autoTls: @@ -30,7 +30,7 @@ spec: labels: app.kubernetes.io/name: openldap spec: - serviceAccountName: "druid-ldap-sa" + serviceAccountName: "ldap-sa" # # The security context below is necessary to avoid the following error on OpenShift: # /opt/bitnami/scripts/openldap/setup.sh: line 102: /opt/bitnami/openldap/sbin/slappasswd: Operation not permitted @@ -46,17 +46,13 @@ spec: - name: LDAP_ADMIN_PASSWORD value: admin - name: LDAP_ENABLE_TLS - value: \"yes\" + value: "yes" - name: LDAP_TLS_CERT_FILE value: /tls/tls.crt - name: LDAP_TLS_KEY_FILE value: /tls/tls.key - name: LDAP_TLS_CA_FILE value: /tls/ca.crt -{% if test_scenario['values']['ldap-no-bind-credentials'] == 'true' %} - - name: LDAP_ALLOW_ANON_BINDING - value: \"yes\" -{% endif %} ports: - name: ldap containerPort: 1389 @@ -76,7 +72,7 @@ spec: csi: driver: secrets.stackable.tech volumeAttributes: - secrets.stackable.tech/class: openldap-tls-$NAMESPACE + secrets.stackable.tech/class: openldap-tls secrets.stackable.tech/scope: pod --- apiVersion: v1 @@ -101,15 +97,14 @@ spec: apiVersion: v1 kind: ServiceAccount metadata: - name: druid-ldap-sa + name: ldap-sa namespace: $NAMESPACE - {% if test_scenario['values']['openshift'] == 'true' %} --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: druid-ldap-tests-role + name: use-integration-tests-scc namespace: $NAMESPACE rules: - apiGroups: ["security.openshift.io"] 
@@ -120,13 +115,13 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: druid-ldap-tests-rolebinding + name: use-integration-tests-scc namespace: $NAMESPACE subjects: - kind: ServiceAccount - name: druid-ldap-sa + name: ldap-sa roleRef: kind: Role - name: druid-ldap-tests-role + name: use-integration-tests-scc apiGroup: rbac.authorization.k8s.io {% endif %} diff --git a/tests/templates/kuttl/ldap/02-assert.yaml b/tests/templates/kuttl/ldap/02-assert.yaml new file mode 100644 index 00000000..46bea753 --- /dev/null +++ b/tests/templates/kuttl/ldap/02-assert.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +commands: + - script: kubectl exec -n $NAMESPACE openldap-0 -- ldapsearch -H ldap://localhost:1389 -D "cn=integrationtest,ou=my users,dc=example,dc=org" -w 'bindPasswordWithSpecialCharacter\@<&>"'"'" -b "ou=my users,dc=example,dc=org" > /dev/null + - script: kubectl exec -n $NAMESPACE openldap-0 -- bash -c LDAPTLS_CACERT=/tls/ca.crt ldapsearch -Z -H ldaps://localhost:1636 -D "cn=integrationtest,ou=my users,dc=example,dc=org" -w 'bindPasswordWithSpecialCharacter\@<&>"'"'" -b "ou=my users,dc=example,dc=org" > /dev/null diff --git a/tests/templates/kuttl/ldap-authentication/04-ldap-user.yaml b/tests/templates/kuttl/ldap/02-create-ldap-user.yaml similarity index 100% rename from tests/templates/kuttl/ldap-authentication/04-ldap-user.yaml rename to tests/templates/kuttl/ldap/02-create-ldap-user.yaml diff --git a/tests/templates/kuttl/ldap-authentication/11-assert.yaml b/tests/templates/kuttl/ldap/03-assert.yaml similarity index 89% rename from tests/templates/kuttl/ldap-authentication/11-assert.yaml rename to tests/templates/kuttl/ldap/03-assert.yaml index dc085bb1..a4f62208 100644 --- a/tests/templates/kuttl/ldap-authentication/11-assert.yaml +++ b/tests/templates/kuttl/ldap/03-assert.yaml 
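Review bot: The second script in the new 02-assert.yaml never runs ldapsearch, so the TLS bind is not actually asserted. `bash -c` takes only its first argument, `LDAPTLS_CACERT=/tls/ca.crt`, as the command string and treats everything after it as positional parameters, so the step exits 0 after a bare variable assignment. Pass the variable through `env` instead, `kubectl exec -n $NAMESPACE openldap-0 -- env LDAPTLS_CACERT=/tls/ca.crt ldapsearch -Z -H ldaps://localhost:1636 …`, or quote the whole command as a single `bash -c` string. The same line was present in the deleted 04-assert-ldap-user.yaml, so this check has likely never been effective.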
@@ -6,7 +6,7 @@ timeout: 300 apiVersion: apps/v1 kind: StatefulSet metadata: - name: checks + name: test-druid status: readyReplicas: 1 replicas: 1 diff --git a/tests/templates/kuttl/ldap-authentication/11-checks-container.yaml b/tests/templates/kuttl/ldap/03-install-test-druid.yaml similarity index 67% rename from tests/templates/kuttl/ldap-authentication/11-checks-container.yaml rename to tests/templates/kuttl/ldap/03-install-test-druid.yaml index 24734226..450becea 100644 --- a/tests/templates/kuttl/ldap-authentication/11-checks-container.yaml +++ b/tests/templates/kuttl/ldap/03-install-test-druid.yaml @@ -2,20 +2,21 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: checks + name: test-druid labels: - app: checks + app: test-druid spec: replicas: 1 selector: matchLabels: - app: checks + app: test-druid template: metadata: labels: - app: checks + app: test-druid spec: containers: - - name: checks + - name: test-druid image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev command: ["sleep", "infinity"] + terminationGracePeriodSeconds: 1 diff --git a/tests/templates/kuttl/ldap-authentication/01-assert.yaml b/tests/templates/kuttl/ldap/10-assert.yaml similarity index 62% rename from tests/templates/kuttl/ldap-authentication/01-assert.yaml rename to tests/templates/kuttl/ldap/10-assert.yaml index f21094ef..0a9d9e7b 100644 --- a/tests/templates/kuttl/ldap-authentication/01-assert.yaml +++ b/tests/templates/kuttl/ldap/10-assert.yaml @@ -6,12 +6,7 @@ timeout: 600 apiVersion: apps/v1 kind: StatefulSet metadata: - name: druid-zk-server-default + name: zk-server-default status: readyReplicas: 1 replicas: 1 ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: hdfs-znode 
diff --git a/tests/templates/kuttl/ldap-authentication/01-install-zk.yaml.j2 b/tests/templates/kuttl/ldap/10-install-zk.yaml.j2 similarity index 93% rename from tests/templates/kuttl/ldap-authentication/01-install-zk.yaml.j2 rename to tests/templates/kuttl/ldap/10-install-zk.yaml.j2 index 1b307f07..ea59f09e 100644 --- a/tests/templates/kuttl/ldap-authentication/01-install-zk.yaml.j2 +++ b/tests/templates/kuttl/ldap/10-install-zk.yaml.j2 @@ -2,7 +2,7 @@ apiVersion: zookeeper.stackable.tech/v1alpha1 kind: ZookeeperCluster metadata: - name: druid-zk + name: zk spec: image: productVersion: "{{ test_scenario['values']['zookeeper-latest'] }}" @@ -25,7 +25,7 @@ metadata: name: druid-znode spec: clusterRef: - name: druid-zk + name: zk --- apiVersion: zookeeper.stackable.tech/v1alpha1 kind: ZookeeperZnode @@ -33,4 +33,4 @@ metadata: name: hdfs-znode spec: clusterRef: - name: druid-zk + name: zk diff --git a/tests/templates/kuttl/ldap-authentication/05-authentication-class.yaml.j2 b/tests/templates/kuttl/ldap/11-create-authentication-classes.yaml.j2 similarity index 56% rename from tests/templates/kuttl/ldap-authentication/05-authentication-class.yaml.j2 rename to tests/templates/kuttl/ldap/11-create-authentication-classes.yaml.j2 index 7c35481c..9af5805a 100644 --- a/tests/templates/kuttl/ldap-authentication/05-authentication-class.yaml.j2 +++ b/tests/templates/kuttl/ldap/11-create-authentication-classes.yaml.j2 @@ -2,7 +2,7 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep metadata: - name: create-authentication-classes + name: create-ldap-user commands: # We need to replace $NAMESPACE (by KUTTL) in the create-authentication-classes.yaml(.j2) - - script: eval "echo \"$(cat 05_authentication-class.yaml)\"" | kubectl apply -f - + - script: envsubst < 11_authentication-classes.yaml | kubectl apply -n $NAMESPACE -f - 
diff --git a/tests/templates/kuttl/ldap-authentication/05_authentication-class.yaml.j2 b/tests/templates/kuttl/ldap/11_authentication-classes.yaml.j2 similarity index 64% rename from tests/templates/kuttl/ldap-authentication/05_authentication-class.yaml.j2 rename to tests/templates/kuttl/ldap/11_authentication-classes.yaml.j2 index f41d2fa8..75f83998 100644 --- a/tests/templates/kuttl/ldap-authentication/05_authentication-class.yaml.j2 +++ b/tests/templates/kuttl/ldap/11_authentication-classes.yaml.j2 @@ -7,43 +7,31 @@ spec: provider: ldap: hostname: openldap.$NAMESPACE.svc.cluster.local - searchBase: ou=users,dc=example,dc=org + searchBase: ou=my users,dc=example,dc=org searchFilter: (uid=%s) +{% if test_scenario['values']['ldap-no-bind-credentials'] == 'true' %} + bindCredentials: null +{% else %} + bindCredentials: + secretClass: druid-with-ldap-bind +{% endif %} {% if test_scenario['values']['ldap-use-tls'] == 'false' %} port: 1389 - tls: null {% else %} port: 1636 tls: verification: server: caCert: - secretClass: openldap-tls-$NAMESPACE -{% endif %} -{% if test_scenario['values']['ldap-no-bind-credentials'] == 'true' %} - bindCredentials: null -{% else %} - bindCredentials: - secretClass: druid-ldap-secret + secretClass: openldap-tls {% endif %} --- apiVersion: secrets.stackable.tech/v1alpha1 kind: SecretClass metadata: - name: druid-ldap-secret + name: druid-with-ldap-bind spec: backend: k8sSearch: searchNamespace: pod: {} ---- -apiVersion: v1 -kind: Secret -metadata: - name: druid-ldap-secret - namespace: $NAMESPACE - labels: - secrets.stackable.tech/class: druid-ldap-secret -stringData: - user: cn=admin,dc=example,dc=org - password: admin diff --git a/tests/templates/kuttl/ldap-authentication/02-assert.yaml b/tests/templates/kuttl/ldap/12-assert.yaml similarity index 100% rename from tests/templates/kuttl/ldap-authentication/02-assert.yaml rename to tests/templates/kuttl/ldap/12-assert.yaml 
diff --git a/tests/templates/kuttl/ldap-authentication/02-install-hdfs.yaml.j2 b/tests/templates/kuttl/ldap/12-install-hdfs.yaml.j2 similarity index 100% rename from tests/templates/kuttl/ldap-authentication/02-install-hdfs.yaml.j2 rename to tests/templates/kuttl/ldap/12-install-hdfs.yaml.j2 diff --git a/tests/templates/kuttl/ldap-authentication/10-assert.yaml b/tests/templates/kuttl/ldap/13-assert.yaml similarity index 100% rename from tests/templates/kuttl/ldap-authentication/10-assert.yaml rename to tests/templates/kuttl/ldap/13-assert.yaml diff --git a/tests/templates/kuttl/ldap-authentication/10-install-druid.yaml.j2 b/tests/templates/kuttl/ldap/13-install-druid.yaml.j2 similarity index 77% rename from tests/templates/kuttl/ldap-authentication/10-install-druid.yaml.j2 rename to tests/templates/kuttl/ldap/13-install-druid.yaml.j2 index 6be8a87f..d615e173 100644 --- a/tests/templates/kuttl/ldap-authentication/10-install-druid.yaml.j2 +++ b/tests/templates/kuttl/ldap/13-install-druid.yaml.j2 @@ -33,6 +33,7 @@ commands: {% endif %} brokers: config: + gracefulShutdownTimeout: 1s # Let the test run faster logging: enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} roleGroups: @@ -40,6 +41,7 @@ commands: replicas: 1 coordinators: config: + gracefulShutdownTimeout: 1s # Let the test run faster logging: enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} roleGroups: @@ -47,6 +49,7 @@ commands: replicas: 1 historicals: config: + gracefulShutdownTimeout: 1s # Let the test run faster logging: enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} roleGroups: @@ -54,6 +57,7 @@ commands: replicas: 1 middleManagers: config: + gracefulShutdownTimeout: 1s # Let the test run faster logging: enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }} roleGroups: 
@@ -61,8 +65,20 @@ commands:
 replicas: 1
 routers:
 config:
+ gracefulShutdownTimeout: 1s # Let the test run faster
 logging:
 enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
 roleGroups:
 default:
 replicas: 1
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: druid-with-ldap-bind-secret
+ labels:
+ secrets.stackable.tech/class: druid-with-ldap-bind
+stringData:
+ user: cn=integrationtest,ou=my users,dc=example,dc=org
+ password: >
+ bindPasswordWithSpecialCharacter\@<&>"'
diff --git a/tests/templates/kuttl/ldap/20-assert.yaml b/tests/templates/kuttl/ldap/20-assert.yaml
new file mode 100644
index 00000000..c947cc92
--- /dev/null
+++ b/tests/templates/kuttl/ldap/20-assert.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+ - script: kubectl exec -n $NAMESPACE test-druid-0 -- python /tmp/authcheck.py
+timeout: 60
diff --git a/tests/templates/kuttl/ldap-authentication/20-authcheck.yaml b/tests/templates/kuttl/ldap/20-authcheck.yaml
similarity index 50%
rename from tests/templates/kuttl/ldap-authentication/20-authcheck.yaml
rename to tests/templates/kuttl/ldap/20-authcheck.yaml
index 58d7d1bc..01967066 100644
--- a/tests/templates/kuttl/ldap-authentication/20-authcheck.yaml
+++ b/tests/templates/kuttl/ldap/20-authcheck.yaml
@@ -3,4 +3,4 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 timeout: 60
 commands:
- - script: kubectl cp -n $NAMESPACE ./authcheck.py checks-0:/tmp
+ - script: kubectl cp -n $NAMESPACE ./authcheck.py test-druid-0:/tmp
diff --git a/tests/templates/kuttl/ldap-authentication/authcheck.py b/tests/templates/kuttl/ldap/authcheck.py
similarity index 87%
rename from tests/templates/kuttl/ldap-authentication/authcheck.py
rename to tests/templates/kuttl/ldap/authcheck.py
index be28d4e0..a1de4b8e 100755
--- a/tests/templates/kuttl/ldap-authentication/authcheck.py
+++ b/tests/templates/kuttl/ldap/authcheck.py
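Review bot: In the `druid-with-ldap-bind-secret` Secret added at the end of 13-install-druid.yaml.j2, `password: >` is a folded block scalar with default (clip) chomping, so the stored value keeps a final line break whenever the file has a newline after the password line. That extra byte would then be part of the bind password read from the mounted secret, unlike the exact literals in authcheck.py and create_ldap_user.sh. Whether the consumer trims it is not visible in this diff. `password: >-` strips the final line break and keeps the special-character value byte-identical in all three places. A comment above `stringData`, `# test-only credential; must match create_ldap_user.sh and authcheck.py`, would record the coupling.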
@@ -2,6 +2,8 @@ import sys import logging +USER_NAME = "integrationtest" +USER_PASSWORD = "bindPasswordWithSpecialCharacter\\@<&>\"'" def main(): result = 0 @@ -30,8 +32,8 @@ def main(): else: logging.info("success") # make an authorized request -> return 200 expected - logging.info(f"making request as LDAP user [alice] to {role}") - res = requests.get(url, auth=("alice", "alice"), verify=False) + logging.info(f"making request as LDAP user [{USER_NAME}] to {role}") + res = requests.get(url, auth=(USER_NAME, USER_PASSWORD), verify=False) if res.status_code != 200: logging.error(f"expected 200 but got {res.status_code}") result = 1 diff --git a/tests/templates/kuttl/ldap/create_ldap_user.sh b/tests/templates/kuttl/ldap/create_ldap_user.sh new file mode 100755 index 00000000..6c51cd03 --- /dev/null +++ b/tests/templates/kuttl/ldap/create_ldap_user.sh 
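Review bot: `USER_PASSWORD` at the top of authcheck.py is a third copy of the credential that create_ldap_user.sh sets through `ldappasswd -s` and that the `druid-with-ldap-bind-secret` Secret carries, each written in a different quoting dialect (Python `\\` and `\"`, shell `'"'"'`, YAML block scalar). Nothing ties the copies together, so an edit to one of them shows up only as an unexplained authentication failure in the test. I would add a comment above the two constants: `# Test-only LDAP credential; keep in sync with create_ldap_user.sh and the druid-with-ldap-bind-secret Secret`.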
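Review bot: The authorized request in `main()` sends `USER_NAME`/`USER_PASSWORD` as HTTP basic auth with `verify=False`, so for an https `url` the server certificate is never checked and the TLS scenarios cannot detect a wrong or missing certificate. Passing the CA bundle instead, `res = requests.get(url, auth=(USER_NAME, USER_PASSWORD), verify="<path-to-ca-bundle>")` (placeholder; the mount path is not visible here), would make the check cover the trust chain as well as the LDAP login. How `url` is built lies outside the hunk, as does the rest of `main()`, so the scheme in use is an assumption.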
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+# To check the existing users
+# ldapsearch -H ldap://localhost:1389 -D "cn=admin,dc=example,dc=org" -w admin -b "ou=my users,dc=example,dc=org"
+
+# To check the new user
+# ldapsearch -H ldap://localhost:1389 -D "cn=integrationtest,ou=my users,dc=example,dc=org" -w 'bindPasswordWithSpecialCharacter\@<&>"'"'" -b "ou=my users,dc=example,dc=org"
+
+cat << 'EOF' | ldapadd -H ldap://localhost:1389 -D "cn=admin,dc=example,dc=org" -w admin
+dn: ou=my users,dc=example,dc=org
+ou: my users
+objectclass: top
+objectclass: organizationalUnit
+EOF
+
+cat << 'EOF' | ldapadd -H ldap://localhost:1389 -D "cn=admin,dc=example,dc=org" -w admin
+dn: cn=integrationtest,ou=my users,dc=example,dc=org
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+cn: integrationtest
+uid: integrationtest
+givenName: Stackable
+sn: Integration-Test
+mail: integrationtest@stackable.de
+uidNumber: 16842
+gidNumber: 100
+homeDirectory: /home/integrationtest
+loginShell: /bin/bash
+userPassword: {crypt}x
+shadowLastChange: 0
+shadowMax: 0
+shadowWarning: 0
+EOF
+
+ldappasswd -H ldap://localhost:1389 -D "cn=admin,dc=example,dc=org" -w admin -s 'bindPasswordWithSpecialCharacter\@<&>"'"'" "cn=integrationtest,ou=my users,dc=example,dc=org"
diff --git a/tests/templates/kuttl/logging/06-install-druid-test-runner.yaml b/tests/templates/kuttl/logging/06-install-druid-test-runner.yaml
index c7e1097f..f1657554 100644
--- a/tests/templates/kuttl/logging/06-install-druid-test-runner.yaml
+++ b/tests/templates/kuttl/logging/06-install-druid-test-runner.yaml
@@ -20,3 +20,4 @@ spec:
 image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev
 stdin: true
 tty: true
+ terminationGracePeriodSeconds: 1
diff --git a/tests/templates/kuttl/oidc/51-install-test-container.yaml.j2 b/tests/templates/kuttl/oidc/51-install-test-container.yaml.j2
index 1ae86a1d..3bec5cb8 100644
--- a/tests/templates/kuttl/oidc/51-install-test-container.yaml.j2
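Review bot: create_ldap_user.sh has no error handling: if either `ldapadd` fails, the script carries on and its exit status is only that of the final `ldappasswd`. A partly provisioned directory can then go unnoticed until the later auth check fails for a less obvious reason. Adding `set -eu` on the line after `#!/bin/sh` makes the first failing command abort the step. The admin bind password and the new user password are passed as `-w`/`-s` arguments and so appear in the container's process list, which is acceptable only because these are fixed test values. A header comment such as `# test-only credentials for the throwaway OpenLDAP instance; do not reuse` would say so.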
+++ b/tests/templates/kuttl/oidc/51-install-test-container.yaml.j2
@@ -94,3 +94,4 @@ spec:
 - name: ingestion-check
 configMap:
 name: ingestion-check
+ terminationGracePeriodSeconds: 1
diff --git a/tests/templates/kuttl/s3-deep-storage/07-checks-container.yaml b/tests/templates/kuttl/s3-deep-storage/07-checks-container.yaml
index 24734226..dd9ecb77 100644
--- a/tests/templates/kuttl/s3-deep-storage/07-checks-container.yaml
+++ b/tests/templates/kuttl/s3-deep-storage/07-checks-container.yaml
@@ -19,3 +19,4 @@ spec:
 - name: checks
 image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev
 command: ["sleep", "infinity"]
+ terminationGracePeriodSeconds: 1
diff --git a/tests/templates/kuttl/smoke/60-checks-container.yaml b/tests/templates/kuttl/smoke/60-checks-container.yaml
index 98d3ab13..4aafaf71 100644
--- a/tests/templates/kuttl/smoke/60-checks-container.yaml
+++ b/tests/templates/kuttl/smoke/60-checks-container.yaml
@@ -26,3 +26,4 @@ spec:
 limits:
 memory: "128Mi"
 cpu: "1"
+ terminationGracePeriodSeconds: 1
diff --git a/tests/templates/kuttl/tls/05-install-checks.yaml.j2 b/tests/templates/kuttl/tls/05-install-checks.yaml.j2
index 5c153768..1700f687 100644
--- a/tests/templates/kuttl/tls/05-install-checks.yaml.j2
+++ b/tests/templates/kuttl/tls/05-install-checks.yaml.j2
@@ -91,3 +91,4 @@ spec:
 requests:
 storage: "1"
 {% endif %}
+ terminationGracePeriodSeconds: 1
diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml
index a21415b7..9b19d497 100644
--- a/tests/test-definition.yaml
+++ b/tests/test-definition.yaml
@@ -113,7 +113,7 @@ tests:
 - zookeeper-latest
 - tls-mode
 - openshift
- - name: ldap-authentication
+ - name: ldap
 dimensions:
 - druid
 - zookeeper-latest