[Merged by Bors] - Fix/custom s3 certificates

rust/crd/src/constants.rs

@@ -28,6 +28,20 @@ pub const LOG4J2_CONFIG_FILE: &str = "log4j2.properties";
 pub const ACCESS_KEY_ID: &str = "accessKey";
 pub const SECRET_ACCESS_KEY: &str = "secretKey";
 pub const S3_SECRET_DIR_NAME: &str = "/stackable/secrets";
+pub const SYSTEM_TRUST_STORE: &str = "/etc/pki/java/cacerts";
+pub const STACKABLE_TLS_STORE_PASSWORD: &str = "changeit";
+pub const SYSTEM_TRUST_STORE_PASSWORD: &str = "changeit";
+
+pub const STACKABLE_SERVER_TLS_DIR: &str = "/stackable/server_tls";
+pub const STACKABLE_CLIENT_TLS_DIR: &str = "/stackable/client_tls";
+pub const STACKABLE_INTERNAL_TLS_DIR: &str = "/stackable/internal_tls";
+pub const STACKABLE_MOUNT_SERVER_TLS_DIR: &str = "/stackable/mount_server_tls";
+pub const STACKABLE_MOUNT_CLIENT_TLS_DIR: &str = "/stackable/mount_client_tls";
+pub const STACKABLE_MOUNT_INTERNAL_TLS_DIR: &str = "/stackable/mount_internal_tls";
+
+pub const STACKABLE_CLIENT_CA_CERT: &str = "stackable-client-ca-cert";
+pub const STACKABLE_SERVER_CA_CERT: &str = "stackable-server-ca-cert";
+pub const STACKABLE_INTERNAL_CA_CERT: &str = "stackable-internal-ca-cert";
 
 pub const MIN_MEMORY_OVERHEAD: u32 = 384;
 pub const JVM_OVERHEAD_FACTOR: f32 = 0.1;

rust/operator-binary/src/pod_driver_controller.rs

@@ -1,6 +1,7 @@
 use stackable_operator::{k8s_openapi::api::core::v1::Pod, kube::runtime::controller::Action};
 use stackable_spark_k8s_crd::{
-    constants::POD_DRIVER_CONTROLLER_NAME, SparkApplication, SparkApplicationStatus,
+    constants::POD_DRIVER_CONTROLLER_NAME, SparkApplication, SparkApplicationStatus, 
+    constants::SYSTEM_TRUST_STORE, constants::SYSTEM_TRUST_STORE_PASSWORD, constants::STACKABLE_TLS_STORE_PASSWORD, 
 };
 use std::sync::Arc;
 use std::time::Duration;
@@ -100,3 +101,34 @@ pub async fn reconcile(pod: Arc<Pod>, ctx: Arc<Ctx>) -> Result<Action> {
 pub fn error_policy(_obj: Arc<Pod>, _error: &Error, _ctx: Arc<Ctx>) -> Action {
     Action::requeue(Duration::from_secs(5))
 }
+
+/// Generates the shell script to create key and truststores from the certificates provided
+/// by the secret operator.
+pub fn create_key_and_trust_store(
+    cert_directory: &str,
+    stackable_cert_directory: &str,
+    alias_name: &str,
+    secret_class: &str
+) -> Vec<String> {
+    vec![
+        format!("echo [{stackable_cert_directory}] Cleaning up truststore - just in case"),
+        format!("rm -f {stackable_cert_directory}/truststore.p12"),
+        format!("echo [{stackable_cert_directory}] Creating truststore"),
+        format!("keytool -importcert -file {cert_directory}/{secret_class}-tls-certificate/ca.cert -keystore {stackable_cert_directory}/truststore.p12 -storetype pkcs12 -noprompt -alias {alias_name} -storepass {STACKABLE_TLS_STORE_PASSWORD}"),
+        format!("echo [{stackable_cert_directory}] Creating certificate chain"),
+        format!("cat {cert_directory}/{secret_class}-tls-certificate/ca.crt {cert_directory}/{secret_class}-tls-certificate/tls.crt > {stackable_cert_directory}/{secret_class}/chain.crt"),
+        format!("echo [{stackable_cert_directory}] Creating keystore"),
+        format!("openssl pkcs12 -export -in {stackable_cert_directory}/{secret_class}/chain.crt -inkey {cert_directory}/{secret_class}/tls.key -out {stackable_cert_directory}/keystore.p12 --passout pass:{STACKABLE_TLS_STORE_PASSWORD}")
+    ]
+}
+
+pub fn add_cert_to_stackable_truststore(
+    cert_file: &str,
+    truststore_directory: &str,
+    alias_name: &str,
+) -> Vec<String> {
+    vec![
+        format!("echo [{truststore_directory}] Adding cert from {cert_file} to truststore {truststore_directory}/truststore.p12"),
+        format!("keytool -importcert -file {cert_file} -keystore {truststore_directory}/truststore.p12 -storetype pkcs12 -noprompt -alias {alias_name} -storepass {STACKABLE_TLS_STORE_PASSWORD}"),
+    ]
+}

rust/operator-binary/src/spark_k8s_controller.rs

@@ -1,4 +1,4 @@
-use std::{sync::Arc, time::Duration};
+use std::{sync::Arc, time::Duration, vec};
 
 use stackable_spark_k8s_crd::{
     constants::*, s3logdir::S3LogDir, SparkApplication, SparkApplicationRole, SparkContainer,
@@ -12,8 +12,8 @@ use stackable_operator::{
         affinity::StackableAffinity,
         product_image_selection::ResolvedProductImage,
         resources::{NoRuntimeLimits, Resources},
-        s3::S3ConnectionSpec,
-        tls::{CaCert, TlsVerification},
+        s3::{S3ConnectionSpec, S3ConnectionDef},
+        tls::{TlsVerification, CaCert},
     },
     k8s_openapi::{
         api::{
@@ -42,7 +42,9 @@ use stackable_operator::{
 };
 use strum::{EnumDiscriminants, IntoStaticStr};
 
-use crate::product_logging::{self, resolve_vector_aggregator_address};
+use crate::pod_driver_controller;
+
+use crate::{product_logging::{self, resolve_vector_aggregator_address}};
 
 pub struct Ctx {
     pub client: stackable_operator::client::Client,
@@ -148,19 +150,14 @@ pub async fn reconcile(spark_application: Arc<SparkApplication>, ctx: Arc<Ctx>)
         _ => None,
     };
 
+//    let mut secret_name = &String::new();
+
     if let Some(conn) = opt_s3conn.as_ref() {
         if let Some(tls) = &conn.tls {
             match &tls.verification {
                 TlsVerification::None {} => return S3TlsNoVerificationNotSupportedSnafu.fail(),
-                TlsVerification::Server(server_verification) => {
-                    match &server_verification.ca_cert {
-                        CaCert::WebPki {} => {}
-                        CaCert::SecretClass(_) => {
-                            return S3TlsCaVerificationNotSupportedSnafu.fail()
-                        }
-                    }
-                }
-            }
+                TlsVerification::Server(_) => {}
+            } 
         }
     }
 
@@ -243,7 +240,7 @@ pub async fn reconcile(spark_application: Arc<SparkApplication>, ctx: Arc<Ctx>)
         resources: executor_config.resources.clone(),
         logging: executor_config.logging.clone(),
         volume_mounts: spark_application.executor_volume_mounts(
-            &executor_config,
+           &executor_config,
             &opt_s3conn,
             &s3logdir,
         ),
@@ -324,7 +321,35 @@ fn init_containers(
         args.push(format!("cp /jobs/* {VOLUME_MOUNT_PATH_JOB}"));
         // Wait until the log file is written.
         args.push("sleep 1".into());
-
+
+        // if TLS is enabled, build TrustStore and put secret inside. 
+        match spark_application.spec.s3connection.as_ref() {
+            Some(conn) => {
+                if let S3ConnectionDef::Inline(s3spec) = conn {
+                    match &s3spec.tls {
+                        Some(tls) => {
+                            if let TlsVerification::Server(verification) = &tls.verification {
+                                if let CaCert::SecretClass(secret_name) = &verification.ca_cert {
+                                    args.extend(pod_driver_controller::create_key_and_trust_store(
+                                        STACKABLE_MOUNT_SERVER_TLS_DIR, 
+                                        STACKABLE_SERVER_TLS_DIR, 
+                                        STACKABLE_SERVER_CA_CERT, 
+                                        secret_name));
+
+                                    args.extend(pod_driver_controller::add_cert_to_stackable_truststore(
+                                        format!("{STACKABLE_MOUNT_SERVER_TLS_DIR}/{secret_name}/ca.crt").as_str(), 
+                                        STACKABLE_INTERNAL_TLS_DIR, 
+                                        STACKABLE_CLIENT_CA_CERT));
+                                }
+                            }
+                        }
+                        None => {}
+                    }
+                }
+            }
+            None => {}
+        }  
+
         jcb.image(job_image)
             .command(vec!["/bin/bash".to_string(), "-c".to_string()])
             .args(vec![args.join(" && ")])
@@ -360,15 +385,17 @@ fn init_containers(
             "pip install --target={VOLUME_MOUNT_PATH_REQ} {req}"
         ));
 
-        rcb.image(spark_image)
-            .command(vec!["/bin/bash".to_string(), "-c".to_string()])
-            .args(vec![args.join(" && ")])
-            .add_volume_mount(VOLUME_MOUNT_NAME_REQ, VOLUME_MOUNT_PATH_REQ)
-            .add_volume_mount(VOLUME_MOUNT_NAME_LOG, VOLUME_MOUNT_PATH_LOG);
-        if let Some(image_pull_policy) = spark_application.spark_image_pull_policy() {
-            rcb.image_pull_policy(image_pull_policy.to_string());
-        }
-        rcb.build()
+    rcb.image(spark_image)
+        .command(vec!["/bin/bash".to_string(), "-c".to_string()])
+        .args(vec![args.join(" && ")])
+        .add_volume_mount(VOLUME_MOUNT_NAME_REQ, VOLUME_MOUNT_PATH_REQ)
+        .add_volume_mount(VOLUME_MOUNT_NAME_LOG, VOLUME_MOUNT_PATH_LOG);
+    if let Some(image_pull_policy) = spark_application.spark_image_pull_policy() {
+        rcb.image_pull_policy(image_pull_policy.to_string());
+    }
+
+    rcb.build()
+
     });
 
     Ok(vec![job_container, requirements_container]
@@ -616,6 +643,8 @@ fn spark_job(
                 "-cp /stackable/spark/extra-jars/*:/stackable/spark/jars/* \
                 -Dlog4j.configurationFile={VOLUME_MOUNT_PATH_LOG_CONFIG}/{LOG4J2_CONFIG_FILE}"
             ),
+            // This is the same stuff like we had above. Looks like this could be the trust store thingy right? 
+
         )
         // TODO: move this to the image
         .add_env_var("SPARK_CONF_DIR", "/stackable/spark/conf");

tests/templates/kuttl/spark-ny-public-s3/00-s3-secret.yaml.j2

@@ -0,0 +1,27 @@
+{% if test_scenario['values']['openshift'] == 'true' %}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-credentials
+  labels:
+    secrets.stackable.tech/class: s3-credentials-class
+timeout: 240
+stringData:
+  accessKey: minioAccessKey
+  secretKey: minioSecretKey
+  # The following two entries are used by the Bitnami chart for MinIO to
+  # set up credentials for accessing buckets managed by the MinIO tenant.
+  root-user: minioAccessKey
+  root-password: minioSecretKey
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: s3-credentials-class
+spec:
+  backend:
+    k8sSearch:
+      searchNamespace:
+        pod: {}
+{% endif %}

tests/templates/kuttl/spark-ny-public-s3/01-install-minio-certificates.yaml.j2

@@ -0,0 +1,24 @@
+{% if test_scenario['values']['s3-use-tls'] == 'true' %}
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: minio-tls-certificates
+spec:
+  backend:
+    k8sSearch:
+      searchNamespace:
+        pod: {}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-tls-certificates
+  labels:
+    secrets.stackable.tech/class: minio-tls-certificates
+# Have a look at the folder certs on how to create this
+data:
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQyVENDQXNHZ0F3SUJBZ0lVQkl4WEVMKzd6RXVXVWNPMHI0blB2WUZpNnhBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2V6RUxNQWtHQTFVRUJoTUNSRVV4R3pBWkJnTlZCQWdNRWxOamFHeGxjM2RwWnkxSWIyeHpkR1ZwYmpFTwpNQXdHQTFVRUJ3d0ZWMlZrWld3eEtEQW1CZ05WQkFvTUgxTjBZV05yWVdKc1pTQlRhV2R1YVc1bklFRjFkR2h2CmNtbDBlU0JKYm1NeEZUQVRCZ05WQkFNTURITjBZV05yWVdKc1pTNWtaVEFnRncweU1qQTJNamd4TkRJMU5ESmEKR0E4eU1USXlNRFl3TkRFME1qVTBNbG93ZXpFTE1Ba0dBMVVFQmhNQ1JFVXhHekFaQmdOVkJBZ01FbE5qYUd4bApjM2RwWnkxSWIyeHpkR1ZwYmpFT01Bd0dBMVVFQnd3RlYyVmtaV3d4S0RBbUJnTlZCQW9NSDFOMFlXTnJZV0pzClpTQlRhV2R1YVc1bklFRjFkR2h2Y21sMGVTQkpibU14RlRBVEJnTlZCQU1NREhOMFlXTnJZV0pzWlM1a1pUQ0MKQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFMT0JuRFhHaE10OFFWOVRac0FyVlZ0UAp3cDlNeE0wREZ0VUlGYzdzYkw3V2Nwa0lXa2pEWjc4TDYrZkNVbnBqZUluYUZlZkdzVE1CdDY2ZGFQZFovZ3JJCjM3aFJudy9GZDA2Q2NSb3FST01pdlFFWXo1eHVRdGFsQVZkcXRlTVZQUjZwUzFnMTlKMHMwOVpEM0x1SnJJQ2UKc1c0TXpzeUdhb3ovektTcDYrOEpESktDQjNxWElBRldRT0NhM29PbW9TZTg2VHRONE1TdXhXdktxT21VZUE2NQp2d2o4REpyWXEzc3cxMjkxT3RDSFcrSG95aWFpMnBwMG9mYVNhakExZ3NBU2Erd3JYd3FVOGN5QU9LazBONVhzCmx5ZXdkd0hCQ0FrYTg3RkRDUk1VSTlGZ2pzRGsva3pZL0h3L1BLTXVHRlB0NGhwSXZYMHpFK2FUdVBoeU9yRUMKQXdFQUFhTlRNRkV3SFFZRFZSME9CQllFRk5EVGNRWU9DOFVMYUs1R1dWZXFKbGxja1RjOE1COEdBMVVkSXdRWQpNQmFBRk5EVGNRWU9DOFVMYUs1R1dWZXFKbGxja1RjOE1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJCmh2Y05BUUVMQlFBRGdnRUJBSEx6eUFRS3JiREJRTlhYMnNtV2xxWC8ySkFXTTB4U0NVR2hsZ0NRSVRqZHJ6Y3YKcTlnMGgvVTZSb0VFSnBwYUZpNWY0UmVvcU50TWErZU12bXErTnQ4WHQ3YzErZ0owZlFuMDh2b2s4YnVxaUZ0SQpCU0Rwd1ZzNjVEOThETVRoUVhrc0dUb1NjT0loRkpVOHZwVXR0NzlDbWJ1a0d5dy91YzQ5ckJxZWpiNHhIVFBpCnNyV1BKSVFrZnBQbUZBUGtqWFdzYVg3cnZYc0dBQk9kZnAvcU1NM2UyWDRhTzVvd2U4QWlocW1LRTNYdmhtZUMKdjA0NStuSW9GTHo0bWZHSGl1YVdLNFJwd3U5SEwzakhEZEU0UXluMVpFd3Z0UUQ3ekUwNXNkVXNsdi96SjhnUgpqem8rOG1lbVRudjhXMi9RZm1MVm5lczJUS1cza1ZqbjJZUHROUkU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K 
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURmVENDQW1XZ0F3SUJBZ0lVS0Z0ckhXUjNXOHBqSDdoMlIvUUtIQ3d6aFBNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2V6RUxNQWtHQTFVRUJoTUNSRVV4R3pBWkJnTlZCQWdNRWxOamFHeGxjM2RwWnkxSWIyeHpkR1ZwYmpFTwpNQXdHQTFVRUJ3d0ZWMlZrWld3eEtEQW1CZ05WQkFvTUgxTjBZV05yWVdKc1pTQlRhV2R1YVc1bklFRjFkR2h2CmNtbDBlU0JKYm1NeEZUQVRCZ05WQkFNTURITjBZV05yWVdKc1pTNWtaVEFnRncweU1qQTJNamd4TkRJMU5ESmEKR0E4eU1USXlNRFl3TkRFME1qVTBNbG93WGpFTE1Ba0dBMVVFQmhNQ1JFVXhHekFaQmdOVkJBZ01FbE5qYUd4bApjM2RwWnkxSWIyeHpkR1ZwYmpFT01Bd0dBMVVFQnd3RlYyVmtaV3d4RWpBUUJnTlZCQW9NQ1ZOMFlXTnJZV0pzClpURU9NQXdHQTFVRUF3d0ZiV2x1YVc4d2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUIKQVFDN210R0RoQWtiRFJlSVJZNkM1K00xYVJwMmI2bUhWRytlSFU0TWhDWE1kcnlmK0JCdXJzS1VCN1l4TXlWOQpOb2drSEpLS3RxUDlSNUpSdDJGdnMvNFFPcWRlbmZPbTNzdWkyZHA4UE94OU5OdE1PVGdMSFRZc0dhODlCTzZpCmRNVHFiSm1FcFUwK2NER2VmVTVkTkN2S2VGQTBNMVZJT0ZrLzBBS3pOQjZSZWZoa0VSWHE0ZWFMOHh0NG8xSnIKZzBnZm10dzd4S2lITkkwa3ViWllSM0crM1NhQ2pITVRFMEZ2REVxZnFFT0xZSTBwM3FhdHJIZ00vNm5hMXVDegpkVFhScm40SmJ1QkYzUmd5UGM5VDlaK3pMUk9ZVE9OYzE4aEJFQVgwYlBNTWg3aUZOTXgzMVM1K2lScEZpSGhkClVKUmFVVEYrYjJQdVhPd2d1L00zVmdhSkFnTUJBQUdqRkRBU01CQUdBMVVkRVFRSk1BZUNCVzFwYm1sdk1BMEcKQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUNjbkprekZYbmZuRUkvK3JRVTVzS3NjL1AzRlVVb1lKbzdoTEpKTWRodwpYTVY1RTRlNHprTEJyL3dVeWVtVkZreUdNY0RCZFJtUGZyS281RERFSWZjQ0xrbkpGOVcwY0kya3BwZHVpTW5GCks1V3pMQnRUUkNlaE5EK2FtdTNPN2VhaGFqSFQwNHFka05ja2wwN1U3TXNXRy95UVpWVXZ4bU9Mc2s2aysxYTIKY3JUdlNTcHN6ZVJVUU1xQkJrUSswOUw3V1Yxcy9wL2ZjVUpVZVA2cDJ4SjF6YmlCTnk2U0tHQmx0MXQrQUdSTApxUkRidVlMK2hsRGsrZ1ZjZGd6U3duOHB3Qnl5OSs0eFM4bmZ0NWRPdHVmQkxUOGJMK2RHcG9PN2VOMVVXZkVsCnpBUFFWYjRDTHUvaXVaWkVuWWtOMlg3aWVsZEU5eDYvNHJiVllxbUgxZHVuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBdTVyUmc0UUpHdzBYaUVXT2d1ZmpOV2thZG0rcGgxUnZuaDFPRElRbHpIYThuL2dRCmJxN0NsQWUyTVRNbGZUYUlKQnlTaXJhai9VZVNVYmRoYjdQK0VEcW5YcDN6cHQ3TG90bmFmRHpzZlRUYlREazQKQ3gwMkxCbXZQUVR1b25URTZteVpoS1ZOUG5BeG5uMU9YVFFyeW5oUU5ETlZTRGhaUDlBQ3N6UWVrWG40WkJFVgo2dUhtaS9NYmVLTlNhNE5JSDVyY084U29oelNOSkxtMldFZHh2dDBtZ294ekV4TkJid3hLbjZoRGkyQ05LZDZtCnJheDREUCtwMnRiZ3MzVTEwYTUrQ1c3Z1JkMFlNajNQVS9XZnN5MFRtRXpqWE5mSVFSQUY5R3p6REllNGhUVE0KZDlVdWZva2FSWWg0WFZDVVdsRXhmbTlqN2x6c0lMdnpOMVlHaVFJREFRQUJBb0lCQUF2RDQ4dkpwZ0NLUzZXQwpKelBTY3c5UWJoWnJYa2hjWlR1WFB1UE9EY2pLMFgxK3d4a040S29ENmNzZ0dBUElQYlYyRFVLaHZac091QUJqCjdicGhvVmRITm1QYXFBTVpDZEJHdFVzQlR4dHpDeVcybU9zcGc5STBNaWN6ZmZ1Mk12czRvRkFQUmM3YW5tSUEKSGIvK201aHcveWFtNlh4RC9HVGlHS2xBWllKZDlpV2MxVThHTWMvZXRoNXpDOHpIQ0p5dzkyVi9lMHVDUzh4SAowRTZyK1IxUU5TaWRBV1Rmc0p1dVVzSnFEcHVjd3NyQlF3dTUxYzB6SjlNeGthTUgzYlBRMnJCMUpBeU5Gd2JlCmxCdzhubjJuVXVXZDYzRUN1TzJDUUFadU14ZnpRVVJCRzV3ZjZiaHh3S2RBNGQ1dFJqd2Y3NXJUbm1pNFdJbW0KeEZlbXAyRUNnWUVBOXJwTTI4UTlzdGJNMEc3YmZHSk9UT284dVVTOHppOUwwNndMckswZ1NFdVNaaXRsTUkyKwpIQmgrS1ZOVGZ6RzVBSENiTDUycFU4V2JOcVMwcmNHaXgvRUthUDRrTXB2WlBGQW5yMGYrYTVJaVk2OUo1WUpDCllic3JGcHVrVTJGTjJXdVpUbG1DRE1NR0J2WlhyNkl5NVZlbFlRRC9oMDVEb0NUYjU5VWVDTVVDZ1lFQXdxZTIKVjQ4d3EydGVlZzRSY2FQZ1R4QmxPMXBDK2V4dFVJdEQvUTVyME14SHUyNVFYbTdYZTVVb2N6all3SUpPRklvcgp6dk5PS2pHb0o1SzY0QkMvVXQxZUNqKy9mMWQ1MjJNcmZheitvZnlObEpIaUthVmhWUkYzOWlmdnhRZ2kvNlQ3CmpENCsxZmdXZ0w5V0ZpSncrNGxUUWsybUdXV0FmWkNKRjVEZk92VUNnWUFlR3p1WHNZbUowaFlwOU8wSmI0RjQKZHppenJzU1BNRXhEWndJQnJ4cDZWK1prV3pVOHlIOEROS1hvYXdlTVJNZjdXc0pFL0NzV1VzMk96R2hUcjRZcQplYW80aDVKcExvVkNpOUZiM1NBWmhqcDJDWVN0NGNneDNzSHlQMG04OXVtbDl6QTgxRVUvUTJqdjNvMXluQXN6CjJ3OE9HQzRXRjZHKzMrQ0ptSUxTdFFLQmdIMGl1ZnNTQjFTNzRuR09wN0lwaXFMcFJGcmlqTm9FSHNZL3NVWjIKUmVObDM5dGpjSEUweW53ZENITUNJWDJvaHk5M0gvQ2J3eTBtM1JZTG91MDJkdmg3Yk9BajJTU3hCSnAvNTA2VQpydUZON1dxTVdoc3h3UitoNmorcHJ0ODRldDlqblg2cjZWTStlS0R0NEJhOHIydFUvZHhLOUxPdzUraFF5WUVICjFpb2RBb0dBT1lyWUJhWEVQS0JFUHNnTURjbG4wdTNTQWN2b3VuSklLTklmTmF0NEdqdnFacWxOQnRvODQ0NVMKRWVzVm4yd0xpVWROQ0c0NzZ1b25LSUpJeWdQTDdhMUV4KzJQK0pkMno3MnFmUFlGUkhUa1MrTFEzRXJCVEVvSQpockZZWlRwVEk4aVl2ZG9Xd0k2RUtBdmhnVGdzT05YeEtzdmJUYUlxRURTOWJwWFVPK2c9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
+{% endif %}

tests/templates/kuttl/spark-ny-public-s3/02-setup-minio.yaml → tests/templates/kuttl/spark-ny-public-s3/02-setup-minio.yaml.j2

@@ -46,3 +46,22 @@ spec:
           value: "9000"
         - name: MINIO_SERVER_SCHEME
           value: http
+
+---
+apiVersion: s3.stackable.tech/v1alpha1
+kind: S3Connection
+metadata:
+  name: test-minio
+spec:
+  host: test-minio
+  port: 9000
+  accessStyle: Path
+  credentials:
+    secretClass: s3-credentials
+{% if test_scenario['values']['s3-use-tls'] == 'true' %}
+  tls:
+    verification:
+      server:
+        caCert:
+          secretClass: minio-tls-certificates
+{% endif %}

tests/templates/kuttl/spark-ny-public-s3/certs/ca.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2TCCAsGgAwIBAgIUBIxXEL+7zEuWUcO0r4nPvYFi6xAwDQYJKoZIhvcNAQEL
+BQAwezELMAkGA1UEBhMCREUxGzAZBgNVBAgMElNjaGxlc3dpZy1Ib2xzdGVpbjEO
+MAwGA1UEBwwFV2VkZWwxKDAmBgNVBAoMH1N0YWNrYWJsZSBTaWduaW5nIEF1dGhv
+cml0eSBJbmMxFTATBgNVBAMMDHN0YWNrYWJsZS5kZTAgFw0yMjA2MjgxNDI1NDJa
+GA8yMTIyMDYwNDE0MjU0MlowezELMAkGA1UEBhMCREUxGzAZBgNVBAgMElNjaGxl
+c3dpZy1Ib2xzdGVpbjEOMAwGA1UEBwwFV2VkZWwxKDAmBgNVBAoMH1N0YWNrYWJs
+ZSBTaWduaW5nIEF1dGhvcml0eSBJbmMxFTATBgNVBAMMDHN0YWNrYWJsZS5kZTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOBnDXGhMt8QV9TZsArVVtP
+wp9MxM0DFtUIFc7sbL7WcpkIWkjDZ78L6+fCUnpjeInaFefGsTMBt66daPdZ/grI
+37hRnw/Fd06CcRoqROMivQEYz5xuQtalAVdqteMVPR6pS1g19J0s09ZD3LuJrICe
+sW4MzsyGaoz/zKSp6+8JDJKCB3qXIAFWQOCa3oOmoSe86TtN4MSuxWvKqOmUeA65
+vwj8DJrYq3sw1291OtCHW+Hoyiai2pp0ofaSajA1gsASa+wrXwqU8cyAOKk0N5Xs
+lyewdwHBCAka87FDCRMUI9FgjsDk/kzY/Hw/PKMuGFPt4hpIvX0zE+aTuPhyOrEC
+AwEAAaNTMFEwHQYDVR0OBBYEFNDTcQYOC8ULaK5GWVeqJllckTc8MB8GA1UdIwQY
+MBaAFNDTcQYOC8ULaK5GWVeqJllckTc8MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggEBAHLzyAQKrbDBQNXX2smWlqX/2JAWM0xSCUGhlgCQITjdrzcv
+q9g0h/U6RoEEJppaFi5f4ReoqNtMa+eMvmq+Nt8Xt7c1+gJ0fQn08vok8buqiFtI
+BSDpwVs65D98DMThQXksGToScOIhFJU8vpUtt79CmbukGyw/uc49rBqejb4xHTPi
+srWPJIQkfpPmFAPkjXWsaX7rvXsGABOdfp/qMM3e2X4aO5owe8AihqmKE3XvhmeC
+v045+nIoFLz4mfGHiuaWK4Rpwu9HL3jHDdE4Qyn1ZEwvtQD7zE05sdUslv/zJ8gR
+jzo+8memTnv8W2/QfmLVnes2TKW3kVjn2YPtNRE=
+-----END CERTIFICATE-----

tests/templates/kuttl/spark-ny-public-s3/certs/client.crt.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfTCCAmWgAwIBAgIUKFtrHWR3W8pjH7h2R/QKHCwzhPMwDQYJKoZIhvcNAQEL
+BQAwezELMAkGA1UEBhMCREUxGzAZBgNVBAgMElNjaGxlc3dpZy1Ib2xzdGVpbjEO
+MAwGA1UEBwwFV2VkZWwxKDAmBgNVBAoMH1N0YWNrYWJsZSBTaWduaW5nIEF1dGhv
+cml0eSBJbmMxFTATBgNVBAMMDHN0YWNrYWJsZS5kZTAgFw0yMjA2MjgxNDI1NDJa
+GA8yMTIyMDYwNDE0MjU0MlowXjELMAkGA1UEBhMCREUxGzAZBgNVBAgMElNjaGxl
+c3dpZy1Ib2xzdGVpbjEOMAwGA1UEBwwFV2VkZWwxEjAQBgNVBAoMCVN0YWNrYWJs
+ZTEOMAwGA1UEAwwFbWluaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQC7mtGDhAkbDReIRY6C5+M1aRp2b6mHVG+eHU4MhCXMdryf+BBursKUB7YxMyV9
+NogkHJKKtqP9R5JRt2Fvs/4QOqdenfOm3sui2dp8POx9NNtMOTgLHTYsGa89BO6i
+dMTqbJmEpU0+cDGefU5dNCvKeFA0M1VIOFk/0AKzNB6RefhkERXq4eaL8xt4o1Jr
+g0gfmtw7xKiHNI0kubZYR3G+3SaCjHMTE0FvDEqfqEOLYI0p3qatrHgM/6na1uCz
+dTXRrn4JbuBF3RgyPc9T9Z+zLROYTONc18hBEAX0bPMMh7iFNMx31S5+iRpFiHhd
+UJRaUTF+b2PuXOwgu/M3VgaJAgMBAAGjFDASMBAGA1UdEQQJMAeCBW1pbmlvMA0G
+CSqGSIb3DQEBCwUAA4IBAQCcnJkzFXnfnEI/+rQU5sKsc/P3FUUoYJo7hLJJMdhw
+XMV5E4e4zkLBr/wUyemVFkyGMcDBdRmPfrKo5DDEIfcCLknJF9W0cI2kppduiMnF
+K5WzLBtTRCehND+amu3O7eahajHT04qdkNckl07U7MsWG/yQZVUvxmOLsk6k+1a2
+crTvSSpszeRUQMqBBkQ+09L7WV1s/p/fcUJUeP6p2xJ1zbiBNy6SKGBlt1t+AGRL
+qRDbuYL+hlDk+gVcdgzSwn8pwByy9+4xS8nft5dOtufBLT8bL+dGpoO7eN1UWfEl
+zAPQVb4CLu/iuZZEnYkN2X7ieldE9x6/4rbVYqmH1dun
+-----END CERTIFICATE-----