feat: OPA TLS support

Author: dervoeti

rust/operator-binary/src/authorization/opa.rs

@@ -3,6 +3,8 @@ use std::collections::BTreeMap;
 use stackable_operator::{
     client::Client,
     commons::opa::{OpaApiVersion, OpaConfig},
+    k8s_openapi::api::core::v1::ConfigMap,
+    kube::ResourceExt,
 };
 
 use crate::crd::v1alpha1::TrinoCluster;
@@ -28,6 +30,10 @@ pub struct TrinoOpaConfig {
     /// such operations, they will be bulk allowed or denied depending
     /// on this setting
     pub(crate) allow_permission_management_operations: bool,
+    /// Optional TLS secret class for OPA communication.
+    /// If set, the CA certificate from this secret class will be added
+    /// to Trino's truststore to make it trust OPA's TLS certificate.
+    pub(crate) tls_secret_class: Option<String>,
 }
 
 impl TrinoOpaConfig {
@@ -66,12 +72,24 @@ impl TrinoOpaConfig {
                 OpaApiVersion::V1,
             )
             .await?;
+
+        let tls_secret_class = client
+            .get::<ConfigMap>(
+                &opa_config.config_map_name,
+                trino.namespace().as_deref().unwrap_or("default"),
+            )
+            .await
+            .ok()
+            .and_then(|cm| cm.data)
+            .and_then(|mut data| data.remove("OPA_SECRET_CLASS"));
+
         Ok(TrinoOpaConfig {
             non_batched_connection_string,
             batched_connection_string,
             row_filters_connection_string: Some(row_filters_connection_string),
             column_masking_connection_string: Some(column_masking_connection_string),
             allow_permission_management_operations: true,
+            tls_secret_class,
         })
     }
 

rust/operator-binary/src/controller.rs

@@ -123,6 +123,7 @@ pub const MAX_PREPARE_LOG_FILE_SIZE: MemoryQuantity = MemoryQuantity {
 };
 
 const DOCKER_IMAGE_BASE_NAME: &str = "trino";
+const OPA_TLS_VOLUME_NAME: &str = "opa-tls";
 
 #[derive(Snafu, Debug, EnumDiscriminants)]
 #[strum_discriminants(derive(IntoStaticStr))]
@@ -630,6 +631,7 @@ pub async fn reconcile_trino(
                 &rbac_sa.name_any(),
                 &resolved_fte_config,
                 &resolved_client_protocol_config,
+                &trino_opa_config,
             )?;
 
             cluster_resources
@@ -1037,6 +1039,7 @@ fn build_rolegroup_statefulset(
     sa_name: &str,
     resolved_fte_config: &Option<fault_tolerant_execution::ResolvedFaultTolerantExecutionConfig>,
     resolved_spooling_config: &Option<client_protocol::ResolvedClientProtocolConfig>,
+    trino_opa_config: &Option<TrinoOpaConfig>,
 ) -> Result<StatefulSet> {
     let role = trino
         .role(trino_role)
@@ -1140,6 +1143,7 @@ fn build_rolegroup_statefulset(
         &requested_secret_lifetime,
         resolved_fte_config,
         resolved_spooling_config,
+        trino_opa_config,
     )?;
 
     let mut prepare_args = vec![];
@@ -1165,6 +1169,18 @@ fn build_rolegroup_statefulset(
     prepare_args
         .extend(trino_authentication_config.commands(&TrinoRole::Coordinator, &Container::Prepare));
 
+    // Add OPA TLS certificate to truststore if configured
+    if trino_opa_config
+        .as_ref()
+        .and_then(|c| c.tls_secret_class.as_ref())
+        .is_some()
+    {
+        prepare_args.extend(command::add_cert_to_truststore(
+            &format!("/stackable/secrets/{OPA_TLS_VOLUME_NAME}/ca.crt"),
+            STACKABLE_CLIENT_TLS_DIR,
+        ));
+    }
+
     let container_prepare = cb_prepare
         .image_from_product_image(resolved_product_image)
         .command(vec![
@@ -1710,6 +1726,7 @@ fn tls_volume_mounts(
     requested_secret_lifetime: &Duration,
     resolved_fte_config: &Option<fault_tolerant_execution::ResolvedFaultTolerantExecutionConfig>,
     resolved_spooling_config: &Option<client_protocol::ResolvedClientProtocolConfig>,
+    trino_opa_config: &Option<TrinoOpaConfig>,
 ) -> Result<()> {
     if let Some(server_tls) = trino.get_server_tls() {
         cb_prepare
@@ -1789,6 +1806,28 @@ fn tls_volume_mounts(
             .context(AddVolumeSnafu)?;
     }
 
+    if let Some(opa_config) = trino_opa_config {
+        if let Some(opa_tls_secret_class) = &opa_config.tls_secret_class {
+            let opa_tls_mount_path = format!("/stackable/secrets/{OPA_TLS_VOLUME_NAME}");
+
+            cb_prepare
+                .add_volume_mount(OPA_TLS_VOLUME_NAME, &opa_tls_mount_path)
+                .context(AddVolumeMountSnafu)?;
+
+            let opa_tls_volume = VolumeBuilder::new(OPA_TLS_VOLUME_NAME)
+                .ephemeral(
+                    SecretOperatorVolumeSourceBuilder::new(opa_tls_secret_class)
+                        .build()
+                        .context(TlsCertSecretClassVolumeBuildSnafu)?,
+                )
+                .build();
+
+            pod_builder
+                .add_volume(opa_tls_volume)
+                .context(AddVolumeSnafu)?;
+        }
+    }
+
     // fault tolerant execution S3 credentials and other resources
     if let Some(resolved_fte) = resolved_fte_config {
         cb_prepare
@@ -2028,6 +2067,7 @@ mod tests {
                     .to_string(),
             ),
             allow_permission_management_operations: true,
+            tls_secret_class: None,
         });
         let resolved_fte_config = match &trino.spec.cluster_config.fault_tolerant_execution {
             Some(fault_tolerant_execution) => Some(

tests/templates/kuttl/opa-authorization/10-install-opa.yaml.j2

@@ -5,6 +5,19 @@ commands:
   - script: |
       kubectl apply -n $NAMESPACE -f - <<EOF
       ---
+      apiVersion: secrets.stackable.tech/v1alpha1
+      kind: SecretClass
+      metadata:
+        name: opa-tls-$NAMESPACE
+      spec:
+        backend:
+          autoTls:
+            ca:
+              autoGenerate: true
+              secret:
+                name: opa-tls-ca-$NAMESPACE
+                namespace: $NAMESPACE
+      ---
       apiVersion: opa.stackable.tech/v1alpha1
       kind: OpaCluster
       metadata:
@@ -19,6 +32,8 @@ commands:
 {% endif %}
           pullPolicy: IfNotPresent
         clusterConfig:
+          tls:
+            serverSecretClass: opa-tls-$NAMESPACE
           userInfo:
             backend:
               keycloak: