TLS is automatically turned on by applying (almost) the same cluster definition twice

[razvan]

Affected version

0.9.0-nightly

Current and expected behavior

Description

TLS is turned on even though the cluster definition contains tls: null. BUT it happens the second time the manifest is applied after changing something completely unrelated to security.

How to reproduce

1. Run the unmodified authorizer kuttl test and keep the druid cluster around:

kuttl test --test=authorizer_druid-24.0.0-stackable0.2.0_zookeeper-latest-3.8.0-stackable0.8.0_opa-0.45.0-stackable0.2.0_hadoop-3.3.4-stackable0.2.0 --skip-delete

2. Edit the generated file 03-install-druid.yaml by changing something unrelated to security, for example replacing the string MyBasicMetadataAuthenticator with something else (everywhere).

3. Reapply the Druid cluster manifest only:

k apply -n <kuttl-namespace> -f 03-install-druid.yaml

Now all Pods are restarted and the services use tls. See how tls: null has been aplyed but the operator has changed it:

k get -n kuttl-test-premium-sawfish druidclusters.druid.stackable.tech/derby-druid -o yaml | grep tls
      {"apiVersion":"druid.stackable.tech/v1alpha1","kind":"DruidCluster","metadata":{"annotations":{},"name":"derby-druid","namespace":"kuttl-test-premium-sawfish"},"spec":{"brokers":{"configOverrides":{"runtime.properties":{"druid.auth.authenticator.MyBasicOPAAuthorizer2.authorizerName":"OpaAuthorizer","druid.auth.authenticator.MyBasicOPAAuthorizer2.credentialsValidator.type":"metadata","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialAdminPassword":"password1","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialInternalClientPassword":"password2","druid.auth.authenticator.MyBasicOPAAuthorizer2.skipOnFailure":"false","druid.auth.authenticator.MyBasicOPAAuthorizer2.type":"basic","druid.auth.authenticatorChain":"[\"MyBasicOPAAuthorizer2\"]","druid.escalator.authorizerName":"OpaAuthorizer","druid.escalator.internalClientPassword":"password2","druid.escalator.internalClientUsername":"druid_system","druid.escalator.type":"basic"}},"roleGroups":{"default":{"replicas":1}}},"clusterConfig":{"authorization":{"opa":{"configMapName":"test-opa","package":"druid"}},"deepStorage":{"hdfs":{"configMapName":"druid-hdfs","directory":"/druid"}},"metadataStorageDatabase":{"connString":"jdbc:derby://localhost:1527/var/druid/metadata.db;create=true","dbType":"derby","host":"localhost","port":1527},"tls":null,"zookeeperConfigMapName":"druid-znode"},"coordinators":{"configOverrides":{"runtime.properties":{"druid.auth.authenticator.MyBasicOPAAuthorizer2.authorizerName":"OpaAuthorizer","druid.auth.authenticator.MyBasicOPAAuthorizer2.credentialsValidator.type":"metadata","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialAdminPassword":"password1","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialInternalClientPassword":"password2","druid.auth.authenticator.MyBasicOPAAuthorizer2.skipOnFailure":"false","druid.auth.authenticator.MyBasicOPAAuthorizer2.type":"basic","druid.auth.authenticatorChain":"[\"MyBasicOPAAuthorizer2\"]","druid.escalator.authorizerName":"OpaAuthorizer","druid.escalator.internalClientPassword":"password2","druid.escalator.internalClientUsername":"druid_system","druid.escalator.type":"basic"}},"roleGroups":{"default":{"replicas":1}}},"historicals":{"configOverrides":{"runtime.properties":{"druid.auth.authenticator.MyBasicOPAAuthorizer2.authorizerName":"OpaAuthorizer","druid.auth.authenticator.MyBasicOPAAuthorizer2.credentialsValidator.type":"metadata","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialAdminPassword":"password1","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialInternalClientPassword":"password2","druid.auth.authenticator.MyBasicOPAAuthorizer2.skipOnFailure":"false","druid.auth.authenticator.MyBasicOPAAuthorizer2.type":"basic","druid.auth.authenticatorChain":"[\"MyBasicOPAAuthorizer2\"]","druid.escalator.authorizerName":"OpaAuthorizer","druid.escalator.internalClientPassword":"password2","druid.escalator.internalClientUsername":"druid_system","druid.escalator.type":"basic"}},"roleGroups":{"default":{"replicas":1}}},"middleManagers":{"configOverrides":{"runtime.properties":{"druid.auth.authenticator.MyBasicOPAAuthorizer2.authorizerName":"OpaAuthorizer","druid.auth.authenticator.MyBasicOPAAuthorizer2.credentialsValidator.type":"metadata","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialAdminPassword":"password1","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialInternalClientPassword":"password2","druid.auth.authenticator.MyBasicOPAAuthorizer2.skipOnFailure":"false","druid.auth.authenticator.MyBasicOPAAuthorizer2.type":"basic","druid.auth.authenticatorChain":"[\"MyBasicOPAAuthorizer2\"]","druid.escalator.authorizerName":"OpaAuthorizer","druid.escalator.internalClientPassword":"password2","druid.escalator.internalClientUsername":"druid_system","druid.escalator.type":"basic"}},"roleGroups":{"default":{"replicas":1}}},"routers":{"configOverrides":{"runtime.properties":{"druid.auth.authenticator.MyBasicOPAAuthorizer2.authorizerName":"OpaAuthorizer","druid.auth.authenticator.MyBasicOPAAuthorizer2.credentialsValidator.type":"metadata","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialAdminPassword":"password1","druid.auth.authenticator.MyBasicOPAAuthorizer2.initialInternalClientPassword":"password2","druid.auth.authenticator.MyBasicOPAAuthorizer2.skipOnFailure":"false","druid.auth.authenticator.MyBasicOPAAuthorizer2.type":"basic","druid.auth.authenticatorChain":"[\"MyBasicOPAAuthorizer2\"]","druid.escalator.authorizerName":"OpaAuthorizer","druid.escalator.internalClientPassword":"password2","druid.escalator.internalClientUsername":"druid_system","druid.escalator.type":"basic"}},"roleGroups":{"default":{"replicas":1}}},"version":"24.0.0-stackable0.2.0"}}
    tls:
      secretClass: tls

Possible solution

No response

Additional context

No response

Environment

No response

Would you like to work on fixing this bug?

No response

[sbernauer]

Very strange! Might be fixed by #365 and needs to be re-tested