From 8f084e17433decbc145f12ba7c4cd144929e7e67 Mon Sep 17 00:00:00 2001
From: Steffen Moldenhauer
Date: Fri, 5 Apr 2024 13:39:48 +0200
Subject: [PATCH] fix: gen-pkcs12-keystore adds ca.crt input option if it exists (#684)
* use -certfile option for ca.crt if present
* add to changelog
---
 controllers/solrcloud_controller_tls_test.go | 5 +++--
 controllers/util/solr_tls_util.go | 7 ++++---
 helm/solr-operator/Chart.yaml | 8 ++++++++
 3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/controllers/solrcloud_controller_tls_test.go b/controllers/solrcloud_controller_tls_test.go
index b0be0c82..374f28f7 100644
--- a/controllers/solrcloud_controller_tls_test.go
+++ b/controllers/solrcloud_controller_tls_test.go
@@ -22,6 +22,8 @@ import (
 "crypto/md5"
 b64 "encoding/base64"
 "fmt"
+ "strings"
+
 solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
 "github.com/apache/solr-operator/controllers/util"
 . "github.com/onsi/ginkgo/v2"
@@ -31,7 +33,6 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
 "sigs.k8s.io/controller-runtime/pkg/client"
- "strings"
 )
 
 var _ = FDescribe("SolrCloud controller - TLS", func() {
@@ -522,7 +523,7 @@ func expectTLSConfigOnPodTemplateWithGomega(g Gomega, solrCloud *solrv1beta1.Sol
 break
 }
 }
- expCmd := "OPTIONAL_CACRT=\"$(test -e /var/solr/tls/ca.crt && echo ' -in /var/solr/tls/ca.crt')\"; openssl pkcs12 -export -in /var/solr/tls/tls.crt $OPTIONAL_CACRT -inkey /var/solr/tls/tls.key -out /var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
+ expCmd := "OPTIONAL_CACRT=\"$(test -e /var/solr/tls/ca.crt && echo ' -certfile /var/solr/tls/ca.crt')\"; openssl pkcs12 -export -in /var/solr/tls/tls.crt $OPTIONAL_CACRT -inkey /var/solr/tls/tls.key -out /var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
 g.Expect(expInitContainer).To(Not(BeNil()), "Didn't find the gen-pkcs12-keystore InitContainer in the sts!")
 g.Expect(expInitContainer.Command[2]).To(Equal(expCmd), "Wrong TLS initContainer command")
 }
diff --git a/controllers/util/solr_tls_util.go b/controllers/util/solr_tls_util.go
index b1988778..85287577 100644
--- a/controllers/util/solr_tls_util.go
+++ b/controllers/util/solr_tls_util.go
@@ -21,13 +21,14 @@ import (
 "context"
 "crypto/md5"
 "fmt"
+ "strconv"
+ "strings"
+
 solr "github.com/apache/solr-operator/api/v1beta1"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/controller-runtime/pkg/client"
- "strconv"
- "strings"
 )
 
 const (
@@ -709,7 +710,7 @@ func (tls *TLSConfig) generatePkcs12InitContainer(imageName string, imagePullPol caCrtFileName := DefaultKeyStorePath + "/ca.crt" - cmd := "OPTIONAL_CACRT=\"$(test -e " + caCrtFileName + " && echo ' -in " + caCrtFileName + "')\"; " + + cmd := "OPTIONAL_CACRT=\"$(test -e " + caCrtFileName + " && echo ' -certfile " + caCrtFileName + "')\"; " + "openssl pkcs12 -export -in " + DefaultKeyStorePath + "/" + TLSCertKey + " $OPTIONAL_CACRT " + "-inkey " + DefaultKeyStorePath + "/tls.key -out " + DefaultKeyStorePath + "/pkcs12/" + DefaultPkcs12KeystoreFile + " -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
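Review bot: The `OPTIONAL_CACRT` guard on the new `cmd` line in generatePkcs12InitContainer still uses `test -e`, which also succeeds for a zero-length `ca.crt`, so a TLS secret whose `ca.crt` key is present but empty yields `-certfile` pointing at an empty file and the openssl export fails; `test -s` adds the option only when the file has content: `cmd := "OPTIONAL_CACRT=\"$(test -s " + caCrtFileName + " && echo ' -certfile " + caCrtFileName + "')\"; " +`. Nothing in the hunk records why `-in` became `-certfile`; a comment above the line, e.g. `// ca.crt is optional in the TLS secret; when present it goes in as an additional certificate via -certfile, since openssl pkcs12 accepts only one -in (the leaf cert)`, would save the next reader a trip to the issue tracker. Independently of this change, `-passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}` is expanded by the shell, so the keystore password appears in openssl's argument list and is readable from the process table while it runs; `-passout env:SOLR_SSL_KEY_STORE_PASSWORD` lets openssl read it from the environment instead, and the matching `expCmd` in the `@@ -522` hunk of solrcloud_controller_tls_test.go would need the same edit. The function's signature and the rest of its body lie outside the hunk.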
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index 5a954c28..4f274146 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -54,6 +54,13 @@ annotations:
 # Add change log for a single release here.
 # Allowed syntax is described at: https://artifacthub.io/docs/topics/annotations/helm/#example
 artifacthub.io/changes: |
+ - kind: fixed
+ description: gen-pkcs12-keystore init container fails if the tls secret contains no ca.crt
+ links:
+ - name: Github Issue
+ url: https://github.com/apache/solr-operator/issues/684
+ - name: Github PR
+ url: https://github.com/apache/solr-operator/pull/685
 - kind: changed
 description: SolrClouds now support auto-readOnlyRootFilesystem setting.
 links:
@@ -61,6 +68,7 @@ annotations:
 url: https://github.com/apache/solr-operator/issues/624
 - name: Github PR
 url: https://github.com/apache/solr-operator/pull/648
+ - kind: fixed
 description: Avoid reset of security.json if get request fails
 links:
 - name: Github Issue