diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cb6f283..44099637 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Added + +- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup + config property `requestedSecretLifetime`. This helps reducing frequent Pod restarts ([#660]). + ### Fixed - Fix OIDC endpoint construction in case the `rootPath` does have a trailing slash ([#656]). @@ -13,6 +18,7 @@ All notable changes to this project will be documented in this file. [#656]: https://github.com/stackabletech/druid-operator/pull/656 [#657]: https://github.com/stackabletech/druid-operator/pull/657 +[#660]: https://github.com/stackabletech/druid-operator/pull/660 ## [24.11.0] - 2024-11-18 diff --git a/Cargo.lock b/Cargo.lock index 5014a2c7..977ed63f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -488,17 +488,6 @@ dependencies = [ "powerfmt", ] -[[package]] -name = "derivative" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b" -dependencies = [ - "proc-macro2", - "quote", - "syn 1.0.109", -] - [[package]] name = "digest" version = "0.10.7" @@ -2039,9 +2028,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.18" +version = "0.23.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c9cc1d47e243d655ace55ed38201c19ae02c148ae56412ab8750e8f0166ab7f" +checksum = "934b404430bb06b3fae2cba809eb45a1ab1aecd64491213d7c3301b88393f8d1" dependencies = [ "log", "once_cell", 
@@ -2443,15 +2432,15 @@ dependencies = [ [[package]] name = "stackable-operator" -version = "0.82.0" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" +version = "0.83.0" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.83.0#3ce7bcbdb58097cde0c0f19488a104c96f69dbc3" dependencies = [ "chrono", "clap", "const_format", "delegate", - "derivative", "dockerfile-parser", + "educe", "either", "futures 0.3.31", "indexmap", @@ -2482,7 +2471,7 @@ dependencies = [ [[package]] name = "stackable-operator-derive" version = "0.3.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.83.0#3ce7bcbdb58097cde0c0f19488a104c96f69dbc3" dependencies = [ "darling", "proc-macro2", @@ -2493,7 +2482,7 @@ dependencies = [ [[package]] name = "stackable-shared" version = "0.0.1" -source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#415bbd031bd52e9c0c5392060235030e9930b46b" +source = "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.83.0#3ce7bcbdb58097cde0c0f19488a104c96f69dbc3" dependencies = [ "kube", "semver", diff --git a/Cargo.nix b/Cargo.nix index 5e3f89ad..c9139fa0 100644 --- a/Cargo.nix +++ b/Cargo.nix 
@@ -1405,33 +1405,6 @@ rec { }; resolvedDefaultFeatures = [ "alloc" "powerfmt" "std" ]; }; - "derivative" = rec { - crateName = "derivative"; - version = "2.2.0"; - edition = "2015"; - sha256 = "02vpb81wisk2zh1d5f44szzxamzinqgq2k8ydrfjj2wwkrgdvhzw"; - procMacro = true; - authors = [ - "mcarton " - ]; - dependencies = [ - { - name = "proc-macro2"; - packageId = "proc-macro2"; - } - { - name = "quote"; - packageId = "quote"; - } - { - name = "syn"; - packageId = "syn 1.0.109"; - features = [ "visit" "extra-traits" ]; - } - ]; - features = { - }; - }; "digest" = rec { crateName = "digest"; version = "0.10.7"; @@ -1593,7 +1566,7 @@ rec { "default" = [ "Debug" "Clone" "Copy" "PartialEq" "Eq" "PartialOrd" "Ord" "Hash" "Default" "Deref" "DerefMut" "Into" ]; "full" = [ "syn/full" ]; }; - resolvedDefaultFeatures = [ "Clone" "Debug" "Hash" "PartialEq" ]; + resolvedDefaultFeatures = [ "Clone" "Debug" "Default" "Hash" "PartialEq" ]; }; "either" = rec { crateName = "either"; @@ -7559,9 +7532,9 @@ rec { edition = "2021"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; - sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "f6aa3c46948d4cb59f92c5daa08f685068a393ba"; + sha256 = "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh"; }; libName = "stackable_operator"; authors = [ @@ -7586,14 +7559,16 @@ rec { name = "delegate"; packageId = "delegate"; } - { - name = "derivative"; - packageId = "derivative"; - } { name = "dockerfile-parser"; packageId = "dockerfile-parser"; } + { + name = "educe"; + packageId = "educe"; + usesDefaultFeatures = false; + features = [ "Clone" "Debug" "Default" "PartialEq" ]; + } { name = "either"; packageId = "either"; 
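Review bot: The `fetchgit` block for `stackable-operator` in the `@@ -7532` hunk pins `rev = "f6aa3c46948d4cb59f92c5daa08f685068a393ba"` and a URL with a doubled slash (`stackabletech//operator-rs.git`), whereas Cargo.lock in this same commit resolves tag `stackable-operator-0.83.0` to `3ce7bcbdb58097cde0c0f19488a104c96f69dbc3`. The same rev and URL recur in the `stackable-operator-derive` and `stackable-shared` hunks, and crate-hashes.json keys all three under `branch=feat%2Frequest-secret-lifetime` at `stackable-operator@0.82.0`, so the Nix build appears to fetch a different, branch-derived source than the Cargo build. Regenerating Cargo.nix and crate-hashes.json after the switch to the release tag would make both build paths resolve to the same reviewed commit. A branch ref is mutable, which leaves the pinned rev and sha256 as the only link between the Nix build and known code.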
@@ -7717,9 +7692,9 @@ rec { edition = "2021"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; - sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "f6aa3c46948d4cb59f92c5daa08f685068a393ba"; + sha256 = "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh"; }; procMacro = true; libName = "stackable_operator_derive"; @@ -7752,9 +7727,9 @@ rec { edition = "2021"; workspace_member = null; src = pkgs.fetchgit { - url = "https://github.com/stackabletech/operator-rs.git"; - rev = "415bbd031bd52e9c0c5392060235030e9930b46b"; - sha256 = "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy"; + url = "https://github.com/stackabletech//operator-rs.git"; + rev = "f6aa3c46948d4cb59f92c5daa08f685068a393ba"; + sha256 = "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh"; }; libName = "stackable_shared"; authors = [ @@ -7906,7 +7881,7 @@ rec { "quote" = [ "dep:quote" ]; "test" = [ "syn-test-suite/all-features" ]; }; - resolvedDefaultFeatures = [ "clone-impls" "default" "derive" "extra-traits" "full" "parsing" "printing" "proc-macro" "quote" "visit" ]; + resolvedDefaultFeatures = [ "clone-impls" "default" "derive" "full" "parsing" "printing" "proc-macro" "quote" ]; }; "syn 2.0.89" = rec { crateName = "syn"; diff --git a/Cargo.toml b/Cargo.toml index a66977b4..af394b09 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -25,7 +25,7 @@ serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" serde_yaml = "0.9" snafu = "0.8" -stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.82.0" } +stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.83.0" } strum = { version = "0.26", features = ["derive"] } tokio = { version = "1.40", features = ["full"] } tracing = "0.1" 
diff --git a/crate-hashes.json b/crate-hashes.json index 0ca37e6e..cf8cfc73 100644 --- a/crate-hashes.json +++ b/crate-hashes.json @@ -1,6 +1,6 @@ { - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-operator-derive@0.3.1": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-operator@0.82.0": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.82.0#stackable-shared@0.0.1": "0phasjwb64rxgn5hs8vks92icmx9255bd5v9dms280clrfpcg4hy", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Frequest-secret-lifetime#stackable-operator-derive@0.3.1": "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Frequest-secret-lifetime#stackable-operator@0.82.0": "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh", + "git+https://github.com/stackabletech//operator-rs.git?branch=feat%2Frequest-secret-lifetime#stackable-shared@0.0.1": "09l6s6yjskp3a2ab71z4cba20lrihscs11b3q19rlz252r5pvyqh", "git+https://github.com/stackabletech/product-config.git?tag=0.7.0#product-config@0.7.0": "0gjsm80g6r75pm3824dcyiz4ysq1ka4c1if6k1mjm9cnd5ym0gny" } \ No newline at end of file diff --git a/deploy/helm/druid-operator/crds/crds.yaml b/deploy/helm/druid-operator/crds/crds.yaml index a1e148ad..70ed1b32 100644 --- a/deploy/helm/druid-operator/crds/crds.yaml +++ b/deploy/helm/druid-operator/crds/crds.yaml @@ -154,6 +154,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: 
@@ -372,6 +376,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: @@ -994,6 +1002,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: @@ -1212,6 +1224,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: @@ -1410,6 +1426,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: @@ -1659,6 +1679,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: 
@@ -1936,6 +1960,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: @@ -2154,6 +2182,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: @@ -2352,6 +2384,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: @@ -2570,6 +2606,10 @@ spec: nullable: true type: boolean type: object + requestedSecretLifetime: + description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + nullable: true + type: string resources: default: cpu: diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs index 0f164d52..873321e5 100644 --- a/rust/crd/src/lib.rs +++ b/rust/crd/src/lib.rs 
@@ -152,10 +152,20 @@ const DEFAULT_MIDDLEMANAGER_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = const DEFAULT_ROUTER_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = Duration::from_minutes_unchecked(5); const DEFAULT_HISTORICAL_GRACEFUL_SHUTDOWN_TIMEOUT: Duration = Duration::from_minutes_unchecked(5); +// Auto TLS certificate lifetime +const DEFAULT_BROKER_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); +const DEFAULT_COORDINATOR_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); +const DEFAULT_MIDDLE_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); +const DEFAULT_ROUTER_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); +const DEFAULT_HISTORICAL_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7); + #[derive(Snafu, Debug, EnumDiscriminants)] #[strum_discriminants(derive(IntoStaticStr))] #[allow(clippy::enum_variant_names)] pub enum Error { + #[snafu(display("missing secret lifetime"))] + MissingSecretLifetime, + #[snafu(display("failed to resolve S3 connection"))] ResolveS3Connection { source: S3Error }, @@ -348,6 +358,7 @@ pub struct CommonRoleGroupConfig { pub replicas: Option, pub affinity: StackableAffinity, pub graceful_shutdown_timeout: Option, + pub requested_secret_lifetime: Duration, } /// Container for the merged and validated role group configurations @@ -387,6 +398,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .context(MissingSecretLifetimeSnafu)?, }) } DruidRole::Coordinator => { 
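Review bot: `DEFAULT_MIDDLE_SECRET_LIFETIME` breaks the naming used by its neighbour `DEFAULT_MIDDLEMANAGER_GRACEFUL_SHUTDOWN_TIMEOUT`, and all five constants added under `// Auto TLS certificate lifetime` hold the same `Duration::from_days_unchecked(7)`. Renaming it to `DEFAULT_MIDDLEMANAGER_SECRET_LIFETIME`, together with its use in `MiddleManagerConfig` in a later hunk, keeps a search by role name working. The section comment could also record the trade-off behind the value, e.g. `// Requested lifetime of auto-generated TLS certificates: longer means fewer Pod restarts, but a leaked key stays valid longer.`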
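Review bot: `MissingSecretLifetime` carries no role or rolegroup, so the message `missing secret lifetime` does not say which `DruidRole` arm of `MergedConfig` failed. The Broker arm in the `@@ -387` hunk and the Coordinator, Historical, MiddleManager and Router arms in the following hunks all raise it with the identical `.context(MissingSecretLifetimeSnafu)?` chain. The per-role defaults later in this file always set `Some(DEFAULT_…_SECRET_LIFETIME)`, so the error presumably only fires on a merge problem, which is when the context is most useful. If the role is in scope there, a variant such as `MissingSecretLifetime { role: String }` with `#[snafu(display("missing secret lifetime for role {role}"))]` would make the failure actionable. The enclosing function starts and ends outside this hunk.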
@@ -400,6 +416,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .context(MissingSecretLifetimeSnafu)?, }) } DruidRole::Historical => { @@ -415,6 +436,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .context(MissingSecretLifetimeSnafu)?, }) } DruidRole::MiddleManager => { @@ -428,6 +454,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .context(MissingSecretLifetimeSnafu)?, }) } DruidRole::Router => { @@ -441,6 +472,11 @@ impl MergedConfig { replicas: rolegroup.replicas, affinity: rolegroup.config.config.affinity.clone(), graceful_shutdown_timeout: rolegroup.config.config.graceful_shutdown_timeout, + requested_secret_lifetime: rolegroup + .config + .config + .requested_secret_lifetime + .context(MissingSecretLifetimeSnafu)?, }) } } @@ -1105,6 +1141,11 @@ pub struct BrokerConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, + + /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. + /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + #[fragment_attrs(serde(default))] + pub requested_secret_lifetime: Option, } impl BrokerConfig { 
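Review bot: The doc comment on `requested_secret_lifetime` in `BrokerConfig` gives example values but never states the default, which the constants in this file set to 7 days. It is repeated verbatim on `CoordinatorConfig`, `MiddleManagerConfig`, `RouterConfig` and `HistoricalConfig` in the later hunks. The same text appears as the field description in crds.yaml, so a user picking a value sees neither the default nor the consequence of raising it. I would append a line such as `/// Defaults to 7d. Longer lifetimes reduce certificate-driven Pod restarts but extend how long a leaked key remains valid.` to each of the five fields.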
@@ -1118,6 +1159,7 @@ impl BrokerConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), + requested_secret_lifetime: Some(DEFAULT_BROKER_SECRET_LIFETIME), } } } @@ -1148,6 +1190,11 @@ pub struct CoordinatorConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, + + /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. + /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + #[fragment_attrs(serde(default))] + pub requested_secret_lifetime: Option, } impl CoordinatorConfig { @@ -1161,6 +1208,7 @@ impl CoordinatorConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), + requested_secret_lifetime: Some(DEFAULT_COORDINATOR_SECRET_LIFETIME), } } } @@ -1191,6 +1239,11 @@ pub struct MiddleManagerConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, + + /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. + /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + #[fragment_attrs(serde(default))] + pub requested_secret_lifetime: Option, } impl MiddleManagerConfig { 
@@ -1204,6 +1257,7 @@ impl MiddleManagerConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), + requested_secret_lifetime: Some(DEFAULT_MIDDLE_SECRET_LIFETIME), } } } @@ -1234,6 +1288,11 @@ pub struct RouterConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, + + /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. + /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + #[fragment_attrs(serde(default))] + pub requested_secret_lifetime: Option, } impl RouterConfig { @@ -1247,6 +1306,7 @@ impl RouterConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), + requested_secret_lifetime: Some(DEFAULT_ROUTER_SECRET_LIFETIME), } } } @@ -1277,6 +1337,11 @@ pub struct HistoricalConfig { /// [graceful shutdown documentation](DOCS_BASE_URL_PLACEHOLDER/druid/usage-guide/operations/graceful-shutdown). #[fragment_attrs(serde(default))] pub graceful_shutdown_timeout: Option, + + /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. + /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate. + #[fragment_attrs(serde(default))] + pub requested_secret_lifetime: Option, } impl HistoricalConfig { 
@@ -1290,6 +1355,7 @@ impl HistoricalConfig { logging: product_logging::spec::default_logging(), affinity: get_affinity(cluster_name, role, deep_storage), graceful_shutdown_timeout: Some(role.default_graceful_shutdown_timeout()), + requested_secret_lifetime: Some(DEFAULT_HISTORICAL_SECRET_LIFETIME), } } } diff --git a/rust/crd/src/security.rs b/rust/crd/src/security.rs index e4b74ad6..627f0277 100644 --- a/rust/crd/src/security.rs +++ b/rust/crd/src/security.rs @@ -20,6 +20,7 @@ use stackable_operator::{ api::core::v1::{ContainerPort, Probe, ServicePort, TCPSocketAction}, apimachinery::pkg::util::intstr::IntOrString, }, + time::Duration, }; use std::collections::BTreeMap; @@ -190,6 +191,7 @@ impl DruidTlsSecurity { prepare: &mut ContainerBuilder, druid: &mut ContainerBuilder, pod: &mut PodBuilder, + requested_secret_lifetime: &Duration, ) -> Result<(), Error> { // `ResolvedAuthenticationClasses::validate` already checked that the tls AuthenticationClass // uses the same SecretClass as the Druid server itself. @@ -202,6 +204,7 @@ impl DruidTlsSecurity { .with_node_scope() .with_format(SecretFormat::TlsPkcs12) .with_tls_pkcs12_password(TLS_STORE_PASSWORD) + .with_auto_tls_cert_lifetime(*requested_secret_lifetime) .build() .context(SecretVolumeBuildSnafu)?, ) diff --git a/rust/operator-binary/src/druid_controller.rs b/rust/operator-binary/src/druid_controller.rs index dad2e8f3..1ed6a666 100644 --- a/rust/operator-binary/src/druid_controller.rs +++ b/rust/operator-binary/src/druid_controller.rs @@ -981,7 +981,12 @@ fn build_rolegroup_statefulset( // volume and volume mounts druid_tls_security - .add_tls_volume_and_volume_mounts(&mut cb_prepare, &mut cb_druid, &mut pb) + .add_tls_volume_and_volume_mounts( + &mut cb_prepare, + &mut cb_druid, + &mut pb, + &merged_rolegroup_config.requested_secret_lifetime, + ) .context(FailedToInitializeSecurityContextSnafu)?; if let Some(s3) = s3_conn {
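Review bot: In security.rs, `add_tls_volume_and_volume_mounts` takes `requested_secret_lifetime: &Duration` and immediately copies it out with `.with_auto_tls_cert_lifetime(*requested_secret_lifetime)`, so the reference adds nothing for a `Copy` value. Taking `requested_secret_lifetime: Duration` and passing `merged_rolegroup_config.requested_secret_lifetime` directly at the call site in druid_controller.rs reads more plainly. The new parameter also has no visible documentation. A short doc line saying that the value is a request which the SecretClass's `maxCertificateLifetime` may shorten, as the CRD description already says, would tell callers it is not a guarantee. The function body continues outside the hunk.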