use listener scope for tls

labrenbe · labrenbe · commit 09cb1751274c · 2025-07-02T15:51:52.000+02:00
diff --git a/rust/operator-binary/src/crd/security.rs b/rust/operator-binary/src/crd/security.rs
@@ -207,19 +207,28 @@ impl DruidTlsSecurity {
         druid: &mut ContainerBuilder,
         pod: &mut PodBuilder,
         requested_secret_lifetime: &Duration,
+        listener_scope: Option<String>,
     ) -> Result<(), Error> {
         // `ResolvedAuthenticationClasses::validate` already checked that the tls AuthenticationClass
         // uses the same SecretClass as the Druid server itself.
         if let Some(secret_class) = &self.server_and_internal_secret_class {
+            let mut secret_volume_source_builder =
+                SecretOperatorVolumeSourceBuilder::new(secret_class);
+
+            secret_volume_source_builder
+                .with_pod_scope()
+                .with_format(SecretFormat::TlsPkcs12)
+                .with_tls_pkcs12_password(TLS_STORE_PASSWORD)
+                .with_auto_tls_cert_lifetime(*requested_secret_lifetime);
+
+            if let Some(listener_scope) = &listener_scope {
+                secret_volume_source_builder.with_listener_volume_scope(listener_scope);
+            }
+
             pod.add_volume(
                 VolumeBuilder::new(TLS_MOUNT_VOLUME_NAME)
                     .ephemeral(
-                        SecretOperatorVolumeSourceBuilder::new(secret_class)
-                            .with_pod_scope()
-                            .with_node_scope()
-                            .with_format(SecretFormat::TlsPkcs12)
-                            .with_tls_pkcs12_password(TLS_STORE_PASSWORD)
-                            .with_auto_tls_cert_lifetime(*requested_secret_lifetime)
+                        secret_volume_source_builder
                             .build()
                             .context(SecretVolumeBuildSnafu)?,
                     )
diff --git a/rust/operator-binary/src/druid_controller.rs b/rust/operator-binary/src/druid_controller.rs
@@ -81,7 +81,7 @@ use crate::{
     internal_secret::{create_shared_internal_secret, env_var_from_secret},
     listener::{
         LISTENER_VOLUME_DIR, LISTENER_VOLUME_NAME, build_group_listener, build_group_listener_pvc,
-        group_listener_name,
+        group_listener_name, secret_volume_listener_scope,
     },
     operations::{graceful_shutdown::add_graceful_shutdown_config, pdb::add_pdbs},
     product_logging::extend_role_group_config_map,
@@ -968,6 +968,8 @@ fn build_rolegroup_statefulset(
             &mut cb_druid,
             &mut pb,
             &merged_rolegroup_config.requested_secret_lifetime,
+            // add listener
+            secret_volume_listener_scope(role),
         )
         .context(FailedToInitializeSecurityContextSnafu)?;
 
diff --git a/rust/operator-binary/src/listener.rs b/rust/operator-binary/src/listener.rs
@@ -126,3 +126,13 @@ pub fn build_listener_connection_string(
             })?
     ))
 }
+
+/// The listener volume name depending on the role
+pub fn secret_volume_listener_scope(role: &DruidRole) -> Option<String> {
+    match role {
+        DruidRole::Broker | DruidRole::Coordinator | DruidRole::Router => {
+            Some(LISTENER_VOLUME_NAME.to_string())
+        }
+        DruidRole::Historical | DruidRole::MiddleManager => None,
+    }
+}
