[Feature] Improved TLS rotation (#577)

Author: ajanikow

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## [master](https://github.com/arangodb/kube-arangodb/tree/master) (N/A)
 - Add Encryption Key rotation feature for ArangoDB EE 3.7+
+- Improve TLS CA and Keyfile rotation for CE and EE
+- Add runtime TLS rotation for ArangoDB EE 3.7+
 
 ## [1.0.3](https://github.com/arangodb/kube-arangodb/tree/1.0.3) (2020-05-25)
 - Prevent deletion of not known PVC's

pkg/apis/deployment/v1/deployment_mode.go

@@ -58,6 +58,16 @@ func (m *DeploymentMode) Get() DeploymentMode {
 	return *m
 }
 
+// String return string from mode
+func (m *DeploymentMode) String() string {
+	return string(m.Get())
+}
+
+// Nww return pointer to mode
+func (m DeploymentMode) New() *DeploymentMode {
+	return &m
+}
+
 // HasSingleServers returns true when the given mode is "Single" or "ActiveFailover".
 func (m DeploymentMode) HasSingleServers() bool {
 	return m == DeploymentModeSingle || m == DeploymentModeActiveFailover

pkg/apis/deployment/v1/deployment_status.go

@@ -70,8 +70,8 @@ type DeploymentStatus struct {
 	// detect changes in secret values.
 	SecretHashes *SecretHashes `json:"secret-hashes,omitempty"`
 
-	// CurrentEncryptionKeys keep list of currently applied encryption keys as SHA256 hash
-	CurrentEncryptionKeyHashes DeploymentStatusEncryptionKeyHashes `json:"currentEncryptionKeyHashes,omitempty"`
+	// Hashes keep status of hashes in deployment
+	Hashes DeploymentStatusHashes `json:"hashes,omitempty"`
 
 	// ForceStatusReload if set to true forces a reload of the status from the custom resource.
 	ForceStatusReload *bool `json:"force-status-reload,omitempty"`

pkg/apis/deployment/v1/hashes.go

@@ -0,0 +1,33 @@
+//
+// DISCLAIMER
+//
+// Copyright 2020 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Adam Janikowski
+//
+
+package v1
+
+type DeploymentStatusHashes struct {
+	Encryption DeploymentStatusHashList  `json:"encryption,omitempty"`
+	TLS        DeploymentStatusHashesTLS `json:"tls,omitempty"`
+}
+
+type DeploymentStatusHashesTLS struct {
+	CA         *string                  `json:"ca,omitempty"`
+	Truststore DeploymentStatusHashList `json:"truststore,omitempty"`
+}

…s/deployment/v1/encryption_key_hashes.go pkg/apis/deployment/v1/key_hashes.gopkg/apis/deployment/v1/encryption_key_hashes.go renamed to pkg/apis/deployment/v1/key_hashes.go pkg/apis/deployment/v1/encryption_key_hashes.go renamed to pkg/apis/deployment/v1/key_hashes.go

@@ -24,9 +24,9 @@ package v1
 
 import "fmt"
 
-type DeploymentStatusEncryptionKeyHashes []string
+type DeploymentStatusHashList []string
 
-func (d DeploymentStatusEncryptionKeyHashes) Contains(hash string) bool {
+func (d DeploymentStatusHashList) Contains(hash string) bool {
 	if len(d) == 0 {
 		return false
 	}
@@ -40,6 +40,6 @@ func (d DeploymentStatusEncryptionKeyHashes) Contains(hash string) bool {
 	return false
 }
 
-func (d DeploymentStatusEncryptionKeyHashes) ContainsSHA256(hash string) bool {
+func (d DeploymentStatusHashList) ContainsSHA256(hash string) bool {
 	return d.Contains(fmt.Sprintf("sha256:%s", hash))
 }

pkg/apis/deployment/v1/plan.go

@@ -32,6 +32,10 @@ import (
 // ActionType is a strongly typed name for a plan action item
 type ActionType string
 
+func (a ActionType) String() string {
+	return string(a)
+}
+
 const (
 	// ActionTypeIdle causes a plan to be recalculated.
 	ActionTypeIdle ActionType = "Idle"
@@ -61,6 +65,16 @@ const (
 	ActionTypeRenewTLSCertificate ActionType = "RenewTLSCertificate"
 	// ActionTypeRenewTLSCACertificate causes the TLS CA certificate of the entire deployment to be renewed.
 	ActionTypeRenewTLSCACertificate ActionType = "RenewTLSCACertificate"
+	// ActionTypeAppendTLSCACertificate add TLS CA certificate to local truststore.
+	ActionTypeAppendTLSCACertificate ActionType = "AppendTLSCACertificate"
+	// ActionTypeCleanTLSCACertificate clean TLS CA certificate from local truststore.
+	ActionTypeCleanTLSCACertificate ActionType = "CleanTLSCACertificate"
+	// ActionTypeCleanTLSKeyfileCertificate clean server keyfile
+	ActionTypeCleanTLSKeyfileCertificate ActionType = "CleanTLSKeyfileCertificate"
+	// ActionTypeRefreshTLSKeyfileCertificate refresh server keyfile using API
+	ActionTypeRefreshTLSKeyfileCertificate ActionType = "RefreshTLSKeyfileCertificate"
+	// ActionTypeTLSKeyStatusUpdate update status with current data from deployment
+	ActionTypeTLSKeyStatusUpdate ActionType = "TLSKeyStatusUpdate"
 	// ActionTypeUpdateTLSSNI update SNI inplace.
 	ActionTypeUpdateTLSSNI ActionType = "UpdateTLSSNI"
 	// ActionTypeSetCurrentImage causes status.CurrentImage to be updated to the image given in the action.

pkg/apis/deployment/v1/tls_sni_spec.go

@@ -27,25 +27,9 @@ import (
 	"github.com/pkg/errors"
 )
 
-type TLSSNIRotateMode string
-
-func (t *TLSSNIRotateMode) Get() TLSSNIRotateMode {
-	if t == nil {
-		return TLSSNIRotateModeInPlace
-	}
-
-	return *t
-}
-
-const (
-	TLSSNIRotateModeInPlace  TLSSNIRotateMode = "inplace"
-	TLSSNIRotateModeRecreate TLSSNIRotateMode = "recreate"
-)
-
 // TLSSNISpec holds TLS SNI additional certificates
 type TLSSNISpec struct {
 	Mapping map[string][]string `json:"mapping,omitempty"`
-	Mode    *TLSSNIRotateMode   `json:"mode,omitempty"`
 }
 
 func (s TLSSNISpec) Validate() error {

pkg/apis/deployment/v1/tls_spec.go

@@ -31,16 +31,36 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/util/validation"
 )
 
+type TLSRotateMode string
+
+func (t *TLSRotateMode) Get() TLSRotateMode {
+	if t == nil {
+		return TLSRotateModeInPlace
+	}
+
+	return *t
+}
+
+func (t TLSRotateMode) New() *TLSRotateMode {
+	return &t
+}
+
+const (
+	TLSRotateModeInPlace  TLSRotateMode = "inplace"
+	TLSRotateModeRecreate TLSRotateMode = "recreate"
+)
+
 const (
 	defaultTLSTTL = Duration("2610h") // About 3 month
 )
 
 // TLSSpec holds TLS specific configuration settings
 type TLSSpec struct {
-	CASecretName *string     `json:"caSecretName,omitempty"`
-	AltNames     []string    `json:"altNames,omitempty"`
-	TTL          *Duration   `json:"ttl,omitempty"`
-	SNI          *TLSSNISpec `json:"sni,omitempty"`
+	CASecretName *string        `json:"caSecretName,omitempty"`
+	AltNames     []string       `json:"altNames,omitempty"`
+	TTL          *Duration      `json:"ttl,omitempty"`
+	SNI          *TLSSNISpec    `json:"sni,omitempty"`
+	Mode         *TLSRotateMode `json:"mode,omitempty"`
 }
 
 const (

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -150,7 +150,7 @@ func (d *Deployment) inspectDeploymentWithError(ctx context.Context, lastInterva
 		}
 	}
 
-	if err := d.resources.EnsureSecrets(cachedStatus); err != nil {
+	if err := d.resources.EnsureSecrets(d.deps.Log, cachedStatus); err != nil {
 		return minInspectionInterval, errors.Wrapf(err, "Secret creation failed")
 	}