[Feature] Encryption Key rotation (#570)

Author: ajanikow

CHANGELOG.md

@@ -1,6 +1,7 @@
 # Change Log
 
 ## [master](https://github.com/arangodb/kube-arangodb/tree/master) (N/A)
+- Add Encryption Key rotation feature for ArangoDB EE 3.7+
 
 ## [1.0.3](https://github.com/arangodb/kube-arangodb/tree/1.0.3) (2020-05-25)
 - Prevent deletion of not known PVC's

pkg/apis/deployment/v1/deployment_spec.go

@@ -67,6 +67,8 @@ type DeploymentSpec struct {
 
 	RestoreFrom *string `json:"restoreFrom,omitempty"`
 
+	RestoreEncryptionSecret *string `json:"restoreEncryptionSecret,omitempty"`
+
 	// AllowUnsafeUpgrade determines if upgrade on missing member or with not in sync shards is allowed
 	AllowUnsafeUpgrade *bool `json:"allowUnsafeUpgrade,omitempty"`
 

pkg/apis/deployment/v1/plan.go

@@ -79,6 +79,12 @@ const (
 	ActionTypeBackupRestore ActionType = "BackupRestore"
 	// ActionTypeBackupRestoreClean restore plan
 	ActionTypeBackupRestoreClean ActionType = "BackupRestoreClean"
+	// ActionTypeEncryptionKeyAdd add new encryption key to list
+	ActionTypeEncryptionKeyAdd ActionType = "EncryptionKeyAdd"
+	// ActionTypeEncryptionKeyRemove removes encryption key to list
+	ActionTypeEncryptionKeyRemove ActionType = "EncryptionKeyRemove"
+	// ActionTypeEncryptionKeyRefresh refresh encryption keys
+	ActionTypeEncryptionKeyRefresh ActionType = "EncryptionKeyRefresh"
 )
 
 const (

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -0,0 +1,152 @@
+//
+// DISCLAIMER
+//
+// Copyright 2020 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Adam Janikowski
+//
+
+package client
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/arangodb/go-driver"
+)
+
+func NewClient(c driver.Connection) Client {
+	return &client{
+		c: c,
+	}
+}
+
+type Client interface {
+	GetTLS(ctx context.Context) (TLSDetails, error)
+	RefreshTLS(ctx context.Context) (TLSDetails, error)
+
+	GetEncryption(ctx context.Context) (EncryptionDetails, error)
+	RefreshEncryption(ctx context.Context) (EncryptionDetails, error)
+}
+
+type client struct {
+	c driver.Connection
+}
+
+func (c *client) parseTLSResponse(response driver.Response) (TLSDetails, error) {
+	if err := response.CheckStatus(http.StatusOK); err != nil {
+		return TLSDetails{}, err
+	}
+
+	var d TLSDetails
+
+	if err := response.ParseBody("", &d); err != nil {
+		return TLSDetails{}, err
+	}
+
+	return d, nil
+}
+
+func (c *client) parseEncryptionResponse(response driver.Response) (EncryptionDetails, error) {
+	if err := response.CheckStatus(http.StatusOK); err != nil {
+		return EncryptionDetails{}, err
+	}
+
+	var d EncryptionDetails
+
+	if err := response.ParseBody("", &d); err != nil {
+		return EncryptionDetails{}, err
+	}
+
+	return d, nil
+}
+
+func (c *client) GetTLS(ctx context.Context) (TLSDetails, error) {
+	r, err := c.c.NewRequest(http.MethodGet, "/_admin/server/tls")
+	if err != nil {
+		return TLSDetails{}, err
+	}
+
+	response, err := c.c.Do(ctx, r)
+	if err != nil {
+		return TLSDetails{}, err
+	}
+
+	d, err := c.parseTLSResponse(response)
+	if err != nil {
+		return TLSDetails{}, err
+	}
+
+	return d, nil
+}
+
+func (c *client) RefreshTLS(ctx context.Context) (TLSDetails, error) {
+	r, err := c.c.NewRequest(http.MethodPost, "/_admin/server/tls")
+	if err != nil {
+		return TLSDetails{}, err
+	}
+
+	response, err := c.c.Do(ctx, r)
+	if err != nil {
+		return TLSDetails{}, err
+	}
+
+	d, err := c.parseTLSResponse(response)
+	if err != nil {
+		return TLSDetails{}, err
+	}
+
+	return d, nil
+}
+
+func (c *client) GetEncryption(ctx context.Context) (EncryptionDetails, error) {
+	r, err := c.c.NewRequest(http.MethodGet, "/_admin/server/encryption")
+	if err != nil {
+		return EncryptionDetails{}, err
+	}
+
+	response, err := c.c.Do(ctx, r)
+	if err != nil {
+		return EncryptionDetails{}, err
+	}
+
+	d, err := c.parseEncryptionResponse(response)
+	if err != nil {
+		return EncryptionDetails{}, err
+	}
+
+	return d, nil
+}
+
+func (c *client) RefreshEncryption(ctx context.Context) (EncryptionDetails, error) {
+	r, err := c.c.NewRequest(http.MethodPost, "/_admin/server/encryption")
+	if err != nil {
+		return EncryptionDetails{}, err
+	}
+
+	response, err := c.c.Do(ctx, r)
+	if err != nil {
+		return EncryptionDetails{}, err
+	}
+
+	d, err := c.parseEncryptionResponse(response)
+	if err != nil {
+		return EncryptionDetails{}, err
+	}
+
+	return d, nil
+}

pkg/deployment/client/client.go

@@ -0,0 +1,56 @@
+//
+// DISCLAIMER
+//
+// Copyright 2020 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Adam Janikowski
+//
+
+package client
+
+type EncryptionKeyEntry struct {
+	Sha string `json:"sha256,omitempty"`
+}
+
+type EncryptionDetailsResult struct {
+	Keys []EncryptionKeyEntry `json:"encryption-keys,omitempty"`
+}
+
+func (e EncryptionDetailsResult) KeysPresent(m map[string][]byte) bool {
+	if len(e.Keys) != len(m) {
+		return false
+	}
+
+	for key := range m {
+		ok := false
+		for _, entry := range e.Keys {
+			if entry.Sha == key {
+				ok = true
+				break
+			}
+		}
+		if !ok {
+			return false
+		}
+	}
+
+	return true
+}
+
+type EncryptionDetails struct {
+	Result EncryptionDetailsResult `json:"result,omitempty"`
+}

pkg/deployment/client/encryption.go

@@ -0,0 +1,38 @@
+//
+// DISCLAIMER
+//
+// Copyright 2020 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Adam Janikowski
+//
+
+package client
+
+type TLSKeyFile struct {
+	PrivateKeyHash string   `json:"privateKeySHA256,omitempty"`
+	Checksum       string   `json:"SHA256,omitempty"`
+	Certificates   []string `json:"certificates,omitempty"`
+}
+
+type TLSDetailsResult struct {
+	KeyFile TLSKeyFile            `json:"keyfile,omitempty"`
+	SNI     map[string]TLSKeyFile `json:"SNI,omitempty"`
+}
+
+type TLSDetails struct {
+	Result TLSDetailsResult `json:"result,omitempty"`
+}

pkg/deployment/client/tls.go

@@ -504,3 +504,7 @@ func (d *Deployment) WithStatusUpdate(action func(s *api.DeploymentStatus) bool,
 func (d *Deployment) SecretsInterface() k8sutil.SecretInterface {
 	return d.GetKubeCli().CoreV1().Secrets(d.GetNamespace())
 }
+
+func (d *Deployment) GetName() string {
+	return d.apiObject.GetName()
+}

pkg/deployment/context_impl.go

@@ -83,8 +83,8 @@ type deploymentEvent struct {
 
 const (
 	deploymentEventQueueSize = 256
-	minInspectionInterval    = util.Interval(time.Second) // Ensure we inspect the generated resources no less than with this interval
-	maxInspectionInterval    = util.Interval(time.Minute) // Ensure we inspect the generated resources no less than with this interval
+	minInspectionInterval    = 250 * util.Interval(time.Millisecond) // Ensure we inspect the generated resources no less than with this interval
+	maxInspectionInterval    = 30 * util.Interval(time.Second)       // Ensure we inspect the generated resources no less than with this interval
 )
 
 // Deployment is the in process state of an ArangoDeployment.