[Feature] Improve encryption key rotation status (#571)

Author: ajanikow

pkg/apis/deployment/v1/deployment_status.go

@@ -70,6 +70,9 @@ type DeploymentStatus struct {
 	// detect changes in secret values.
 	SecretHashes *SecretHashes `json:"secret-hashes,omitempty"`
 
+	// CurrentEncryptionKeys keep list of currently applied encryption keys as SHA256 hash
+	CurrentEncryptionKeyHashes DeploymentStatusEncryptionKeyHashes `json:"currentEncryptionKeyHashes,omitempty"`
+
 	// ForceStatusReload if set to true forces a reload of the status from the custom resource.
 	ForceStatusReload *bool `json:"force-status-reload,omitempty"`
 }

pkg/apis/deployment/v1/encryption_key_hashes.go

@@ -0,0 +1,45 @@
+//
+// DISCLAIMER
+//
+// Copyright 2020 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Adam Janikowski
+//
+
+package v1
+
+import "fmt"
+
+type DeploymentStatusEncryptionKeyHashes []string
+
+func (d DeploymentStatusEncryptionKeyHashes) Contains(hash string) bool {
+	if len(d) == 0 {
+		return false
+	}
+
+	for _, h := range d {
+		if h == hash {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (d DeploymentStatusEncryptionKeyHashes) ContainsSHA256(hash string) bool {
+	return d.Contains(fmt.Sprintf("sha256:%s", hash))
+}

pkg/apis/deployment/v1/plan.go

@@ -85,6 +85,8 @@ const (
 	ActionTypeEncryptionKeyRemove ActionType = "EncryptionKeyRemove"
 	// ActionTypeEncryptionKeyRefresh refresh encryption keys
 	ActionTypeEncryptionKeyRefresh ActionType = "EncryptionKeyRefresh"
+	// ActionTypeEncryptionKeyStatusUpdate update status object with current encryption keys
+	ActionTypeEncryptionKeyStatusUpdate ActionType = "EncryptionKeyStatusUpdate"
 )
 
 const (

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -60,24 +60,31 @@ func GroupEncryptionSupported(mode api.DeploymentMode, group api.ServerGroup) bo
 	}
 }
 
-func GetEncryptionKey(secrets k8sutil.SecretInterface, name string) (string, []byte, error) {
+func GetEncryptionKey(secrets k8sutil.SecretInterface, name string) (string, []byte, bool, error) {
 	keyfile, err := secrets.Get(name, meta.GetOptions{})
 	if err != nil {
-		return "", nil, errors.Wrapf(err, "Unable to fetch secret")
+		if k8sutil.IsNotFound(err) {
+			return "", nil, false, nil
+		}
+		return "", nil, false, errors.Wrapf(err, "Unable to fetch secret")
 	}
 
 	if len(keyfile.Data) == 0 {
-		return "", nil, errors.Errorf("Current encryption key is not valid")
+		return "", nil, false, nil
 	}
 
 	d, ok := keyfile.Data[constants.SecretEncryptionKey]
-	if !ok || len(d) != 32 {
-		return "", nil, errors.Errorf("Current encryption key is not valid")
+	if !ok {
+		return "", nil, false, nil
+	}
+
+	if len(d) != 32 {
+		return "", nil, false, errors.Errorf("Current encryption key is not valid")
 	}
 
 	sha := fmt.Sprintf("%0x", sha256.Sum256(d))
 
-	return sha, d, nil
+	return sha, d, true, nil
 }
 
 func GetKeyfolderSecretName(name string) string {

pkg/deployment/pod/encryption.go

@@ -82,12 +82,16 @@ func (a *encryptionKeyAddAction) Start(ctx context.Context) (bool, error) {
 		secret = s
 	}
 
-	sha, d, err := pod.GetEncryptionKey(a.actionCtx.SecretsInterface(), secret)
+	sha, d, exists, err := pod.GetEncryptionKey(a.actionCtx.SecretsInterface(), secret)
 	if err != nil {
 		a.log.Error().Err(err).Msgf("Unable to fetch current encryption key")
 		return true, nil
 	}
 
+	if !exists {
+		return true, nil
+	}
+
 	p := patch.NewPatch()
 	p.ItemAdd(patch.NewPath("data", sha), base64.StdEncoding.EncodeToString(d))
 

pkg/deployment/reconcile/action_encryption_add.go

@@ -0,0 +1,97 @@
+//
+// DISCLAIMER
+//
+// Copyright 2020 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Adam Janikowski
+//
+
+package reconcile
+
+import (
+	"context"
+	"sort"
+
+	"github.com/arangodb/kube-arangodb/pkg/util"
+	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"
+	"github.com/arangodb/kube-arangodb/pkg/deployment/pod"
+	"github.com/rs/zerolog"
+)
+
+func init() {
+	registerAction(api.ActionTypeEncryptionKeyStatusUpdate, newEncryptionKeyStatusUpdate)
+}
+
+func newEncryptionKeyStatusUpdate(log zerolog.Logger, action api.Action, actionCtx ActionContext) Action {
+	a := &encryptionKeyStatusUpdateAction{}
+
+	a.actionImpl = newActionImplDefRef(log, action, actionCtx, defaultTimeout)
+
+	return a
+}
+
+type encryptionKeyStatusUpdateAction struct {
+	actionImpl
+
+	actionEmptyCheckProgress
+}
+
+func (a *encryptionKeyStatusUpdateAction) Start(ctx context.Context) (bool, error) {
+	if err := ensureEncryptionSupport(a.actionCtx); err != nil {
+		a.log.Error().Err(err).Msgf("Action not supported")
+		return true, nil
+	}
+
+	f, err := a.actionCtx.SecretsInterface().Get(pod.GetKeyfolderSecretName(a.actionCtx.GetAPIObject().GetName()), meta.GetOptions{})
+	if err != nil {
+		a.log.Error().Err(err).Msgf("Unable to get folder info")
+		return true, nil
+	}
+
+	keys := make([]string, 0, len(f.Data))
+
+	for key := range f.Data {
+		keys = append(keys, key)
+	}
+
+	sort.Strings(keys)
+
+	keyHashes := util.PrefixStringArray(keys, "sha256:")
+
+	if err = a.actionCtx.WithStatusUpdate(func(s *api.DeploymentStatus) bool {
+		if len(keyHashes) == 0 {
+			if s.CurrentEncryptionKeyHashes != nil {
+				s.CurrentEncryptionKeyHashes = nil
+				return true
+			}
+
+			return false
+		}
+
+		if !util.CompareStringArray(keyHashes, s.CurrentEncryptionKeyHashes) {
+			s.CurrentEncryptionKeyHashes = keyHashes
+			return true
+		}
+		return false
+	}); err != nil {
+		return false, err
+	}
+
+	return true, nil
+}

pkg/deployment/reconcile/action_encryption_status_update.go

@@ -25,6 +25,8 @@ package reconcile
 import (
 	"context"
 
+	"github.com/arangodb/kube-arangodb/pkg/util"
+
 	"github.com/arangodb/kube-arangodb/pkg/deployment/client"
 	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -43,12 +45,16 @@ func createEncryptionKey(ctx context.Context, log zerolog.Logger, spec api.Deplo
 		return nil
 	}
 
-	name, _, err := pod.GetEncryptionKey(context.SecretsInterface(), spec.RocksDB.Encryption.GetKeySecretName())
+	name, _, exists, err := pod.GetEncryptionKey(context.SecretsInterface(), spec.RocksDB.Encryption.GetKeySecretName())
 	if err != nil {
 		log.Err(err).Msgf("Unable to fetch encryption key")
 		return nil
 	}
 
+	if !exists {
+		return nil
+	}
+
 	keyfolder, err := context.SecretsInterface().Get(pod.GetKeyfolderSecretName(context.GetName()), meta.GetOptions{})
 	if err != nil {
 		log.Err(err).Msgf("Unable to fetch encryption folder")
@@ -112,6 +118,18 @@ func createEncryptionKey(ctx context.Context, log zerolog.Logger, spec api.Deplo
 		return plan
 	}
 
+	currentKeys := make([]string, 0, len(keyfolder.Data))
+
+	for key := range keyfolder.Data {
+		currentKeys = append(currentKeys, key)
+	}
+
+	currentKeyHashes := util.PrefixStringArray(currentKeys, "sha256:")
+
+	if !util.CompareStringArray(currentKeyHashes, status.CurrentEncryptionKeyHashes) {
+		return api.Plan{api.NewAction(api.ActionTypeEncryptionKeyStatusUpdate, api.ServerGroupUnknown, "")}
+	}
+
 	return api.Plan{}
 }
 
@@ -134,12 +152,16 @@ func cleanEncryptionKey(ctx context.Context, log zerolog.Logger, spec api.Deploy
 		return nil
 	}
 
-	name, _, err := pod.GetEncryptionKey(context.SecretsInterface(), spec.RocksDB.Encryption.GetKeySecretName())
+	name, _, exists, err := pod.GetEncryptionKey(context.SecretsInterface(), spec.RocksDB.Encryption.GetKeySecretName())
 	if err != nil {
 		log.Err(err).Msgf("Unable to fetch encryption key")
 		return nil
 	}
 
+	if !exists {
+		return nil
+	}
+
 	if _, ok := keyfolder.Data[name]; !ok {
 		log.Err(err).Msgf("Key from encryption is not in keyfolder - do nothing")
 		return nil

pkg/deployment/reconcile/plan_builder_encryption.go

@@ -88,12 +88,17 @@ func createRestorePlanEncryption(ctx context.Context, log zerolog.Logger, spec a
 				api.NewAction(api.ActionTypeEncryptionKeyAdd, api.ServerGroupUnknown, "").AddParam("secret", secret),
 			}
 		}
-		name, _, err := pod.GetEncryptionKey(builderCtx.SecretsInterface(), secret)
+		name, _, exists, err := pod.GetEncryptionKey(builderCtx.SecretsInterface(), secret)
 		if err != nil {
 			log.Err(err).Msgf("Unable to fetch encryption key")
 			return nil
 		}
 
+		if !exists {
+			log.Error().Msgf("Unable to fetch encryption key - key is empty or missing")
+			return nil
+		}
+
 		if _, ok := keyfolder.Data[name]; !ok {
 			log.Err(err).Msgf("Key from encryption is not in keyfolder")
 

pkg/deployment/reconcile/plan_builder_restore.go

@@ -0,0 +1,49 @@
+//
+// DISCLAIMER
+//
+// Copyright 2020 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Adam Janikowski
+//
+
+package util
+
+import "fmt"
+
+func CompareStringArray(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	for id, ak := range a {
+		if ak != b[id] {
+			return false
+		}
+	}
+
+	return true
+}
+
+func PrefixStringArray(a []string, prefix string) []string {
+	b := make([]string, len(a))
+
+	for id, element := range a {
+		b[id] = fmt.Sprintf("%s%s", prefix, element)
+	}
+
+	return b
+}