OCPBUGS-30119: certrotation: update all secret types to kubernetes.io/tls preserving existing content

[vrutkovs]

Pre-4.7 clusters had SecretTypeTLS type set, so on 4.15 upgrade these clusters had the secret delete and recreated. This commit will ensure these are being created without cert and key being regenerated.

Fixes two issues wrt handling secrets:

• existing secret type is converted to kubernetes.io/tls. If it cannot be done (i.e. tls.crt or tls.key is missing) it would be regenerated with SignerUpdateRequired event
• if the type can be converted existing data is preserved, so born-before-4.7 clusters look identical to 4.15 clusters in regards to secret type

[openshift-ci-robot]

@vrutkovs: This pull request references Jira Issue OCPBUGS-30119, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Pre-4.7 clusters had SecretTypeTLS type set, so on 4.15 upgrade these clusters had the secret delete and recreated. This commit will ensure these are being created without cert and key being regenerated

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vrutkovs]

/retest

[benluddy]

I'm still concerned about the recreate path of ApplySecretImproved. If control flow is interrupted between the delete and create (e.g. due to process crash), or the context being used for the client requests is canceled, what happens to the cert data? It seems to me like we would lose it in that case. Even if unlikely, the consequences could be painful. Could we temporarily stage the data in a second secret before deleting the target secret, or something similar?

[benluddy]

Would it be worthwhile to check that the secret we're converting has tls.crt and tls.key before updating the type, since updating the type makes validation stricter (https://github.com/kubernetes/kubernetes/blob/d51e2da869350b2b20a33d060e17bd1d2165e02d/pkg/apis/core/validation/validation.go#L6392-L6398), or will it be enough to see UpdateSecretFailed event spam?

[vrutkovs]

Right, we'd get UpdateSecretFailed event and have it re-created. If the existing secret doesn't have tls.crt and tls.key then its contents is unusable and it needs to be recreated

[stlaz]

Recreated by whom? We don't react to events but the secret content, right?

[vrutkovs]

Recreated by ApplySecret, which attempts apply first, but if it fails it does delete+create. If create with kubernetes.io/tls and existing content fails, it would throw an error, delete the content and generate a new cert.

[vrutkovs]

it would throw an error, delete the content and generate a new cert

It would throw the error, but probably would loop

[vrutkovs]

Updated ensureMetadataUpdate to update secret type (removing data if tls.crt/tls.key are missing) in this case, added unit tests

[vrutkovs]

the context being used for the client requests is canceled, what happens to the cert data? It seems to me like we would lose it in that case

Right, ApplySecretImproved is not atomic - imo we should first create a copy, then do delete + recreate. I'd however solve this separately, as it may affect a lot more cases - and doesn't need to be merged urgently. Tracking this in https://issues.redhat.com/browse/API-1716

[benluddy]

the context being used for the client requests is canceled, what happens to the cert data? It seems to me like we would lose it in that case

Right, ApplySecretImproved is not atomic - imo we should first create a copy, then do delete + recreate. I'd however solve this separately, as it may affect a lot more cases - and doesn't need to be merged urgently

Is it safe to solve separately? IIUC, merging this PR to migrate secret types will present a lot of chances to force an unnecessary rotation on older clusters.

[vrutkovs]

We already do "migration" in 4.15 with content replace anyway, so this PR helps in happy path. Corner case - cert sync is interrupted right during the migration - can be safely fixed outside of this PR

[benluddy]

"migration"

😂 Oh, of course. Thanks!

[benluddy]

/lgtm

[openshift-ci-robot]

@vrutkovs: This pull request references Jira Issue OCPBUGS-30119, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

Details

In response to this:

Pre-4.7 clusters had SecretTypeTLS type set, so on 4.15 upgrade these clusters had the secret delete and recreated. This commit will ensure these are being created without cert and key being regenerated.

Fixes two issues wrt handling secrets:

• existing secret type is converted to kubernetes.io/tls. If it cannot be done (i.e. tls.crt or tls.key is missing) it would be regenerated with SignerUpdateRequired event
• if the type can be converted existing data is preserved, so born-before-4.7 clusters look identical to 4.15 clusters in regards to secret type

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[stlaz]

nit: the following seems as a bit of a cleaner method to achieve the same

var err error
signingCertKeyPairSecret, _, err = resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret)

[vrutkovs]

Following the pattern as in if needed, reason := needNewSigningCertKeyPair

[stlaz]

this probably belongs to the other function, otherwise nothing sets the ownerRef - or does it?

[vrutkovs]

Yeah, good point, this also shows different function flows

[vrutkovs]

Fixed

[stlaz]

/approve

[sdodson]

Adding approved label based on #1681 (comment)

[benluddy]

It should behave the same in practice, but since we're correcting for a specific mistake, how about:

Suggested change

	if secret.Type != corev1.SecretTypeTLS {
	if secret.Type == "SecretTypeTLS" {

And as an aside, can we have an issue to track removing this after N releases?

[vrutkovs]

Confusingly SecretTypeTLS is kubernetes.io/tls and not "SecretTypeTLS". So if secret.Type != corev1.SecretTypeTLS would make sure any non-kubernetes.io/tls secret would converted to kubernetes.io/tls (clearing up data if necessary)

[benluddy]

Right, I understand, but my point is that we expect any secret managed by this controller will either have type kubernetes.io/tls or, if it was created pre-4.7, SecretTypeTLS. If we discover that there is some instance of a managed secret with a completely unexpected type, I would rather understand why our expectation was wrong than stomp it.

[vrutkovs]

Its perfectly possible for users to find a way to replace these certificates behind cert-syncer back and replace it with invalid contents. This code will ensure that we attempt to convert cases like pre-4.7 if possible, but also prioritize availability - invalid content would be stomped for cluster to continue functioning. Why the bad secret was stomped can be found out via audit logs (or etcd contents).
This change will also protects us from other similar cases like "old/misconfigured installer has generated certificates which we no longer expect"

[benluddy]

This looks redundant, any value for annotations that would fail here is also going to fail below.

[vrutkovs]

Yes, but I'd prefer to a clear error message

[benluddy]

Fine with me given that nothing out of the control of this test should be touching annotations.

[benluddy]

I prefer to avoid sharing values like this between tests and implementation, since it creates the opportunity to accidentally make a breaking change without seeing a test failure.

Feel free to ignore if you disagree or are comfortable with it in this instance because it is declared in openshift/api.

[vrutkovs]

it creates the opportunity to accidentally make a breaking change without seeing a test failure

We explicitly set AdditionalAnnotations in https://github.com/openshift/library-go/pull/1681/files#diff-d7a4e30c6635930d8721bf060fe2803587326298e0eace9bada256f1b7377459R228-R230

[benluddy]

That link didn't work for me. In this case I'm specifically referring to a change to the constant OpenShiftComponent, which would be a breaking change but would not cause this test to fail.

[vrutkovs]

Ah, hmm, JiraComponent and OpenshiftComponent are linked in https://github.com/openshift/library-go/blob/master/pkg/operator/certrotation/annotations.go#L27-L30, not sure how to make sure unit tests don't depend on it though

[benluddy]

Suggested change

	t.Error(actions[0])
	t.Error(actions[2])

[vrutkovs]

Fixed

[benluddy]

Suggested change

	t.Error(actions[0])
	t.Error(actions[2])

[benluddy]

There are few more of these:

Suggested change

	t.Error(actions[0])
	t.Error(actions[2])

[benluddy]

Why is this && and not ||?

[vrutkovs]

We want to update labels before content changes only when:

• secret type won't change (ensureSecretTLSTypeSet returns true)
• metadata (annotations, ownership) needs updating (ensureMetadataUpdate returns true)

The function are also mutating signingCertKeyPairSecret, changing it type and clearing data, so the secret would be deleted + created during if needed, reason := needNewSigningCertKeyPair clause. It needs to be done once to avoid updating it twice for metadata and content ("update no annotations" and "update SecretTLSType secrets" unit test cases)

[stlaz]

You'll want to make sure your secret always passes both functions, right?

Either operator might short-circuit in a different scenario.

[vrutkovs]

You'll want to make sure your secret always passes both functions, right?

correct, if either doesn't pass possible updates will be applied by ApplySecret in needNewSigningCertKeyPair

[benluddy]

so the secret would be deleted + created during if needed, reason := needNewSigningCertKeyPair clause

Thanks, this is the part that I was missing.

[vrutkovs]

This would stuck on invalid secret type with valid metadata, #1687 fixes this case

[openshift-ci]

@vrutkovs: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[benluddy]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: benluddy, stlaz, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/operator/certrotation/OWNERS [stlaz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@vrutkovs: Jira Issue OCPBUGS-30119: All pull requests linked via external trackers have merged:

• openshift/library-go#1681

Jira Issue OCPBUGS-30119 has been moved to the MODIFIED state.

Details

In response to this:

Pre-4.7 clusters had SecretTypeTLS type set, so on 4.15 upgrade these clusters had the secret delete and recreated. This commit will ensure these are being created without cert and key being regenerated.

Fixes two issues wrt handling secrets:

• existing secret type is converted to kubernetes.io/tls. If it cannot be done (i.e. tls.crt or tls.key is missing) it would be regenerated with SignerUpdateRequired event
• if the type can be converted existing data is preserved, so born-before-4.7 clusters look identical to 4.15 clusters in regards to secret type

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sdodson]

/cherry-pick release-4.14

[openshift-cherrypick-robot]

@sdodson: #1681 failed to apply on top of branch "release-4.14":

Applying: certrotation: update all secret types to `kubernetes.io/tls` preserving existing content
Using index info to reconstruct a base tree...
M	pkg/operator/certrotation/signer.go
M	pkg/operator/certrotation/target.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/operator/certrotation/target.go
CONFLICT (content): Merge conflict in pkg/operator/certrotation/target.go
Auto-merging pkg/operator/certrotation/signer.go
CONFLICT (content): Merge conflict in pkg/operator/certrotation/signer.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 certrotation: update all secret types to `kubernetes.io/tls` preserving existing content
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Details

In response to this:

/cherry-pick release-4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-merge-robot]

Fix included in accepted release 4.16.0-0.nightly-2024-03-06-073110