Mark pods for expiry when secrets are no longer applicable (#114)

## Description

Fixes #92.

Author: nightkr

CHANGELOG.md

@@ -4,12 +4,18 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- Pods that use autoTls volumes are now evicted when their certificates are about to expire ([#114], [commons-#20]).
+
 ### Changed
 
 - autoTls CA generation now requires opt-in ([#77]).
   - The default `tls` `SecretClass` now has this opt-in by default.
 
 [#77]: https://github.com/stackabletech/secret-operator/pull/77
+[#114]: https://github.com/stackabletech/secret-operator/pull/114
+[commons-#20]: https://github.com/stackabletech/commons-operator/pull/20
 
 ## [0.2.0] - 2022-02-14
 

Tiltfile

@@ -1,7 +1,7 @@
 custom_build(
     'docker.stackable.tech/teozkr/secret-provisioner',
     'nix run -f . crate2nix generate && nix-build . -A docker --arg dockerTag null && ./result/load-image | docker load',
-    deps=['src', 'Cargo.toml', 'Cargo.lock', 'default.nix', 'build.rs', 'vendor'],
+    deps=['rust', 'Cargo.toml', 'Cargo.lock', 'default.nix', 'build.rs', 'vendor'],
     # ignore=['result*', 'Cargo.nix', 'target', *.yaml],
     outputs_image_ref_to='result/ref',
 )

deploy/helm/secret-operator/templates/roles.yaml

@@ -15,10 +15,16 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - pods
       - nodes
     verbs:
       - get
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - patch
   - apiGroups:
       - secrets.stackable.tech
     resources:

deploy/manifests/roles.yaml

@@ -15,10 +15,16 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - pods
       - nodes
     verbs:
       - get
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - patch
   - apiGroups:
       - secrets.stackable.tech
     resources:

provisioner.yaml

@@ -60,27 +60,33 @@ kind: ClusterRole
 metadata:
   name: secret-provisioner
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - list
-  - create
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - nodes
-  verbs:
-  - get
-- apiGroups:
-  - secrets.stackable.tech
-  resources:
-  - secretclasses
-  verbs:
-  - get
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+      - create
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - patch
+  - apiGroups:
+      - secrets.stackable.tech
+    resources:
+      - secretclasses
+    verbs:
+      - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

rust/operator-binary/Cargo.toml

@@ -10,7 +10,7 @@ repository = "https://github.com/stackabletech/secret-operator"
 [dependencies]
 anyhow = "1.0.53"
 async-trait = "0.1.52"
-clap = { version = "3.1.9", features = ["derive", "env"] }
+clap = { version = "3.1.11", features = ["derive", "env"] }
 futures = "0.3.21"
 libc = "0.2.117"
 openssl = "0.10.38"
@@ -34,6 +34,9 @@ tracing = "0.1.30"
 # Need to keep this in sync with our patched h2 build
 h2 = "=0.3.7"
 
+[dev-dependencies]
+time = { version = "0.3.7", features = ["parsing"] }
+
 [build-dependencies]
 built = { version = "0.5.1", features = ["chrono", "git2"] }
 tonic-build = "0.6.2"

rust/operator-binary/src/backend/dynamic.rs

@@ -34,9 +34,9 @@ impl<B: SecretBackend + Send + Sync> SecretBackend for DynamicAdapter<B> {
 
     async fn get_secret_data(
         &self,
-        selector: super::SecretVolumeSelector,
+        selector: &super::SecretVolumeSelector,
         pod_info: PodInfo,
-    ) -> Result<super::SecretFiles, Self::Error> {
+    ) -> Result<super::SecretContents, Self::Error> {
         self.0
             .get_secret_data(selector, pod_info)
             .await

rust/operator-binary/src/backend/k8s_search.rs

@@ -12,7 +12,7 @@ use stackable_operator::{
 use crate::crd::SearchNamespace;
 
 use super::{
-    pod_info::PodInfo, scope::SecretScope, SecretBackend, SecretBackendError, SecretFiles,
+    pod_info::PodInfo, scope::SecretScope, SecretBackend, SecretBackendError, SecretContents,
     SecretVolumeSelector,
 };
 
@@ -52,15 +52,15 @@ impl SecretBackend for K8sSearch {
 
     async fn get_secret_data(
         &self,
-        selector: SecretVolumeSelector,
+        selector: &SecretVolumeSelector,
         pod_info: PodInfo,
-    ) -> Result<SecretFiles, Self::Error> {
+    ) -> Result<SecretContents, Self::Error> {
         let mut label_selector = self.secret_labels.clone();
         label_selector.insert(
             "secrets.stackable.tech/class".to_string(),
             selector.class.to_string(),
         );
-        for scope in selector.scope {
+        for scope in &selector.scope {
             match scope {
                 SecretScope::Node => {
                     label_selector.insert(
@@ -75,7 +75,8 @@ impl SecretBackend for K8sSearch {
                     );
                 }
                 SecretScope::Service { name } => {
-                    label_selector.insert("secrets.stackable.tech/service".to_string(), name);
+                    label_selector
+                        .insert("secrets.stackable.tech/service".to_string(), name.clone());
                 }
             }
         }
@@ -101,11 +102,13 @@ impl SecretBackend for K8sSearch {
             .into_iter()
             .next()
             .context(NoSecretSnafu { label_selector })?;
-        Ok(secret
-            .data
-            .unwrap_or_default()
-            .into_iter()
-            .map(|(k, v)| (k.into(), v.0))
-            .collect())
+        Ok(SecretContents::new(
+            secret
+                .data
+                .unwrap_or_default()
+                .into_iter()
+                .map(|(k, v)| (k.into(), v.0))
+                .collect(),
+        ))
     }
 }

rust/operator-binary/src/backend/mod.rs

@@ -8,6 +8,7 @@ pub mod tls;
 
 use async_trait::async_trait;
 use serde::Deserialize;
+use stackable_operator::k8s_openapi::chrono::{DateTime, FixedOffset};
 use std::{collections::HashMap, convert::Infallible, path::PathBuf};
 
 pub use dynamic::Dynamic;
@@ -85,6 +86,26 @@ impl SecretVolumeSelector {
 
 type SecretFiles = HashMap<PathBuf, Vec<u8>>;
 
+#[derive(Default, Debug)]
+pub struct SecretContents {
+    pub files: SecretFiles,
+    pub expires_after: Option<DateTime<FixedOffset>>,
+}
+
+impl SecretContents {
+    fn new(files: SecretFiles) -> Self {
+        Self {
+            files,
+            ..Self::default()
+        }
+    }
+
+    fn expires_after(mut self, deadline: DateTime<FixedOffset>) -> Self {
+        self.expires_after = Some(deadline);
+        self
+    }
+}
+
 /// This trait needs to be implemented by all secret providers.
 /// It gets the pod information as well as volume definition and has to
 /// return any number of files.
@@ -94,9 +115,9 @@ pub trait SecretBackend: Send + Sync {
 
     async fn get_secret_data(
         &self,
-        selector: SecretVolumeSelector,
+        selector: &SecretVolumeSelector,
         pod_info: pod_info::PodInfo,
-    ) -> Result<SecretFiles, Self::Error>;
+    ) -> Result<SecretContents, Self::Error>;
 }
 
 pub trait SecretBackendError: std::error::Error + Send + Sync + 'static {

rust/operator-binary/src/backend/tls.rs

@@ -22,13 +22,16 @@ use stackable_operator::{
     builder::ObjectMetaBuilder,
     k8s_openapi::{
         api::core::v1::{Secret, SecretReference},
+        chrono::{self, FixedOffset, TimeZone},
         ByteString,
     },
     kube::runtime::reflector::ObjectRef,
 };
 use time::{Duration, OffsetDateTime};
 
-use super::{pod_info::Address, pod_info::PodInfo, SecretBackend, SecretBackendError, SecretFiles};
+use super::{
+    pod_info::Address, pod_info::PodInfo, SecretBackend, SecretBackendError, SecretContents,
+};
 
 #[derive(Debug, Snafu)]
 pub enum Error {
@@ -238,12 +241,13 @@ impl SecretBackend for TlsGenerate {
     /// Then add the ca certificate and return these files for provisioning to the volume.
     async fn get_secret_data(
         &self,
-        selector: super::SecretVolumeSelector,
+        selector: &super::SecretVolumeSelector,
         pod_info: PodInfo,
-    ) -> Result<SecretFiles, Self::Error> {
+    ) -> Result<SecretContents, Self::Error> {
         let now = OffsetDateTime::now_utc();
         let not_before = now - Duration::minutes(5);
         let not_after = now + Duration::days(1);
+        let expire_pod_after = not_after - Duration::minutes(30);
         let conf = Conf::new(ConfMethod::default()).unwrap();
         let pod_key = Rsa::generate(2048)
             .and_then(PKey::try_from)
@@ -307,26 +311,53 @@ impl SecretBackend for TlsGenerate {
             })
             .context(BuildCertificateSnafu { tpe: CertType::Pod })?
             .build();
-        Ok([
-            (
-                "ca.crt".into(),
-                self.ca_cert
-                    .to_pem()
-                    .context(SerializeCertificateSnafu { tpe: CertType::Pod })?,
-            ),
-            (
-                "tls.crt".into(),
-                pod_cert
-                    .to_pem()
-                    .context(SerializeCertificateSnafu { tpe: CertType::Pod })?,
-            ),
-            (
-                "tls.key".into(),
-                pod_key
-                    .private_key_to_pem_pkcs8()
-                    .context(SerializeCertificateSnafu { tpe: CertType::Pod })?,
+        Ok(SecretContents::new(
+            [
+                (
+                    "ca.crt".into(),
+                    self.ca_cert
+                        .to_pem()
+                        .context(SerializeCertificateSnafu { tpe: CertType::Pod })?,
+                ),
+                (
+                    "tls.crt".into(),
+                    pod_cert
+                        .to_pem()
+                        .context(SerializeCertificateSnafu { tpe: CertType::Pod })?,
+                ),
+                (
+                    "tls.key".into(),
+                    pod_key
+                        .private_key_to_pem_pkcs8()
+                        .context(SerializeCertificateSnafu { tpe: CertType::Pod })?,
+                ),
+            ]
+            .into(),
+        )
+        .expires_after(time_datetime_to_chrono(expire_pod_after)))
+    }
+}
+
+fn time_datetime_to_chrono(dt: time::OffsetDateTime) -> chrono::DateTime<FixedOffset> {
+    let tz = chrono::FixedOffset::east(dt.offset().whole_seconds());
+    tz.timestamp(dt.unix_timestamp(), dt.nanosecond())
+}
+
+#[cfg(test)]
+mod tests {
+    use time::format_description::well_known::Rfc3339;
+
+    use super::chrono;
+    use super::time_datetime_to_chrono;
+
+    #[test]
+    fn datetime_conversion() {
+        // Conversion should preserve timezone and fractional seconds
+        assert_eq!(
+            time_datetime_to_chrono(
+                time::OffsetDateTime::parse("2021-02-04T05:23:00.123+01:00", &Rfc3339).unwrap()
             ),
-        ]
-        .into())
+            chrono::DateTime::parse_from_rfc3339("2021-02-04T06:23:00.123+02:00").unwrap()
+        );
     }
 }