Add fernet key rotation cronjob

Author: xek

api/bases/keystone.openstack.org_keystoneapis.yaml

@@ -89,6 +89,16 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              fernetMaxActiveKeys:
+                default: "5"
+                description: FernetMaxActiveKeys - Maximum number of fernet token
+                  keys after rotation
+                type: string
+              fernetRotationSchedule:
+                default: 1 0 * * *
+                description: FernetRotationSchedule - Schedule rotate fernet token
+                  keys
+                type: string
               memcachedInstance:
                 default: memcached
                 description: Memcached instance name.

api/v1beta1/keystoneapi_types.go

@@ -119,6 +119,16 @@ type KeystoneAPISpecCore struct {
 	// TrustFlushSuspend - Suspend the cron job to purge trusts
 	TrustFlushSuspend bool `json:"trustFlushSuspend"`
 
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="1 0 * * *"
+	// FernetRotationSchedule - Schedule rotate fernet token keys
+	FernetRotationSchedule string `json:"fernetRotationSchedule"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="5"
+	// FernetMaxActiveKeys - Maximum number of fernet token keys after rotation
+	FernetMaxActiveKeys string `json:"fernetMaxActiveKeys"`
+
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default={admin: AdminPassword}
 	// PasswordSelectors - Selectors to identify the AdminUser password from the Secret
@@ -268,6 +278,16 @@ func (instance KeystoneAPI) RbacResourceName() string {
 	return "keystone-" + instance.Name
 }
 
+// KeystoneAPIFernet - used to create different role for fernet key rotation
+type KeystoneAPIFernet struct {
+	*KeystoneAPI
+}
+
+// RbacResourceName - return the name to be used for rbac objects used for fernet key rotation (serviceaccount, role, rolebinding)
+func (instance KeystoneAPIFernet) RbacResourceName() string {
+	return "keystone-fernet-" + instance.Name
+}
+
 // SetupDefaults - initializes any CRD field defaults based on environment variables (the defaulting mechanism itself is implemented via webhooks)
 func SetupDefaults() {
 	// Acquire environmental defaults and initialize Keystone defaults with them

api/v1beta1/zz_generated.deepcopy.go

@@ -89,6 +89,16 @@ spec:
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
                   policies
                 type: boolean
+              fernetMaxActiveKeys:
+                default: "5"
+                description: FernetMaxActiveKeys - Maximum number of fernet token
+                  keys after rotation
+                type: string
+              fernetRotationSchedule:
+                default: 1 0 * * *
+                description: FernetRotationSchedule - Schedule rotate fernet token
+                  keys
+                type: string
               memcachedInstance:
                 default: memcached
                 description: Memcached instance name.

config/crd/bases/keystone.openstack.org_keystoneapis.yaml

@@ -468,6 +468,29 @@ func (r *KeystoneAPIReconciler) reconcileInit(
 		return rbacResult, nil
 	}
 
+	//
+	// Service account, role, binding for fernet key rotation
+	//
+	fernetRbacRules := []rbacv1.PolicyRule{
+		{
+			APIGroups:     []string{"security.openshift.io"},
+			ResourceNames: []string{"anyuid"},
+			Resources:     []string{"securitycontextconstraints"},
+			Verbs:         []string{"use"},
+		},
+		{
+			APIGroups: []string{""},
+			Resources: []string{"secrets"},
+			Verbs:     []string{"patch"},
+		},
+	}
+	fernetRbacResult, err := common_rbac.ReconcileRbac(ctx, helper, keystonev1.KeystoneAPIFernet{KeystoneAPI: instance}, fernetRbacRules)
+	if err != nil {
+		return fernetRbacResult, err
+	} else if (rbacResult != ctrl.Result{}) {
+		return fernetRbacResult, nil
+	}
+
 	//
 	// run keystone db sync
 	//
@@ -1081,14 +1104,35 @@ func (r *KeystoneAPIReconciler) reconcileNormal(
 		}
 	}
 
-	// create CronJob
+	// create Trust Flush CronJob
 	cronjobDef := keystone.CronJob(instance, serviceLabels, serviceAnnotations)
-	cronjob := cronjob.NewCronJob(
+	trustflushjob := cronjob.NewCronJob(
 		cronjobDef,
 		5*time.Second,
 	)
 
-	ctrlResult, err = cronjob.CreateOrPatch(ctx, helper)
+	ctrlResult, err = trustflushjob.CreateOrPatch(ctx, helper)
+	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.CronJobReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			condition.CronJobReadyErrorMessage,
+			err.Error()))
+		return ctrlResult, err
+	}
+
+	instance.Status.Conditions.MarkTrue(condition.CronJobReadyCondition, condition.CronJobReadyMessage)
+	// create Trust Flush CronJob - end
+
+	// create Fernet Key Rotation CronJob
+	fernetjobDef := keystone.FernetCronJob(instance, serviceLabels, serviceAnnotations)
+	fernetjob := cronjob.NewCronJob(
+		fernetjobDef,
+		5*time.Second,
+	)
+
+	ctrlResult, err = fernetjob.CreateOrPatch(ctx, helper)
 	if err != nil {
 		instance.Status.Conditions.Set(condition.FalseCondition(
 			condition.CronJobReadyCondition,
@@ -1100,7 +1144,7 @@ func (r *KeystoneAPIReconciler) reconcileNormal(
 	}
 
 	instance.Status.Conditions.MarkTrue(condition.CronJobReadyCondition, condition.CronJobReadyMessage)
-	// create CronJob - end
+	// create Fernet Key Rotation CronJob - end
 
 	//
 	// create OpenStackClient config

controllers/keystoneapi_controller.go

@@ -19,6 +19,13 @@ import (
 	"encoding/base64"
 
 	"math/rand"
+
+	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/env"
+
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // GenerateFernetKey -
@@ -29,3 +36,159 @@ func GenerateFernetKey() string {
 	}
 	return base64.StdEncoding.EncodeToString(data)
 }
+
+const (
+	// FernetRotationCommand -
+	FernetRotationCommand = `
+              echo $(date -u) Starting...
+              case $MAX_ACTIVE_KEYS in
+                ''|*[!0-9]*)
+                  echo "MAX_ACTIVE_KEYS is not a number, exiting."
+                  exit 1
+                  ;;
+                [01])
+                  echo "MAX_ACTIVE_KEYS ($MAX_ACTIVE_KEYS) -lt 2, exiting."
+                  exit 1
+              esac
+
+              cd /var/lib/fernet-keys
+              mkdir /tmp/keys
+              for file in FernetKeys[0-9]*;
+              do
+                cat "$file" > /tmp/keys/"${file#FernetKeys}"
+              done
+
+              cd /tmp/keys
+
+              number_of_keys=$(ls -1 | wc -l)
+              max_key=$(ls -1 | sort -n | tail -1)
+
+              if [ $((number_of_keys - 1)) != $max_key ]; then
+                echo "Corrupted FernetKeys secret, exiting."
+                exit 1
+              fi
+
+              mv 0 $((max_key  + 1))
+              dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 > 0
+
+              while [ -f "$MAX_ACTIVE_KEYS" ]; do
+                i=2
+                while [ -f "$i" ]; do
+                  mv $i $((i-1))
+                  i=$((i+1))
+                done
+              done
+
+              echo '{"stringData": {' > /tmp/patch_file.json
+              i=0
+              while [ -f "$((i+1))" ]; do
+                echo '"FernetKeys'$i'": "'$(cat $i)'",' >> /tmp/patch_file.json
+                i=$((i+1))
+              done
+              echo '"FernetKeys'$i'": "'$(cat $i)'"' >> /tmp/patch_file.json
+              echo '}}' >> /tmp/patch_file.json
+
+              kubectl patch secret -n $NAMESPACE $SECRET_NAME \
+                --patch-file=/tmp/patch_file.json
+              echo $(date -u) $((i+1)) keys rotated.
+
+              cd /var/lib/fernet-keys
+              if [ -f "FernetKeys$MAX_ACTIVE_KEYS" ]; then
+                echo '[' > /tmp/patch_file.json
+                i=$((MAX_ACTIVE_KEYS-1))
+                while [ -f "FernetKeys$((i+1))" ]; do
+                  echo '{"op": "remove", "path": "/data/FernetKeys'$i'"},' \
+                  >> /tmp/patch_file.json
+                  i=$((i+1))
+                done
+                  echo '{"op": "remove", "path": "/data/FernetKeys'$i'"}' \
+                  >> /tmp/patch_file.json
+                echo ']' >> /tmp/patch_file.json
+
+                kubectl patch secret -n $NAMESPACE $SECRET_NAME \
+                   --type=json --patch-file=/tmp/patch_file.json
+                echo $(date -u) $MAX_ACTIVE_KEYS through $i keys deleted.
+              fi
+`
+)
+
+// FernetCronJob func
+func FernetCronJob(
+	keystoneapiinstance *keystonev1.KeystoneAPI,
+	labels map[string]string,
+	annotations map[string]string,
+) *batchv1.CronJob {
+	instance := &keystonev1.KeystoneAPIFernet{KeystoneAPI: keystoneapiinstance}
+	runAsUser := int64(0)
+	suspend := false
+	successfulJobsHistoryLimit := int32(3)
+	failedJobsHistoryLimit := int32(1)
+
+	args := []string{"-c", FernetRotationCommand}
+
+	envVars := map[string]env.Setter{}
+	envVars["KOLLA_CONFIG_STRATEGY"] = env.SetValue("COPY_ALWAYS")
+	envVars["SECRET_NAME"] = env.SetValue(ServiceName)
+	envVars["MAX_ACTIVE_KEYS"] = env.SetValue(
+		instance.Spec.FernetMaxActiveKeys)
+
+	backoffLimit := int32(0)
+	parallelism := int32(1)
+	completions := int32(1)
+
+	// create Volume and VolumeMounts
+	volumes := getVolumes(instance.Name)
+	volumeMounts := getVolumeMounts()
+
+	cronjob := &batchv1.CronJob{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      ServiceName + "-fernet-cronjob",
+			Namespace: instance.Namespace,
+		},
+		Spec: batchv1.CronJobSpec{
+			Schedule:                   instance.Spec.FernetRotationSchedule,
+			Suspend:                    &suspend,
+			ConcurrencyPolicy:          batchv1.ForbidConcurrent,
+			SuccessfulJobsHistoryLimit: &successfulJobsHistoryLimit,
+			FailedJobsHistoryLimit:     &failedJobsHistoryLimit,
+			JobTemplate: batchv1.JobTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: annotations,
+					Labels:      labels,
+				},
+				Spec: batchv1.JobSpec{
+					BackoffLimit: &backoffLimit,
+					Parallelism:  &parallelism,
+					Completions:  &completions,
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{
+								{
+									Name:  ServiceName + "-fernet-job",
+									Image: instance.Spec.ContainerImage,
+									Command: []string{
+										"/bin/bash",
+									},
+									Args:         args,
+									Env:          env.MergeEnvs([]corev1.EnvVar{}, envVars),
+									VolumeMounts: volumeMounts,
+									SecurityContext: &corev1.SecurityContext{
+										RunAsUser: &runAsUser,
+									},
+								},
+							},
+							Volumes:            volumes,
+							RestartPolicy:      corev1.RestartPolicyNever,
+							ServiceAccountName: instance.RbacResourceName(),
+						},
+					},
+				},
+			},
+		},
+	}
+	if instance.Spec.NodeSelector != nil && len(instance.Spec.NodeSelector) > 0 {
+		cronjob.Spec.JobTemplate.Spec.Template.Spec.NodeSelector = instance.Spec.NodeSelector
+	}
+
+	return cronjob
+}