feat: support rotationPolicy=Never for not rotating the private key (#189)

sebastiangaiser · web-flow · commit 526bb1f49638 · 2026-03-19T13:44:01.000+01:00
Signed-off-by: Sebastian Gaiser &lt;sebastiangaiser@users.noreply.github.com&gt;
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -48,7 +48,7 @@ jobs:
 
       - name: Install cert-manager
         run: |
-          kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.2/cert-manager.yaml
+          kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.20.0/cert-manager.yaml
           kubectl wait --for=condition=Available deployment/cert-manager -n cert-manager --timeout=120s
           kubectl wait --for=condition=Available deployment/cert-manager-webhook -n cert-manager --timeout=120s
           kubectl wait --for=condition=Available deployment/cert-manager-cainjector -n cert-manager --timeout=120s
diff --git a/README.md b/README.md
@@ -12,6 +12,42 @@ controller can be used...
 Please check the `examples/example-ca.yaml` how to use the controller after deploying it and using it with cert-manager but
 it also works with normal Kubernetes secrets of type TLS.
 
+## Configuration
+
+### Required annotations
+
+The controller watches secrets of type `kubernetes.io/tls` that carry the following annotations. Set them via cert-manager's `secretTemplate` or directly on a hand-crafted secret.
+
+| Annotation | Description |
+|---|---|
+| `sebastian.gaiser.bayern/tls-strimzi-ca: "reconcile"` | Opt the secret into reconciliation |
+| `sebastian.gaiser.bayern/target-cluster-name` | Name of the Strimzi Kafka cluster |
+| `sebastian.gaiser.bayern/target-secret-name` | Name of the target certificate secret (receives `ca.crt` and `tls.crt`) |
+| `sebastian.gaiser.bayern/target-secret-key-name` | Name of the target private key secret (receives `ca.key`) |
+
+### Private key rotation policy
+
+By default the controller keeps the private key secret in sync with the source secret on every reconciliation. If you configure cert-manager to never rotate the private key (`rotationPolicy: Never`), you should tell the controller the same so it does not overwrite the key secret on certificate renewals.
+
+Add the annotation `sebastian.gaiser.bayern/rotation-policy: "Never"` to the cert-manager `secretTemplate`. Use a YAML anchor to reference the value from `privateKey.rotationPolicy` directly so both fields are always in sync:
+
+```yaml
+spec:
+  privateKey:
+    rotationPolicy: &rotationPolicy Never
+  secretTemplate:
+    annotations:
+      sebastian.gaiser.bayern/rotation-policy: *rotationPolicy
+```
+
+With this annotation set the controller will:
+
+- **Create** the private key secret on the first reconciliation (Strimzi requires it to exist).
+- **Skip updating** the private key secret on subsequent reconciliations, even when the certificate is renewed.
+- **Skip creating historical snapshots** of the private key secret.
+
+The certificate secret (`ca.crt`, `tls.crt`) is always kept up to date regardless of this setting.
+
 ## Install the controller via Helm
 
 ```shell
@@ -26,7 +62,7 @@ helm upgrade --install -n kafka ca-controller-for-strimzi sebastiangaiser-ca-con
 # create cluster
 kind create cluster
 # install cert-manager
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.20.0/cert-manager.yaml
 # bootstrap strimzi in kafka namespace
 kubectl create namespace kafka
 helm install -n kafka strimzi-cluster-operator oci://quay.io/strimzi-helm/strimzi-kafka-operator
diff --git a/examples/example-ca.yaml b/examples/example-ca.yaml
@@ -43,6 +43,7 @@ spec:
   privateKey:
     algorithm: ECDSA
     size: 256
+    rotationPolicy: &rotationPolicy Never
   issuerRef:
     name: my-ca
     kind: ClusterIssuer
@@ -53,6 +54,7 @@ spec:
       sebastian.gaiser.bayern/target-cluster-name: "my-cluster"
       sebastian.gaiser.bayern/target-secret-name: "my-cluster-clients-ca-cert"
       sebastian.gaiser.bayern/target-secret-key-name: "my-cluster-clients-ca"
+      sebastian.gaiser.bayern/rotation-policy: *rotationPolicy
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -66,6 +68,7 @@ spec:
   privateKey:
     algorithm: ECDSA
     size: 256
+    rotationPolicy: &rotationPolicy Never
   issuerRef:
     group: cert-manager.io
     kind: ClusterIssuer
@@ -76,3 +79,4 @@ spec:
       sebastian.gaiser.bayern/target-cluster-name: "my-cluster"
       sebastian.gaiser.bayern/target-secret-name: "my-cluster-cluster-ca-cert"
       sebastian.gaiser.bayern/target-secret-key-name: "my-cluster-cluster-ca"
+      sebastian.gaiser.bayern/rotation-policy: *rotationPolicy
diff --git a/hack/e2e-test.sh b/hack/e2e-test.sh
@@ -102,10 +102,14 @@ cleanup_test_resources() {
     log_info "Cleaning up test resources..."
     kubectl delete certificate my-cluster-clients-ca-cert-tls -n "$NAMESPACE" --ignore-not-found
     kubectl delete certificate my-cluster-cluster-ca-cert-tls -n "$NAMESPACE" --ignore-not-found
+    kubectl delete certificate rotation-policy-never-ca-cert-tls -n "$NAMESPACE" --ignore-not-found
     kubectl delete secret my-cluster-clients-ca-cert -n "$NAMESPACE" --ignore-not-found
     kubectl delete secret my-cluster-clients-ca -n "$NAMESPACE" --ignore-not-found
     kubectl delete secret my-cluster-cluster-ca-cert -n "$NAMESPACE" --ignore-not-found
     kubectl delete secret my-cluster-cluster-ca -n "$NAMESPACE" --ignore-not-found
+    kubectl delete secret rotation-policy-never-ca-cert -n "$NAMESPACE" --ignore-not-found
+    kubectl delete secret rotation-policy-never-ca -n "$NAMESPACE" --ignore-not-found
+    kubectl delete secret rotation-policy-never-ca-cert-tls -n "$NAMESPACE" --ignore-not-found
     # Clean up any historical secrets
     kubectl delete secrets -n "$NAMESPACE" -l sebastian.gaiser.bayern/historical=true --ignore-not-found
     sleep 2
@@ -295,6 +299,105 @@ test_certificate_rotation() {
     fi
 }
 
+# ==============================================================================
+# Test: rotationPolicy Never creates key secret initially but skips updates
+# ==============================================================================
+test_rotation_policy_never() {
+    log_info "=== Test: rotationPolicy Never creates key secret initially but skips updates ==="
+
+    # Create a certificate with rotationPolicy: Never
+    log_info "Creating certificate with rotationPolicy: Never..."
+    cat <<EOF | kubectl apply -f -
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: rotation-policy-never-ca-cert-tls
+  namespace: $NAMESPACE
+spec:
+  isCA: true
+  commonName: rotation-policy-never-ca-cert-tls
+  secretName: rotation-policy-never-ca-cert-tls
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+    rotationPolicy: &rotationPolicy Never
+  issuerRef:
+    name: my-ca
+    kind: ClusterIssuer
+    group: cert-manager.io
+  secretTemplate:
+    annotations:
+      sebastian.gaiser.bayern/tls-strimzi-ca: "reconcile"
+      sebastian.gaiser.bayern/target-cluster-name: "my-cluster"
+      sebastian.gaiser.bayern/target-secret-name: "rotation-policy-never-ca-cert"
+      sebastian.gaiser.bayern/target-secret-key-name: "rotation-policy-never-ca"
+      sebastian.gaiser.bayern/rotation-policy: *rotationPolicy
+EOF
+
+    # Wait for certificate to be ready
+    kubectl wait --for=condition=Ready certificate/rotation-policy-never-ca-cert-tls -n "$NAMESPACE" --timeout=60s
+
+    # Wait for controller to create the cert and key target secrets
+    wait_for_secret "rotation-policy-never-ca-cert" "$NAMESPACE" 30
+    wait_for_secret "rotation-policy-never-ca" "$NAMESPACE" 30
+
+    # Verify both secrets exist after initial creation
+    assert_secret_exists "rotation-policy-never-ca-cert" "$NAMESPACE"
+    assert_secret_exists "rotation-policy-never-ca" "$NAMESPACE"
+
+    # Verify cert secret has correct data
+    local ca_crt
+    ca_crt=$(kubectl get secret rotation-policy-never-ca-cert -n "$NAMESPACE" -o jsonpath='{.data.ca\.crt}')
+    assert_not_empty "$ca_crt" "Cert secret has ca.crt data"
+
+    # Verify key secret has correct data
+    local ca_key
+    ca_key=$(kubectl get secret rotation-policy-never-ca -n "$NAMESPACE" -o jsonpath='{.data.ca\.key}')
+    assert_not_empty "$ca_key" "Key secret has ca.key data"
+
+    # Record key and cert hashes before rotation
+    local key_hash_before cert_hash_before
+    key_hash_before=$(kubectl get secret rotation-policy-never-ca -n "$NAMESPACE" -o jsonpath='{.metadata.labels.sebastian\.gaiser\.bayern/hash}')
+    cert_hash_before=$(kubectl get secret rotation-policy-never-ca-cert -n "$NAMESPACE" -o jsonpath='{.metadata.labels.sebastian\.gaiser\.bayern/hash}')
+    log_info "Key hash before rotation: $key_hash_before"
+    log_info "Cert hash before rotation: $cert_hash_before"
+
+    # Trigger rotation by deleting the source secret
+    log_info "Triggering certificate rotation..."
+    kubectl delete secret rotation-policy-never-ca-cert-tls -n "$NAMESPACE"
+
+    # Wait for cert-manager to recreate the secret
+    sleep 5
+    kubectl wait --for=condition=Ready certificate/rotation-policy-never-ca-cert-tls -n "$NAMESPACE" --timeout=60s
+
+    # Wait for controller to process the change
+    sleep 10
+
+    # Verify key secret was NOT updated (hash unchanged)
+    local key_hash_after
+    key_hash_after=$(kubectl get secret rotation-policy-never-ca -n "$NAMESPACE" -o jsonpath='{.metadata.labels.sebastian\.gaiser\.bayern/hash}')
+    log_info "Key hash after rotation: $key_hash_after"
+
+    assert_equals "$key_hash_before" "$key_hash_after" "Key secret hash unchanged after rotation (rotationPolicy: Never)"
+
+    # Verify no historical key secret was created
+    local historical_key_secret="rotation-policy-never-ca-generation-0"
+    assert_secret_not_exists "$historical_key_secret" "$NAMESPACE"
+
+    # Verify cert secret was updated (hash changed)
+    local cert_hash_after
+    cert_hash_after=$(kubectl get secret rotation-policy-never-ca-cert -n "$NAMESPACE" -o jsonpath='{.metadata.labels.sebastian\.gaiser\.bayern/hash}')
+    log_info "Cert hash after rotation: $cert_hash_after"
+
+    if [[ "$cert_hash_before" != "$cert_hash_after" ]]; then
+        log_info "PASS: Cert secret hash changed after rotation"
+        ((TEST_PASSED++)) || true
+    else
+        log_error "FAIL: Cert secret hash did not change after rotation"
+        ((TEST_FAILED++)) || true
+    fi
+}
+
 # ==============================================================================
 # Main
 # ==============================================================================
@@ -309,6 +412,7 @@ main() {
     test_controller_running
     test_certificate_creation
     test_certificate_rotation
+    test_rotation_policy_never
 
     # Cleanup after tests
     cleanup_test_resources
diff --git a/main.go b/main.go
@@ -45,6 +45,8 @@ var (
 	strimziKindValue                 = "Kafka"
 	strimziCaCertGeneration          = "strimzi.io/ca-cert-generation"
 	strimziCaKeyGeneration           = "strimzi.io/ca-key-generation"
+	rotationPolicyAnnotationKey      = "sebastian.gaiser.bayern/rotation-policy"
+	rotationPolicyNever              = "Never"
 )
 
 func init() {
@@ -191,6 +193,11 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrlRuntime.Request) (ct
 	tlsCrt := string(tlsSecret.Data["tls.crt"])
 	tlsKey := string(tlsSecret.Data["tls.key"])
 
+	rotationPolicyIsNever := tlsSecretAnnotations[rotationPolicyAnnotationKey] == rotationPolicyNever
+	if rotationPolicyIsNever {
+		ctrlRuntime.Log.Info(fmt.Sprintf("Secret with name '%s' has rotationPolicy 'Never', skipping private key secret operations", tlsSecret.Name))
+	}
+
 	// check if target secrets are existing
 	targetSecret := &corev1.Secret{}
 	targetSecretExists := false
@@ -226,15 +233,17 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrlRuntime.Request) (ct
 		ctrlRuntime.Log.Info(fmt.Sprintf("Secret %s already exists", tlsSecretAnnotations[targetSecretAnnotationKeyNameKey]))
 		targetSecretKeyExists = true
 
-		// check if target secret need an update
-		// but first check if the hash label exists...
-		targetSecretKeyHash, ok := targetSecretKey.Labels[hashLabelKey]
-		if !ok {
-			return ctrlRuntime.Result{}, fmt.Errorf("label '%s' not found for target secret '%s'", targetSecretKey, hashLabelKey)
-		}
-		// now check if it needs an update
-		if tlsSecretHash != targetSecretKeyHash {
-			targetSecretKeyNeedsUpdate = true
+		if !rotationPolicyIsNever {
+			// check if target secret need an update
+			// but first check if the hash label exists...
+			targetSecretKeyHash, ok := targetSecretKey.Labels[hashLabelKey]
+			if !ok {
+				return ctrlRuntime.Result{}, fmt.Errorf("label '%s' not found for target secret '%s'", targetSecretKey, hashLabelKey)
+			}
+			// now check if it needs an update
+			if tlsSecretHash != targetSecretKeyHash {
+				targetSecretKeyNeedsUpdate = true
+			}
 		}
 	}
 
