feat: Support setting TLS certificate lifetimes

razvan · razvan · commit 9fb277a633f2 · 2024-12-02T18:06:02.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,13 +4,19 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- The lifetime of auto generated TLS certificates is now configurable with the role and roleGroup
+  config property `requestedSecretLifetime`. This helps reduce frequent Pod restarts ([#892]).
+
 ### Fixed
 
 - BREAKING: Use distinct ServiceAccounts for the Stacklets, so that multiple Stacklets can be
   deployed in one namespace. Existing Stacklets will use the newly created ServiceAccounts after
   restart ([#889]).
 
 [#889]: https://github.com/stackabletech/zookeeper-operator/pull/889
+[#892]: https://github.com/stackabletech/zookeeper-operator/pull/892
 
 ## [24.11.0] - 2024-11-18
 
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -29,8 +29,8 @@ tokio = { version = "1.40", features = ["full"] }
 tokio-zookeeper = "0.4"
 tracing = "0.1"
 
-# [patch."https://github.com/stackabletech/operator-rs.git"]
-# stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
+[patch."https://github.com/stackabletech/operator-rs.git"]
+stackable-operator = { git = "https://github.com/stackabletech//operator-rs.git", branch = "main" }
 
 [patch.crates-io]
 # tokio-zookeeper = { path = "../tokio-zookeeper" }
diff --git a/deploy/helm/zookeeper-operator/crds/crds.yaml b/deploy/helm/zookeeper-operator/crds/crds.yaml
@@ -298,6 +298,10 @@ spec:
                           minimum: 0.0
                           nullable: true
                           type: integer
+                        requestedSecretLifetime:
+                          description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                          nullable: true
+                          type: string
                         resources:
                           default:
                             cpu:
@@ -581,6 +585,10 @@ spec:
                                 minimum: 0.0
                                 nullable: true
                                 type: integer
+                              requestedSecretLifetime:
+                                description: Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`. This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+                                nullable: true
+                                type: string
                               resources:
                                 default:
                                   cpu:
diff --git a/rust/crd/src/lib.rs b/rust/crd/src/lib.rs
@@ -240,6 +240,11 @@ pub struct ZookeeperConfig {
     /// Time period Pods have to gracefully shut down, e.g. `30m`, `1h` or `2d`. Consult the operator documentation for details.
     #[fragment_attrs(serde(default))]
     pub graceful_shutdown_timeout: Option<Duration>,
+
+    /// Request secret (currently only autoTls certificates) lifetime from the secret operator, e.g. `7d`, or `30d`.
+    /// This can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
+    #[fragment_attrs(serde(default))]
+    pub requested_secret_lifetime: Option<Duration>,
 }
 
 #[derive(Clone, Debug, Default, JsonSchema, PartialEq, Fragment)]
@@ -291,6 +296,8 @@ impl ZookeeperConfig {
     pub const SERVER_JVMFLAGS: &'static str = "SERVER_JVMFLAGS";
     pub const ZK_SERVER_HEAP: &'static str = "ZK_SERVER_HEAP";
 
+    const DEFAULT_SECRET_LIFETIME: Duration = Duration::from_days_unchecked(7);
+
     fn default_server_config(cluster_name: &str, role: &ZookeeperRole) -> ZookeeperConfigFragment {
         ZookeeperConfigFragment {
             init_limit: None,
@@ -317,6 +324,7 @@ impl ZookeeperConfig {
             logging: product_logging::spec::default_logging(),
             affinity: get_affinity(cluster_name, role),
             graceful_shutdown_timeout: Some(DEFAULT_SERVER_GRACEFUL_SHUTDOWN_TIMEOUT),
+            requested_secret_lifetime: Some(Self::DEFAULT_SECRET_LIFETIME),
         }
     }
 }
diff --git a/rust/crd/src/security.rs b/rust/crd/src/security.rs
@@ -6,7 +6,9 @@
 //! This is required due to overlaps between TLS encryption and e.g. mTLS authentication or Kerberos
 use std::collections::BTreeMap;
 
+use crate::{authentication, authentication::ResolvedAuthenticationClasses, tls, ZookeeperCluster};
 use snafu::{ResultExt, Snafu};
+use stackable_operator::time::Duration;
 use stackable_operator::{
     builder::{
         self,
@@ -24,8 +26,6 @@ use stackable_operator::{
     k8s_openapi::api::core::v1::Volume,
 };
 
-use crate::{authentication, authentication::ResolvedAuthenticationClasses, tls, ZookeeperCluster};
-
 type Result<T, E = Error> = std::result::Result<T, E>;
 
 #[derive(Snafu, Debug)]
@@ -147,6 +147,7 @@ impl ZookeeperSecurity {
         &self,
         pod_builder: &mut PodBuilder,
         cb_zookeeper: &mut ContainerBuilder,
+        requested_secret_lifetime: &Duration,
     ) -> Result<()> {
         let tls_secret_class = self.get_tls_secret_class();
 
@@ -156,7 +157,11 @@ impl ZookeeperSecurity {
                 .add_volume_mount(tls_volume_name, Self::SERVER_TLS_DIR)
                 .context(AddVolumeMountSnafu)?;
             pod_builder
-                .add_volume(Self::create_tls_volume(tls_volume_name, secret_class)?)
+                .add_volume(Self::create_tls_volume(
+                    tls_volume_name,
+                    secret_class,
+                    requested_secret_lifetime,
+                )?)
                 .context(AddVolumeSnafu)?;
         }
 
@@ -169,6 +174,7 @@ impl ZookeeperSecurity {
             .add_volume(Self::create_tls_volume(
                 tls_volume_name,
                 &self.quorum_secret_class,
+                requested_secret_lifetime,
             )?)
             .context(AddVolumeSnafu)?;
 
@@ -290,13 +296,18 @@ impl ZookeeperSecurity {
     }
 
     /// Creates ephemeral volumes to mount the `SecretClass` into the Pods
-    fn create_tls_volume(volume_name: &str, secret_class_name: &str) -> Result<Volume> {
+    fn create_tls_volume(
+        volume_name: &str,
+        secret_class_name: &str,
+        requested_secret_lifetime: &Duration,
+    ) -> Result<Volume> {
         let volume = VolumeBuilder::new(volume_name)
             .ephemeral(
                 SecretOperatorVolumeSourceBuilder::new(secret_class_name)
                     .with_pod_scope()
                     .with_node_scope()
                     .with_format(SecretFormat::TlsPkcs12)
+                    .with_auto_tls_cert_lifetime(*requested_secret_lifetime)
                     .build()
                     .context(BuildTlsVolumeSnafu { volume_name })?,
             )
diff --git a/rust/operator-binary/src/zk_controller.rs b/rust/operator-binary/src/zk_controller.rs
@@ -94,6 +94,9 @@ type Result<T, E = Error> = std::result::Result<T, E>;
 #[strum_discriminants(derive(IntoStaticStr))]
 #[allow(clippy::enum_variant_names)]
 pub enum Error {
+    #[snafu(display("missing secret lifetime"))]
+    MissingSecretLifetime,
+
     #[snafu(display("ZookeeperCluster object is invalid"))]
     InvalidZookeeperCluster {
         source: error_boundary::InvalidObject,
@@ -279,6 +282,7 @@ impl ReconcilerError for Error {
     }
     fn secondary_object(&self) -> Option<ObjectRef<DynamicObject>> {
         match self {
+            Error::MissingSecretLifetime => None,
             Error::InvalidZookeeperCluster { source: _ } => None,
             Error::CrdValidationFailure { .. } => None,
             Error::NoServerRole => None,
@@ -755,7 +759,7 @@ fn build_server_rolegroup_statefulset(
     server_config: &HashMap<PropertyNameKind, BTreeMap<String, String>>,
     zookeeper_security: &ZookeeperSecurity,
     resolved_product_image: &ResolvedProductImage,
-    config: &ZookeeperConfig,
+    merged_config: &ZookeeperConfig,
     service_account: &ServiceAccount,
 ) -> Result<StatefulSet> {
     let role = zk.role(zk_role).context(InternalOperatorFailureSnafu)?;
@@ -799,9 +803,16 @@ fn build_server_rolegroup_statefulset(
         ContainerBuilder::new(APP_NAME).expect("invalid hard-coded container name");
     let mut pod_builder = PodBuilder::new();
 
+    let requested_secret_lifetime = merged_config
+        .requested_secret_lifetime
+        .context(MissingSecretLifetimeSnafu)?;
     // add volumes and mounts depending on tls / auth settings
     zookeeper_security
-        .add_volume_mounts(&mut pod_builder, &mut cb_zookeeper)
+        .add_volume_mounts(
+            &mut pod_builder,
+            &mut cb_zookeeper,
+            &requested_secret_lifetime,
+        )
         .context(AddTlsVolumeMountsSnafu)?;
 
     let mut args = Vec::new();
@@ -932,7 +943,7 @@ fn build_server_rolegroup_statefulset(
         .image_pull_secrets_from_product_image(resolved_product_image)
         .add_init_container(container_prepare)
         .add_container(container_zk)
-        .affinity(&config.affinity)
+        .affinity(&merged_config.affinity)
         .add_volume(Volume {
             name: "config".to_string(),
             config_map: Some(ConfigMapVolumeSource {
@@ -1014,7 +1025,7 @@ fn build_server_rolegroup_statefulset(
         );
     }
 
-    add_graceful_shutdown_config(config, &mut pod_builder).context(GracefulShutdownSnafu)?;
+    add_graceful_shutdown_config(merged_config, &mut pod_builder).context(GracefulShutdownSnafu)?;
 
     let mut pod_template = pod_builder.build_template();
     pod_template.merge_from(role.config.pod_overrides.clone());
