From d2a7617624db5cbdd737939d47353f2170666d3e Mon Sep 17 00:00:00 2001
From: Praveen M <m.praveen@ibm.com>
Date: Mon, 7 Oct 2024 16:49:30 +0530
Subject: [PATCH] kms: support key rotation for vault

Signed-off-by: Praveen M <m.praveen@ibm.com>
---
 pkg/system/phase2_creating.go |  7 +++++++
 pkg/util/kms/kms_vault.go     | 10 ++++++----
 pkg/util/kms/kms_version.go   | 14 +++++++++-----
 3 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/pkg/system/phase2_creating.go b/pkg/system/phase2_creating.go
index b94f0626c5..a2680069cd 100644
--- a/pkg/system/phase2_creating.go
+++ b/pkg/system/phase2_creating.go
@@ -1030,6 +1030,13 @@ func (r *Reconciler) keyRotate() error {
 		return err
 	}
 
+	err = k.Get()
+	if err != nil {
+		r.Logger.Errorf("keyRotate, KMS Get error %v", err)
+		r.setKMSConditionStatus(nbv1.ConditionKMSErrorRead)
+		return err
+	}
+
 	// Generate new random root key and set it in the KMS
 	// Key - rotate begins
 	err = k.Set(util.RandomBase64(32))
diff --git a/pkg/util/kms/kms_vault.go b/pkg/util/kms/kms_vault.go
index 04ee40c8bd..76e834b58a 100644
--- a/pkg/util/kms/kms_vault.go
+++ b/pkg/util/kms/kms_vault.go
@@ -24,7 +24,9 @@ const (
 
 // Vault is a vault driver
 type Vault struct {
-	UID string // NooBaa system UID
+	UID  string // NooBaa system UID
+	name string // NooBaa system name
+	ns   string // NooBaa system namespace
 }
 
 // NewVault is vault driver constructor
@@ -33,7 +35,7 @@ func NewVault(
 	namespace string,
 	uid string,
 ) Driver {
-	return &Vault{uid}
+	return &Vault{uid, name, namespace}
 }
 
 //
@@ -179,8 +181,8 @@ func writeCrtsToFile(secretName string, namespace string, secretValue []byte, en
 
 // Version returns the current driver KMS version
 // either single string or map, i.e. rotating key
-func (*Vault) Version(kms *KMS) Version {
-	return &VersionSingleSecret{kms, nil}
+func (k *Vault) Version(kms *KMS) Version {
+	return &VersionRotatingSecret{VersionBase{kms, nil}, k.name, k.ns}
 }
 
 // Register Vault driver with KMS layer
diff --git a/pkg/util/kms/kms_version.go b/pkg/util/kms/kms_version.go
index d1c8e8e51a..24f665d794 100644
--- a/pkg/util/kms/kms_version.go
+++ b/pkg/util/kms/kms_version.go
@@ -102,7 +102,7 @@ func (v *VersionRotatingSecret) Reconcile(r SecretReconciler) error {
 
 // Get implements SecretStorage interface for the secret map, i.e. rotating master root key
 func (v *VersionRotatingSecret) Get() error {
-	s, _, err := v.k.GetSecret(v.backendSecretName(), v.k.driver.GetContext())
+	s, _, err := v.k.GetSecret(v.BackendSecretName(), v.k.driver.GetContext())
 	if err != nil {
 		// handle k8s get from non-existent secret
 		if strings.Contains(err.Error(), "not found") {
@@ -120,8 +120,8 @@ func (v *VersionRotatingSecret) Get() error {
 	return nil
 }
 
-// backendSecretName returns the rotating secret backend secret name
-func (v *VersionRotatingSecret) backendSecretName() string {
+// BackendSecretName returns the rotating secret backend secret name
+func (v *VersionRotatingSecret) BackendSecretName() string {
 	return v.name + "-root-master-key-backend"
 }
 
@@ -137,7 +137,7 @@ func (v *VersionRotatingSecret) Set(val string) error {
 	s[ActiveRootKey] = key
 	s[key] = val
 	v.data = s
-	_, err := v.k.PutSecret(v.backendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
+	_, err := v.k.PutSecret(v.BackendSecretName(), toInterfaceMap(s), v.k.driver.SetContext())
 	return err
 }
 
@@ -154,11 +154,15 @@ func (v *VersionRotatingSecret) deleteSingleStringSecret() bool {
 func (v *VersionRotatingSecret) Delete() error {
 	// Delete rotating secret backend
 	backendSecret := &corev1.Secret{}
-	backendSecret.Name = v.backendSecretName()
+	backendSecret.Name = v.BackendSecretName()
 	backendSecret.Namespace = v.ns
 	if !util.KubeDelete(backendSecret) {
 		return fmt.Errorf("KMS Delete error for the rotating master root secret backend")
+	}
 
+	err := v.k.DeleteSecret(v.BackendSecretName(), v.k.driver.DeleteContext())
+	if err != nil {
+		return err
 	}
 
 	return nil