-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix renewal of user provided CAs #6180
Conversation
cluster-operator/src/main/java/io/strimzi/operator/cluster/model/ClusterCa.java
Outdated
Show resolved
Hide resolved
So, how does this deal with existing clusters which will not have the generation set? You can easily tell new users to set it. But we need to make sure that when an existing user wich custom CA secret without the generation upgrades, it doesn't fall all over. |
cluster-operator/src/main/java/io/strimzi/operator/cluster/model/ClusterCa.java
Outdated
Show resolved
Hide resolved
...rator/src/main/java/io/strimzi/operator/cluster/operator/assembly/KafkaAssemblyOperator.java
Show resolved
Hide resolved
This seems a bit weird ... since the secret has nothing to do with the Clients CA. Will it stay in sync? Because the secret will not change when the Clients CA is renewed. |
But the thumbprint is update; the flow follows the Secret creation as usual by creating the same one but with a different thumbprint. I just added that to the usual build Secret creation in this case. |
9889067
to
04b20dc
Compare
cluster-operator/src/main/java/io/strimzi/operator/cluster/model/ModelUtils.java
Outdated
Show resolved
Hide resolved
/* | ||
if (isCaCertThumbprintChanged(secret)) { | ||
reasons.add("new certificate generated"); | ||
} | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess this should be removed?
operator-common/src/main/java/io/strimzi/operator/cluster/model/Ca.java
Outdated
Show resolved
Hide resolved
operator-common/src/main/java/io/strimzi/operator/cluster/model/Ca.java
Outdated
Show resolved
Hide resolved
operator-common/src/main/java/io/strimzi/operator/cluster/model/Ca.java
Outdated
Show resolved
Hide resolved
cluster-operator/src/main/java/io/strimzi/operator/cluster/model/ClusterCa.java
Outdated
Show resolved
Hide resolved
cluster-operator/src/main/java/io/strimzi/operator/cluster/model/CruiseControl.java
Outdated
Show resolved
Hide resolved
cluster-operator/src/main/java/io/strimzi/operator/cluster/model/ClusterCa.java
Outdated
Show resolved
Hide resolved
cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaCluster.java
Outdated
Show resolved
Hide resolved
operator-common/src/main/java/io/strimzi/operator/cluster/model/ClientsCa.java
Outdated
Show resolved
Hide resolved
1541ad0
to
61ca1be
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One nit wich I think you should address. LGTM otherwise.
operator-common/src/main/java/io/strimzi/operator/cluster/model/ClientsCa.java
Outdated
Show resolved
Hide resolved
/azp run regression |
Azure Pipelines successfully started running 1 pipeline(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The errors from Azure are not related to this PR and should be fixed here #6245
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reading the companion doc PR (#6240) made me wonder whether we should really be using an extra annotation for the thumbprint when we already have the generation annotation. I'd like to understand if the generation on its own is enough to track the changing dependency (and if not why not).
@tombentley it's a good point ... thinking more about it, the generation annotation is on the CA certificate Secret only so when it's replaced by a new CA with a newer generation we lost that information and the CO cannot infer that CA is changed. The thumbprint annotation is on the Secrets (ZK, K, EO, CO, ...) containing server certificates signed with the CA certificate so that on reconcile we can compare the new CA thumbprint with the one on those Secrets. Using the generation could work but not out of box, we would need to store it on the Secrets (instead of the thumbprint) as well to be able to make a comparison and detect the CA certificate update. |
@tombentley @scholzj I changed the code by saving the |
operator-common/src/main/java/io/strimzi/operator/cluster/model/Ca.java
Outdated
Show resolved
Hide resolved
...rator/src/main/java/io/strimzi/operator/cluster/operator/assembly/KafkaAssemblyOperator.java
Show resolved
Hide resolved
cluster-operator/src/test/java/io/strimzi/operator/cluster/model/CaRenewalTest.java
Outdated
Show resolved
Hide resolved
operator-common/src/main/java/io/strimzi/operator/cluster/model/Ca.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @ppatierno
/azp run regression |
Azure Pipelines successfully started running 1 pipeline(s). |
Signed-off-by: Paolo Patierno <[email protected]> Fixed unit test Signed-off-by: Paolo Patierno <[email protected]> Fixed NPE when no thumbprint annotation is on Secret Signed-off-by: Paolo Patierno <[email protected]> Factored out a common method to check CA cert thumbprint is changed Defined a method to return the annotation for CA cert thumbprint Signed-off-by: Paolo Patierno <[email protected]> Addressed different comments Signed-off-by: Paolo Patierno <[email protected]> Changed printing CA certificate thumbprint to DEBUG log level Signed-off-by: Paolo Patierno <[email protected]>
Signed-off-by: Paolo Patierno <[email protected]>
Signed-off-by: Paolo Patierno <[email protected]>
Trivial methods refactoring Signed-off-by: Paolo Patierno <[email protected]>
eba09a9
to
dd9e48b
Compare
/azp run regression |
Azure Pipelines successfully started running 1 pipeline(s). |
Type of change
Description
This PR fixes #5466.
Today, when a user provides his own CA certificate (cluster or client) but then he tries to follow the renew process as we documented, the procedure doesn't work at all.
The current code doesn't have logic for the CO to detect that a new CA certificate was provided by the user (by following the documentation and having a
Secret
with both the new CA certificate together with the old one CA-).With this PR, this first detection issue is resolved by adding the thumbprint of the cluster CA certificate, as an annotation, on all the
Secret
(s) that contains server certificates signed by that CA certificate. For example, the<cluster>-zookeeper-nodes
,<cluster>-kafka-brokers
and the same for the CO and EO (TO and UO) relatedSecret
(s).Just for the Kafka brokers related
Secret
(s) there is also a corresponding annotation with the thumbprint of the clients CA certificate.During the periodic reconcile, the CO is able to detect that the thumbprint of the provided CA certificate is different from the one stored in such
Secret
(s).When the change is detected, it just sets the renewal type as
REPLACE_KEY
, starting the same flow which runs when the CA certificates are handled by Strimzi itself (of course a part the CA certificate generation that is skipped).So it runs the right pods rolls to first trust the new CA certificate and then generating the new server certificates for the different components (CO itself, Kafka, ZooKeeper, TO, UO).
In order to do so there are a couple of things to take into account that needs the documentation to be updated because the user has to follow them in order to renew the CA certificate properly:
v1
(compared to the previousv0
) in the CN to make them different, so manual renewal should follow same path.Secret
containing the CA certificate has to have thestrimzi.io/ca-cert-generation
annotation as well as the one containing the key has to have thestrimzi.io/ca-key-generation
. This generation should start from 0 and increased on each renewal; even this time this is exactly how the auto-renewal process works in Strimzi doing that for you.So the above steps need to be documented to make "handmade" renewal the same as the "auto" renewal from Strimzi operator.
Fixing this way, I made a couple of assumptions:
REPLACE_KEY
renewal type.Secret
.Documentation will come with a different PR.
Checklist
Please go through this checklist and make sure all applicable tasks have been done