arangodb · ewoutp · Jun 15, 2018 · Jun 15, 2018
@@ -47,6 +47,8 @@ const (
  ActionTypeWaitForMemberUp ActionType = "WaitForMemberUp"
  // ActionTypeRenewTLSCertificate causes the TLS certificate of a member to be renewed.
  ActionTypeRenewTLSCertificate ActionType = "RenewTLSCertificate"
+ // ActionTypeRenewTLSCACertificate causes the TLS CA certificate of the entire deployment to be renewed.
+ ActionTypeRenewTLSCACertificate ActionType = "RenewTLSCACertificate"
 )
 
 // Action represents a single action to be taken to update a deployment.

@@ -108,7 +108,7 @@ func (d *Deployment) ensureAccessPackage(apSecretName string) error {
 
  // Fetch client authentication CA
  clientAuthSecretName := spec.Sync.Authentication.GetClientCASecretName()
- clientAuthCert, clientAuthKey, err := k8sutil.GetCASecret(d.deps.KubeCli.CoreV1(), clientAuthSecretName, ns)
+ clientAuthCert, clientAuthKey, _, err := k8sutil.GetCASecret(d.deps.KubeCli.CoreV1(), clientAuthSecretName, ns, nil)
  if err != nil {
  log.Debug().Err(err).Msg("Failed to get client-auth CA secret")
  return maskAny(err)

@@ -237,6 +237,25 @@ func (d *Deployment) CleanupPod(p v1.Pod) error {
  return nil
 }
 
+// RemovePodFinalizers removes all the finalizers from the Pod with given name in the namespace
+// of the deployment. If the pod does not exist, the error is ignored.
+func (d *Deployment) RemovePodFinalizers(podName string) error {
+ log := d.deps.Log
+ ns := d.GetNamespace()
+ kubecli := d.deps.KubeCli
+ p, err := kubecli.CoreV1().Pods(ns).Get(podName, metav1.GetOptions{})
+ if err != nil {
+ if k8sutil.IsNotFound(err) {
+ return nil
+ }
+ return maskAny(err)
+ }
+ if err := k8sutil.RemovePodFinalizers(log, d.deps.KubeCli, p, p.GetFinalizers(), true); err != nil {
+ return maskAny(err)
+ }
+ return nil
+}
+
 // DeletePvc deletes a persistent volume claim with given name in the namespace
 // of the deployment. If the pvc does not exist, the error is ignored.
 func (d *Deployment) DeletePvc(pvcName string) error {
@@ -307,3 +326,26 @@ func (d *Deployment) DeleteTLSKeyfile(group api.ServerGroup, member api.MemberSt
  }
  return nil
 }
+
+// GetTLSCA returns the TLS CA certificate in the secret with given name.
+// Returns: publicKey, privateKey, ownerByDeployment, error
+func (d *Deployment) GetTLSCA(secretName string) (string, string, bool, error) {
+ ns := d.apiObject.GetNamespace()
+ owner := d.apiObject.AsOwner()
+ cert, priv, isOwned, err := k8sutil.GetCASecret(d.deps.KubeCli.CoreV1(), secretName, ns, &owner)
+ if err != nil {
+ return "", "", false, maskAny(err)
+ }
+ return cert, priv, isOwned, nil
+
+}
+
+// DeleteSecret removes the Secret with given name.
+// If the secret does not exist, the error is ignored.
+func (d *Deployment) DeleteSecret(secretName string) error {
+ ns := d.apiObject.GetNamespace()
+ if err := d.deps.KubeCli.CoreV1().Secrets(ns).Delete(secretName, &metav1.DeleteOptions{}); err != nil && !k8sutil.IsNotFound(err) {
+ return maskAny(err)
+ }
+ return nil
+}
@@ -70,9 +70,14 @@ type ActionContext interface {
  // DeletePvc deletes a persistent volume claim with given name in the namespace
  // of the deployment. If the pvc does not exist, the error is ignored.
  DeletePvc(pvcName string) error
+ // RemovePodFinalizers removes all the finalizers from the Pod with given name in the namespace
+ // of the deployment. If the pod does not exist, the error is ignored.
+ RemovePodFinalizers(podName string) error
  // DeleteTLSKeyfile removes the Secret containing the TLS keyfile for the given member.
  // If the secret does not exist, the error is ignored.
  DeleteTLSKeyfile(group api.ServerGroup, member api.MemberStatus) error
+ // DeleteTLSCASecret removes the Secret containing the TLS CA certificate.
+ DeleteTLSCASecret() error
 }
 
 // newActionContext creates a new ActionContext implementation.
@@ -212,6 +217,15 @@ func (ac *actionContext) DeletePvc(pvcName string) error {
  return nil
 }
 
+// RemovePodFinalizers removes all the finalizers from the Pod with given name in the namespace
+// of the deployment. If the pod does not exist, the error is ignored.
+func (ac *actionContext) RemovePodFinalizers(podName string) error {
+ if err := ac.context.RemovePodFinalizers(podName); err != nil {
+ return maskAny(err)
+ }
+ return nil
+}
+
 // DeleteTLSKeyfile removes the Secret containing the TLS keyfile for the given member.
 // If the secret does not exist, the error is ignored.
 func (ac *actionContext) DeleteTLSKeyfile(group api.ServerGroup, member api.MemberStatus) error {
@@ -220,3 +234,28 @@ func (ac *actionContext) DeleteTLSKeyfile(group api.ServerGroup, member api.Memb
  }
  return nil
 }
+
+// DeleteTLSCASecret removes the Secret containing the TLS CA certificate.
+func (ac *actionContext) DeleteTLSCASecret() error {
+ spec := ac.context.GetSpec().TLS
+ if !spec.IsSecure() {
+ return nil
+ }
+ secretName := spec.GetCASecretName()
+ if secretName == "" {
+ return nil
+ }
+ // Remove secret hash, since it is going to change
+ status, lastVersion := ac.context.GetStatus()
+ if status.SecretHashes != nil {
+ status.SecretHashes.TLSCA = ""
+ if err := ac.context.UpdateStatus(status, lastVersion); err != nil {
+ return maskAny(err)
+ }
+ }
+ // Do delete the secret
+ if err := ac.context.DeleteSecret(secretName); err != nil {
+ return maskAny(err)
+ }
+ return nil
+}
@@ -0,0 +1,71 @@
+//
+// DISCLAIMER
+//
+// Copyright 2018 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Ewout Prangsma
+//
+
+package reconcile
+
+import (
+ "context"
+ "time"
+
+ api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1alpha"
+ "github.com/rs/zerolog"
+)
+
+// NewRenewTLSCACertificateAction creates a new Action that implements the given
+// planned RenewTLSCACertificate action.
+func NewRenewTLSCACertificateAction(log zerolog.Logger, action api.Action, actionCtx ActionContext) Action {
+ return &renewTLSCACertificateAction{
+ log: log,
+ action: action,
+ actionCtx: actionCtx,
+ }
+}
+
+// renewTLSCACertificateAction implements a RenewTLSCACertificate action.
+type renewTLSCACertificateAction struct {
+ log zerolog.Logger
+ action api.Action
+ actionCtx ActionContext
+}
+
+// Start performs the start of the action.
+// Returns true if the action is completely finished, false in case
+// the start time needs to be recorded and a ready condition needs to be checked.
+func (a *renewTLSCACertificateAction) Start(ctx context.Context) (bool, error) {
+ // Just delete the secret.
+ // It will be re-created.
+ if err := a.actionCtx.DeleteTLSCASecret(); err != nil {
+ return false, maskAny(err)
+ }
+ return true, nil
+}
+
+// CheckProgress checks the progress of the action.
+// Returns true if the action is completely finished, false otherwise.
+func (a *renewTLSCACertificateAction) CheckProgress(ctx context.Context) (bool, bool, error) {
+ return true, false, nil
+}
+
+// Timeout returns the amount of time after which this action will timeout.
+func (a *renewTLSCACertificateAction) Timeout() time.Duration {
+ return renewTLSCACertificateTimeout
+}
@@ -57,6 +57,10 @@ func (a *actionRotateMember) Start(ctx context.Context) (bool, error) {
  if !ok {
  log.Error().Msg("No such member")
  }
+ // Remove finalizers, so Kubernetes will quickly terminate the pod
+ if err := a.actionCtx.RemovePodFinalizers(m.PodName); err != nil {
+ return false, maskAny(err)
+ }
  if group.IsArangod() {
  // Invoke shutdown endpoint
  c, err := a.actionCtx.GetServerClient(ctx, group, a.action.MemberID)

@@ -69,6 +69,9 @@ type Context interface {
  // DeletePvc deletes a persistent volume claim with given name in the namespace
  // of the deployment. If the pvc does not exist, the error is ignored.
  DeletePvc(pvcName string) error
+ // RemovePodFinalizers removes all the finalizers from the Pod with given name in the namespace
+ // of the deployment. If the pod does not exist, the error is ignored.
+ RemovePodFinalizers(podName string) error
  // GetOwnedPods returns a list of all pods owned by the deployment.
  GetOwnedPods() ([]v1.Pod, error)
  // GetTLSKeyfile returns the keyfile encoded TLS certificate+key for
@@ -77,4 +80,10 @@ type Context interface {
  // DeleteTLSKeyfile removes the Secret containing the TLS keyfile for the given member.
  // If the secret does not exist, the error is ignored.
  DeleteTLSKeyfile(group api.ServerGroup, member api.MemberStatus) error
+ // GetTLSCA returns the TLS CA certificate in the secret with given name.
+ // Returns: publicKey, privateKey, ownerByDeployment, error
+ GetTLSCA(secretName string) (string, string, bool, error)
+ // DeleteSecret removes the Secret with given name.
+ // If the secret does not exist, the error is ignored.
+ DeleteSecret(secretName string) error
 }
@@ -23,10 +23,6 @@
 package reconcile
 
 import (
- "crypto/x509"
- "encoding/pem"
- "time"
-
  "github.com/rs/zerolog"
  "github.com/rs/zerolog/log"
  "k8s.io/api/core/v1"
@@ -58,7 +54,7 @@ func (d *Reconciler) CreatePlan() error {
  apiObject := d.context.GetAPIObject()
  spec := d.context.GetSpec()
  status, lastVersion := d.context.GetStatus()
- newPlan, changed := createPlan(d.log, apiObject, status.Plan, spec, status, pods, d.context.GetTLSKeyfile)
+ newPlan, changed := createPlan(d.log, apiObject, status.Plan, spec, status, pods, d.context.GetTLSKeyfile, d.context.GetTLSCA)
 
  // If not change, we're done
  if !changed {
@@ -83,7 +79,8 @@ func (d *Reconciler) CreatePlan() error {
 func createPlan(log zerolog.Logger, apiObject metav1.Object,
  currentPlan api.Plan, spec api.DeploymentSpec,
  status api.DeploymentStatus, pods []v1.Pod,
- getTLSKeyfile func(group api.ServerGroup, member api.MemberStatus) (string, error)) (api.Plan, bool) {
+ getTLSKeyfile func(group api.ServerGroup, member api.MemberStatus) (string, error),
+ getTLSCA func(string) (string, string, bool, error)) (api.Plan, bool) {
  if len(currentPlan) > 0 {
  // Plan already exists, complete that first
  return currentPlan, false
@@ -178,41 +175,14 @@ func createPlan(log zerolog.Logger, apiObject metav1.Object,
  })
  }
 
+ // Check for the need to rotate TLS CA certificate and all members
+ if len(plan) == 0 {
+ plan = createRotateTLSCAPlan(log, spec, status, getTLSCA)
+ }
+
  // Check for the need to rotate TLS certificate of a members
- if len(plan) == 0 && spec.TLS.IsSecure() {
- status.Members.ForeachServerGroup(func(group api.ServerGroup, members api.MemberStatusList) error {
- for _, m := range members {
- if len(plan) > 0 {
- // Only 1 change at a time
- continue
- }
- if m.Phase != api.MemberPhaseCreated {
- // Only make changes when phase is created
- continue
- }
- if group == api.ServerGroupSyncWorkers {
- // SyncWorkers have no externally created TLS keyfile
- continue
- }
- // Load keyfile
- keyfile, err := getTLSKeyfile(group, m)
- if err != nil {
- log.Warn().Err(err).
- Str("role", group.AsRole()).
- Str("id", m.ID).
- Msg("Failed to get TLS secret")
- continue
- }
- renewalNeeded := tlsKeyfileNeedsRenewal(log, keyfile)
- if renewalNeeded {
- plan = append(append(plan,
- api.NewAction(api.ActionTypeRenewTLSCertificate, group, m.ID)),
- createRotateMemberPlan(log, m, group, "TLS certificate renewal")...,
- )
- }
- }
- return nil
- })
+ if len(plan) == 0 {
+ plan = createRotateTLSServerCertificatePlan(log, spec, status, getTLSKeyfile)
  }
 
  // Return plan
@@ -304,44 +274,6 @@ func normalizeServiceAccountName(name string) string {
  return ""
 }
 
-// tlsKeyfileNeedsRenewal decides if the certificate in the given keyfile
-// should be renewed.
-func tlsKeyfileNeedsRenewal(log zerolog.Logger, keyfile string) bool {
- raw := []byte(keyfile)
- for {
- var derBlock *pem.Block
- derBlock, raw = pem.Decode(raw)
- if derBlock == nil {
- break
- }
- if derBlock.Type == "CERTIFICATE" {
- cert, err := x509.ParseCertificate(derBlock.Bytes)
- if err != nil {
- // We do not understand the certificate, let's renew it
- log.Warn().Err(err).Msg("Failed to parse x509 certificate. Renewing it")
- return true
- }
- if cert.IsCA {
- // Only look at the server certificate, not CA or intermediate
- continue
- }
- // Check expiration date. Renewal at 2/3 of lifetime.
- ttl := cert.NotAfter.Sub(cert.NotBefore)
- expirationDate := cert.NotBefore.Add((ttl / 3) * 2)
- if expirationDate.Before(time.Now()) {
- // We should renew now
- log.Debug().
- Str("not-before", cert.NotBefore.String()).
- Str("not-after", cert.NotAfter.String()).
- Str("expiration-date", expirationDate.String()).
- Msg("TLS certificate renewal needed")
- return true
- }
- }
- }
- return false
-}
-
 // createScalePlan creates a scaling plan for a single server group
 func createScalePlan(log zerolog.Logger, members api.MemberStatusList, group api.ServerGroup, count int) api.Plan {
  var plan api.Plan