feat: Introduce Dedicated Istio Gateway Secret

cmd/main.go

@@ -36,7 +36,9 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	machineryruntime "k8s.io/apimachinery/pkg/runtime"
 	machineryutilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/kubernetes"
 	k8sclientscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
@@ -65,6 +67,7 @@ import (
 	"github.com/kyma-project/lifecycle-manager/pkg/matcher"
 	"github.com/kyma-project/lifecycle-manager/pkg/queue"
 	"github.com/kyma-project/lifecycle-manager/pkg/watcher"
+	"github.com/kyma-project/lifecycle-manager/pkg/zerodw"
 
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	_ "ocm.software/ocm/api/ocm"
@@ -201,12 +204,21 @@ func setupManager(flagVar *flags.FlagVar, cacheOptions cache.Options, scheme *ma
 	go cleanupStoredVersions(flagVar.DropCrdStoredVersionMap, mgr, setupLog)
 	go scheduleMetricsCleanup(kymaMetrics, flagVar.MetricsCleanupIntervalInMinutes, mgr, setupLog)
 
+	setupIstioGatewaySecretRotation(config, kcpClient, setupLog)
+
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(runtimeProblemExitCode)
 	}
 }
 
+func setupIstioGatewaySecretRotation(config *rest.Config, kcpClient *remote.ConfigAndClient, setupLog logr.Logger) {
+	kcpClientset := kubernetes.NewForConfigOrDie(config)
+	gatewaySecretHandler := zerodw.NewGatewaySecretHandler(kcpClient)
+
+	go zerodw.WatchChangesOnRootCertificate(kcpClientset, gatewaySecretHandler, setupLog)
+}
+
 func addHealthChecks(mgr manager.Manager, setupLog logr.Logger) {
 	// +kubebuilder:scaffold:builder
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
@@ -323,7 +335,6 @@ func setupKymaReconciler(mgr ctrl.Manager,
 func createSkrWebhookManager(mgr ctrl.Manager, skrContextFactory remote.SkrContextProvider,
 	flagVar *flags.FlagVar,
 ) (*watcher.SKRWebhookManifestManager, error) {
-	caCertificateCache := watcher.NewCACertificateCache(flagVar.CaCertCacheTTL)
 	config := watcher.SkrWebhookManagerConfig{
 		SKRWatcherPath:         flagVar.WatcherResourcesPath,
 		SkrWatcherImage:        flagVar.GetWatcherImage(),
@@ -353,7 +364,6 @@ func createSkrWebhookManager(mgr ctrl.Manager, skrContextFactory remote.SkrConte
 	return watcher.NewSKRWebhookManifestManager(
 		mgr.GetClient(),
 		skrContextFactory,
-		caCertificateCache,
 		config,
 		certConfig,
 		resolvedKcpAddr)

config/rbac/namespace_bindings/watcher_certmanager_role.yaml

@@ -15,6 +15,7 @@ rules:
     - watch
     - create
     - delete
+    - update
 - apiGroups:
     - cert-manager.io
   resources:

config/watcher/gateway.yaml

@@ -20,5 +20,5 @@ spec:
         number: 443
         protocol: HTTPS
       tls:
-        credentialName: klm-watcher
+        credentialName: istio-gateway-secret
         mode: MUTUAL

internal/pkg/flags/flags.go

@@ -43,7 +43,6 @@ const (
 	DefaultIstioGatewayNamespace                                        = "kcp-system"
 	DefaultIstioNamespace                                               = "istio-system"
 	DefaultCaCertName                                                   = "klm-watcher-serving"
-	DefaultCaCertCacheTTL                                 time.Duration = 1 * time.Hour
 	DefaultSelfSignedCertDuration                         time.Duration = 90 * 24 * time.Hour
 	DefaultSelfSignedCertRenewBefore                      time.Duration = 60 * 24 * time.Hour
 	DefaultSelfSignedCertificateRenewBuffer                             = 24 * time.Hour
@@ -203,8 +202,6 @@ func DefineFlagVar() *FlagVar {
 		"Name of the namespace for syncing remote Kyma and module catalog")
 	flag.StringVar(&flagVar.CaCertName, "ca-cert-name", DefaultCaCertName,
 		"Name of the CA Certificate in Istio Namespace which is used to sign SKR Certificates")
-	flag.DurationVar(&flagVar.CaCertCacheTTL, "ca-cert-cache-ttl", DefaultCaCertCacheTTL,
-		"The ttl for the CA Certificate Cache")
 	flag.DurationVar(&flagVar.SelfSignedCertDuration, "self-signed-cert-duration", DefaultSelfSignedCertDuration,
 		"The lifetime duration of self-signed certificate, minimum accepted duration is 1 hour.")
 	flag.DurationVar(&flagVar.SelfSignedCertRenewBefore, "self-signed-cert-renew-before",
@@ -287,7 +284,6 @@ type FlagVar struct {
 	SkipPurgingFor                         string
 	RemoteSyncNamespace                    string
 	CaCertName                             string
-	CaCertCacheTTL                         time.Duration
 	IsKymaManaged                          bool
 	SelfSignedCertDuration                 time.Duration
 	SelfSignedCertRenewBefore              time.Duration

internal/pkg/flags/flags_test.go

@@ -175,11 +175,6 @@ func Test_ConstantFlags(t *testing.T) {
 			constValue:    DefaultCaCertName,
 			expectedValue: "klm-watcher-serving",
 		},
-		{
-			constName:     "DefaultCaCertCacheTTL",
-			constValue:    DefaultCaCertCacheTTL.String(),
-			expectedValue: (1 * time.Hour).String(),
-		},
 		{
 			constName:     "DefaultSelfSignedCertDuration",
 			constValue:    DefaultSelfSignedCertDuration.String(),

pkg/testutils/watcher.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"time"
 
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	apicorev1 "k8s.io/api/core/v1"
@@ -14,8 +15,9 @@ import (
 )
 
 var (
-	errOldCreationTime = errors.New("certificate has an old creation timestamp")
-	errNotSyncedSecret = errors.New("secret is not synced to skr cluster")
+	errOldCreationTime     = errors.New("certificate has an old creation timestamp")
+	errNotSyncedSecret     = errors.New("secret is not synced to skr cluster")
+	errTLSSecretNotRotated = errors.New("tls secret did not rotated")
 )
 
 func CertificateSecretExists(ctx context.Context, secretName types.NamespacedName, k8sClient client.Client) error {
@@ -43,6 +45,19 @@ func CertificateSecretIsCreatedAfter(ctx context.Context,
 	return nil
 }
 
+func TLSSecretRotated(ctx context.Context, oldValue time.Time,
+	namespacedSecretName types.NamespacedName, kcpClient client.Client,
+) error {
+	secret, err := GetTLSSecret(ctx, namespacedSecretName, kcpClient)
+	if err != nil {
+		return fmt.Errorf("failed to fetch tls secret: %w", err)
+	}
+	if secret.CreationTimestamp.Time == oldValue {
+		return errTLSSecretNotRotated
+	}
+	return nil
+}
+
 func CertificateSecretIsSyncedToSkrCluster(ctx context.Context,
 	kcpSecretName types.NamespacedName, kcpClient client.Client,
 	skrSecretName types.NamespacedName, skrClient client.Client,
@@ -104,3 +119,13 @@ func GetCACertificate(ctx context.Context, namespacedCertName types.NamespacedNa
 
 	return caCert, nil
 }
+
+func GetTLSSecret(ctx context.Context, namespacedSecretName types.NamespacedName, k8sClient client.Client,
+) (*apicorev1.Secret, error) {
+	tlsSecret := &apicorev1.Secret{}
+	if err := k8sClient.Get(ctx, namespacedSecretName, tlsSecret); err != nil {
+		return nil, fmt.Errorf("failed to get secret %w", err)
+	}
+
+	return tlsSecret, nil
+}

pkg/watcher/certificate_manager.go

@@ -18,6 +18,7 @@ import (
 	"github.com/kyma-project/lifecycle-manager/api/v1beta2"
 	"github.com/kyma-project/lifecycle-manager/pkg/log"
 	"github.com/kyma-project/lifecycle-manager/pkg/util"
+	"github.com/kyma-project/lifecycle-manager/pkg/zerodw"
 )
 
 const (
@@ -43,7 +44,6 @@ type SubjectAltName struct {
 
 type CertificateManager struct {
 	kcpClient       client.Client
-	caCertCache     *CACertificateCache
 	certificateName string
 	secretName      string
 	labelSet        k8slabels.Set
@@ -76,14 +76,12 @@ type CertificateSecret struct {
 // NewCertificateManager returns a new CertificateManager, which can be used for creating a cert-manager Certificates.
 func NewCertificateManager(kcpClient client.Client, kymaName string,
 	config CertificateConfig,
-	caCertCache *CACertificateCache,
 ) *CertificateManager {
 	return &CertificateManager{
 		kcpClient:       kcpClient,
 		certificateName: ResolveTLSCertName(kymaName),
 		secretName:      ResolveTLSCertName(kymaName),
 		config:          config,
-		caCertCache:     caCertCache,
 		labelSet: k8slabels.Set{
 			shared.PurposeLabel: shared.CertManager,
 			shared.ManagedBy:    shared.OperatorName,
@@ -261,53 +259,29 @@ func (c *CertificateManager) getIssuer(ctx context.Context) (*certmanagerv1.Issu
 	return &issuerList.Items[0], nil
 }
 
-func (c *CertificateManager) getCertificateSecret(ctx context.Context) (*apicorev1.Secret, error) {
-	secret := &apicorev1.Secret{}
-	err := c.kcpClient.Get(ctx, client.ObjectKey{Name: c.secretName, Namespace: c.config.IstioNamespace},
-		secret)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get secret for certificate %s-%s: %w", c.secretName, c.config.IstioNamespace,
-			err)
-	}
-
-	return secret, nil
-}
-
 type CertificateNotReadyError struct{}
 
 func (e *CertificateNotReadyError) Error() string {
 	return "Certificate-Secret does not exist"
 }
 
-func (c *CertificateManager) GetCACertificateStatus(ctx context.Context) (certmanagerv1.CertificateStatus, error) {
-	cachedCertStatus := c.caCertCache.GetCACertStatusFromCache(c.config.CACertificateName)
-
-	if cachedCertStatus.RenewalTime == nil || certificateRenewalTimePassed(cachedCertStatus) {
-		caCert := certmanagerv1.Certificate{}
-		if err := c.kcpClient.Get(ctx,
-			client.ObjectKey{Namespace: c.config.IstioNamespace, Name: c.config.CACertificateName},
-			&caCert); err != nil {
-			return certmanagerv1.CertificateStatus{}, fmt.Errorf("failed to get CA certificate %w", err)
-		}
-		c.caCertCache.SetCACertToCache(caCert)
-		return caCert.Status, nil
-	}
-
-	return cachedCertStatus, nil
-}
-
 func (c *CertificateManager) RemoveSecretAfterCARotated(ctx context.Context, kymaObjKey client.ObjectKey) error {
-	caCertificateStatus, err := c.GetCACertificateStatus(ctx)
+	gatewaySecret, err := getCertificateSecret(ctx, c.kcpClient, client.ObjectKey{
+		Namespace: c.config.IstioNamespace,
+		Name:      zerodw.GatewaySecretName,
+	})
 	if err != nil {
-		return fmt.Errorf("error while fetching CA Certificate: %w", err)
+		return err
 	}
-
-	certSecret, err := c.getCertificateSecret(ctx)
+	watcherCert, err := getCertificateSecret(ctx, c.kcpClient, client.ObjectKey{
+		Namespace: c.config.IstioNamespace,
+		Name:      c.secretName,
+	})
 	if err != nil {
-		return fmt.Errorf("error while fetching certificate: %w", err)
+		return err
 	}
 
-	if certSecret != nil && (certSecret.CreationTimestamp.Before(caCertificateStatus.NotBefore)) {
+	if watcherCert != nil && isGatewaySecretNewerThanWatcherCert(gatewaySecret, watcherCert) {
 		logf.FromContext(ctx).V(log.DebugLevel).Info("CA Certificate was rotated, removing certificate",
 			"kyma", kymaObjKey)
 		if err = c.removeSecret(ctx); err != nil {
@@ -318,6 +292,14 @@ func (c *CertificateManager) RemoveSecretAfterCARotated(ctx context.Context, kym
 	return nil
 }
 
-func certificateRenewalTimePassed(certStatus certmanagerv1.CertificateStatus) bool {
-	return certStatus.RenewalTime.Before(&(apimetav1.Time{Time: time.Now()}))
+func isGatewaySecretNewerThanWatcherCert(gatewaySecret *apicorev1.Secret, watcherSecret *apicorev1.Secret) bool {
+	if gwSecretLastModifiedAtValue, ok := gatewaySecret.Annotations[zerodw.LastModifiedAtAnnotation]; ok {
+		if gwSecretLastModifiedAt, err := time.Parse(time.RFC3339, gwSecretLastModifiedAtValue); err == nil {
+			if watcherSecret.CreationTimestamp.Time.After(gwSecretLastModifiedAt) {
+				return false
+			}
+		}
+	}
+
+	return true
 }