[release-0.64] Nmstate add selfsigned api (#1029)

* nmstate, api: Add SelfSign configuration API to NMState

Add SelfSign API to achieve feature parity with CNAO.
For future implementation of Cert Rotation.

Signed-off-by: Radim Hrazdil <[email protected]>

* make vendor

Signed-off-by: Radim Hrazdil <[email protected]>

* operator: pass SelfSignedConfiguration from NMState spec

If defined, pass SelfSignedConfiguration from NMState.
If not specified, keep using the same defaults as of now.

Signed-off-by: Radim Hrazdil <[email protected]>

* set defaults of SelfSignConfiguration in the operator

Signed-off-by: Radim Hrazdil <[email protected]>

api/v1/nmstate_types.go

@@ -50,6 +50,19 @@ type NMStateSpec struct {
 	// If InfraTolerations is specified, the webhook and certmanager will be able to be scheduled on nodes with corresponding taints
 	// +optional
 	InfraTolerations []corev1.Toleration `json:"infraTolerations,omitempty"`
+	// SelfSignConfiguration defines self signed certificate configuration
+	SelfSignConfiguration *SelfSignConfiguration `json:"selfSignConfiguration,omitempty"`
+}
+
+type SelfSignConfiguration struct {
+	// CARotateInterval defines duration for CA expiration
+	CARotateInterval string `json:"caRotateInterval,omitempty"`
+	// CAOverlapInterval defines the duration where expired CA certificate can overlap with new one, in order to allow fluent CA rotation transitioning
+	CAOverlapInterval string `json:"caOverlapInterval,omitempty"`
+	// CertRotateInterval defines duration for of service certificate expiration
+	CertRotateInterval string `json:"certRotateInterval,omitempty"`
+	// CertOverlapInterval defines the duration where expired service certificate can overlap with new one, in order to allow fluent service rotation transitioning
+	CertOverlapInterval string `json:"certOverlapInterval,omitempty"`
 }
 
 // NMStateStatus defines the observed state of NMState

controllers/operator/nmstate_controller.go

@@ -209,6 +209,16 @@ func (r *NMStateReconciler) applyHandler(instance *nmstatev1.NMState) error {
 		infraAffinity = &corev1.Affinity{}
 	}
 
+	selfSignConfiguration := instance.Spec.SelfSignConfiguration
+	if selfSignConfiguration == nil {
+		selfSignConfiguration = &nmstatev1.SelfSignConfiguration{
+			CARotateInterval:    "8760h0m0s",
+			CAOverlapInterval:   "24h0m0s",
+			CertRotateInterval:  "4380h0m0s",
+			CertOverlapInterval: "24h0m0s",
+		}
+	}
+
 	data.Data["HandlerNamespace"] = os.Getenv("HANDLER_NAMESPACE")
 	data.Data["HandlerImage"] = os.Getenv("RELATED_IMAGE_HANDLER_IMAGE")
 	data.Data["HandlerPullPolicy"] = os.Getenv("HANDLER_IMAGE_PULL_POLICY")
@@ -221,12 +231,8 @@ func (r *NMStateReconciler) applyHandler(instance *nmstatev1.NMState) error {
 	data.Data["HandlerNodeSelector"] = archAndCRNodeSelector
 	data.Data["HandlerTolerations"] = handlerTolerations
 	data.Data["HandlerAffinity"] = handlerAffinity
-	// TODO: This is just a place holder to make template renderer happy
-	//       proper variable has to be read from env or CR
-	data.Data["CARotateInterval"] = ""
-	data.Data["CAOverlapInterval"] = ""
-	data.Data["CertRotateInterval"] = ""
-	data.Data["CertOverlapInterval"] = ""
+	data.Data["SelfSignConfiguration"] = selfSignConfiguration
+
 	return r.renderAndApply(instance, data, "handler", true)
 }
 

deploy/crds/nmstate.io_nmstates.yaml

@@ -1750,6 +1750,28 @@ spec:
                   that have each of the indicated key-value pairs as labels applied
                   to the node.
                 type: object
+              selfSignConfiguration:
+                description: SelfSignConfiguration defines self signed certificate
+                  configuration
+                properties:
+                  caOverlapInterval:
+                    description: CAOverlapInterval defines the duration where expired
+                      CA certificate can overlap with new one, in order to allow fluent
+                      CA rotation transitioning
+                    type: string
+                  caRotateInterval:
+                    description: CARotateInterval defines duration for CA expiration
+                    type: string
+                  certOverlapInterval:
+                    description: CertOverlapInterval defines the duration where expired
+                      service certificate can overlap with new one, in order to allow
+                      fluent service rotation transitioning
+                    type: string
+                  certRotateInterval:
+                    description: CertRotateInterval defines duration for of service
+                      certificate expiration
+                    type: string
+                type: object
               tolerations:
                 description: Tolerations is an optional list of tolerations to be
                   added to handler DaemonSet manifest If Tolerations is specified,

deploy/handler/operator.yaml

@@ -165,13 +165,13 @@ spec:
             - name: PROFILER_PORT
               value: "6060"
             - name: CA_ROTATE_INTERVAL
-              value: {{ .CARotateInterval | default "8760h0m0s" }}
+              value: {{ .SelfSignConfiguration.CARotateInterval }}
             - name: CA_OVERLAP_INTERVAL
-              value: {{ .CAOverlapInterval | default "24h0m0s" }}
+              value: {{ .SelfSignConfiguration.CAOverlapInterval }}
             - name: CERT_ROTATE_INTERVAL
-              value: {{ .CertRotateInterval | default "4380h0m0s" }}
+              value: {{ .SelfSignConfiguration.CertRotateInterval }}
             - name: CERT_OVERLAP_INTERVAL
-              value: {{ .CertOverlapInterval | default "24h0m0s" }}
+              value: {{ .SelfSignConfiguration.CertOverlapInterval }}
 ---
 apiVersion: apps/v1
 kind: DaemonSet