service-ca-rotation: Ensure pod restart before expiry of pre-rotation CA

[marun]

/cc @sttts @deads2k @stlaz @mfojtik

[deads2k]

I think documentation for support is enough. This should be a rare edge that won't repeat.

/approve

/assign @sttts

[marun]

@deads2k Yes to this event won't repeat, but not sure 'rare' is the right word. This requirement affects every 4.x cluster deployed today that is upgraded to a release supporting automated rotation.

[marun]

I've updated this PR to ensure pod restart before expiry of the pre-rotation CA.

tl;dr The only mechanism to ensure services are using unexpired key material is pod restart, and the only dependable trigger for pod restart is a cluster upgrade. Since upgrades must occur every 12 months, ensuring upgrade before expiry of key material dictates a CA duration greater than 24 months to cover the worst case.

[sttts]

I cannot follow why there is this +.

[marun]

I've added an extra step that hopefully explains this.

[sttts]

what is "minimum" in this duration? If the validity of the CA is V and we rotate at >=50%, what is meant with M? 0.5*V ?

[marun]

Correct. I've updated 'minimum CA duration' to 'minimum remaining CA duration'. Does that make it clearer? And should I update D to be V (variable names are hard, single-letter variable names are harder).

[sttts]

where is the difference to M?

[marun]

Updated to specify that R should be greater than or equal to M. Given that the proposed duration is large, it makes sense to minimize R by simplifying to R = M.

[marun]

@sttts Updated with a fixup commit, PTAL.

[stlaz]

there's been whispers of an LTS version, wouldn't that break this assumption?

[marun]

afaik there will be no such thing as an LTS release that doesn't still require an upgrade at least once a year if only to a patch release. Any upgrade will do, not just between minor versions.

@smarterclayton Can you confirm?

[marun]

Added mention of LTS and upgrade to patch release in fixup #2

[sferich888]

We don't require that customers, "upgrade", but in general customers should be updating production clusters more than once a year; given that we are providing them (at least with micro-updates) weekly updates.

[stlaz]

s/should/will? Wouldn't it be easier to backport the rotation to a n-1 version so that no manual intervention is necessary and we're sure all pods contain the current certs?

[marun]

There is no such thing as 'no manual intervention' - one-time manual restart is required for any cluster upgrading to a release that supports automated rotation. There is no other way to ensure that the pre-rotation CA won't expire before a subsequent upgrade because it's remaining duration is by definition going to be less than the minimum upgrade interval of 12 months.

[marun]

updated will to should in fixup #2

[stlaz]

This should not include restarting control-plane pods that should be rotated by their operators

[marun]

Why would it make sense to differentiate between pods running user workloads and control plane pods if manual restart involves restarting all pods?

[stlaz]

They should be capable of rotating the certs for their payloads themselves, but I suppose it's safer to restart all anyway...

[sttts]

this I don't understand.

With D as the validity of the CA, and M as the minimum remaining CA duration, we have D = M + R. M only has an influence on the validity of the previous CA after rotation. With R >= M we enforce that the previous CA will expire before yet another rotation takes place. This means that the cross-signing will break earlier than it could be (= the moment of the following rotation). Is that intentional?

[marun]

The only requirement is that an upgrade/restart occurs after a rotation. Once that occurs, there is no harm in either a subsequent rotation or the expiry of the pre-rotation CA.

[marun]

Fixup #3 updates the section on rotation on upgrade to reflect that upgrade to a release supporting automated rotation will ensure an initial rotation at time of upgrade.

[marun]

PR implementing the proposed change: openshift/service-ca-operator#106

[sferich888]

Should we be discussing metrics and/or alerts that warn users of CA validity comparted to pod start time?

In short, if the CA is newer than a pods start time, users should be warned, that a pod restart (to pick up new cert material) is required.

• This may need to be a new enhancement?

[deads2k]

Add a note here that says that all pods in the openshift control plane automatically reload certificates, keys, and ca-bundles without a pod restart. I've received questions.

[marun]

Done

[deads2k]

@marun do we have e2e tests that check

1. old service ca, old serving cert
2. old service ca, new serving cert
3. new service ca, old serving cert
4. new service ca, new serving cert
   if so, can you link them, if not can you create a bug?

[deads2k]

/lgtm
/hold

hold for minor update, test link, and squash.

[marun]

@marun do we have e2e tests that check

1. old service ca, old serving cert
2. old service ca, new serving cert
3. new service ca, old serving cert
4. new service ca, new serving cert
   if so, can you link them, if not can you create a bug?

Added links to the code in the testing section.

[marun]

@deads2k Updated, PTAL

[deads2k]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, marun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment