Kong / gateway-operator

Kubernetes Operator for Kong Gateways
Apache License 2.0

CA secret reconciliation #198

Open mlavacca opened 2 years ago

mlavacca commented 2 years ago

Problem Statement

At controller startup time the operator tries to retrieve the CA secret (name and namespace are passed as args or defaulted to kong-system/kong-operator-ca). If such a secret does not exist, it is created. The existence of the CA is never enforced. Thus, if the secret containing the CA is deleted, the operator will not be able to issue mTLS certificates anymore (unless it restarts).

Proposed Solution

If the CA secret is not provided by the user but is created by the operator, it needs to be enforced in the cluster. This can be achieved through a controller that watches all the secrets with a specific label and whenever such a secret triggers an event, the desired state (i.e., having a valid CA secret) is enforced.

Additional information

This issue may be considered one step in resolving Kong/gateway-operator#199, in which a secret controller has been mentioned as well.

Acceptance Criteria

mflendrich commented 2 years ago

CA certificate recreation would effectively invalidate all the PKI that depends on being signed by that CA. Therefore, this feature likely needs rotation of all the certificates dependent on the deleted CA.

shaneutt commented 1 year ago

> CA certificate recreation would effectively invalidate all the PKI that depends on being signed by that CA. Therefore, this feature likely needs rotation of all the certificates dependent on the deleted CA.

I've updated the acceptance criteria to incorporate this.
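The desired-state step the proposal describes, together with the rotation concern raised in the thread, as an added example that is not the gateway-operator's code: keep a valid CA secret, recreate a missing, corrupt or expired one, and report when a recreation happened so that certificates signed by the old CA can be reissued. The caSecret type, its field layout and the function names are hypothetical; kong-system/kong-operator-ca is the default from the issue; the Kubernetes watch on labeled Secrets that would call reconcile on each event is left out.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// caSecret stands in for kong-system/kong-operator-ca (hypothetical layout; the real Secret holds the key PEM-encoded).
type caSecret struct{ CertPEM []byte; Key ed25519.PrivateKey }

// newCA mints a self-signed CA: the "create it if it does not exist" branch.
func newCA(now time.Time) (*caSecret, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kong-operator-ca"},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &caSecret{CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), Key: priv}, nil
}

// validCA reports whether certPEM holds a parseable CA certificate that is valid at now.
func validCA(certPEM []byte, now time.Time) bool {
	blk, _ := pem.Decode(certPEM)
	if blk == nil {
		return false
	}
	cert, err := x509.ParseCertificate(blk.Bytes)
	return err == nil && cert.IsCA && !now.Before(cert.NotBefore) && now.Before(cert.NotAfter)
}

// reconcile enforces the desired state on every Secret event: keep a valid CA, recreate a missing, corrupt or expired one; rotated=true means certs signed by the old CA need reissuing.
func reconcile(current *caSecret, now time.Time) (s *caSecret, rotated bool, err error) {
	if current != nil && validCA(current.CertPEM, now) {
		return current, false, nil
	}
	s, err = newCA(now)
	return s, err == nil, err
}
```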