stackabletech / secret-operator


feat: migrate CA secret to new namespace #476

Closed dervoeti closed 2 months ago

dervoeti commented 2 months ago

Description

Fixes https://github.com/stackabletech/secret-operator/issues/453 by creating a one-time job that copies the secret over to the new namespace if it does not exist there yet.

Definition of Done Checklist

# Author
- [ ] Changes are OpenShift compatible
- [ ] Helm chart can be installed and deployed operator works
- [ ] Integration tests passed (for non trivial changes)
- [x] Changes need to be "offline" compatible
# Reviewer
- [ ] Code contains useful comments
- [ ] Code contains useful logging statements
- [ ] (Integration-)Test cases added
- [ ] Documentation added or updated. Follows the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs-style-guide).
- [ ] Changelog updated
- [ ] Cargo.toml only contains references to git tags (not specific commits or branches)
# Acceptance
- [ ] Feature Tracker has been updated
- [ ] Proper release label has been added
- [ ] [Roadmap](https://github.com/orgs/stackabletech/projects/25/views/1) has been updated
dervoeti commented 2 months ago

I created separate RBAC rules for the Job now instead of using the ones from secret-operator.

Reasoning (besides better security): The Job should run before secret-op starts and the SecretClass is created, because otherwise a race condition might occur where secret-op is already started but the Job has not finished yet, hence the Secret is not yet copied over to the new namespace and secret-op might create a new CA (if a Pod requests a cert). Since the Job needs a ServiceAccount to view/edit Secrets and that ServiceAccount needs to be created before the installation of secret-op as well, the ServiceAccount and other RBAC resources have been created and also annotated with the Helm hook annotations. I set the hook-delete-policy to hook-succeeded so all the resources from this one-time job will automatically be deleted if it succeeds. The hook-weight annotations make sure the RBAC resources are created before the Job.

Just retested it a couple of times, works as expected.
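The hook layout the comment above describes (RBAC resources created first via a lower hook-weight, a Job that copies the secret only if it is not already in the target namespace, everything removed on success via hook-succeeded), as an added illustrative example. These are not the secret-operator chart's own templates: the namespace names `secret-operator-old` and `secret-operator`, the secret name `secret-provisioner-tls-ca`, the `pre-install,pre-upgrade` hook phases and the Job image are assumptions made for the example.

```yaml
# Added example, not the secret-operator chart's templates. Assumed names:
# source namespace "secret-operator-old", target namespace "secret-operator",
# secret "secret-provisioner-tls-ca", and an image providing kubectl and jq.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ca-secret-migration
  namespace: secret-operator              # assumed target (new) namespace
  annotations: {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "-5",
                "helm.sh/hook-delete-policy": hook-succeeded}   # weight -5: created before the Job
---
# Source namespace: read access to exactly one secret, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ca-secret-migration-source
  namespace: secret-operator-old          # assumed source (old) namespace
  annotations: {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "-5",
                "helm.sh/hook-delete-policy": hook-succeeded}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["secret-provisioner-tls-ca"]
    verbs: ["get"]
---
# Target namespace: "get" on the named secret for the existence check; "create"
# cannot be limited by resourceNames in Kubernetes RBAC, so it covers this namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ca-secret-migration-target
  namespace: secret-operator
  annotations: {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "-5",
                "helm.sh/hook-delete-policy": hook-succeeded}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["secret-provisioner-tls-ca"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ca-secret-migration-source
  namespace: secret-operator-old
  annotations: {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "-5",
                "helm.sh/hook-delete-policy": hook-succeeded}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: ca-secret-migration-source}
subjects: [{kind: ServiceAccount, name: ca-secret-migration, namespace: secret-operator}]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ca-secret-migration-target
  namespace: secret-operator
  annotations: {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "-5",
                "helm.sh/hook-delete-policy": hook-succeeded}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: ca-secret-migration-target}
subjects: [{kind: ServiceAccount, name: ca-secret-migration, namespace: secret-operator}]
---
apiVersion: batch/v1
kind: Job
metadata:
  name: ca-secret-migration
  namespace: secret-operator
  annotations: {"helm.sh/hook": "pre-install,pre-upgrade", "helm.sh/hook-weight": "0",
                "helm.sh/hook-delete-policy": hook-succeeded}   # weight 0: after the RBAC objects
spec:
  backoffLimit: 3
  template:
    spec:
      serviceAccountName: ca-secret-migration
      restartPolicy: Never
      containers:
        - name: migrate
          image: registry.example/kubectl-jq:latest   # assumed: any image with kubectl and jq
          securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}
          command: ["/bin/sh", "-ec"]
          args:
            - |
              # Idempotent: a secret already present in the target namespace is never overwritten.
              if kubectl -n secret-operator get secret secret-provisioner-tls-ca >/dev/null 2>&1; then
                echo "CA secret already present in target namespace, nothing to do"; exit 0
              fi
              # Strip instance-specific metadata so the API server accepts the object as new;
              # type, labels and data (the CA key and certificate) are carried over unchanged.
              kubectl -n secret-operator-old get secret secret-provisioner-tls-ca -o json \
                | jq 'del(.metadata.namespace, .metadata.uid, .metadata.resourceVersion,
                          .metadata.creationTimestamp, .metadata.managedFields, .metadata.ownerReferences)' \
                | kubectl -n secret-operator create -f -
```

Helm sorts hook resources by weight (ascending) and, for a Job hook, waits for the Job to complete before it installs or upgrades the rest of the release, so the operator Deployment is not created until the copy has finished; that is what removes the race described above. Two caveats worth keeping in mind: `hook-succeeded` deliberately leaves the ServiceAccount, Roles, RoleBindings and Job behind when the Job fails, and because hook resources are not tracked as part of the release they must then be inspected and cleaned up by hand before a retry; and the `create` permission in the target namespace cannot be narrowed to one secret name, so the Job's ServiceAccount can create arbitrary secrets there for the short time it exists, which is still far narrower than reusing the operator's own cluster-wide secret permissions.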