This repository was archived by the owner on Mar 20, 2026. It is now read-only.

Rotate Operator TLS certificate in-memory#1251

Merged
Alevsk merged 1 commit into minio:master from Alevsk:operator-tls-certificate-rotate
Aug 25, 2022

Conversation

@Alevsk
Contributor

@Alevsk Alevsk commented Aug 23, 2022

  • certNeedsRenewal didn't support kubernetes.io/tls,
    cert-manager.io/v1alpha2 or cert-manager.io/v1 secrets
  • Rotate the operator certificate if it is expired and refresh it in-memory

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>

- certNeedsRenewal didn't support kubernetes.io/tls,
  cert-manager.io/v1alpha2 or cert-manager.io/v1 secrets
- Rotate the operator certificate if it is expired and refresh it in-memory

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
@Alevsk Alevsk force-pushed the operator-tls-certificate-rotate branch from f7c2b86 to 02014f0 on August 24, 2022 01:19
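Added example, not the operator's code and not what this PR ships: a Go sketch of the two behaviours the description lists, a secret-type-aware `certNeedsRenewal` and an in-memory refresh of the serving certificate. The `Secret` type, `certStore`, `selfSignedSecret` and the key-name mapping per secret type (`tls.crt` for kubernetes.io/tls and cert-manager secrets, `public.crt` for the operator's own operator-tls secret, the key the verify script in this thread reads) are assumptions. It goes a little beyond the description by taking a renew-before window (0 gives the plain expiry check) and by formatting SHA-1 fingerprints the way `openssl x509 -fingerprint -sha1` prints them, so the in-process value can be compared with the script's output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync/atomic"
	"time"
)

// Secret is a hypothetical stand-in for corev1.Secret (no client-go needed).
type Secret struct {
	Type string
	Data map[string][]byte
}

// certPEMFromSecret picks the certificate key by secret type. The mapping is an
// assumption: kubernetes.io/tls and cert-manager secrets carry "tls.crt"; the
// operator's own operator-tls secret carries "public.crt" (the key the verify
// script in this thread reads).
func certPEMFromSecret(s Secret) ([]byte, error) {
	key := "public.crt"
	switch s.Type {
	case "kubernetes.io/tls", "cert-manager.io/v1alpha2", "cert-manager.io/v1":
		key = "tls.crt"
	}
	if b, ok := s.Data[key]; ok {
		return b, nil
	}
	return nil, fmt.Errorf("secret of type %q has no %q entry", s.Type, key)
}

// parseSecretCert decodes the PEM CERTIFICATE stored in the secret.
func parseSecretCert(s Secret) (*x509.Certificate, error) {
	pemBytes, err := certPEMFromSecret(s)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("secret data is not a PEM CERTIFICATE")
	}
	return x509.ParseCertificate(block.Bytes)
}

// certNeedsRenewal reports whether the stored certificate has expired or will
// expire within renewBefore of now (renewBefore = 0 is a plain expiry check).
// An unreadable secret counts as needing renewal rather than being trusted.
func certNeedsRenewal(s Secret, now time.Time, renewBefore time.Duration) (bool, error) {
	cert, err := parseSecretCert(s)
	if err != nil {
		return true, err
	}
	return now.Add(renewBefore).After(cert.NotAfter), nil
}

// fingerprintSHA1 formats a DER certificate's fingerprint like
// `openssl x509 -fingerprint -sha1` ("F0:16:C1:..."), for direct comparison.
func fingerprintSHA1(der []byte) string {
	sum := sha1.Sum(der)
	return strings.ReplaceAll(fmt.Sprintf("% X", sum[:]), " ", ":")
}

// certStore keeps the serving certificate behind an atomic.Value. Hand
// &tls.Config{GetCertificate: store.get} to the server: GetCertificate is
// consulted on every handshake, so a rotated certificate stored here is
// served to new connections without restarting the operator.
type certStore struct{ v atomic.Value }

func (c *certStore) set(cert *tls.Certificate) { c.v.Store(cert) }
func (c *certStore) get(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if cert, ok := c.v.Load().(*tls.Certificate); ok {
		return cert, nil
	}
	return nil, errors.New("no serving certificate loaded")
}

// selfSignedSecret builds a constructed secret and matching tls.Certificate
// for a throwaway self-signed cert (test fixture only, not an operator API).
func selfSignedSecret(secretType, key string, notBefore time.Time, lifetime time.Duration) (Secret, tls.Certificate) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.Add(lifetime)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyDER, _ := x509.MarshalECPrivateKey(priv)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	pair, _ := tls.X509KeyPair(certPEM, keyPEM)
	return Secret{Type: secretType, Data: map[string][]byte{key: certPEM}}, pair
}
```

Usage: on each reconcile, call `certNeedsRenewal(secret, time.Now(), window)`; when it returns true, issue the new certificate, write the secret, then `store.set(&newPair)` so the next handshake already presents it. Reporting an unreadable secret as "needs renewal" is deliberate: a secret of the wrong type or with the wrong key name should trigger rotation and an error, not keep an unknown certificate in service.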
@pjuarezd
Member

Did a little script to verify the Certs

#!/bin/bash

# Fingerprint of the certificate stored in the operator-tls secret (public.crt key)
FINGERPRINT_IN_SECRET=$(kubectl get secret -n minio-operator operator-tls -o jsonpath="{.data['public\.crt']}" | base64 --decode | openssl x509 -noout -fingerprint -sha1 -in /dev/stdin)
echo "Cert fingerprint in minio-operator/operator-tls secret: $FINGERPRINT_IN_SECRET"

# Fingerprint of the certificate the running operator actually presents, fetched from inside the leader pod
FINGERPRINT_IN_SERVER=$(kubectl exec "$(kubectl get pods -n minio-operator -l operator=leader -o name)" -n minio-operator -- openssl s_client -connect operator.minio-operator.svc.cluster.local:4222 < /dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1 -in /dev/stdin)

echo "Cert fingerprint in running operator service: $FINGERPRINT_IN_SERVER"

# The operator has picked up the rotated certificate only if both fingerprints match
if [ "$FINGERPRINT_IN_SECRET" == "$FINGERPRINT_IN_SERVER" ]; then
  echo "Fingerprins match!"
else
  echo "Oh no, certificates are different!"
fi

It seems to work: when I set in kubernetes a cluster-signing-duration lower than 48 hours, the operator loops and re-creates the operator-tls certificate when creating a new tenant; each time the operator-tls certificate rotated, the thumbprints of the secret and of the running operator coincide.

➜  operator git:(1251) ✗ kubectl get secret -n minio-operator operator-tls -o jsonpath={.metadata.creationTimestamp}
2022-08-24T20:51:15Z%
➜  operator git:(1251) ✗ ./testing/cert-test/verify.sh
Cert fingerprint in minio-operator/operator-tls secret: SHA1 Fingerprint=F0:16:C1:90:06:09:CB:C8:14:0D:40:FD:00:02:04:AA:D5:12:87:77
Cert fingerprint in running operator service: SHA1 Fingerprint=F0:16:C1:90:06:09:CB:C8:14:0D:40:FD:00:02:04:AA:D5:12:87:77
Fingerprins match!
➜  operator git:(1251) ✗ kubectl get secret -n minio-operator operator-tls -o jsonpath={.metadata.creationTimestamp}
2022-08-24T21:01:28Z%
➜  operator git:(1251) ✗ ./testing/cert-test/verify.sh
Cert fingerprint in minio-operator/operator-tls secret: SHA1 Fingerprint=DE:41:D4:BE:D4:7F:CD:1F:89:68:36:03:5B:F1:B8:48:FE:1A:48:B5
Cert fingerprint in running operator service: SHA1 Fingerprint=DE:41:D4:BE:D4:7F:CD:1F:89:68:36:03:5B:F1:B8:48:FE:1A:48:B5
Fingerprins match!

@Alevsk Alevsk merged commit ec4e74c into minio:master Aug 25, 2022
@Alevsk Alevsk deleted the operator-tls-certificate-rotate branch August 25, 2022 01:23