Abstract client certificate handling

[katheris]

Type of change

Select the type of your PR

• Refactoring

Description

Addresses: #5630

• Creates PemTrustSet, PemAuthIdentity, and ClusterOperatorPKSC12AuthIdentity to encapsulate the certificates used during mutual TLS authentication.
• Updates KafkaReconciler and ZooKeeperReconciler to fetch clientSecrets once. Since the secret is updated as part of the CaReconciler there is no need to fetch it each time we do different parts of the reconcile loop.

Checklist

Please go through this checklist and make sure all applicable tasks have been done

• Write tests
• Make sure all tests pass
• Update documentation
• Check RBAC rights for Kubernetes / OpenShift roles
• Try your changes from Pod inside your Kubernetes and OpenShift cluster, not just locally
• Reference relevant issue(s) and close them after merging
• Update CHANGELOG.md
• Supply screenshots for visual changes, such as Grafana dashboards

[tombentley]

It feels like this code for getting a SecretKey and X509Certificate[] from a PemKeyStoreSupplier is likely to be needed in other places. Likewise going straight to a KeyStore. So if those are not methods on PemKeyStoreSupplier then they should probably belong in Util.

[katheris]

I agree but given the size of the changes already we should do this in a followup PR, since it's done in a few places in subtly different ways

[tombentley]

We should document what we're expecting here:

• Should it contain the root CA certificate (I assume just intermediate CA certificates?),
• What order are we expecting intermediates to be in?
• Does this class validate that the chain is, in fact, a chain (i.e. that the issuer of one is the subject of the next)?

[katheris]

I've removed the step to explicitly validate the certificates as it was proving very tricky to integrate with the existing tests. So it now only creates the Certificate object when needed

[katheris]

@strimzi/maintainers this is ready for review if any of you have time to take a look

[tombentley]

Thanks @katheris, I found a couple of nits, but I think this is a welcome refactoring.

[tombentley]

It seems a bit weird that this is not a sibling of PemAuthIdentity. I think they're in the same package, except this one itsn't in the operator-common module, which makes some sense, but I think I'd rather see them together, even though this happens to only see use in the cluster-operator.

[katheris]

This is currently only used by the ZooKeeper reconcile loop, all other components are using PEM, which is also what I think we want moving forwards. So I chose to put it in cluster-operator to limit it's scope, since the norm should be to use the PEM version. Then hopefully it could be removed when ZooKeeper is no longer required. Happy to move it if others also think it is weird to place it here but that was my thought process behind it.

[scholzj]

I think ZooKeeper can use PEM files now. I had it working here: https://github.com/strimzi/strimzi-kafka-operator/compare/main...scholzj:strimzi-kafka-operator:use-pem-files?expand=1#diff-e5e5e71484b286fed9dc8f2d7cf2003356fb2f441d60521cb2da028026bb0a43

Should we first move the ZooKeeper clients to PEM and get rid of this? I can have a look into it @katheris if you want. Or you can do it your self if you want either as a separate PR or as part of this PR.

[katheris]

Thanks @scholzj that's useful to know. There's a follow up PR I want to do to align the way we create truststores and keystores as we do it a few different ways in different places, shall I include it in that change? Since the migration code was added there are now a few places we construct a ZK client and the code is duplicated currently I believe. I didn't add the change to this PR since the set of changes was already quite big

[scholzj]

Would it make sense to do that first to have this PR cleaner?

[katheris]

It would make this PR cleaner, but I'm hesitant do it first because this PR touches quite a few commonly changed classes so I've had to rebase it multiple times already, so it would be good to get it in sooner than later. Plus the changes in this PR will make the truststore/keystore refactor simpler to do and review, since in this PR I made some small changes to close the gap a little. For example in KafkaAgentClient using the X509Certificate class directly, rather than the Certificate class.

[scholzj]

Ok, lets do it later.

[ppatierno]

I was also wondering why it's not called just PKCS12AuthIdentity. Isn't it the PKCS12 counterpart of the PemAuthIdentity? Isn't it good for better abstraction removing that ClusterOperator prefix from the class name? I see this class hosts SECRET_KEY which is specific to the cluster operator but maybe it should be something in a corresponding derived class? So I mean a PKCS12 auth identity class specific for cluster operator (even if we don't have any more in the end). I see something similar in the PemAuthIdentity which makes that abstraction by getting a secretCertName parameter to know which key to access in the hosted Secret, or?

[tombentley]

If passed malformed input (containing multiple keys) then this method would remove all the BEGIN and END lines, possibly yielding a single lump of base64 which we then silently decode. It wouldn't ultimately be usable as a private key. But I wonder if we should try to catch this possible error by checking more carefully that the private key does have the structure we're expecting.

[katheris]

I agree that we could have better validation here. However I think we should include it in a follow up PR where we better align the creation of keystores and truststores across the project, since I don't think this should stay in Util ultimately.

[scholzj]

Is this really an efficient and readable way to handle this? I would find using if constructs much easier to read and understand what exactly does this actually do.

[katheris]

It's probably a bit over the top, given that I'm assuming if the secret is not null then we can assume the name, namespace and data should also not be null, so can probably change to something like:

        if (secret == null) {
            throw new RuntimeException("Cannot fetch data from null secret");
        }
        String data = secret.getData().get(field);
        if (data != null) {
            return Base64.getDecoder().decode(data);
        } else {
            throw Util.missingDataInSecretException(secret.getMetadata().getNamespace(), secret.getMetadata().getName(), field);
        }

[katheris]

I've updated this to be simpler and make use of Objects.requireNonNull

[scholzj]

These methods seem strange. They do not seem to contain any real logic and seem to be used from a few places only - the places where they are used also do not seem to use the central facilities for whatever reason. Would it be better to just inline this or create a new exception types and use this in their constructors?

[katheris]

I wrote these methods here based on the method missingSecretException that was already in this class. I can create a new exception type if that is the preferred way to handle these kinds of exceptions.

[katheris]

I've moved these inline

[scholzj]

Maybe you can name these based on what they are? E.g. clusterCaTrustSet and coAuthIdentity? I think that can be in general applied to all the parameters and fields -> they should not just copy the type name but they should explain the expected value. E.g. in the BrokersInUseCheck above, you have some clear expectation that should be passed in. And I assume it will be the same in many places below.

[katheris]

Good point, I'll review the variable names across the board.

[katheris]

I've updated the variable names. I've used coAuthIdentity as you suggested and then clusterCaTrustSet if the variable is used for both ZooKeeper and Kafka clients, and kafkaCaTrustSet and zkCaTrustSet for the Kafka and ZooKeeper clients respectively, since it is the trustset for the certificate authority that issued and signed the Kafka/ZooKeeper end entity certificate

[scholzj]

Why is this needed?

[katheris]

We use it for the exceptions if we fail to parse the data somehow later. It's because we lazily parse the data rather than doing it in the constructor, since I was struggling to get the tests to work if we validate upfront.

[scholzj]

/azp run regression

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[katheris]

@scholzj Thanks for the review, I think I've responded to or addressed all of your comments

[ppatierno]

Nice work @katheris . I left a couple of comments.

[ppatierno]

I was also wondering why it's not called just PKCS12AuthIdentity. Isn't it the PKCS12 counterpart of the PemAuthIdentity? Isn't it good for better abstraction removing that ClusterOperator prefix from the class name? I see this class hosts SECRET_KEY which is specific to the cluster operator but maybe it should be something in a corresponding derived class? So I mean a PKCS12 auth identity class specific for cluster operator (even if we don't have any more in the end). I see something similar in the PemAuthIdentity which makes that abstraction by getting a secretCertName parameter to know which key to access in the hosted Secret, or?

[katheris]

@ppatierno @scholzj I believe I've addressed all your comments so feel free to review again

[ppatierno]

/azp run migration

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[ppatierno]

Thanks for the PR. LGTM! I started the migration pipeline because of the changes to the migration utils, just to be sure everything still works.

[katheris]

@scholzj Thanks for the review, I've addressed your comments

[scholzj]

/azp run regression

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[scholzj]

/azp run upgrade

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[scholzj]

/azp run migration

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[scholzj]

/azp run kraft-regression

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).