Mount tls secrets using projected volume not subpath

- secrets and configmaps mounted with subpath do not
not get updated in pods when changed, as reported in
issue: kubernetes/kubernetes#50345
- RabbitMQ itself supports TLS credential rotation without restart.
By mounting tls secrets without using subpath, rabbitmq pods
will pick up cert changes and support tls rotation
without server restart.
- certificate rotation tested in system tests

Author: ChunyiLyu

controllers/reconcile_tls_test.go

@@ -3,6 +3,7 @@ package controllers_test
 import (
 	"context"
 	"fmt"
+	"k8s.io/utils/pointer"
 
 	rabbitmqv1beta1 "github.com/rabbitmq/cluster-operator/api/v1beta1"
 
@@ -43,13 +44,31 @@ var _ = Describe("Reconcile TLS", func() {
 
 				sts, err := clientSet.AppsV1().StatefulSets(cluster.Namespace).Get(ctx, cluster.ChildResourceName("server"), metav1.GetOptions{})
 				Expect(err).NotTo(HaveOccurred())
-				volumeMount := corev1.VolumeMount{
+				
+				Expect(sts.Spec.Template.Spec.Volumes).To(ContainElement(corev1.Volume{
+					Name: "rabbitmq-tls",
+					VolumeSource: corev1.VolumeSource{
+						Projected: &corev1.ProjectedVolumeSource{
+							Sources: []corev1.VolumeProjection{
+								{
+									Secret: &corev1.SecretProjection{
+										LocalObjectReference: corev1.LocalObjectReference{
+											Name: "tls-secret",
+										},
+										Optional: pointer.BoolPtr(true),
+									},
+								},
+							},
+							DefaultMode: pointer.Int32Ptr(400),
+						},
+					},
+				}))
+
+				Expect(extractContainer(sts.Spec.Template.Spec.Containers, "rabbitmq").VolumeMounts).To(ContainElement(corev1.VolumeMount{
 					Name:      "rabbitmq-tls",
-					MountPath: "/etc/rabbitmq-tls/ca.crt",
-					SubPath:   "ca.crt",
+					MountPath: "/etc/rabbitmq-tls/",
 					ReadOnly:  true,
-				}
-				Expect(sts.Spec.Template.Spec.Containers[0].VolumeMounts).To(ContainElement(volumeMount))
+				}))
 			})
 
 			It("Does not deploy if the cert name does not match the contents of the secret", func() {

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/streadway/amqp v0.0.0-20200108173154-1c71cc93ed71
 	go.uber.org/multierr v1.2.0 // indirect
 	golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb
+	golang.org/x/tools v0.0.0-20200616195046-dc31b401abb5
 	gopkg.in/ini.v1 v1.62.0
 	k8s.io/api v0.18.6
 	k8s.io/apimachinery v0.18.8

internal/resource/statefulset.go

@@ -421,67 +421,44 @@ func (builder *StatefulSetBuilder) podTemplateSpec(previousPodAnnotations map[st
 
 	tlsSpec := builder.Instance.Spec.TLS
 	if builder.Instance.TLSEnabled() {
-		// add tls volume
-		filePermissions := int32(400)
-		secretEnforced := true
-		tlsSecretName := tlsSpec.SecretName
-		volumes = append(volumes, corev1.Volume{
-			Name: "rabbitmq-tls",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName:  tlsSecretName,
-					DefaultMode: &filePermissions,
-					Optional:    &secretEnforced,
-				},
-			},
-		})
-
-		// add volume mount
 		rabbitmqContainerVolumeMounts = append(rabbitmqContainerVolumeMounts, corev1.VolumeMount{
 			Name:      "rabbitmq-tls",
-			MountPath: "/etc/rabbitmq-tls/tls.crt",
-			SubPath:   "tls.crt",
-			ReadOnly:  true,
-		})
-		rabbitmqContainerVolumeMounts = append(rabbitmqContainerVolumeMounts, corev1.VolumeMount{
-			Name:      "rabbitmq-tls",
-			MountPath: "/etc/rabbitmq-tls/tls.key",
-			SubPath:   "tls.key",
+			MountPath: "/etc/rabbitmq-tls/",
 			ReadOnly:  true,
 		})
 
-		if builder.Instance.MutualTLSEnabled() {
-			if builder.Instance.SingleTLSSecret() {
-				//Mount CaCert in TLS Secret
-				rabbitmqContainerVolumeMounts = append(rabbitmqContainerVolumeMounts, corev1.VolumeMount{
-					Name:      "rabbitmq-tls",
-					MountPath: "/etc/rabbitmq-tls/ca.crt",
-					SubPath:   "ca.crt",
-					ReadOnly:  true,
-				})
-			} else {
-				// add tls volume
-				filePermissions := int32(400)
-				secretEnforced := true
-				volumes = append(volumes, corev1.Volume{
-					Name: "rabbitmq-mutual-tls",
-					VolumeSource: corev1.VolumeSource{
-						Secret: &corev1.SecretVolumeSource{
-							SecretName:  tlsSpec.CaSecretName,
-							DefaultMode: &filePermissions,
-							Optional:    &secretEnforced,
+		secretEnforced := true
+		filePermissions := pointer.Int32Ptr(400)
+		tlsProjectedVolume := corev1.Volume{
+			Name: "rabbitmq-tls",
+			VolumeSource: corev1.VolumeSource{
+				Projected: &corev1.ProjectedVolumeSource{
+					Sources: []corev1.VolumeProjection{
+						{
+							Secret: &corev1.SecretProjection{
+								LocalObjectReference: corev1.LocalObjectReference{
+									Name: tlsSpec.SecretName,
+								},
+								Optional: &secretEnforced,
+							},
 						},
 					},
-				})
-				//Mount new volume to same path as TLS cert and key
-				rabbitmqContainerVolumeMounts = append(rabbitmqContainerVolumeMounts, corev1.VolumeMount{
-					Name:      "rabbitmq-mutual-tls",
-					MountPath: "/etc/rabbitmq-tls/ca.crt",
-					SubPath:   "ca.crt",
-					ReadOnly:  true,
-				})
+					DefaultMode: filePermissions,
+				},
+			},
+		}
+
+		if builder.Instance.MutualTLSEnabled() && !builder.Instance.SingleTLSSecret() {
+			caSecretProjection := corev1.VolumeProjection{
+				Secret: &corev1.SecretProjection{
+					LocalObjectReference: corev1.LocalObjectReference{Name: tlsSpec.CaSecretName},
+					Optional:             &secretEnforced,
+				},
 			}
+			tlsProjectedVolume.VolumeSource.Projected.Sources = append(tlsProjectedVolume.VolumeSource.Projected.Sources, caSecretProjection)
 		}
+
+		volumes = append(volumes, tlsProjectedVolume)
 	}
 
 	return corev1.PodTemplateSpec{

internal/resource/statefulset_test.go

@@ -563,39 +563,38 @@ var _ = Describe("StatefulSet", func() {
 		})
 
 		Context("TLS", func() {
-			It("adds a TLS volume to the pod template spec", func() {
+			It("adds a TLS projected volume to the pod template spec", func() {
 				instance.Spec.TLS.SecretName = "tls-secret"
 				Expect(stsBuilder.Update(statefulSet)).To(Succeed())
 
-				filePermissions := int32(400)
-				secretEnforced := true
 				Expect(statefulSet.Spec.Template.Spec.Volumes).To(ContainElement(corev1.Volume{
 					Name: "rabbitmq-tls",
 					VolumeSource: corev1.VolumeSource{
-						Secret: &corev1.SecretVolumeSource{
-							SecretName:  "tls-secret",
-							DefaultMode: &filePermissions,
-							Optional:    &secretEnforced,
+						Projected: &corev1.ProjectedVolumeSource{
+							Sources: []corev1.VolumeProjection{
+								{
+									Secret: &corev1.SecretProjection{
+										LocalObjectReference: corev1.LocalObjectReference{
+											Name: "tls-secret",
+										},
+										Optional: pointer.BoolPtr(true),
+									},
+								},
+							},
+							DefaultMode: pointer.Int32Ptr(400),
 						},
 					},
 				}))
 			})
 
-			It("adds two TLS volume mounts to the rabbitmq container", func() {
+			It("adds a TLS volume mount to the rabbitmq container", func() {
 				instance.Spec.TLS.SecretName = "tls-secret"
 				Expect(stsBuilder.Update(statefulSet)).To(Succeed())
 
 				rabbitmqContainerSpec := extractContainer(statefulSet.Spec.Template.Spec.Containers, "rabbitmq")
 				Expect(rabbitmqContainerSpec.VolumeMounts).To(ContainElement(corev1.VolumeMount{
 					Name:      "rabbitmq-tls",
-					MountPath: "/etc/rabbitmq-tls/tls.crt",
-					SubPath:   "tls.crt",
-					ReadOnly:  true,
-				}))
-				Expect(rabbitmqContainerSpec.VolumeMounts).To(ContainElement(corev1.VolumeMount{
-					Name:      "rabbitmq-tls",
-					MountPath: "/etc/rabbitmq-tls/tls.key",
-					SubPath:   "tls.key",
+					MountPath: "/etc/rabbitmq-tls/",
 					ReadOnly:  true,
 				}))
 			})
@@ -636,21 +635,7 @@ var _ = Describe("StatefulSet", func() {
 				}))
 			})
 
-			Context("Mutual TLS (same secret)", func() {
-				It("add a TLS CA cert volume mount to the rabbitmq container", func() {
-					instance.Spec.TLS.SecretName = "tls-secret"
-					instance.Spec.TLS.CaSecretName = "tls-secret"
-					Expect(stsBuilder.Update(statefulSet)).To(Succeed())
-
-					rabbitmqContainerSpec := extractContainer(statefulSet.Spec.Template.Spec.Containers, "rabbitmq")
-					Expect(rabbitmqContainerSpec.VolumeMounts).To(ContainElement(corev1.VolumeMount{
-						Name:      "rabbitmq-tls",
-						MountPath: "/etc/rabbitmq-tls/ca.crt",
-						SubPath:   "ca.crt",
-						ReadOnly:  true,
-					}))
-				})
-
+			When("Mutual TLS (same secret) is enabled", func() {
 				It("opens tls ports when rabbitmq_web_mqtt and rabbitmq_web_stomp are configured", func() {
 					instance.Spec.TLS.SecretName = "tls-secret"
 					instance.Spec.TLS.CaSecretName = "tls-secret"
@@ -672,35 +657,35 @@ var _ = Describe("StatefulSet", func() {
 				})
 			})
 
-			Context("Mutual TLS (different secret)", func() {
-				It("add a TLS CA cert volume mount to the rabbitmq container", func() {
-					instance.Spec.TLS.SecretName = "tls-secret"
-					instance.Spec.TLS.CaSecretName = "mutual-tls-secret"
-					Expect(stsBuilder.Update(statefulSet)).To(Succeed())
-
-					rabbitmqContainerSpec := extractContainer(statefulSet.Spec.Template.Spec.Containers, "rabbitmq")
-					Expect(rabbitmqContainerSpec.VolumeMounts).To(ContainElement(corev1.VolumeMount{
-						Name:      "rabbitmq-mutual-tls",
-						MountPath: "/etc/rabbitmq-tls/ca.crt",
-						SubPath:   "ca.crt",
-						ReadOnly:  true,
-					}))
-				})
-
-				It("adds a mutual TLS volume to the pod template spec", func() {
+			When("Mutual TLS (different secret) is enabled", func() {
+				It("adds the CA cert secret to tls project volume", func() {
 					instance.Spec.TLS.SecretName = "tls-secret"
 					instance.Spec.TLS.CaSecretName = "mutual-tls-secret"
 					Expect(stsBuilder.Update(statefulSet)).To(Succeed())
 
-					filePermissions := int32(400)
-					secretEnforced := true
 					Expect(statefulSet.Spec.Template.Spec.Volumes).To(ContainElement(corev1.Volume{
-						Name: "rabbitmq-mutual-tls",
+						Name: "rabbitmq-tls",
 						VolumeSource: corev1.VolumeSource{
-							Secret: &corev1.SecretVolumeSource{
-								SecretName:  "mutual-tls-secret",
-								DefaultMode: &filePermissions,
-								Optional:    &secretEnforced,
+							Projected: &corev1.ProjectedVolumeSource{
+								Sources: []corev1.VolumeProjection{
+									{
+										Secret: &corev1.SecretProjection{
+											LocalObjectReference: corev1.LocalObjectReference{
+												Name: "tls-secret",
+											},
+											Optional: pointer.BoolPtr(true),
+										},
+									},
+									{
+										Secret: &corev1.SecretProjection{
+											LocalObjectReference: corev1.LocalObjectReference{
+												Name: "mutual-tls-secret",
+											},
+											Optional: pointer.BoolPtr(true),
+										},
+									},
+								},
+								DefaultMode: pointer.Int32Ptr(400),
 							},
 						},
 					}))