Rotate AutoTLS CAs #350
Merged
merged 21 commits into from
Jan 29, 2024
5 changes: 4 additions & 1 deletion CHANGELOG.md
@@ -10,10 +10,13 @@ All notable changes to this project will be documented in this file.

## Changed

- Use new annotation builder ([#341])
- Use new annotation builder ([#341]).
- `autoTLS` certificate authorities will now be rotated regularly ([#350]).
- [BREAKING] This changes the format of the CA secrets. Old secrets will be migrated automatically, but manual intervention will be required to downgrade back to 23.11.x.

[#333]: https://github.com/stackabletech/secret-operator/pull/333
[#341]: https://github.com/stackabletech/secret-operator/pull/341
[#350]: https://github.com/stackabletech/secret-operator/pull/350

## [23.11.0] - 2023-11-24

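Review bot: the [BREAKING] entry under the `autoTLS` item says old CA secrets are migrated automatically and that downgrading to 23.11.x needs manual intervention, but it does not say what that intervention is or where the new secret format is described; anyone planning a rollback needs that before upgrading. Suggest linking the documentation for the new CA secret layout and the downgrade steps, or at least naming which keys change, so the note is actionable rather than only a warning.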
2 changes: 1 addition & 1 deletion deploy/helm/secret-operator/crds/crds.yaml
@@ -45,7 +45,7 @@ spec:
properties:
autoGenerate:
default: false
description: Whether a new certificate authority should be generated if it does not already exist.
description: Whether the certificate authority should be managed by Secret Operator, including being generated if it does not already exist.
type: boolean
secret:
description: Reference (name and namespace) to a Kubernetes Secret object where the CA certificate and key is stored in the keys `ca.crt` and `ca.key` respectively.
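Review bot: the new `autoGenerate` description says management includes generation but is silent on rotation, while the CHANGELOG and secretclass.adoc hunks in this PR describe regular CA rotation as part of that management; a user reading only the CRD will not learn that the CA will change under them. Suggest `description: Whether the certificate authority should be managed by Secret Operator, including being generated if it does not already exist and rotated before it expires.` The `secret` description directly below still states the CA lives in `ca.crt` and `ca.key`, which the CHANGELOG marks as a changed (breaking) format; confirm it is still accurate or update it in the same change.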
1 change: 1 addition & 0 deletions deploy/helm/secret-operator/templates/roles.yaml
@@ -15,6 +15,7 @@ rules:
- watch
- create
- patch
- update
- apiGroups:
- ""
resources:
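Review bot: adding `update` widens the operator's write access on whatever resource this rule covers (the `resources:` list sits above the visible context), and the rule already carried `create` and `patch`; the PR should state why a full object replace is needed for CA rotation (for example if the rotated CA secret is rewritten as a whole object rather than patched) so the extra verb is justified, and confirm the rule is scoped to the CA secrets rather than all Secrets in the cluster. If `patch` is sufficient for the migration and rotation writes, the rule should stay as it was.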
13 changes: 11 additions & 2 deletions docs/modules/secret-operator/pages/secretclass.adoc
@@ -56,7 +56,16 @@ We have spent a considerate amount of time thinking about this issue and decided
Most of our product operators will not set any specific certificate lifetime, so the default applies.
In case an operator sets a higher lifetime, a tracking issue must be created to document and track the steps to reduce the certificate lifetime.

Users can use podOverrides to extend the certificate lifetime by adding volume annotations. We might add native support to customize certificate lifetimes in the future by using the product CRDs.
Users can use podOverrides to extend the certificate lifetime by adding volume annotations. We might add native support for customizing certificate lifetimes in the future to the Stacklet CRDs.

==== Certificate Authority rotation

Certificate authorities also have a limited lifetime, and need to be rotated before they expire to avoid cluster disruption.

If configured to provision its own CA (`autoTls.ca.autoGenerate`), the Secret Operator will create CA certificates that are valid for 2 years,
and initiate rotation when there is less than 1 year remaining. If configured _not_ to provision its own CA, a warning will be issued when there is less than 1 year remaining.

To avoid disruption and let the new CA propagate through the cluster, the Secret Operator will prefer using the oldest CA that will last for the entire lifetime of the issued certificate.

==== Reference

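Review bot: the rotation section says a warning is issued when an externally provided CA has less than 1 year remaining, but not where that warning surfaces (operator log, a Kubernetes event on the SecretClass, or both), and that is exactly what an administrator needs in order to alert on it so an unmanaged CA does not expire unnoticed; please name the channel. It would also help to say explicitly how the new CA "propagates" (whether both CAs are kept in the CA secret during the overlap so consumers trust the new one before it issues), since that is the reason the oldest sufficient CA is preferred, and to state whether the 2-year validity and 1-year rotation threshold are fixed or configurable.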
@@ -77,7 +86,7 @@ spec:
`autoTls.ca`:: Configures the certificate authority used to issue `Pod` certificates.
`autoTls.ca.secret`:: Reference (`name` and `namespace`) to a K8s `Secret` object where the CA certificate and key is stored in the keys `ca.crt`
and `ca.key` respectively.
`autoTls.ca.autoGenerate`:: Whether the certificate authority should be provisioned if it can not be found.
`autoTls.ca.autoGenerate`:: Whether the certificate authority should be provisioned and managed by the Secret Operator.
`autoTls.maxCertificateLifetime`:: Maximum lifetime the created certificates are allowed to have. In case consumers request a longer lifetime than allowed by this setting, the lifetime will be the minimum of both.

[#backend-kerberoskeytab]
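Review bot: `autoTls.ca.secret` still documents the CA as stored in the keys `ca.crt` and `ca.key`, while the CHANGELOG in this PR states the CA secret format has changed and old secrets are migrated; update this reference entry to describe the new layout, or note that the `ca.crt`/`ca.key` form is the legacy input that gets migrated on first reconcile. For `autoTls.ca.autoGenerate`, state the default (`false`, per the CRD hunk) and that "managed" includes the rotation described in the section above, so the reference and the CRD description say the same thing.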