feat: migrate CA secret to new namespace (#476)

* feat: migrate CA secret to new namespace

* fix: add helm hook annotations to prevent race condition

* fix: separated secret migration RBAC

* fix: added shebang to fix shellcheck complaint

* Update deploy/helm/secret-operator/templates/secret_migration_job.yaml

Co-authored-by: Natalie Klestrup Röijezon <teo@nullable.se>

* Update deploy/helm/secret-operator/templates/secret_migration_job.yaml

Co-authored-by: Natalie Klestrup Röijezon <teo@nullable.se>

* Update deploy/helm/secret-operator/templates/secret_migration_job.yaml

Co-authored-by: Natalie Klestrup Röijezon <teo@nullable.se>

* Update deploy/helm/secret-operator/templates/secret_migration_job.yaml

Co-authored-by: Natalie Klestrup Röijezon <teo@nullable.se>

* Update deploy/helm/secret-operator/templates/secret_migration_job.yaml

Co-authored-by: Natalie Klestrup Röijezon <teo@nullable.se>

* fix: copy paste error

* fix: merged migration resoures into one file

* fix: unmerged resources / added hook weights instead to guarantee order

---------

Co-authored-by: Natalie Klestrup Röijezon <teo@nullable.se>

Author: dervoeti

deploy/helm/secret-operator/templates/secret_migration_job.yaml

@@ -0,0 +1,55 @@
+---
+# Migrates the TLS CA keypair from the hard-coded default namespace to the operator namespace
+# See https://github.com/stackabletech/secret-operator/issues/453
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "operator.fullname" . }}-secret-migration
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "-5"
+  labels:
+    {{- include "operator.labels" . | nindent 4 }}
+spec:
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "operator.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: migrate-secret
+        image: "{{ .Values.secretMigrationJob.image.repository }}:1.0.0-stackable{{ .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.secretMigrationJob.image.pullPolicy }}
+        resources:
+            {{ .Values.secretMigrationJob.resources | toYaml | nindent 12 }}
+        command: ["bash", "-c"]
+        args:
+        - |
+          #!/bin/bash
+          set -euo pipefail
+          SOURCE_NAMESPACE=default
+          TARGET_NAMESPACE={{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}
+
+          # only continue if secret exists
+          if source_ca_secret="$(kubectl get secret -n $SOURCE_NAMESPACE secret-provisioner-tls-ca -o json)"; then
+            echo "secret exists in namespace $SOURCE_NAMESPACE"
+            # only continue if secret in target namespace does NOT exist
+            if ! kubectl get secret -n $TARGET_NAMESPACE secret-provisioner-tls-ca; then
+              echo "secret does not exist in namespace $TARGET_NAMESPACE"
+              # copy secret from default to {{ .Values.secretClasses.tls.caSecretNamespace | default .Release.Namespace }}
+              echo "$source_ca_secret" | jq 'del(.metadata["namespace","creationTimestamp","resourceVersion","selfLink","uid"])' | kubectl apply -n $TARGET_NAMESPACE -f -
+            fi
+          fi
+      restartPolicy: Never

deploy/helm/secret-operator/templates/secret_migration_rbac.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
+  labels:
+    {{- include "operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  {{- with .Values.serviceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "operator.fullname" . }}-secret-migration-clusterrolebinding
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+    {{- include "operator.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "operator.fullname" . }}-secret-migration-serviceaccount
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "operator.fullname" . }}-secret-migration-clusterrole
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "operator.fullname" . }}-secret-migration-clusterrole
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-delete-policy": hook-succeeded
+    "helm.sh/hook-weight": "-10"
+  labels:
+  {{- include "operator.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - patch
+      - update

deploy/helm/secret-operator/values.yaml

@@ -5,6 +5,18 @@ image:
   pullPolicy: IfNotPresent
   pullSecrets: []
 
+secretMigrationJob:
+  image:
+    repository: docker.stackable.tech/stackable/tools
+    pullPolicy: IfNotPresent
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 100m
+      memory: 128Mi
+
 csiProvisioner:
   image:
     repository: docker.stackable.tech/k8s/sig-storage/csi-provisioner