Proposal: Investigate the possibility of using an Operator for generating shared secrets
`shared-secrets` is a cornerstone and an established part of the GitLab Helm Chart. However, the operation itself is not very transparent and looks complicated. A recent issue highlighted the fragility of this important piece, where all Secrets are accumulated into one component.
The proposal here is to replace the Jobs that generate Secrets with an Operator that takes over this logic and handles both the initial generation and, later, Secret rotation.
This Operator, which we can call GitLab Secrets Operator for now, opens up an opportunity to shift the GitLab Chart toward the Operator pattern and leverage this new approach. It also fits very well with GitLab Operator. Ultimately we can imagine a GitLab instance that is managed by multiple Operators, each of which handles a specific aspect of the instance.
Proposal
GitLab Secrets Operator is a namespace-scoped Operator that watches Secrets. It uses the Secret type and annotations to find its operating parameters and to track their status. It can generate common Secret types including `Opaque`, `kubernetes.io/ssh-auth`, and `kubernetes.io/tls`.
With this Operator, Secrets can be defined in the Chart with a mix of static values and placeholders. Once they are created, the Operator generates the actual values according to the specified parameters and updates the Secrets in place.
Here is an example of a Secret as it looks after the Operator has generated it once and rotated it once. The `status`, `generated-at`, `regenerated-at` and `regenerated-times` annotations are shown for illustration; they are written by the Operator and must not appear in the Chart template (the generated `password` value is not shown). Note that Kubernetes annotation values must be strings, so `true`, `32` and `1` are quoted; unquoted, the API server rejects the object.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: test
  namespace: demo
  annotations:
    generator.secrets.gitlab.com/touch: "true"
    generator.secrets.gitlab.com/keys: password
    generator.secrets.gitlab.com/age: 30d
    generator.secrets.gitlab.com/length: "32"
    generator.secrets.gitlab.com/format: alphanumeric
    generator.secrets.gitlab.com/status: regenerated
    generator.secrets.gitlab.com/generated-at: "2022-01-01T14:07:47+02:00"
    generator.secrets.gitlab.com/regenerated-at: "2022-01-31T14:07:47+02:00"
    generator.secrets.gitlab.com/regenerated-times: "1"
type: Opaque
data:
  username: YWRtaW4=
```
In this example:

- `generator.secrets.gitlab.com/touch` indicates whether the Operator is allowed to change this Secret when needed, i.e. when the Secret payload has not been generated yet or has expired.
- `generator.secrets.gitlab.com/keys` indicates which keys must be generated. It can be a comma-separated list of multiple keys. The Secret can contain any other static keys, which are not generated; in this example `username`.
- `generator.secrets.gitlab.com/age` indicates for how long the generated values are valid. This can be used for Secret rotation. By default the values do not expire.
- `generator.secrets.gitlab.com/format` and `generator.secrets.gitlab.com/length` are secret generator parameters whose meaning depends on the Secret type. For `kubernetes.io/ssh-auth` and `kubernetes.io/tls` they select the key generation algorithm and its parameters.
- `generator.secrets.gitlab.com/status` is the status of the Secret and is updated by the Operator. You should not add it to the Secret template. When it is missing, the Secret has not been generated yet. It can be one of `generated`, `regenerated`, or `failed`.
- `generator.secrets.gitlab.com/generated-at` is the timestamp of the first time the Secret was generated and is written by the Operator. You should not add it to the Secret template. Together with `age` it determines the Secret expiry until the first regeneration.
- `generator.secrets.gitlab.com/regenerated-at` is the timestamp of the last time the Secret was regenerated and is written by the Operator. You should not add it to the Secret template. Together with `age` it determines the expiry of the current values.
- `generator.secrets.gitlab.com/regenerated-times` is a counter, maintained by the Operator, that shows how many times the Operator has regenerated the Secret.
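The annotation contract above is easiest to pin down as code. The following Go program is an added example written for this page; it is not code from the proposal or from GitLab Operator. It models the reconcile decision for an `Opaque` Secret on a plain `Secret` struct instead of the client-go type, and it makes a few assumptions the proposal leaves open: `touch` must be exactly `"true"`, `length` defaults to 32 when absent, `age` accepts Go durations plus an `<n>d` day form, expiry is measured from `regenerated-at` when present and otherwise from `generated-at`, an unparsable timestamp counts as expired, and any unsupported type, format or parameter is recorded as `status: failed` rather than silently ignored. Only `alphanumeric` generation is implemented; `kubernetes.io/ssh-auth` and `kubernetes.io/tls` are left out. The names `Reconcile`, `parseAge`, `prefix` and `alphanumeric` are this example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

const prefix = "generator.secrets.gitlab.com/" // annotation prefix from the proposal
const alphanumeric = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// Secret stands in for corev1.Secret (assumption: a real Operator uses the client-go type).
type Secret struct {
	Type        string
	Annotations map[string]string
	Data        map[string][]byte
}

// parseAge accepts Go durations plus "<n>d" for days (time.ParseDuration has no day unit).
func parseAge(s string) (time.Duration, error) {
	if s == "" {
		return 0, nil // no age: the values never expire
	}
	if n, err := strconv.Atoi(strings.TrimSuffix(s, "d")); err == nil && n > 0 && strings.HasSuffix(s, "d") {
		return time.Duration(n) * 24 * time.Hour, nil
	}
	if d, err := time.ParseDuration(s); err == nil && d > 0 {
		return d, nil
	}
	return 0, fmt.Errorf("invalid age %q", s)
}

// Reconcile applies the annotation contract to one Opaque Secret at time now and reports
// whether the Secret was modified and must be written back. Bad parameters are recorded
// as status "failed" and returned as an error instead of being silently ignored.
func Reconcile(s *Secret, now time.Time) (bool, error) {
	ann := s.Annotations
	if ann[prefix+"touch"] != "true" {
		return false, nil // the Operator is not allowed to change this Secret
	}
	fail := func(err error) (bool, error) { ann[prefix+"status"] = "failed"; return true, err }
	if f := ann[prefix+"format"]; s.Type != "Opaque" || (f != "" && f != "alphanumeric") {
		return fail(fmt.Errorf("unsupported type %q or format %q", s.Type, f))
	}
	age, err := parseAge(ann[prefix+"age"])
	if err != nil {
		return fail(err)
	}
	length := 32 // assumption: default when the length annotation is absent
	if v := ann[prefix+"length"]; v != "" {
		if length, err = strconv.Atoi(v); err != nil || length <= 0 {
			return fail(fmt.Errorf("invalid length %q", v))
		}
	}
	rotate := false // expiry is measured from regenerated-at if present, otherwise generated-at
	for _, k := range []string{prefix + "regenerated-at", prefix + "generated-at"} {
		if v, ok := ann[k]; ok && age > 0 {
			t, perr := time.Parse(time.RFC3339, v) // unparsable counts as expired (assumption)
			rotate = perr != nil || !now.Before(t.Add(age))
			break
		}
	}
	// On expiry every listed key is rotated; otherwise only missing payloads are generated.
	// Static keys such as username are never touched.
	var todo []string
	for _, k := range strings.Split(ann[prefix+"keys"], ",") {
		if k = strings.TrimSpace(k); k != "" && (rotate || len(s.Data[k]) == 0) {
			todo = append(todo, k)
		}
	}
	if len(todo) == 0 {
		return false, nil // payload present and not expired
	} else if s.Data == nil {
		s.Data = map[string][]byte{} // template declared no data at all
	}
	for _, k := range todo {
		buf := make([]byte, length)
		for i := range buf { // crypto/rand, uniform over the alphabet (no modulo bias)
			idx, rerr := rand.Int(rand.Reader, big.NewInt(int64(len(alphanumeric))))
			if rerr != nil {
				return fail(rerr)
			}
			buf[i] = alphanumeric[idx.Int64()]
		}
		s.Data[k] = buf
	}
	ts := now.Format(time.RFC3339)
	if _, ok := ann[prefix+"generated-at"]; !ok {
		ann[prefix+"status"], ann[prefix+"generated-at"] = "generated", ts
		return true, nil
	}
	n, _ := strconv.Atoi(ann[prefix+"regenerated-times"]) // absent counts as 0
	ann[prefix+"status"], ann[prefix+"regenerated-at"] = "regenerated", ts
	ann[prefix+"regenerated-times"] = strconv.Itoa(n + 1)
	return true, nil
}
```

`Reconcile` is the piece that would sit inside a controller-runtime reconciler; the watch setup and the write-back of the modified Secret are what the framework supplies. The parts worth reviewing are all here: when the Operator may write at all (`touch`), which keys it may touch (`keys`), and that static keys and unexpired payloads are never overwritten.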
Caveat

In the GitLab Helm Chart we mount the Secrets into the Pods and read them from the mount points. The instance will not operate properly unless the Secrets are available and ready to use. Part of this can be addressed by turning these Secrets into `pre-install` and `pre-upgrade` hooks, so that they exist before the rest of the release is installed. But the way Helm works, a hook can only wait on Jobs and Pods for completion; it cannot wait for an annotation to appear on a Secret. Therefore we still need a hook Job that polls the Secrets until they are annotated with `generator.secrets.gitlab.com/status`, and that fails the release if the value is `failed`.
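One shape such a hook Job could take, as an added example that is not part of the GitLab Chart. It assumes the Secret templates are themselves `pre-install`/`pre-upgrade` hook resources with a lower `helm.sh/hook-weight` (so they exist before this Job runs), that the Operator is already running in the namespace, and that an image providing `kubectl` is available. The Secret name `test` and namespace `demo` are taken from the example above and stand in for the Chart's real Secret names and `.Release.Namespace`; the resource name `wait-for-generated-secrets` is this example's own. RBAC is deliberately read-only: the Job only needs `get` on Secrets.

```yaml
# Added example (not from the GitLab Chart): a Helm hook Job that blocks the release until
# every listed Secret carries a terminal generator status. Assumptions: the Secret templates
# are hook resources with a lower weight (e.g. -10) so they exist before this Job, the
# Operator is running in the namespace, and an image providing kubectl is available.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: wait-for-generated-secrets
  namespace: demo
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: wait-for-generated-secrets
  namespace: demo
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]   # read-only: the Job never writes Secrets
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wait-for-generated-secrets
  namespace: demo
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
subjects:
  - kind: ServiceAccount
    name: wait-for-generated-secrets
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: wait-for-generated-secrets
---
apiVersion: batch/v1
kind: Job
metadata:
  name: wait-for-generated-secrets
  namespace: demo
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "0"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 0
  activeDeadlineSeconds: 600   # fail the release instead of hanging forever
  template:
    spec:
      serviceAccountName: wait-for-generated-secrets
      restartPolicy: Never
      containers:
        - name: wait
          image: bitnami/kubectl:1.25   # assumption: any image with kubectl will do
          env:
            - name: SECRETS
              value: "test"   # the Secret from the example above; list the Chart's real names here
          command: ["/bin/sh", "-ec"]
          args:
            - |
              path='{.metadata.annotations.generator\.secrets\.gitlab\.com/status}'
              for name in $SECRETS; do
                while :; do
                  status=$(kubectl get secret "$name" -o jsonpath="$path" 2>/dev/null || true)
                  case "$status" in
                    generated|regenerated) echo "$name: $status"; break ;;
                    failed) echo "$name: generation failed" >&2; exit 1 ;;
                    *) echo "$name: not ready yet"; sleep 5 ;;
                  esac
                done
              done
```

The `activeDeadlineSeconds` bound matters: without it an Operator that never runs, or a Secret whose `touch` annotation was left unset, would stall `helm install` indefinitely with no error pointing at the cause. A `failed` status exits immediately so the release aborts with the Secret name in the Job log.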