Storage Encryption (#445)

* Generate random string (instead of base64 encoded random data)

* Switch to crypto/rand

* Make random storage encryption secret configurable

* Add finalizer to prevent manual deletion

* qualify finalizer name

Author: eberlep

controllers/postgres_controller.go

@@ -9,9 +9,11 @@ package controllers
 import (
 	"bytes"
 	"context"
+	"crypto/rand"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"math/big"
 	"net"
 	"net/http"
 	"net/url"
@@ -49,6 +51,8 @@ const (
 	postgresExporterServicePortName                string = "metrics"
 	postgresExporterServiceTenantAnnotationName    string = pg.TenantLabelName
 	postgresExporterServiceProjectIDAnnotationName string = pg.ProjectIDLabelName
+	storageEncryptionKeyName                       string = "storage-encryption-key"
+	storageEncryptionKeyFinalizerName              string = "postgres.database.fits.cloud/secret-finalizer"
 )
 
 // requeue defines in how many seconds a requeue should happen
@@ -65,16 +69,17 @@ type PostgresReconciler struct {
 	PartitionID, Tenant, StorageClass string
 	*operatormanager.OperatorManager
 	*lbmanager.LBManager
-	recorder                    record.EventRecorder
-	PgParamBlockList            map[string]bool
-	StandbyClustersSourceRanges []string
-	PostgresletNamespace        string
-	SidecarsConfigMapName       string
-	EnableNetPol                bool
-	EtcdHost                    string
-	PatroniTTL                  uint32
-	PatroniLoopWait             uint32
-	PatroniRetryTimeout         uint32
+	recorder                            record.EventRecorder
+	PgParamBlockList                    map[string]bool
+	StandbyClustersSourceRanges         []string
+	PostgresletNamespace                string
+	SidecarsConfigMapName               string
+	EnableNetPol                        bool
+	EtcdHost                            string
+	PatroniTTL                          uint32
+	PatroniLoopWait                     uint32
+	PatroniRetryTimeout                 uint32
+	EnableRandomStorageEncryptionSecret bool
 }
 
 // Reconcile is the entry point for postgres reconciliation.
@@ -165,6 +170,11 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		}
 		log.Info("corresponding passwords secret deleted")
 
+		if err := r.deleteStorageEncryptionSecret(ctx, instance); err != nil {
+			return ctrl.Result{}, fmt.Errorf("error while deleting storage encryption secret: %w", err)
+		}
+		log.Info("storage encryption secret removed")
+
 		instance.RemoveFinalizer(pg.PostgresFinalizerName)
 		if err := r.CtrlClient.Update(ctx, instance); err != nil {
 			r.recorder.Eventf(instance, "Warning", "Self-Reconcilation", "failed to remove finalizer: %v", err)
@@ -251,6 +261,12 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		return ctrl.Result{}, fmt.Errorf("error while creating sidecars servicemonitor %v: %w", namespace, err)
 	}
 
+	// Make sure the storage secret exist, if neccessary
+	if err := r.ensureStorageEncryptionSecret(ctx, instance); err != nil {
+		r.recorder.Eventf(instance, "Warning", "Error", "failed to create storage secret: %v", err)
+		return ctrl.Result{}, fmt.Errorf("error while creating storage secret: %w", err)
+	}
+
 	if err := r.createOrUpdateZalandoPostgresql(ctx, instance, log, globalSidecarsCM, r.PatroniTTL, r.PatroniLoopWait, r.PatroniRetryTimeout); err != nil {
 		r.recorder.Eventf(instance, "Warning", "Error", "failed to create Zalando resource: %v", err)
 		return ctrl.Result{}, fmt.Errorf("failed to create or update zalando postgresql: %w", err)
@@ -1189,3 +1205,104 @@ func (r *PostgresReconciler) deleteExporterSidecarService(ctx context.Context, n
 
 	return nil
 }
+
+func (r *PostgresReconciler) ensureStorageEncryptionSecret(ctx context.Context, instance *pg.Postgres) error {
+
+	if !r.EnableRandomStorageEncryptionSecret {
+		r.Log.Info("storage secret disabled, no action needed")
+		return nil
+	}
+
+	// Check if secrets exist local in SERVICE Cluster
+	n := storageEncryptionKeyName
+	ns := instance.ToPeripheralResourceNamespace()
+	s := &corev1.Secret{}
+	r.Log.Info("checking for storage secret", "namespace", ns, "name", n)
+	err := r.SvcClient.Get(ctx, types.NamespacedName{Namespace: ns, Name: n}, s)
+	if err == nil {
+		r.Log.Info("storage secret found, no action needed")
+		return nil
+	}
+
+	// we got an error other than not found, so we cannot continue!
+	if !apierrors.IsNotFound(err) {
+		return fmt.Errorf("error while fetching storage secret from service cluster: %w", err)
+	}
+
+	r.Log.Info("creating storage secret")
+
+	k, err := r.generateRandomString()
+	if err != nil {
+		return fmt.Errorf("error while generating random storage secret: %w", err)
+	}
+
+	postgresSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       n,
+			Namespace:  ns,
+			Finalizers: []string{storageEncryptionKeyFinalizerName},
+		},
+		StringData: map[string]string{
+			"host-encryption-passphrase": k,
+		},
+	}
+
+	if err := r.SvcClient.Create(ctx, postgresSecret); err != nil {
+		return fmt.Errorf("error while creating storage secret in service cluster: %w", err)
+	}
+	r.Log.Info("created storage secret", "secret", postgresSecret)
+
+	return nil
+
+}
+
+func (r *PostgresReconciler) generateRandomString() (string, error) {
+	const chars string = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
+	var size *big.Int = big.NewInt(int64(len(chars)))
+	b := make([]byte, 64)
+	for i := range b {
+		x, err := rand.Int(rand.Reader, size)
+		if err != nil {
+			return "", err
+		}
+		b[i] = chars[x.Int64()]
+	}
+	return string(b), nil
+}
+
+func (r *PostgresReconciler) deleteStorageEncryptionSecret(ctx context.Context, instance *pg.Postgres) error {
+
+	// Fetch secret
+	n := storageEncryptionKeyName
+	ns := instance.ToPeripheralResourceNamespace()
+	s := &corev1.Secret{}
+	r.Log.Info("Fetching storage secret", "namespace", ns, "name", n)
+	err := r.SvcClient.Get(ctx, types.NamespacedName{Namespace: ns, Name: n}, s)
+	if err != nil {
+		// TODO this would be blocking if we couldn't remove the finalizer!
+		return fmt.Errorf("error while fetching storage secret from service cluster: %w", err)
+	}
+
+	// Remove finalizer
+	s.ObjectMeta.Finalizers = removeElem(s.ObjectMeta.Finalizers, storageEncryptionKeyFinalizerName)
+	if err := r.SvcClient.Update(ctx, s); err != nil {
+		return fmt.Errorf("error while removing finalizer from storage secret in service cluster: %w", err)
+	}
+
+	// Delete secret
+	if err := r.SvcClient.Delete(ctx, s); err != nil {
+		return fmt.Errorf("error while deleting storage secret in service cluster: %w", err)
+	}
+
+	return nil
+}
+
+func removeElem(ss []string, s string) (out []string) {
+	for _, elem := range ss {
+		if elem == s {
+			continue
+		}
+		out = append(out, elem)
+	}
+	return
+}

main.go

@@ -36,39 +36,40 @@ import (
 
 const (
 	// envPrefix               = "pg"
-	metricsAddrSvcMgrFlg           = "metrics-addr-svc-mgr"
-	metricsAddrCtrlMgrFlg          = "metrics-addr-ctrl-mgr"
-	enableLeaderElectionFlg        = "enable-leader-election"
-	partitionIDFlg                 = "partition-id"
-	tenantFlg                      = "tenant"
-	ctrlPlaneKubeConfifgFlg        = "controlplane-kubeconfig"
-	loadBalancerIPFlg              = "load-balancer-ip"
-	portRangeStartFlg              = "port-range-start"
-	portRangeSizeFlg               = "port-range-size"
-	customPSPNameFlg               = "custom-psp-name"
-	storageClassFlg                = "storage-class"
-	postgresImageFlg               = "postgres-image"
-	etcdHostFlg                    = "etcd-host"
-	crdValidationFlg               = "enable-crd-validation"
-	operatorImageFlg               = "operator-image"
-	pgParamBlockListFlg            = "postgres-param-blocklist"
-	majorVersionUpgradeModeFlg     = "major-version-upgrade-mode"
-	standbyClustersSourceRangesFlg = "standby-clusters-source-ranges"
-	postgresletNamespaceFlg        = "postgreslet-namespace"
-	sidecarsCMNameFlg              = "sidecars-configmap-name"
-	enableNetPolFlg                = "enable-netpol"
-	enablePodAntiaffinityFlg       = "enable-pod-antiaffinity"
-	patroniRetryTimeoutFlg         = "patroni-retry-timeout"
-	enableStandbyLeaderSelectorFlg = "enable-standby-leader-selector"
-	ControlPlaneNamespaceFlg       = "control-plane-namespace"
-	enableLegacyStandbySelectorFlg = "enable-legacy-standby-selector"
-	deployEtcdFlg                  = "deploy-etcd"
-	etcdImageFlg                   = "etcd-image"
-	etcdBackupSidecarImageFlg      = "etcd-backup-sidecar-image"
-	etcdBackupSecretNameFlg        = "etcd-backup-secret-name" // nolint
-	etcdPSPNameFlg                 = "etcd-psp-name"
-	postgresletFullnameFlg         = "postgreslet-fullname"
-	enableLBSourceRangesFlg        = "enable-lb-source-ranges"
+	metricsAddrSvcMgrFlg                  = "metrics-addr-svc-mgr"
+	metricsAddrCtrlMgrFlg                 = "metrics-addr-ctrl-mgr"
+	enableLeaderElectionFlg               = "enable-leader-election"
+	partitionIDFlg                        = "partition-id"
+	tenantFlg                             = "tenant"
+	ctrlPlaneKubeConfifgFlg               = "controlplane-kubeconfig"
+	loadBalancerIPFlg                     = "load-balancer-ip"
+	portRangeStartFlg                     = "port-range-start"
+	portRangeSizeFlg                      = "port-range-size"
+	customPSPNameFlg                      = "custom-psp-name"
+	storageClassFlg                       = "storage-class"
+	postgresImageFlg                      = "postgres-image"
+	etcdHostFlg                           = "etcd-host"
+	crdValidationFlg                      = "enable-crd-validation"
+	operatorImageFlg                      = "operator-image"
+	pgParamBlockListFlg                   = "postgres-param-blocklist"
+	majorVersionUpgradeModeFlg            = "major-version-upgrade-mode"
+	standbyClustersSourceRangesFlg        = "standby-clusters-source-ranges"
+	postgresletNamespaceFlg               = "postgreslet-namespace"
+	sidecarsCMNameFlg                     = "sidecars-configmap-name"
+	enableNetPolFlg                       = "enable-netpol"
+	enablePodAntiaffinityFlg              = "enable-pod-antiaffinity"
+	patroniRetryTimeoutFlg                = "patroni-retry-timeout"
+	enableStandbyLeaderSelectorFlg        = "enable-standby-leader-selector"
+	ControlPlaneNamespaceFlg              = "control-plane-namespace"
+	enableLegacyStandbySelectorFlg        = "enable-legacy-standby-selector"
+	deployEtcdFlg                         = "deploy-etcd"
+	etcdImageFlg                          = "etcd-image"
+	etcdBackupSidecarImageFlg             = "etcd-backup-sidecar-image"
+	etcdBackupSecretNameFlg               = "etcd-backup-secret-name" // nolint
+	etcdPSPNameFlg                        = "etcd-psp-name"
+	postgresletFullnameFlg                = "postgreslet-fullname"
+	enableLBSourceRangesFlg               = "enable-lb-source-ranges"
+	enableRandomStorageEncrytionSecretFlg = "enable-random-storage-encryption-secret"
 )
 
 var (
@@ -110,14 +111,15 @@ func main() {
 		etcdPSPName             string
 		postgresletFullname     string
 
-		enableLeaderElection        bool
-		enableCRDValidation         bool
-		enableNetPol                bool
-		enablePodAntiaffinity       bool
-		enableStandbyLeaderSelector bool
-		enableLegacyStandbySelector bool
-		deployEtcd                  bool
-		enableLBSourceRanges        bool
+		enableLeaderElection               bool
+		enableCRDValidation                bool
+		enableNetPol                       bool
+		enablePodAntiaffinity              bool
+		enableStandbyLeaderSelector        bool
+		enableLegacyStandbySelector        bool
+		deployEtcd                         bool
+		enableLBSourceRanges               bool
+		enableRandomStorageEncrytionSecret bool
 
 		portRangeStart int
 		portRangeSize  int
@@ -245,6 +247,9 @@ func main() {
 	viper.SetDefault(enableLBSourceRangesFlg, true)
 	enableLBSourceRanges = viper.GetBool(enableLBSourceRangesFlg)
 
+	viper.SetDefault(enableRandomStorageEncrytionSecretFlg, false)
+	enableRandomStorageEncrytionSecret = viper.GetBool(enableRandomStorageEncrytionSecretFlg)
+
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 
 	ctrl.Log.Info("flag",
@@ -281,6 +286,7 @@ func main() {
 		etcdPSPNameFlg, etcdPSPName,
 		postgresletFullnameFlg, postgresletFullname,
 		enableLBSourceRangesFlg, enableLBSourceRanges,
+		enableRandomStorageEncrytionSecretFlg, enableRandomStorageEncrytionSecret,
 	)
 
 	svcClusterConf := ctrl.GetConfigOrDie()
@@ -366,24 +372,25 @@ func main() {
 		EnableLBSourceRanges:        enableLBSourceRanges,
 	}
 	if err = (&controllers.PostgresReconciler{
-		CtrlClient:                  ctrlPlaneClusterMgr.GetClient(),
-		SvcClient:                   svcClusterMgr.GetClient(),
-		Log:                         ctrl.Log.WithName("controllers").WithName("Postgres"),
-		Scheme:                      ctrlPlaneClusterMgr.GetScheme(),
-		PartitionID:                 partitionID,
-		Tenant:                      tenant,
-		StorageClass:                storageClass,
-		OperatorManager:             opMgr,
-		LBManager:                   lbmanager.New(svcClusterMgr.GetClient(), lbMgrOpts),
-		PgParamBlockList:            pgParamBlockList,
-		StandbyClustersSourceRanges: standbyClusterSourceRanges,
-		PostgresletNamespace:        postgresletNamespace,
-		SidecarsConfigMapName:       sidecarsCMName,
-		EnableNetPol:                enableNetPol,
-		EtcdHost:                    etcdHost,
-		PatroniTTL:                  patroniTTL,
-		PatroniLoopWait:             patroniLoopWait,
-		PatroniRetryTimeout:         patroniRetryTimeout,
+		CtrlClient:                          ctrlPlaneClusterMgr.GetClient(),
+		SvcClient:                           svcClusterMgr.GetClient(),
+		Log:                                 ctrl.Log.WithName("controllers").WithName("Postgres"),
+		Scheme:                              ctrlPlaneClusterMgr.GetScheme(),
+		PartitionID:                         partitionID,
+		Tenant:                              tenant,
+		StorageClass:                        storageClass,
+		OperatorManager:                     opMgr,
+		LBManager:                           lbmanager.New(svcClusterMgr.GetClient(), lbMgrOpts),
+		PgParamBlockList:                    pgParamBlockList,
+		StandbyClustersSourceRanges:         standbyClusterSourceRanges,
+		PostgresletNamespace:                postgresletNamespace,
+		SidecarsConfigMapName:               sidecarsCMName,
+		EnableNetPol:                        enableNetPol,
+		EtcdHost:                            etcdHost,
+		PatroniTTL:                          patroniTTL,
+		PatroniLoopWait:                     patroniLoopWait,
+		PatroniRetryTimeout:                 patroniRetryTimeout,
+		EnableRandomStorageEncryptionSecret: enableRandomStorageEncrytionSecret,
 	}).SetupWithManager(ctrlPlaneClusterMgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Postgres")
 		os.Exit(1)