Don't set an ownerRef on secrets users are susceptible to copy around

A k8s bug (kubernetes/kubernetes#65200) may cause the
k8s garbage collection to delete undesired resources in case users manually
copy an operator-managed secret to another namespace.

To avoid that situation, this commit ensures no ownerRef is set on a subset of
managed secrets users are susceptible to copy around:
- the elastic user password secret
- elasticsearch public transport certs
- elasticsearch, kibana, enterprise search, apm server public http certs

Existing ownerReferences set with earlier ECK versions will be removed when
reconciled.

Since they do not have an ownerRef anymore, those secrets are not automatically
deleted when the Elasticsearch resource is deleted. To work around that situation,
the secret reconciliation logic adds an additional set of labels to the reconciled
secrets that don't have an ownerRef specified. These labels reference the "soft"
owner ("soft" as in handled through some custom code and not through k8s builtin
garbage collection logic).
Once a controller receives a deletion event for the resource it manages, it will
automatically remove the soft-owned secrets.
This is done as best-effort. Secrets will remain orphan if:
- the operator is not running when the owner is deleted
- an error happens while deleting the soft-owned secrets

Author: sebgl

pkg/controller/apmserver/controller.go

@@ -308,6 +308,12 @@ func (r *ReconcileApmServer) onDelete(obj types.NamespacedName) {
 	r.dynamicWatches.Secrets.RemoveHandlerForKey(keystore.SecureSettingsWatchName(obj))
 	// Clean up watches set on custom http tls certificates
 	r.dynamicWatches.Secrets.RemoveHandlerForKey(certificates.CertificateWatchKey(Namer, obj.Name))
+	if err := reconciler.GarbageCollectSoftOwnedSecrets(r.Client, obj); err != nil {
+		// this is best-effort only, some secrets may remain orphan in case of error here,
+		// or if the operator was down during the owner deletion
+		log.Error(err, "namespace", obj.Namespace, "apm_name", obj.Name,
+			"Failed to garbage collect secrets, they should be removed manually")
+	}
 }
 
 // reconcileApmServerToken reconciles a Secret containing the APM Server token.
@@ -333,7 +339,9 @@ func reconcileApmServerToken(c k8s.Client, as *apmv1.ApmServer) (corev1.Secret,
 		expectedApmServerSecret.Data[SecretTokenKey] = common.RandomBytes(24)
 	}
 
-	return reconciler.ReconcileSecret(c, expectedApmServerSecret, as)
+	// Don't set an ownerRef for the APM token secret, likely to be copied into different namespaces.
+	// See https://github.com/elastic/cloud-on-k8s/issues/3986.
+	return reconciler.ReconcileSecretNoOwnerRef(c, expectedApmServerSecret, as)
 }
 
 func (r *ReconcileApmServer) updateStatus(ctx context.Context, state State) error {

pkg/controller/beat/controller.go

@@ -152,6 +152,12 @@ func (r *ReconcileBeat) Reconcile(request reconcile.Request) (reconcile.Result,
 	}
 
 	if beat.IsMarkedForDeletion() {
+		if err := reconciler.GarbageCollectSoftOwnedSecrets(r.Client, request.NamespacedName); err != nil {
+			// this is best-effort only, some secrets may remain orphan in case of error here,
+			// or if the operator was down during the owner deletion
+			log.Error(err, "namespace", beat.Namespace, "beat_name", beat.Name,
+				"Failed to garbage collect secrets, they should be removed manually")
+		}
 		return reconcile.Result{}, nil
 	}
 

pkg/controller/common/certificates/http_reconcile.go

@@ -45,7 +45,9 @@ func (r Reconciler) ReconcilePublicHTTPCerts(internalCerts *CertificatesSecret)
 		expected.Data[CAFileName] = caPem
 	}
 
-	_, err := reconciler.ReconcileSecret(r.K8sClient, expected, r.Object)
+	// Don't set an ownerRef for public http certs secrets, likely to be copied into different namespaces.
+	// See https://github.com/elastic/cloud-on-k8s/issues/3986.
+	_, err := reconciler.ReconcileSecretNoOwnerRef(r.K8sClient, expected, r.Object)
 	return err
 }
 

pkg/controller/common/reconciler/secret.go

@@ -10,7 +10,17 @@ import (
 	"github.com/elastic/cloud-on-k8s/pkg/utils/k8s"
 	"github.com/elastic/cloud-on-k8s/pkg/utils/maps"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// Labels set on secrets which cannot rely on owner references due to https://github.com/kubernetes/kubernetes/issues/65200,
+// but should still be garbage-collected (best-effort) by the operator upon owner deletion.
+const (
+	SoftOwnerNamespaceLabel = "eck.k8s.elastic.co/soft-owner-namespace"
+	SoftOwnerNameLabel      = "eck.k8s.elastic.co/soft-owner-name"
 )
 
 // ReconcileSecret creates or updates the actual secret to match the expected one.
@@ -41,3 +51,120 @@ func ReconcileSecret(c k8s.Client, expected corev1.Secret, owner metav1.Object)
 	}
 	return reconciled, nil
 }
+
+// ReconcileSecretNoOwnerRef should be called to reconcile a Secret for which we explicitly don't want
+// an owner reference to be set, and want existing ownerRefs from previous operator versions to be removed,
+// because of this k8s bug: https://github.com/kubernetes/kubernetes/issues/65200 (fixed in k8s 1.20).
+//
+// It makes sense to use this function for secrets which are likely to be manually
+// copied into other namespaces by the end user.
+// Because of the k8s bug mentioned above, the ownerRef could trigger a racy garbage collection
+// that deletes all children resources, potentially resulting in data loss.
+// See https://github.com/elastic/cloud-on-k8s/issues/3986 for more details.
+//
+// Since they won't have an ownerRef specified, reconciled secrets will not be deleted automatically on parent deletion.
+// To account for that, we add a label for best-effort garbage collection by the operator on parent resource deletion.
+func ReconcileSecretNoOwnerRef(c k8s.Client, expected corev1.Secret, theoreticalOwner metav1.Object) (corev1.Secret, error) {
+	// this function is similar to "ReconcileSecret", but:
+	// - we don't pass an owner
+	// - we remove the existing owner
+	// - we set additional labels to perform garbage collection on owner deletion (best-effort)
+	expected.Labels[SoftOwnerNamespaceLabel] = theoreticalOwner.GetNamespace()
+	expected.Labels[SoftOwnerNameLabel] = theoreticalOwner.GetName()
+
+	var reconciled corev1.Secret
+	if err := ReconcileResource(Params{
+		Client:     c,
+		Owner:      nil,
+		Expected:   &expected,
+		Reconciled: &reconciled,
+		NeedsUpdate: func() bool {
+			// update if expected labels and annotations are not there
+			return !maps.IsSubset(expected.Labels, reconciled.Labels) ||
+				!maps.IsSubset(expected.Annotations, reconciled.Annotations) ||
+				// or if secret data is not strictly equal
+				!reflect.DeepEqual(expected.Data, reconciled.Data) ||
+				// or if an existing owner should be removed
+				hasOwner(&reconciled, theoreticalOwner)
+		},
+		UpdateReconciled: func() {
+			// set expected annotations and labels, but don't remove existing ones
+			// that may have been defaulted or set by the user on the existing resource
+			reconciled.Labels = maps.Merge(reconciled.Labels, expected.Labels)
+			reconciled.Annotations = maps.Merge(reconciled.Annotations, expected.Annotations)
+			reconciled.Data = expected.Data
+			// remove existing owner
+			removeOwner(&reconciled, theoreticalOwner)
+		},
+	}); err != nil {
+		return corev1.Secret{}, err
+	}
+	return reconciled, nil
+}
+
+// GarbageCollectSoftOwnedSecrets deletes all secrets whose labels reference a soft owner.
+// To be called once that owner gets deleted.
+func GarbageCollectSoftOwnedSecrets(c k8s.Client, deletedParent types.NamespacedName) error {
+	var secrets corev1.SecretList
+	if err := c.List(
+		&secrets,
+		// restrict to secrets in the parent namespace, we don't want to delete
+		// secrets users may have manually copied into other namespaces
+		client.InNamespace(deletedParent.Namespace),
+		// restrict to secrets on which we set the soft owner label
+		client.MatchingLabels{
+			SoftOwnerNamespaceLabel: deletedParent.Namespace,
+			SoftOwnerNameLabel:      deletedParent.Name,
+		},
+	); err != nil {
+		return err
+	}
+	for i := range secrets.Items {
+		s := secrets.Items[i]
+		log.Info("Garbage collecting secret", "namespace", deletedParent.Namespace, "secret_name", s.Name)
+		err := c.Delete(&s)
+		if apierrors.IsNotFound(err) {
+			// already deleted, all good
+			continue
+		}
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func hasOwner(resource metav1.Object, owner metav1.Object) bool {
+	if owner == nil || resource == nil {
+		return false
+	}
+	found, _ := findOwner(resource, owner)
+	return found
+}
+
+func removeOwner(resource metav1.Object, owner metav1.Object) {
+	if resource == nil || owner == nil {
+		return
+	}
+	found, index := findOwner(resource, owner)
+	if !found {
+		return
+	}
+	owners := resource.GetOwnerReferences()
+	// remove the owner at index i from the slice
+	newOwners := append(owners[:index], owners[index+1:]...)
+	resource.SetOwnerReferences(newOwners)
+}
+
+func findOwner(resource metav1.Object, owner metav1.Object) (found bool, index int) {
+	if owner == nil || resource == nil {
+		return false, 0
+	}
+	ownerRefs := resource.GetOwnerReferences()
+	for i := range ownerRefs {
+		if ownerRefs[i].Name == owner.GetName() && ownerRefs[i].UID == owner.GetUID() {
+			return true, i
+		}
+	}
+	return false, 0
+}

pkg/controller/elasticsearch/certificates/transport/public_secret.go

@@ -32,7 +32,10 @@ func ReconcileTransportCertsPublicSecret(
 			certificates.CAFileName: certificates.EncodePEMCert(ca.Cert.Raw),
 		},
 	}
-	_, err := reconciler.ReconcileSecret(c, expected, &es)
+
+	// Don't set an ownerRef for public transport certs secrets, likely to be copied into different namespaces.
+	// See https://github.com/elastic/cloud-on-k8s/issues/3986.
+	_, err := reconciler.ReconcileSecretNoOwnerRef(c, expected, &es)
 	return err
 }
 

pkg/controller/elasticsearch/elasticsearch_controller.go

@@ -321,4 +321,10 @@ func (r *ReconcileElasticsearch) onDelete(es types.NamespacedName) {
 	r.dynamicWatches.Secrets.RemoveHandlerForKey(certificates.CertificateWatchKey(esv1.ESNamer, es.Name))
 	r.dynamicWatches.Secrets.RemoveHandlerForKey(user.UserProvidedRolesWatchName(es))
 	r.dynamicWatches.Secrets.RemoveHandlerForKey(user.UserProvidedFileRealmWatchName(es))
+	if err := reconciler.GarbageCollectSoftOwnedSecrets(r.Client, es); err != nil {
+		// this is best-effort only, some secrets may remain orphan in case of error here,
+		// or if the operator was down during the owner deletion
+		log.Error(err, "namespace", es.Namespace, "es_name", es.Name,
+			"Failed to garbage collect secrets, they should be removed manually")
+	}
 }

pkg/controller/elasticsearch/user/predefined.go

@@ -39,6 +39,9 @@ func reconcileElasticUser(c k8s.Client, es esv1.Elasticsearch, existingFileRealm
 			{Name: ElasticUserName, Roles: []string{SuperUserBuiltinRole}},
 		},
 		esv1.ElasticUserSecret(es.Name),
+		// Don't set an ownerRef for the elastic user secret, likely to be copied into different namespaces.
+		// See https://github.com/elastic/cloud-on-k8s/issues/3986.
+		false,
 	)
 }
 
@@ -52,7 +55,9 @@ func reconcileInternalUsers(c k8s.Client, es esv1.Elasticsearch, existingFileRea
 			{Name: ControllerUserName, Roles: []string{SuperUserBuiltinRole}},
 			{Name: ProbeUserName, Roles: []string{ProbeUserRole}},
 		},
-		esv1.InternalUsersSecret(es.Name))
+		esv1.InternalUsersSecret(es.Name),
+		true,
+	)
 }
 
 // reconcilePredefinedUsers reconciles a secret with the given name holding the given users.
@@ -63,6 +68,7 @@ func reconcilePredefinedUsers(
 	existingFileRealm filerealm.Realm,
 	users users,
 	secretName string,
+	setOwnerRef bool,
 ) (users, error) {
 	secretNsn := types.NamespacedName{Namespace: es.Namespace, Name: secretName}
 
@@ -92,7 +98,11 @@ func reconcilePredefinedUsers(
 		Data: secretData,
 	}
 
-	_, err = reconciler.ReconcileSecret(c, expected, &es)
+	if setOwnerRef {
+		_, err = reconciler.ReconcileSecret(c, expected, &es)
+	} else {
+		_, err = reconciler.ReconcileSecretNoOwnerRef(c, expected, &es)
+	}
 	return users, err
 }
 

pkg/controller/enterprisesearch/enterprisesearch_controller.go

@@ -11,19 +11,6 @@ import (
 	"reflect"
 	"sync/atomic"
 
-	"go.elastic.co/apm"
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/tools/record"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
-	logf "sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"sigs.k8s.io/controller-runtime/pkg/source"
-
 	entv1beta1 "github.com/elastic/cloud-on-k8s/pkg/apis/enterprisesearch/v1beta1"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/association"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common"
@@ -33,11 +20,24 @@ import (
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/driver"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/events"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/operator"
+	"github.com/elastic/cloud-on-k8s/pkg/controller/common/reconciler"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/tracing"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/version"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/watches"
 	entName "github.com/elastic/cloud-on-k8s/pkg/controller/enterprisesearch/name"
 	"github.com/elastic/cloud-on-k8s/pkg/utils/k8s"
+	"go.elastic.co/apm"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
 const (
@@ -185,6 +185,13 @@ func (r *ReconcileEnterpriseSearch) onDelete(obj types.NamespacedName) {
 	r.dynamicWatches.Secrets.RemoveHandlerForKey(common.ConfigRefWatchName(obj))
 	// Clean up watches set on custom http tls certificates
 	r.dynamicWatches.Secrets.RemoveHandlerForKey(certificates.CertificateWatchKey(entName.EntNamer, obj.Name))
+
+	if err := reconciler.GarbageCollectSoftOwnedSecrets(r.Client, obj); err != nil {
+		// this is best-effort only, some secrets may remain orphan in case of error here,
+		// or if the operator was down during the owner deletion
+		log.Error(err, "namespace", obj.Namespace, "ent_name", obj.Name,
+			"Failed to garbage collect secrets, they should be removed manually")
+	}
 }
 
 func (r *ReconcileEnterpriseSearch) isCompatible(ctx context.Context, ent *entv1beta1.EnterpriseSearch) (bool, error) {

pkg/controller/kibana/controller.go

@@ -9,19 +9,6 @@ import (
 	"reflect"
 	"sync/atomic"
 
-	"go.elastic.co/apm"
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/tools/record"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
-	logf "sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/manager"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"sigs.k8s.io/controller-runtime/pkg/source"
-
 	kbv1 "github.com/elastic/cloud-on-k8s/pkg/apis/kibana/v1"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/association"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common"
@@ -31,9 +18,22 @@ import (
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/finalizer"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/keystore"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/operator"
+	"github.com/elastic/cloud-on-k8s/pkg/controller/common/reconciler"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/tracing"
 	"github.com/elastic/cloud-on-k8s/pkg/controller/common/watches"
 	"github.com/elastic/cloud-on-k8s/pkg/utils/k8s"
+	"go.elastic.co/apm"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
 const (
@@ -249,6 +249,12 @@ func (r *ReconcileKibana) onDelete(obj types.NamespacedName) {
 	r.dynamicWatches.Secrets.RemoveHandlerForKey(keystore.SecureSettingsWatchName(obj))
 	// Clean up watches set on custom http tls certificates
 	r.dynamicWatches.Secrets.RemoveHandlerForKey(certificates.CertificateWatchKey(Namer, obj.Name))
+	if err := reconciler.GarbageCollectSoftOwnedSecrets(r.Client, obj); err != nil {
+		// this is best-effort only, some secrets may remain orphan in case of error here,
+		// or if the operator was down during the owner deletion
+		log.Error(err, "namespace", obj.Namespace, "kb_name", obj.Name,
+			"Failed to garbage collect secrets, they should be removed manually")
+	}
 }
 
 // State holds the accumulated state during the reconcile loop including the response and a pointer to a Kibana