SKE Credentials Rotation: start-rotation command

docs/stackit_postgresflex_instance_clone.md

@@ -27,7 +27,7 @@ stackit postgresflex instance clone INSTANCE_ID [flags]
 
 ```
   -h, --help                        Help for "stackit postgresflex instance clone"
-      --recovery-timestamp string   Recovery timestamp for the instance, specified in UTC time following the format, e.g. 2024-03-12T09:28:00+00:00 
+      --recovery-timestamp string   Recovery timestamp for the instance, in a date-time with the RFC3339 layout format, e.g. 2024-01-01T00:00:00Z
       --storage-class string        Storage class. If not specified, storage class from the existing instance will be used.
       --storage-size int            Storage size (in GB). If not specified, storage size from the existing instance will be used.
 ```

docs/stackit_ske_credentials.md

@@ -30,4 +30,5 @@ stackit ske credentials [flags]
 * [stackit ske](./stackit_ske.md)	 - Provides functionality for SKE
 * [stackit ske credentials describe](./stackit_ske_credentials_describe.md)	 - Shows details of the credentials associated to a SKE cluster
 * [stackit ske credentials rotate](./stackit_ske_credentials_rotate.md)	 - Rotates credentials associated to a SKE cluster
+* [stackit ske credentials start-rotation](./stackit_ske_credentials_start-rotation.md)	 - Starts the rotation of the credentials associated to a SKE cluster
 

docs/stackit_ske_credentials_start-rotation.md

@@ -0,0 +1,39 @@
+## stackit ske credentials start-rotation
+
+Starts the rotation of the credentials associated to a SKE cluster
+
+### Synopsis
+
+Starts the rotation of the credentials associated to a STACKIT Kubernetes Engine (SKE) cluster. This is step 1 of a two-step process. 
+Complete the rotation using the 'stackit ske credentials complete-rotation' command.
+
+```
+stackit ske credentials start-rotation CLUSTER_NAME [flags]
+```
+
+### Examples
+
+```
+  Start the rotation of the credentials associated to the SKE cluster with name "my-cluster"
+  $ stackit ske credentials start-rotation my-cluster
+```
+
+### Options
+
+```
+  -h, --help   Help for "stackit ske credentials start-rotation"
+```
+
+### Options inherited from parent commands
+
+```
+  -y, --assume-yes             If set, skips all confirmation prompts
+      --async                  If set, runs the command asynchronously
+  -o, --output-format string   Output format, one of ["json" "pretty"]
+  -p, --project-id string      Project ID
+```
+
+### SEE ALSO
+
+* [stackit ske credentials](./stackit_ske_credentials.md)	 - Provides functionality for SKE credentials
+

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/stackitcloud/stackit-sdk-go/services/resourcemanager v0.7.7
 	github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.6.0
 	github.com/stackitcloud/stackit-sdk-go/services/serviceaccount v0.3.6
-	github.com/stackitcloud/stackit-sdk-go/services/ske v0.10.1
+	github.com/stackitcloud/stackit-sdk-go/services/ske v0.11.0
 	github.com/zalando/go-keyring v0.2.4
 	golang.org/x/mod v0.16.0
 	golang.org/x/oauth2 v0.18.0

go.sum

@@ -103,8 +103,8 @@ github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.6.0 h1:VC7VWad
 github.com/stackitcloud/stackit-sdk-go/services/secretsmanager v0.6.0/go.mod h1:KRoLXZdH8yuO6FBu2Grl5VGqW9arH03qYAC0P6H8h9o=
 github.com/stackitcloud/stackit-sdk-go/services/serviceaccount v0.3.6 h1:3kkNh2kHi55w9dgh0MC1Zbn8fDpYxcXl3tvYjH8t9xo=
 github.com/stackitcloud/stackit-sdk-go/services/serviceaccount v0.3.6/go.mod h1:OOciROyQxPOYLo8OM/DE5ESH11+DvAyRt6wg7R+HVkg=
-github.com/stackitcloud/stackit-sdk-go/services/ske v0.10.1 h1:MZABtJ8HFOKG3KCCv5duibxBSAU1zTFAO0V9bso3N9M=
-github.com/stackitcloud/stackit-sdk-go/services/ske v0.10.1/go.mod h1:7M7bsVHN0REuwoZRYz5nK2yBwsMJcHTsVFHlG83QP2A=
+github.com/stackitcloud/stackit-sdk-go/services/ske v0.11.0 h1:BJ1Op7f3KJPNROkEXzqAREl55JCqyIAyQJ+Gfu4LYCM=
+github.com/stackitcloud/stackit-sdk-go/services/ske v0.11.0/go.mod h1:yFLjTx58pjHCp0KZTaqHlW9Qk60CY5HpnBWR/zztv8Y=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=

internal/cmd/ske/credentials/credentials.go

@@ -3,6 +3,7 @@ package credentials
 import (
 	"github.com/stackitcloud/stackit-cli/internal/cmd/ske/credentials/describe"
 	"github.com/stackitcloud/stackit-cli/internal/cmd/ske/credentials/rotate"
+	startrotation "github.com/stackitcloud/stackit-cli/internal/cmd/ske/credentials/start-rotation"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
 
@@ -24,4 +25,5 @@ func NewCmd() *cobra.Command {
 func addSubcommands(cmd *cobra.Command) {
 	cmd.AddCommand(describe.NewCmd())
 	cmd.AddCommand(rotate.NewCmd())
+	cmd.AddCommand(startrotation.NewCmd())
 }

internal/cmd/ske/credentials/start-rotation/start_rotation.go

@@ -0,0 +1,118 @@
+package startrotation
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/confirm"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/errors"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/globalflags"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/services/ske/client"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/spinner"
+
+	"github.com/spf13/cobra"
+	"github.com/stackitcloud/stackit-sdk-go/services/ske"
+	"github.com/stackitcloud/stackit-sdk-go/services/ske/wait"
+)
+
+const (
+	clusterNameArg = "CLUSTER_NAME"
+)
+
+type inputModel struct {
+	*globalflags.GlobalFlagModel
+	ClusterName string
+}
+
+func NewCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   fmt.Sprintf("start-rotation %s", clusterNameArg),
+		Short: "Starts the rotation of the credentials associated to a SKE cluster",
+		Long: fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n\n%s\n%s",
+			"Starts the rotation of the credentials associated to a STACKIT Kubernetes Engine (SKE) cluster.",
+			"This is step 1 of a 2-step process to rotate all SKE cluster credentials. Tasks accomplished in this phase include:",
+			"  - Rolling recreation of all worker nodes",
+			"  - A new Certificate Authority (CA) will be established and incorporated into the existing CA bundle.",
+			"  - A new etcd encryption key is generated and added to the Certificate Authority (CA) bundle.",
+			"  - A new signing key will be generated for the service account and added to the Certificate Authority (CA) bundle.",
+			"  - The kube-apiserver will rewrite all secrets in the cluster, encrypting them with the new encryption key.",
+			"The old CA, encryption key and signing key will be retained until the rotation is completed.",
+			"Complete the rotation by running:",
+			"  $ stackit ske credentials complete-rotation my-cluster"),
+		Args: args.SingleArg(clusterNameArg, nil),
+		Example: examples.Build(
+			examples.NewExample(
+				`Start the rotation of the credentials associated to the SKE cluster with name "my-cluster"`,
+				"$ stackit ske credentials start-rotation my-cluster"),
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := context.Background()
+			model, err := parseInput(cmd, args)
+			if err != nil {
+				return err
+			}
+
+			// Configure API client
+			apiClient, err := client.ConfigureClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			if !model.AssumeYes {
+				prompt := fmt.Sprintf("Are you sure you want to start the rotation of the credentials for SKE cluster %q?", model.ClusterName)
+				err = confirm.PromptForConfirmation(cmd, prompt)
+				if err != nil {
+					return err
+				}
+			}
+
+			// Call API
+			req := buildRequest(ctx, model, apiClient)
+			_, err = req.Execute()
+			if err != nil {
+				return fmt.Errorf("start rotation of SKE credentials: %w", err)
+			}
+
+			// Wait for async operation, if async mode not enabled
+			if !model.Async {
+				s := spinner.New(cmd)
+				s.Start("Starting credentials rotation")
+				_, err = wait.StartCredentialsRotationWaitHandler(ctx, apiClient, model.ProjectId, model.ClusterName).WaitWithContext(ctx)
+				if err != nil {
+					return fmt.Errorf("wait for start SKE credentials rotation %w", err)
+				}
+				s.Stop()
+			}
+
+			operationState := "Rotation of credentials is ready to be completed"
+			if model.Async {
+				operationState = "Triggered start of credentials rotation"
+			}
+			cmd.Printf("%s for cluster %q\n", operationState, model.ClusterName)
+			cmd.Printf("Complete the rotation by running:\n  $ stackit ske credentials complete-rotation %s\n", model.ClusterName)
+			return nil
+		},
+	}
+	return cmd
+}
+
+func parseInput(cmd *cobra.Command, inputArgs []string) (*inputModel, error) {
+	clusterName := inputArgs[0]
+
+	globalFlags := globalflags.Parse(cmd)
+	if globalFlags.ProjectId == "" {
+		return nil, &errors.ProjectIdError{}
+	}
+
+	return &inputModel{
+		GlobalFlagModel: globalFlags,
+		ClusterName:     clusterName,
+	}, nil
+}
+
+func buildRequest(ctx context.Context, model *inputModel, apiClient *ske.APIClient) ske.ApiStartCredentialsRotationRequest {
+	req := apiClient.StartCredentialsRotation(ctx, model.ProjectId, model.ClusterName)
+	return req
+}