Skip to content

OCPBUGS-44842: certrotation: set not-before/not-after annotations #1889

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

OCPBUGS-44842: certrotation: set not-before/not-after annotations #1889

wants to merge 2 commits into from

Conversation

vrutkovs
Copy link
Member

@vrutkovs vrutkovs commented Nov 21, 2024
edited
Loading

This ensures every secret managed by this controller has valid
not-before/not-after annotation set.
Instead of analyzing potentially sensitive secret
on customer cluster we should be able to tell if the certificate
rotation didn't happen and certificate expired by looking into
annotations.

Tested in openshift/cluster-kube-apiserver-operator#1768 and openshift/cluster-authentication-operator#742

@vrutkovs
certrotation: set not-before/not-after annotations
7c782c7 
This ensures every secret managed by this controller has valid
annotation set. Instead of analyzing potentially sensitive secret
on customer cluster we should be able to tell if the certificate
rotation didn't happen and certificate expired by looking into
annotations
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 21, 2024
@openshift-ci-robot
Copy link

@vrutkovs: This pull request references Jira Issue OCPBUGS-44842, which is invalid:

  • expected the bug to target either version "4.18." or "openshift-4.18.", but it targets "4.19.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This ensures every secret managed by this controller has valid
annotation set. Instead of analyzing potentially sensitive secret
on customer cluster we should be able to tell if the certificate
rotation didn't happen and certificate expired by looking into
annotations

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Nov 21, 2024
@openshift-ci openshift-ci bot requested review from deads2k and jsafrane November 21, 2024 13:28
@vrutkovs vrutkovs force-pushed the cert-annotations-not-before-not-after branch 2 times, most recently from 4d0a3e9 to ff84afa Compare November 22, 2024 12:01
@vrutkovs vrutkovs force-pushed the cert-annotations-not-before-not-after branch from ff84afa to 91216c7 Compare November 25, 2024 14:44
@vrutkovs
Copy link
Member Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 25, 2024
@openshift-ci-robot
Copy link

@vrutkovs: This pull request references Jira Issue OCPBUGS-44842, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from wangke19 November 25, 2024 18:31
@vrutkovs
Copy link
Member Author

/retest

1 similar comment
@vrutkovs
Copy link
Member Author

/retest

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 26, 2024

@vrutkovs: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci-robot
Copy link

@vrutkovs: This pull request references Jira Issue OCPBUGS-44842, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

In response to this:

This ensures every secret managed by this controller has valid
not-before/not-after annotation set.
Instead of analyzing potentially sensitive secret
on customer cluster we should be able to tell if the certificate
rotation didn't happen and certificate expired by looking into
annotations.

Tested in openshift/cluster-kube-apiserver-operator#1768 and openshift/cluster-authentication-operator#742

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@vrutkovs
Copy link
Member Author

/cherrypick release-4.18

@openshift-cherrypick-robot
Copy link

@vrutkovs: once the present PR merges, I will cherry-pick it on top of release-4.18 in a new PR and assign it to you.

In response to this:

/cherrypick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

ibihim
ibihim reviewed Jan 3, 2025
View reviewed changes
Copy link
Contributor

@ibihim ibihim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically, the wiring is fine, it makes sense to add NotBefore and NotAfter to EnsureTLSMetadataUpdate.

But the consequence is,

  • that we need to invoke it twice and
  • usually set the AdditionalAnnotations hand it down and execute it, while we could easily just set it in the given Secret.

To leverage EnsureTLSMetadataUpdate, we would need to split cert creation from injecting it into the Secret or create a more general EnsureSecretUpdate function that expects a TLS cert and then updates the metadata at once.

@vrutkovs
Copy link
Member Author

vrutkovs commented Jan 6, 2025

that we need to invoke it twice

Yes, its unfortunate but see below

we could easily just set it in the given Secret.

It would require us to copy paste the code which does:

  • make sure that annotations map is initialized (for newly created secrets)
  • track annotation name (it may change in the future)
  • this code can be reused in other components (e.g. ckoa PR uses AdditionalAnnotations to set not-before/not-after here as ApplySecret later already runs EnsureTLSMetadata)

@Elbehery
Copy link
Contributor

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 13, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 13, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Elbehery, vrutkovs
Once this PR has been reviewed and has the lgtm label, please assign jsafrane for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Copy link

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 15, 2025
@vrutkovs
Copy link
Member Author

/remove-lifecycle stale

@openshift-ci openshift-ci bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ibihim ibihim ibihim left review comments

@deads2k deads2k Awaiting requested review from deads2k

@jsafrane jsafrane Awaiting requested review from jsafrane

@wangke19 wangke19 Awaiting requested review from wangke19

Assignees

@Elbehery Elbehery

Labels
jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@vrutkovs @openshift-ci-robot @openshift-cherrypick-robot @Elbehery @openshift-bot @ibihim