OCPBUGS-57049: Update cert annotations

[vrutkovs]

Move testcase name out of auto-regenerate-after-offline-expiry, add
refresh-period.

Follow-up for openshift/origin#29327
Tested in openshift/cluster-kube-apiserver-operator#1768 and openshift/cluster-authentication-operator#742

[openshift-ci-robot]

@vrutkovs: This pull request references Jira Issue OCPBUGS-57049, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.0) matches configured target version for branch (4.20.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Move testcase name out of auto-regenerate-after-offline-expiry, add
refresh-period.

Follow-up for openshift/origin#29327

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vrutkovs]

/hold

This makes

certificates.openshift.io/refresh-period: 70080h0m0s

instead of

certificates.openshift.io/refresh-period: 8y

Also 12h0m0s should be trimmed to 12h

[vrutkovs]

/hold cancel

Tested in openshift/cluster-kube-apiserver-operator#1768

[jsafrane]

/approve

[sjenning]

/lgtm

[p0lyn0mial]

Why is it okay to store an inaccurate duration? Won’t this value be used for debugging purposes?

[p0lyn0mial]

In what format will the date be stored? I think this might be useful for tools that process the raw TLS info.

[vrutkovs]

Its using time.Duration format: 8h or 30d or 10y

[p0lyn0mial]

I think that the duration will be changed by the durationRound function which formats a duration into a human-readable string so machines won't be able to process it (if needed).

[p0lyn0mial]

where will this field be used ?

[vrutkovs]

Its informational only. We don't limit or verify this that it indeed happens at specified time (however we do ensure that this certificate is being rotated at all with ShortCertRotation featuregate)

[p0lyn0mial]

I think it would be better if all dates were in the same format for consistency (NotBefore, NotAfter).

This way, the processing tools (the TLS script or cluster-debug-tools) would know what to expect and could reformat them into a more human-readable form if needed during output.

How hard would it be to move durationToString to the TLS registry script?

[vrutkovs]

This isn't a date, it's a duration. Its not the time when next refresh occurs, it would be notAfter+refreshTime.

We can store them as milliseconds, but it won't be human-friendly - and if there is a need for a tool which reads this annotation we might as well convert "5s" into milliseconds too. The format is no longer lossy anyway

[p0lyn0mial]

or just store duration.String(), at least it would be accepted by https://pkg.go.dev/time#ParseDuration

it would be then possible to convert to a human-readable form on the receiving end, before displaying to end users.

[p0lyn0mial]

whereas 8y is not accepted by the time.PraseDuration - xref: https://go.dev/play/p/6qztJoDUlJJ

[vrutkovs]

ya, that would store 72h00m00s instead of 3d in annotations, this is why we need a custom Durations.ToBetterString()

[p0lyn0mial]

Also atm we store an inaccurate value in that field. Is that OK?

[vrutkovs]

openshift/cluster-kube-apiserver-operator#1768 would set it for cluster-kube-apiserver-operator (see TLS artifacts in openshift/cluster-kube-apiserver-operator#1768):

            {
              "key": "certificates.openshift.io/refresh-period",
              "value": "8y"
            },

It also shows 6h refresh in 4.20 now, as we're using a faster refresh rotation in dev branch

[vrutkovs]

See follow-up in #1981

[p0lyn0mial]

See follow-up in #1981

LGTM

let's rebase this pr and merge it, and then let's merge the follow-up pr

[vrutkovs]

lets

/hold

it for now, as it needs to be tested in CKAO PR first

[p0lyn0mial]

let's open a new pr for refactoring the target. i can do that. just let me know.

[vrutkovs]

Sure, please do. I'll focus on e2e tests

[p0lyn0mial]

ptal #1982

[p0lyn0mial]

let's pass c.Refresh to setSigningCertKeyPairSecretAndTLSAnnotations and then to setTLSAnnotationsOnSigningCertKeyPairSecret so that annotation assignments are in one place for the signer.

[p0lyn0mial]

actually, see #1971 (comment)

[p0lyn0mial]

i would also pass c.Refresh to setTargetCertKeyPairSecretAndTLSAnnotations and then to setTLSAnnotationsOnTargetCertKeyPairSecret so that annotation assignments are in one place for the target.

[p0lyn0mial]

actually, see #1971 (comment)

[p0lyn0mial]

do we need a unit test that checks assignment to the new annotation ?

[vrutkovs]

I don't think we do - some certs are not being refreshed and if it's incorrectly set by the controller we'll see this in TLS registry violations

[p0lyn0mial]

Ok.

[p0lyn0mial]

should this annotation be also set in line 83 ?

if !c.RefreshOnlyWhenExpired {
		needsMetadataUpdate := ensureOwnerRefAndTLSAnnotations(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations)
		needsTypeChange := ensureSecretTLSTypeSet(signingCertKeyPairSecret)
		updateRequired = needsMetadataUpdate || needsTypeChange
	}

[vrutkovs]

So far, I'd like to set refresh period only when contents are being refreshed. Later on we'll need a new PR which backfills this on existing certificates

[p0lyn0mial]

What is the reason we don’t want to set the refresh annotation for existing certificates? Wouldn’t it be easier to set it now?

[p0lyn0mial]

I think we have at least three options:

1. Update the callers to set the new annotation.
2. Update the annotation at the beginning of the EnsureSigningCertKeyPair method.
3. Modify the controller that calls EnsureSigningCertKeyPair to update the annotation.

[p0lyn0mial]

I think option 2 is the easiest.
Setting the annotation at the beginning of the function ensures it is applied to both new and existing secrets.

[vrutkovs]

I'd prefer a separate PR because this was not tested on existing PRs. If TRT comes and reverts because it breaks upgrades I'd rather have it already applied for new clusters at least.

I agree that 2. seems like the easiest option so far, but I didn't dig deep into this yet

[p0lyn0mial]

ok

[vrutkovs]

/hold cancel

[p0lyn0mial]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane, p0lyn0mial, sjenning, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/operator/OWNERS [jsafrane,p0lyn0mial]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vrutkovs]

/refresh

[openshift-ci-robot]

@vrutkovs: Jira Issue OCPBUGS-57049: Some pull requests linked via external trackers have merged:

• openshift/origin#29327
• openshift/library-go#1971

The following pull requests linked via external trackers have not merged:

• openshift/cluster-kube-apiserver-operator#1873 is open

These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-57049 has not been moved to the MODIFIED state.

Details

In response to this:

Move testcase name out of auto-regenerate-after-offline-expiry, add
refresh-period.

Follow-up for openshift/origin#29327
Tested in openshift/cluster-kube-apiserver-operator#1768 and openshift/cluster-authentication-operator#742

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.