TLS registry: add description

Vadim Rutkovsky · Vadim Rutkovsky · commit 26ece1c516c6 · 2024-11-04T10:14:45.000+01:00
This adds description to certificates managed by cluster-kube-apiserver-operator
diff --git a/bindata/assets/kube-apiserver/trusted-ca-cm.yaml b/bindata/assets/kube-apiserver/trusted-ca-cm.yaml
@@ -5,5 +5,6 @@ metadata:
   name: trusted-ca-bundle
   annotations:
     "openshift.io/owning-component": "Networking / cluster-network-operator"
+    "openshift.io/description": "CA used to recognize proxy servers.  By default this will contain standard root CAs on the cluster-network-operator pod."
   labels:
     config.openshift.io/inject-trusted-cabundle: "true"
diff --git a/bindata/bootkube/manifests/configmap-admin-kubeconfig-client-ca.yaml b/bindata/bootkube/manifests/configmap-admin-kubeconfig-client-ca.yaml
@@ -6,7 +6,7 @@ metadata:
   namespace: openshift-config
   annotations:
     "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "CA for kube-apiserver to recognize the system:master created by the installer."
 data:
   ca-bundle.crt: |
     {{ .Assets | load "admin-kubeconfig-ca-bundle.crt" | indent 4 }}
-
diff --git a/bindata/bootkube/manifests/configmap-csr-controller-ca.yaml b/bindata/bootkube/manifests/configmap-csr-controller-ca.yaml
@@ -6,7 +6,7 @@ metadata:
   namespace: openshift-config-managed
   annotations:
     "openshift.io/owning-component": "kube-controller-manager"
+    "openshift.io/description": "CA to recognize the CSRs (both serving and client) signed by the kube-controller-manager."
 data:
   ca-bundle.crt: |
     {{ .Assets | load "kubelet-client-ca-bundle.crt" | indent 4 }}
-
diff --git a/bindata/bootkube/manifests/secret-aggregator-client-signer.yaml b/bindata/bootkube/manifests/secret-aggregator-client-signer.yaml
@@ -8,6 +8,7 @@ metadata:
     "auth.openshift.io/certificate-not-after": {{ .Assets | load "aggregator-signer.crt" | notAfter }}
     "auth.openshift.io/certificate-issuer": {{ .Assets | load "aggregator-signer.crt" | issuer }}
     "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "Signer for the kube-apiserver to create client certificates for aggregated apiservers to recognize as a front-proxy."
 type: kubernetes.io/tls
 data:
   tls.crt: {{ .Assets | load "aggregator-signer.crt" | base64 }}
diff --git a/bindata/bootkube/manifests/secret-control-plane-client-signer.yaml b/bindata/bootkube/manifests/secret-control-plane-client-signer.yaml
@@ -8,6 +8,7 @@ metadata:
     "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-control-plane-signer.crt" | notAfter }}
     "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-control-plane-signer.crt" | issuer }}
     "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "Signer for kube-controller-manager and kube-scheduler client certificates."
 type: kubernetes.io/tls
 data:
   tls.crt: {{ .Assets | load "kube-control-plane-signer.crt" | base64 }}
diff --git a/bindata/bootkube/manifests/secret-kube-apiserver-to-kubelet-signer.yaml b/bindata/bootkube/manifests/secret-kube-apiserver-to-kubelet-signer.yaml
@@ -8,6 +8,7 @@ metadata:
     "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | notAfter }}
     "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | issuer }}
     "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "Signer for the kube-apiserver-to-kubelet-client so kubelets can recognize the kube-apiserver."
 type: kubernetes.io/tls
 data:
   tls.crt: {{ .Assets | load "kube-apiserver-to-kubelet-signer.crt" | base64 }}
diff --git a/bindata/bootkube/manifests/secret-loadbalancer-serving-signer.yaml b/bindata/bootkube/manifests/secret-loadbalancer-serving-signer.yaml
@@ -8,6 +8,7 @@ metadata:
     "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-apiserver-lb-signer.crt" | notAfter }}
     "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-apiserver-lb-signer.crt" | issuer }}
     "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "Signer used by the kube-apiserver operator to create serving certificates for the kube-apiserver via internal and external load balancers."
 type: kubernetes.io/tls
 data:
   tls.crt: {{ .Assets | load "kube-apiserver-lb-signer.crt" | base64 }}
diff --git a/bindata/bootkube/manifests/secret-localhost-serving-signer.yaml b/bindata/bootkube/manifests/secret-localhost-serving-signer.yaml
@@ -8,6 +8,7 @@ metadata:
     "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-apiserver-localhost-signer.crt" | notAfter }}
     "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-apiserver-localhost-signer.crt" | issuer }}
     "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "Signer used by the kube-apiserver to create serving certificates for the kube-apiserver via localhost."
 type: kubernetes.io/tls
 data:
   tls.crt: {{ .Assets | load "kube-apiserver-localhost-signer.crt" | base64 }}
diff --git a/bindata/bootkube/manifests/secret-service-network-serving-signer.yaml b/bindata/bootkube/manifests/secret-service-network-serving-signer.yaml
@@ -8,6 +8,7 @@ metadata:
     "auth.openshift.io/certificate-not-after": {{ .Assets | load "kube-apiserver-service-network-signer.crt" | notAfter }}
     "auth.openshift.io/certificate-issuer": {{ .Assets | load "kube-apiserver-service-network-signer.crt" | issuer }}
     "openshift.io/owning-component": "kube-apiserver"
+    "openshift.io/description": "Signer used by the kube-apiserver to create serving certificates for the kube-apiserver via the service network."
 type: kubernetes.io/tls
 data:
   tls.crt: {{ .Assets | load "kube-apiserver-service-network-signer.crt" | base64 }}
diff --git a/pkg/operator/certrotationcontroller/certrotationcontroller.go b/pkg/operator/certrotationcontroller/certrotationcontroller.go
