
Commit 7f67499

Vadim Rutkovskyvrutkovs
authored andcommitted
nodekubeconfig: set not-before/not-after annotations
Copy not-before and not-after annotations from the system:admin secret
1 parent 52131d4 commit 7f67499


2 files changed

+63
-19
lines changed


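--- a/pkg/operator/nodekubeconfigcontroller/nodekubeconfigcontroller.go
+++ b/pkg/operator/nodekubeconfigcontroller/nodekubeconfigcontroller.go
@@ -14,6 +14,7 @@ import (
 "github.com/openshift/cluster-kube-apiserver-operator/bindata"
 "github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient"
 "github.com/openshift/library-go/pkg/controller/factory"
+"github.com/openshift/library-go/pkg/operator/certrotation"
 "github.com/openshift/library-go/pkg/operator/events"
 "github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 "github.com/openshift/library-go/pkg/operator/resource/resourceread"
@@ -152,6 +153,13 @@ func ensureNodeKubeconfigs(ctx context.Context, client coreclientv1.CoreV1Interf
 requiredSecret.Annotations = map[string]string{}
 }
 requiredSecret.Annotations[annotations.OpenShiftComponent] = "kube-apiserver"
+// Copy not-before/not-after annotations from systemAdminClientCert
+if len(systemAdminCredsSecret.Annotations[certrotation.CertificateNotBeforeAnnotation]) > 0 {
+requiredSecret.Annotations[certrotation.CertificateNotBeforeAnnotation] = systemAdminCredsSecret.Annotations[certrotation.CertificateNotBeforeAnnotation]
+}
+if len(systemAdminCredsSecret.Annotations[certrotation.CertificateNotAfterAnnotation]) > 0 {
+requiredSecret.Annotations[certrotation.CertificateNotAfterAnnotation] = systemAdminCredsSecret.Annotations[certrotation.CertificateNotAfterAnnotation]
+}
 
 _, _, err = resourceapply.ApplySecret(ctx, client, recorder, requiredSecret)
 if err != nil {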
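Review bot: The two `len(...) > 0` guards in the second hunk mean that when node-system-admin-client carries no not-before/not-after annotation, node-kubeconfigs is written with no validity information at all, even though the embedded `tls.crt` bytes have a definite NotBefore/NotAfter that could be read directly; and because, as far as I recall, `resourceapply.ApplySecret` merges metadata rather than replacing it, an annotation that disappears from the source would leave a stale value on the derived secret indefinitely. Consider falling back to parsing the certificate (e.g. `cert.ParseCertsPEM` from `k8s.io/client-go/util/cert`, formatted with `time.RFC3339` to match what certrotation writes) whenever either annotation is missing, so the derived secret always reflects the client certificate it actually embeds; the sketch below regenerates both values from the cert in that case, which also keeps them consistent with each other. The comment on the first added line also names `systemAdminClientCert`, which is not the variable being read — `// Copy not-before/not-after annotations from systemAdminCredsSecret` would be accurate. ensureNodeKubeconfigs begins and ends outside this hunk, so the values of `systemAdminCredsSecret` and the ApplySecret semantics are inferred, not shown.
```go
requiredSecret.Annotations[annotations.OpenShiftComponent] = "kube-apiserver"
// Copy not-before/not-after from the system:admin secret; if either annotation is
// absent, derive both from the embedded client certificate so the derived secret
// is never left without (or with stale) validity information.
notBefore := systemAdminCredsSecret.Annotations[certrotation.CertificateNotBeforeAnnotation]
notAfter := systemAdminCredsSecret.Annotations[certrotation.CertificateNotAfterAnnotation]
if notBefore == "" || notAfter == "" {
	if certs, err := cert.ParseCertsPEM(systemAdminCredsSecret.Data["tls.crt"]); err == nil && len(certs) > 0 {
		notBefore = certs[0].NotBefore.UTC().Format(time.RFC3339)
		notAfter = certs[0].NotAfter.UTC().Format(time.RFC3339)
	}
}
if notBefore != "" {
	requiredSecret.Annotations[certrotation.CertificateNotBeforeAnnotation] = notBefore
}
if notAfter != "" {
	requiredSecret.Annotations[certrotation.CertificateNotAfterAnnotation] = notAfter
}
// … unchanged: ApplySecret call and error handling …
```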

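--- a/pkg/operator/nodekubeconfigcontroller/nodekubeconfigcontroller_test.go
+++ b/pkg/operator/nodekubeconfigcontroller/nodekubeconfigcontroller_test.go
@@ -2,12 +2,15 @@ package nodekubeconfigcontroller
 
 import (
 "context"
+"encoding/base64"
+"fmt"
 "testing"
 
 "github.com/google/go-cmp/cmp"
 "github.com/openshift/api/annotations"
 configv1 "github.com/openshift/api/config/v1"
 configlistersv1 "github.com/openshift/client-go/config/listers/config/v1"
+"github.com/openshift/library-go/pkg/operator/certrotation"
 "github.com/openshift/library-go/pkg/operator/events"
 corev1 "k8s.io/api/core/v1"
 apiequality "k8s.io/apimachinery/pkg/api/equality"
@@ -85,7 +88,34 @@ func (l *secretLister) Get(name string) (*corev1.Secret, error) {
 return l.client.CoreV1().Secrets(l.namespace).Get(context.Background(), name, metav1.GetOptions{})
 }
 
+const privateKey = `
+-----BEGIN PRIVATE KEY-----
+MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEArvkpSCWaStPfbYr4
+cCJyv8pXWnJ4K22emSrYDNcp7Dm6qjtN/lsVNuGDyWyR4cUaJYXkaD2OrZiXDzzk
+BZlS3QIDAQABAkA9BZhoGPUec5XQVk8ejGUIjkC4woM2YhyVvmNq1v8/6q6V+uPw
+yDEfBMapuLVY+QhyVELXFOCHA5iKxrlFHZThAiEA1XA5mlbHtrJqEZ7yI5m6+Szj
+7YVzSkdSgfDZ//heAh8CIQDR3VbN9QmJRIM1yhIkP9BoWSxvXdH6QMXdC2X7Tkwj
+gwIgcpbSxjLK/CIjYhx0oXpacIaSRCX+dKV//XVChPNh/T8CIQCSFscXZez2fhfs
+eLb6PuXfzbuN5ryFvVM/VXDvaIi96wIgcHjUpONghaoA51XejMAxWanDiwAgRV5H
+XNdFkBi4q7o=
+-----END PRIVATE KEY-----` // notsecret
+const publicKey = `-----BEGIN CERTIFICATE-----
+MIIBfzCCASmgAwIBAgIUEEUHu1PzqJCGQ63vxVokwBxGPYwwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MTEyNjA4NTA0NloXDTM0MTEy
+NDA4NTA0NlowFDESMBAGA1UEAwwJbG9jYWxob3N0MFwwDQYJKoZIhvcNAQEBBQAD
+SwAwSAJBAK75KUglmkrT322K+HAicr/KV1pyeCttnpkq2AzXKew5uqo7Tf5bFTbh
+g8lskeHFGiWF5Gg9jq2Ylw885AWZUt0CAwEAAaNTMFEwHQYDVR0OBBYEFJna5Io+
+idLKO73zypGl2itp92JUMB8GA1UdIwQYMBaAFJna5Io+idLKO73zypGl2itp92JU
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADQQB71tlkWNFDvMRxtz+a
+NYMU1thAVfVFciNXPS07tUduFSwVvYORUxx2w+5JfUdKu69hLpBFVPqvHQjPoQgc
+vUBI
+-----END CERTIFICATE-----`
+const certNotBefore = "2024-11-26T08:50:46Z"
+const certNotAfter = "2034-11-24T08:50:46Z"
+
 func TestEnsureNodeKubeconfigs(t *testing.T) {
+publicKeyBase64 := base64.StdEncoding.EncodeToString([]byte(publicKey))
+privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(privateKey))
 tt := []struct {
 name string
 existingObjects []runtime.Object
@@ -109,10 +139,14 @@ func TestEnsureNodeKubeconfigs(t *testing.T) {
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "openshift-kube-apiserver-operator",
 Name: "node-system-admin-client",
+Annotations: map[string]string{
+certrotation.CertificateNotBeforeAnnotation: certNotBefore,
+certrotation.CertificateNotAfterAnnotation: certNotAfter,
+},
 },
 Data: map[string][]byte{
-"tls.crt": []byte("system:admin certificate"),
-"tls.key": []byte("system:admin key"),
+"tls.crt": []byte(publicKey),
+"tls.key": []byte(privateKey),
 },
 },
 },
@@ -143,11 +177,13 @@ func TestEnsureNodeKubeconfigs(t *testing.T) {
 Namespace: "openshift-kube-apiserver",
 Name: "node-kubeconfigs",
 Annotations: map[string]string{
-annotations.OpenShiftComponent: "kube-apiserver",
+annotations.OpenShiftComponent: "kube-apiserver",
+certrotation.CertificateNotBeforeAnnotation: certNotBefore,
+certrotation.CertificateNotAfterAnnotation: certNotAfter,
 },
 },
 Data: map[string][]byte{
-"localhost.kubeconfig": []byte(`apiVersion: v1
+"localhost.kubeconfig": []byte(fmt.Sprintf(`apiVersion: v1
 kind: Config
 clusters:
 - cluster:
@@ -163,10 +199,10 @@ current-context: system:admin
 users:
 - name: system:admin
 user:
-client-certificate-data: c3lzdGVtOmFkbWluIGNlcnRpZmljYXRl
-client-key-data: c3lzdGVtOmFkbWluIGtleQ==
-`),
-"localhost-recovery.kubeconfig": []byte(`apiVersion: v1
+client-certificate-data: %s
+client-key-data: %s
+`, publicKeyBase64, privateKeyBase64)),
+"localhost-recovery.kubeconfig": []byte(fmt.Sprintf(`apiVersion: v1
 kind: Config
 clusters:
 - cluster:
@@ -183,10 +219,10 @@ current-context: system:admin
 users:
 - name: system:admin
 user:
-client-certificate-data: c3lzdGVtOmFkbWluIGNlcnRpZmljYXRl
-client-key-data: c3lzdGVtOmFkbWluIGtleQ==
-`),
-"lb-ext.kubeconfig": []byte(`apiVersion: v1
+client-certificate-data: %s
+client-key-data: %s
+`, publicKeyBase64, privateKeyBase64)),
+"lb-ext.kubeconfig": []byte(fmt.Sprintf(`apiVersion: v1
 kind: Config
 clusters:
 - cluster:
@@ -202,10 +238,10 @@ current-context: system:admin
 users:
 - name: system:admin
 user:
-client-certificate-data: c3lzdGVtOmFkbWluIGNlcnRpZmljYXRl
-client-key-data: c3lzdGVtOmFkbWluIGtleQ==
-`),
-"lb-int.kubeconfig": []byte(`apiVersion: v1
+client-certificate-data: %s
+client-key-data: %s
+`, publicKeyBase64, privateKeyBase64)),
+"lb-int.kubeconfig": []byte(fmt.Sprintf(`apiVersion: v1
 kind: Config
 clusters:
 - cluster:
@@ -221,9 +257,9 @@ current-context: system:admin
 users:
 - name: system:admin
 user:
-client-certificate-data: c3lzdGVtOmFkbWluIGNlcnRpZmljYXRl
-client-key-data: c3lzdGVtOmFkbWluIGtleQ==
-`),
+client-certificate-data: %s
+client-key-data: %s
+`, publicKeyBase64, privateKeyBase64)),
 },
 },
 },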
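Review bot: The new fixture only exercises the path where node-system-admin-client already carries both certrotation annotations, so the controller's skip-when-empty branches are untested; a second table case with the same secret minus its `Annotations` map, expecting node-kubeconfigs to carry only `annotations.OpenShiftComponent`, would pin that behavior and catch a future regression in either direction. The `certNotBefore`/`certNotAfter` constants are also never checked against the PEM in `publicKey` — nothing here parses the certificate, so the fixture can silently drift; a one-off `x509.ParseCertificate` of the decoded PEM asserting `NotBefore.UTC().Format(time.RFC3339) == certNotBefore` (and likewise for NotAfter) would keep them honest. The 512-bit test key is fine for a fixture and is already marked `// notsecret`, though a short comment such as `// Throwaway self-signed localhost cert/key pair used only to give the fixture realistic PEM; validity 2024-11-26 to 2034-11-24.` above `privateKey` would explain why real-looking PEM replaced the previous placeholder strings. TestEnsureNodeKubeconfigs continues past this section, so the remaining table cases and assertions are not visible here.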
