certrotation: set not-before/not-after annotations

Vadim Rutkovsky · Vadim Rutkovsky · commit 7c782c71eb51 · 2024-11-21T13:01:26.000+01:00
This ensures every secret managed by this controller has valid
annotation set. Instead of analyzing potentially sensitive secret
on customer cluster we should be able to tell if the certificate
rotation didn't happen and certificate expired by looking into
annotations
diff --git a/pkg/operator/certrotation/annotations.go b/pkg/operator/certrotation/annotations.go
@@ -6,6 +6,16 @@ import (
 )
 
 const (
+	// CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.
+	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
+	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
+	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
+	// CertificateIssuer contains the common name of the certificate that signed another certificate.
+	CertificateIssuer = "auth.openshift.io/certificate-issuer"
+	// CertificateHostnames contains the hostnames used by a signer.
+	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
+	// AutoRegenerateAfterOfflineExpiryAnnotation contains a link to PR and an e2e test name which verifies
+	// that TLS artifact is correctly regenerated after it has expired
 	AutoRegenerateAfterOfflineExpiryAnnotation string = "certificates.openshift.io/auto-regenerate-after-offline-expiry"
 )
 
@@ -17,6 +27,10 @@ type AdditionalAnnotations struct {
 	// AutoRegenerateAfterOfflineExpiry contains a link to PR and an e2e test name which verifies
 	// that TLS artifact is correctly regenerated after it has expired
 	AutoRegenerateAfterOfflineExpiry string
+	// NotBefore contains certificate the certificate creation date in RFC3339 format.
+	NotBefore string
+	// NotAfter contains certificate the certificate validity date in RFC3339 format.
+	NotAfter string
 }
 
 func (a AdditionalAnnotations) EnsureTLSMetadataUpdate(meta *metav1.ObjectMeta) bool {
@@ -36,6 +50,14 @@ func (a AdditionalAnnotations) EnsureTLSMetadataUpdate(meta *metav1.ObjectMeta)
 		meta.Annotations[AutoRegenerateAfterOfflineExpiryAnnotation] = a.AutoRegenerateAfterOfflineExpiry
 		modified = true
 	}
+	if len(a.NotBefore) > 0 && meta.Annotations[CertificateNotBeforeAnnotation] != a.NotBefore {
+		meta.Annotations[CertificateNotBeforeAnnotation] = a.NotBefore
+		modified = true
+	}
+	if len(a.NotAfter) > 0 && meta.Annotations[CertificateNotAfterAnnotation] != a.NotAfter {
+		meta.Annotations[CertificateNotAfterAnnotation] = a.NotAfter
+		modified = true
+	}
 	return modified
 }
 
diff --git a/pkg/operator/certrotation/client_cert_rotation_controller.go b/pkg/operator/certrotation/client_cert_rotation_controller.go
@@ -15,14 +15,6 @@ import (
 )
 
 const (
-	// CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.
-	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
-	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
-	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
-	// CertificateIssuer contains the common name of the certificate that signed another certificate.
-	CertificateIssuer = "auth.openshift.io/certificate-issuer"
-	// CertificateHostnames contains the hostnames used by a signer.
-	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
 	// RunOnceContextKey is a context value key that can be used to call the controller Sync() and make it only run the syncWorker once and report error.
 	RunOnceContextKey = "cert-rotation-controller.openshift.io/run-once"
 )
diff --git a/pkg/operator/certrotation/signer.go b/pkg/operator/certrotation/signer.go
@@ -90,7 +90,7 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 			reason = "secret doesn't exist"
 		}
 		c.EventRecorder.Eventf("SignerUpdateRequired", "%q in %q requires a new signing cert/key pair: %v", c.Name, c.Namespace, reason)
-		if err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, c.Validity); err != nil {
+		if err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, c.Validity, c.AdditionalAnnotations); err != nil {
 			return nil, false, err
 		}
 
@@ -194,7 +194,7 @@ func getValidityFromAnnotations(annotations map[string]string) (notBefore time.T
 }
 
 // setSigningCertKeyPairSecret creates a new signing cert/key pair and sets them in the secret
-func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validity time.Duration) error {
+func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validity time.Duration, annotations AdditionalAnnotations) error {
 	signerName := fmt.Sprintf("%s_%s@%d", signingCertKeyPairSecret.Namespace, signingCertKeyPairSecret.Name, time.Now().Unix())
 	ca, err := crypto.MakeSelfSignedCAConfigForDuration(signerName, validity)
 	if err != nil {
@@ -215,9 +215,11 @@ func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validi
 	}
 	signingCertKeyPairSecret.Data["tls.crt"] = certBytes.Bytes()
 	signingCertKeyPairSecret.Data["tls.key"] = keyBytes.Bytes()
-	signingCertKeyPairSecret.Annotations[CertificateNotAfterAnnotation] = ca.Certs[0].NotAfter.Format(time.RFC3339)
-	signingCertKeyPairSecret.Annotations[CertificateNotBeforeAnnotation] = ca.Certs[0].NotBefore.Format(time.RFC3339)
+	annotations.NotBefore = ca.Certs[0].NotBefore.Format(time.RFC3339)
+	annotations.NotAfter = ca.Certs[0].NotAfter.Format(time.RFC3339)
 	signingCertKeyPairSecret.Annotations[CertificateIssuer] = ca.Certs[0].Issuer.CommonName
 
+	_ = annotations.EnsureTLSMetadataUpdate(&signingCertKeyPairSecret.ObjectMeta)
+
 	return nil
 }
diff --git a/pkg/operator/certrotation/target.go b/pkg/operator/certrotation/target.go
@@ -251,8 +251,8 @@ func setTargetCertKeyPairSecret(targetCertKeyPairSecret *corev1.Secret, validity
 	if err != nil {
 		return err
 	}
-	targetCertKeyPairSecret.Annotations[CertificateNotAfterAnnotation] = certKeyPair.Certs[0].NotAfter.Format(time.RFC3339)
-	targetCertKeyPairSecret.Annotations[CertificateNotBeforeAnnotation] = certKeyPair.Certs[0].NotBefore.Format(time.RFC3339)
+	annotations.NotBefore = certKeyPair.Certs[0].NotBefore.Format(time.RFC3339)
+	annotations.NotAfter = certKeyPair.Certs[0].NotAfter.Format(time.RFC3339)
 	targetCertKeyPairSecret.Annotations[CertificateIssuer] = certKeyPair.Certs[0].Issuer.CommonName
 
 	_ = annotations.EnsureTLSMetadataUpdate(&targetCertKeyPairSecret.ObjectMeta)

Original file line number	Diff line number	Diff line change
`@@ -15,14 +15,6 @@ import (`
`15`	`15`	`)`
`16`	`16`
`17`	`17`	`const (`
`18`		`- // CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.`
`19`		`- CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"`
`20`		`- // CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.`
`21`		`- CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"`
`22`		`- // CertificateIssuer contains the common name of the certificate that signed another certificate.`
`23`		`- CertificateIssuer = "auth.openshift.io/certificate-issuer"`
`24`		`- // CertificateHostnames contains the hostnames used by a signer.`
`25`		`- CertificateHostnames = "auth.openshift.io/certificate-hostnames"`
`26`	`18`	`// RunOnceContextKey is a context value key that can be used to call the controller Sync() and make it only run the syncWorker once and report error.`
`27`	`19`	`RunOnceContextKey = "cert-rotation-controller.openshift.io/run-once"`
`28`	`20`	`)`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*`
`90`	`90`	`reason = "secret doesn't exist"`
`91`	`91`	`}`
`92`	`92`	`c.EventRecorder.Eventf("SignerUpdateRequired", "%q in %q requires a new signing cert/key pair: %v", c.Name, c.Namespace, reason)`
`93`		`- if err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, c.Validity); err != nil {`
	`93`	`+ if err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, c.Validity, c.AdditionalAnnotations); err != nil {`
`94`	`94`	`return nil, false, err`
`95`	`95`	`}`
`96`	`96`
`@@ -194,7 +194,7 @@ func getValidityFromAnnotations(annotations map[string]string) (notBefore time.T`
`194`	`194`	`}`
`195`	`195`
`196`	`196`	`// setSigningCertKeyPairSecret creates a new signing cert/key pair and sets them in the secret`
`197`		`-func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validity time.Duration) error {`
	`197`	`+func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validity time.Duration, annotations AdditionalAnnotations) error {`
`198`	`198`	`signerName := fmt.Sprintf("%s_%s@%d", signingCertKeyPairSecret.Namespace, signingCertKeyPairSecret.Name, time.Now().Unix())`
`199`	`199`	`ca, err := crypto.MakeSelfSignedCAConfigForDuration(signerName, validity)`
`200`	`200`	`if err != nil {`
`@@ -215,9 +215,11 @@ func setSigningCertKeyPairSecret(signingCertKeyPairSecret *corev1.Secret, validi`
`215`	`215`	`}`
`216`	`216`	`signingCertKeyPairSecret.Data["tls.crt"] = certBytes.Bytes()`
`217`	`217`	`signingCertKeyPairSecret.Data["tls.key"] = keyBytes.Bytes()`
`218`		`- signingCertKeyPairSecret.Annotations[CertificateNotAfterAnnotation] = ca.Certs[0].NotAfter.Format(time.RFC3339)`
`219`		`- signingCertKeyPairSecret.Annotations[CertificateNotBeforeAnnotation] = ca.Certs[0].NotBefore.Format(time.RFC3339)`
	`218`	`+ annotations.NotBefore = ca.Certs[0].NotBefore.Format(time.RFC3339)`
	`219`	`+ annotations.NotAfter = ca.Certs[0].NotAfter.Format(time.RFC3339)`
`220`	`220`	`signingCertKeyPairSecret.Annotations[CertificateIssuer] = ca.Certs[0].Issuer.CommonName`
`221`	`221`
	`222`	`+ _ = annotations.EnsureTLSMetadataUpdate(&signingCertKeyPairSecret.ObjectMeta)`
	`223`	`+`
`222`	`224`	`return nil`
`223`	`225`	`}`