certrotation: Fix using a wrong annotation value

tchap · tchap · commit 84b8a5b18079 · 2025-11-27T14:28:58.000+01:00
This is actually not affecting the logic, but a wrong error is returned.

Improved the unit test to check events and annotation keys.
diff --git a/pkg/operator/certrotation/signer.go b/pkg/operator/certrotation/signer.go
@@ -188,7 +188,7 @@ func getValidityFromAnnotations(annotations map[string]string) (notBefore time.T
 		return notBefore, notAfter, fmt.Sprintf("bad expiry: %q", notAfterString)
 	}
 	notBeforeString := annotations[CertificateNotBeforeAnnotation]
-	if len(notAfterString) == 0 {
+	if len(notBeforeString) == 0 {
 		return notBefore, notAfter, "missing notBefore"
 	}
 	notBefore, err = time.Parse(time.RFC3339, notBeforeString)
diff --git a/pkg/operator/certrotation/signer_test.go b/pkg/operator/certrotation/signer_test.go
@@ -2,11 +2,14 @@ package certrotation
 
 import (
 	"context"
-	clocktesting "k8s.io/utils/clock/testing"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/google/go-cmp/cmp"
+	"k8s.io/apimachinery/pkg/util/sets"
+	clocktesting "k8s.io/utils/clock/testing"
+
 	"github.com/davecgh/go-spew/spew"
 
 	corev1 "k8s.io/api/core/v1"
@@ -21,56 +24,96 @@ import (
 )
 
 func TestEnsureSigningCertKeyPair(t *testing.T) {
+	verifyActionFunc := func(check func(t *testing.T, action clienttesting.Action)) func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) {
+		return func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) {
+			t.Helper()
+			actions := client.Actions()
+			if len(actions) != 1 {
+				t.Fatal(spew.Sdump(actions))
+			}
+
+			if !controllerUpdatedSecret {
+				t.Errorf("expected controller to update secret")
+			}
+
+			if check != nil {
+				check(t, actions[0])
+			}
+
+			actual := actions[0].(clienttesting.CreateAction).GetObject().(*corev1.Secret)
+			if certType, _ := CertificateTypeFromObject(actual); certType != CertificateTypeSigner {
+				t.Errorf("expected certificate type 'signer', got: %v", certType)
+			}
+			if len(actual.Data["tls.crt"]) == 0 || len(actual.Data["tls.key"]) == 0 {
+				t.Error(actual.Data)
+			}
+
+			expectedAnnotationKeys := sets.New[string](
+				"auth.openshift.io/certificate-not-after",
+				"auth.openshift.io/certificate-not-before",
+				"auth.openshift.io/certificate-issuer",
+				"certificates.openshift.io/refresh-period",
+				"openshift.io/owning-component",
+			)
+			if keys := sets.KeySet(actual.Annotations); !keys.Equal(expectedAnnotationKeys) {
+				t.Errorf("Annotation keys don't match:\n%s", cmp.Diff(expectedAnnotationKeys, keys))
+			}
+
+			ownershipValue, found := actual.Annotations[annotations.OpenShiftComponent]
+			if !found {
+				t.Errorf("expected secret to have ownership annotations, got: %v", actual.Annotations)
+			}
+			if ownershipValue != "test" {
+				t.Errorf("expected ownership annotation to be 'test', got: %v", ownershipValue)
+			}
+			if len(actual.OwnerReferences) != 1 {
+				t.Errorf("expected to have exactly one owner reference")
+			}
+			if actual.OwnerReferences[0].Name != "operator" {
+				t.Errorf("expected owner reference to be 'operator', got %v", actual.OwnerReferences[0].Name)
+			}
+		}
+	}
+
+	verifyActionsOnCreated := verifyActionFunc(func(t *testing.T, action clienttesting.Action) {
+		t.Helper()
+		if !action.Matches("create", "secrets") {
+			t.Error(action)
+		}
+	})
+
+	verifyActionsOnUpdated := verifyActionFunc(func(t *testing.T, action clienttesting.Action) {
+		t.Helper()
+		if !action.Matches("update", "secrets") {
+			t.Error(action)
+		}
+	})
+
+	verifyActionsEmpty := func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) {
+		t.Helper()
+		actions := client.Actions()
+		if len(actions) != 0 {
+			t.Fatal(spew.Sdump(actions))
+		}
+	}
+
 	tests := []struct {
 		name string
 
 		initialSecret          *corev1.Secret
 		RefreshOnlyWhenExpired bool
 
-		verifyActions func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool)
-		expectedError string
+		verifyActions  func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool)
+		expectedError  string
+		expectedEvents []*corev1.Event
 	}{
 		{
 			name:                   "initial create",
 			RefreshOnlyWhenExpired: false,
-			verifyActions: func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) {
-				t.Helper()
-				actions := client.Actions()
-				if len(actions) != 1 {
-					t.Fatal(spew.Sdump(actions))
-				}
-
-				if !controllerUpdatedSecret {
-					t.Errorf("expected controller to update secret")
-				}
-
-				if !actions[0].Matches("create", "secrets") {
-					t.Error(actions[0])
-				}
-
-				actual := actions[0].(clienttesting.CreateAction).GetObject().(*corev1.Secret)
-				if certType, _ := CertificateTypeFromObject(actual); certType != CertificateTypeSigner {
-					t.Errorf("expected certificate type 'signer', got: %v", certType)
-				}
-				if len(actual.Data["tls.crt"]) == 0 || len(actual.Data["tls.key"]) == 0 {
-					t.Error(actual.Data)
-				}
-				if len(actual.Annotations) == 0 {
-					t.Errorf("expected certificates to be annotated")
-				}
-				ownershipValue, found := actual.Annotations[annotations.OpenShiftComponent]
-				if !found {
-					t.Errorf("expected secret to have ownership annotations, got: %v", actual.Annotations)
-				}
-				if ownershipValue != "test" {
-					t.Errorf("expected ownership annotation to be 'test', got: %v", ownershipValue)
-				}
-				if len(actual.OwnerReferences) != 1 {
-					t.Errorf("expected to have exactly one owner reference")
-				}
-				if actual.OwnerReferences[0].Name != "operator" {
-					t.Errorf("expected owner reference to be 'operator', got %v", actual.OwnerReferences[0].Name)
-				}
+			verifyActions:          verifyActionsOnCreated,
+			expectedEvents: []*corev1.Event{
+				{Reason: "SignerUpdateRequired", Message: `"signer" in "ns" requires a new signing cert/key pair: secret doesn't exist`},
+				{Reason: "SecretCreated", Message: `Created Secret/signer -n ns because it was missing`},
 			},
 		},
 		{
@@ -81,40 +124,48 @@ func TestEnsureSigningCertKeyPair(t *testing.T) {
 				Data:       map[string][]byte{"tls.crt": {}, "tls.key": {}},
 			},
 			RefreshOnlyWhenExpired: false,
-			verifyActions: func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) {
-				t.Helper()
-				actions := client.Actions()
-				if len(actions) != 1 {
-					t.Fatal(spew.Sdump(actions))
-				}
-
-				if !actions[0].Matches("update", "secrets") {
-					t.Error(actions[0])
-				}
-				if !controllerUpdatedSecret {
-					t.Errorf("expected controller to update secret")
-				}
-
-				actual := actions[0].(clienttesting.UpdateAction).GetObject().(*corev1.Secret)
-				if certType, _ := CertificateTypeFromObject(actual); certType != CertificateTypeSigner {
-					t.Errorf("expected certificate type 'signer', got: %v", certType)
-				}
-				if len(actual.Data["tls.crt"]) == 0 || len(actual.Data["tls.key"]) == 0 {
-					t.Error(actual.Data)
-				}
-				ownershipValue, found := actual.Annotations[annotations.OpenShiftComponent]
-				if !found {
-					t.Errorf("expected secret to have ownership annotations, got: %v", actual.Annotations)
-				}
-				if ownershipValue != "test" {
-					t.Errorf("expected ownership annotation to be 'test', got: %v", ownershipValue)
-				}
-				if len(actual.OwnerReferences) != 1 {
-					t.Errorf("expected to have exactly one owner reference")
-				}
-				if actual.OwnerReferences[0].Name != "operator" {
-					t.Errorf("expected owner reference to be 'operator', got %v", actual.OwnerReferences[0].Name)
-				}
+			verifyActions:          verifyActionsOnUpdated,
+			expectedEvents: []*corev1.Event{
+				{Reason: "SignerUpdateRequired", Message: `"signer" in "ns" requires a new signing cert/key pair: missing notAfter`},
+				{Reason: "SecretUpdated", Message: `Updated Secret/signer -n ns because it changed`},
+			},
+		},
+		{
+			name: "update on missing notAfter annotation",
+			initialSecret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "signer", ResourceVersion: "10",
+					Annotations: map[string]string{
+						"auth.openshift.io/certificate-not-before": "2108-09-08T20:47:31-07:00",
+						annotations.OpenShiftComponent:             "test",
+					},
+				},
+				Type: corev1.SecretTypeTLS,
+				Data: map[string][]byte{"tls.crt": {}, "tls.key": {}},
+			},
+			RefreshOnlyWhenExpired: false,
+			verifyActions:          verifyActionsOnUpdated,
+			expectedEvents: []*corev1.Event{
+				{Reason: "SignerUpdateRequired", Message: `"signer" in "ns" requires a new signing cert/key pair: missing notAfter`},
+				{Reason: "SecretUpdated", Message: `Updated Secret/signer -n ns because it changed`},
+			},
+		},
+		{
+			name: "update on missing notBefore annotation",
+			initialSecret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns", Name: "signer", ResourceVersion: "10",
+					Annotations: map[string]string{
+						"auth.openshift.io/certificate-not-after": "2108-09-08T22:47:31-07:00",
+						annotations.OpenShiftComponent:            "test",
+					},
+				},
+				Type: corev1.SecretTypeTLS,
+				Data: map[string][]byte{"tls.crt": {}, "tls.key": {}},
+			},
+			RefreshOnlyWhenExpired: false,
+			verifyActions:          verifyActionsOnUpdated,
+			expectedEvents: []*corev1.Event{
+				{Reason: "SignerUpdateRequired", Message: `"signer" in "ns" requires a new signing cert/key pair: missing notBefore`},
+				{Reason: "SecretUpdated", Message: `Updated Secret/signer -n ns because it changed`},
 			},
 		},
 		{
@@ -135,14 +186,8 @@ func TestEnsureSigningCertKeyPair(t *testing.T) {
 				Data: map[string][]byte{"tls.crt": {}, "tls.key": {}},
 			},
 			RefreshOnlyWhenExpired: false,
-			verifyActions: func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) {
-				t.Helper()
-				actions := client.Actions()
-				if len(actions) != 0 {
-					t.Fatal(spew.Sdump(actions))
-				}
-			},
-			expectedError: "certFile missing", // this means we tried to read the cert from the existing secret.  If we created one, we fail in the client check
+			verifyActions:          verifyActionsEmpty,
+			expectedError:          "certFile missing", // this means we tried to read the cert from the existing secret.  If we created one, we fail in the client check
 		},
 		{
 			name: "update with RefreshOnlyWhenExpired set",
@@ -160,14 +205,8 @@ func TestEnsureSigningCertKeyPair(t *testing.T) {
 				Data: map[string][]byte{"tls.crt": {}, "tls.key": {}},
 			},
 			RefreshOnlyWhenExpired: true,
-			verifyActions: func(t *testing.T, client *kubefake.Clientset, controllerUpdatedSecret bool) {
-				t.Helper()
-				actions := client.Actions()
-				if len(actions) != 0 {
-					t.Fatal(spew.Sdump(actions))
-				}
-			},
-			expectedError: "certFile missing", // this means we tried to read the cert from the existing secret.  If we created one, we fail in the client check
+			verifyActions:          verifyActionsEmpty,
+			expectedError:          "certFile missing", // this means we tried to read the cert from the existing secret.  If we created one, we fail in the client check
 		},
 	}
 
@@ -181,14 +220,16 @@ func TestEnsureSigningCertKeyPair(t *testing.T) {
 				client = kubefake.NewSimpleClientset(test.initialSecret)
 			}
 
+			recorder := events.NewInMemoryRecorder("test", clocktesting.NewFakePassiveClock(time.Now()))
+
 			c := &RotatedSigningCASecret{
 				Namespace:     "ns",
 				Name:          "signer",
 				Validity:      24 * time.Hour,
 				Refresh:       12 * time.Hour,
 				Client:        client.CoreV1(),
 				Lister:        corev1listers.NewSecretLister(indexer),
-				EventRecorder: events.NewInMemoryRecorder("test", clocktesting.NewFakePassiveClock(time.Now())),
+				EventRecorder: recorder,
 				AdditionalAnnotations: AdditionalAnnotations{
 					JiraComponent: "test",
 				},
@@ -209,6 +250,25 @@ func TestEnsureSigningCertKeyPair(t *testing.T) {
 			}
 
 			test.verifyActions(t, client, updated)
+
+			if events := pruneEventFieldsForComparison(recorder.Events()); !cmp.Equal(events, test.expectedEvents) {
+				t.Errorf("Events mismatch (-want +got):\n%s", cmp.Diff(test.expectedEvents, events))
+			}
 		})
 	}
 }
+
+func pruneEventFieldsForComparison(events []*corev1.Event) []*corev1.Event {
+	if len(events) == 0 {
+		return nil
+	}
+
+	out := make([]*corev1.Event, len(events))
+	for i, event := range events {
+		out[i] = &corev1.Event{
+			Reason:  event.Reason,
+			Message: event.Message,
+		}
+	}
+	return out
+}

Original file line number	Diff line number	Diff line change
`@@ -188,7 +188,7 @@ func getValidityFromAnnotations(annotations map[string]string) (notBefore time.T`
`188`	`188`	`return notBefore, notAfter, fmt.Sprintf("bad expiry: %q", notAfterString)`
`189`	`189`	`}`
`190`	`190`	`notBeforeString := annotations[CertificateNotBeforeAnnotation]`
`191`		`- if len(notAfterString) == 0 {`
	`191`	`+ if len(notBeforeString) == 0 {`
`192`	`192`	`return notBefore, notAfter, "missing notBefore"`
`193`	`193`	`}`
`194`	`194`	`notBefore, err = time.Parse(time.RFC3339, notBeforeString)`