11package autoregenerate_after_expiry
22
3- import (
4- "encoding/json"
5- "fmt"
3+ import "github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
64
7- "github.com/ openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces "
5+ const annotationName string = "certificates. openshift.io/auto-regenerate-after-offline-expiry "
86
9- "github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
10- "k8s.io/apimachinery/pkg/util/sets"
11- )
12-
13- // TODO move to openshift/api
14- const AutoRegenerateAfterOfflineExpiryAnnotation = "certificates.openshift.io/auto-regenerate-after-offline-expiry"
15-
16- type AutoRegenerateAfterOfflineExpiryRequirement struct {
17- name string
18- }
7+ type AutoRegenerateAfterOfflineExpiryRequirement struct {}
198
209func NewAutoRegenerateAfterOfflineExpiryRequirement () tlsmetadatainterfaces.Requirement {
21- return AutoRegenerateAfterOfflineExpiryRequirement {
22- name : "autoregenerate-after-expiry" ,
23- }
24- }
25-
26- func (o AutoRegenerateAfterOfflineExpiryRequirement ) InspectRequirement (rawData []* certgraphapi.PKIList ) (tlsmetadatainterfaces.RequirementResult , error ) {
27- pkiInfo , err := tlsmetadatainterfaces .ProcessByLocation (rawData )
28- if err != nil {
29- return nil , fmt .Errorf ("transforming raw data %v: %w" , o .GetName (), err )
30- }
31-
32- ownershipJSONBytes , err := json .MarshalIndent (pkiInfo , "" , " " )
33- if err != nil {
34- return nil , fmt .Errorf ("failure marshalling %v.json: %w" , o .GetName (), err )
35- }
36- markdown , err := generateAutoRegenerateAfterOfflineExpiryshipMarkdown (pkiInfo )
37- if err != nil {
38- return nil , fmt .Errorf ("failure marshalling %v.md: %w" , o .GetName (), err )
39- }
40- violations := generateViolationJSON (pkiInfo )
41- violationJSONBytes , err := json .MarshalIndent (violations , "" , " " )
42- if err != nil {
43- return nil , fmt .Errorf ("failure marshalling %v-violations.json: %w" , o .GetName (), err )
44- }
4510
46- return tlsmetadatainterfaces .NewRequirementResult (
47- o .GetName (),
48- ownershipJSONBytes ,
49- markdown ,
50- violationJSONBytes )
51- }
52-
53- func generateViolationJSON (pkiInfo * certgraphapi.PKIRegistryInfo ) * certgraphapi.PKIRegistryInfo {
54- ret := & certgraphapi.PKIRegistryInfo {}
55-
56- for i := range pkiInfo .CertKeyPairs {
57- curr := pkiInfo .CertKeyPairs [i ]
58- regenerates , _ := tlsmetadatainterfaces .AnnotationValue (curr .CertKeyInfo .SelectedCertMetadataAnnotations , AutoRegenerateAfterOfflineExpiryAnnotation )
59- if len (regenerates ) == 0 {
60- ret .CertKeyPairs = append (ret .CertKeyPairs , curr )
61- }
62- }
63- for i := range pkiInfo .CertificateAuthorityBundles {
64- curr := pkiInfo .CertificateAuthorityBundles [i ]
65- regenerates , _ := tlsmetadatainterfaces .AnnotationValue (curr .CABundleInfo .SelectedCertMetadataAnnotations , AutoRegenerateAfterOfflineExpiryAnnotation )
66- if len (regenerates ) == 0 {
67- ret .CertificateAuthorityBundles = append (ret .CertificateAuthorityBundles , curr )
68- }
69- }
70-
71- return ret
72- }
73-
74- func generateAutoRegenerateAfterOfflineExpiryshipMarkdown (pkiInfo * certgraphapi.PKIRegistryInfo ) ([]byte , error ) {
75- compliantCertsByOwner := map [string ][]certgraphapi.PKIRegistryInClusterCertKeyPair {}
76- violatingCertsByOwner := map [string ][]certgraphapi.PKIRegistryInClusterCertKeyPair {}
77- compliantCABundlesByOwner := map [string ][]certgraphapi.PKIRegistryInClusterCABundle {}
78- violatingCABundlesByOwner := map [string ][]certgraphapi.PKIRegistryInClusterCABundle {}
79-
80- for i := range pkiInfo .CertKeyPairs {
81- curr := pkiInfo .CertKeyPairs [i ]
82- owner := curr .CertKeyInfo .OwningJiraComponent
83- regenerates , _ := tlsmetadatainterfaces .AnnotationValue (curr .CertKeyInfo .SelectedCertMetadataAnnotations , AutoRegenerateAfterOfflineExpiryAnnotation )
84- if len (regenerates ) == 0 {
85- violatingCertsByOwner [owner ] = append (violatingCertsByOwner [owner ], curr )
86- continue
87- }
88-
89- compliantCertsByOwner [owner ] = append (compliantCertsByOwner [owner ], curr )
90- }
91- for i := range pkiInfo .CertificateAuthorityBundles {
92- curr := pkiInfo .CertificateAuthorityBundles [i ]
93- owner := curr .CABundleInfo .OwningJiraComponent
94- regenerates , _ := tlsmetadatainterfaces .AnnotationValue (curr .CABundleInfo .SelectedCertMetadataAnnotations , AutoRegenerateAfterOfflineExpiryAnnotation )
95- if len (regenerates ) == 0 {
96- violatingCABundlesByOwner [owner ] = append (violatingCABundlesByOwner [owner ], curr )
97- continue
98- }
99- compliantCABundlesByOwner [owner ] = append (compliantCABundlesByOwner [owner ], curr )
100- }
101-
102- md := tlsmetadatainterfaces .NewMarkdown ("Auto Regenerate After Offline Expiry" )
11+ md := tlsmetadatainterfaces .NewMarkdown ("" )
10312 md .Text ("Acknowledging that a cert/key pair or CA bundle can auto-regenerate after it expires offline means" )
10413 md .Text ("that if the cluster is shut down until the certificate expires, when the machines are restarted" )
10514 md .Text ("the cluster will automatically create new cert/key pairs or update CA bundles as required without human" )
10615 md .Text ("intervention." )
10716 md .Textf ("To assert that a particular cert/key pair or CA bundle can do this, add the %q annotation to the secret or configmap and " ,
108- AutoRegenerateAfterOfflineExpiryAnnotation )
17+ annotationName )
10918 md .Text ("setting the value of the annotation a github link to the PR adding the annotation." )
11019 md .Text ("This assertion also means that you have" )
11120 md .OrderedListStart ()
@@ -117,93 +26,12 @@ func generateAutoRegenerateAfterOfflineExpiryshipMarkdown(pkiInfo *certgraphapi.
11726 md .OrderedListEnd ()
11827 md .Text ("Links should be provided in the PR adding the annotation." )
11928
120- if len (violatingCertsByOwner ) > 0 || len (violatingCABundlesByOwner ) > 0 {
121- numViolators := 0
122- for _ , v := range violatingCertsByOwner {
123- numViolators += len (v )
124- }
125- for _ , v := range violatingCABundlesByOwner {
126- numViolators += len (v )
127- }
128- md .Title (2 , fmt .Sprintf ("Items That Cannot Auto Regenerate After Offline Expiry (%d)" , numViolators ))
129- violatingOwners := sets .StringKeySet (violatingCertsByOwner )
130- violatingOwners .Insert (sets .StringKeySet (violatingCABundlesByOwner ).UnsortedList ()... )
131- for _ , owner := range violatingOwners .List () {
132- md .Title (3 , fmt .Sprintf ("%s (%d)" , owner , len (violatingCertsByOwner [owner ])+ len (violatingCABundlesByOwner [owner ])))
133- certs := violatingCertsByOwner [owner ]
134- if len (certs ) > 0 {
135- md .Title (4 , fmt .Sprintf ("Certificates (%d)" , len (certs )))
136- md .OrderedListStart ()
137- for _ , curr := range certs {
138- md .NewOrderedListItem ()
139- md .Textf ("ns/%v secret/%v\n " , curr .SecretLocation .Namespace , curr .SecretLocation .Name )
140- md .Textf ("**Description:** %v" , curr .CertKeyInfo .Description )
141- md .Text ("\n " )
142- }
143- md .OrderedListEnd ()
144- md .Text ("\n " )
145- }
146-
147- caBundles := violatingCABundlesByOwner [owner ]
148- if len (caBundles ) > 0 {
149- md .Title (4 , fmt .Sprintf ("Certificate Authority Bundles (%d)" , len (caBundles )))
150- md .OrderedListStart ()
151- for _ , curr := range caBundles {
152- md .NewOrderedListItem ()
153- md .Textf ("ns/%v configmap/%v\n " , curr .ConfigMapLocation .Namespace , curr .ConfigMapLocation .Name )
154- md .Textf ("**Description:** %v" , curr .CABundleInfo .Description )
155- md .Text ("\n " )
156- }
157- md .OrderedListEnd ()
158- md .Text ("\n " )
159- }
160- }
161- }
162-
163- numCompliant := 0
164- for _ , v := range compliantCertsByOwner {
165- numCompliant += len (v )
166- }
167- for _ , v := range compliantCABundlesByOwner {
168- numCompliant += len (v )
169- }
170- md .Title (2 , fmt .Sprintf ("Items That Can Auto Regenerate After Offline Expiry (%d)" , numCompliant ))
171- allAutoRegenerateAfterOfflineExpirys := sets .StringKeySet (compliantCertsByOwner )
172- allAutoRegenerateAfterOfflineExpirys .Insert (sets .StringKeySet (compliantCABundlesByOwner ).UnsortedList ()... )
173- for _ , owner := range allAutoRegenerateAfterOfflineExpirys .List () {
174- md .Title (3 , fmt .Sprintf ("%s (%d)" , owner , len (compliantCertsByOwner [owner ])+ len (compliantCABundlesByOwner [owner ])))
175- certs := compliantCertsByOwner [owner ]
176- if len (certs ) > 0 {
177- md .Title (4 , fmt .Sprintf ("Certificates (%d)" , len (certs )))
178- md .OrderedListStart ()
179- for _ , curr := range certs {
180- md .NewOrderedListItem ()
181- md .Textf ("ns/%v secret/%v\n " , curr .SecretLocation .Namespace , curr .SecretLocation .Name )
182- md .Textf ("**Description:** %v" , curr .CertKeyInfo .Description )
183- md .Text ("\n " )
184- }
185- md .OrderedListEnd ()
186- md .Text ("\n " )
187- }
188-
189- caBundles := compliantCABundlesByOwner [owner ]
190- if len (caBundles ) > 0 {
191- md .Title (4 , fmt .Sprintf ("Certificate Authority Bundles (%d)" , len (caBundles )))
192- md .OrderedListStart ()
193- for _ , curr := range caBundles {
194- md .NewOrderedListItem ()
195- md .Textf ("ns/%v configmap/%v\n " , curr .ConfigMapLocation .Namespace , curr .ConfigMapLocation .Name )
196- md .Textf ("**Description:** %v" , curr .CABundleInfo .Description )
197- md .Text ("\n " )
198- }
199- md .OrderedListEnd ()
200- md .Text ("\n " )
201- }
202- }
203-
204- return md .Bytes (), nil
205- }
206-
207- func (o AutoRegenerateAfterOfflineExpiryRequirement ) GetName () string {
208- return o .name
29+ return tlsmetadatainterfaces .NewAnnotationRequirement (
30+ // requirement name
31+ "autoregenerate-after-expiry" ,
32+ // cert or configmap annotation
33+ annotationName ,
34+ "Auto Regenerate After Offline Expiry" ,
35+ string (md .ExactBytes ()),
36+ )
20937}
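Review bot: The exported constant AutoRegenerateAfterOfflineExpiryAnnotation is dropped in favour of the unexported annotationName (new line 5), which would break any importer that still references it, and the removed `// TODO move to openshift/api` comment suggests the name was meant to be shared, so keep an exported alias, `const AutoRegenerateAfterOfflineExpiryAnnotation = annotationName`, with a doc comment stating that it marks a secret or configmap whose cert/key pair or CA bundle is expected to regenerate after offline expiry. The empty `AutoRegenerateAfterOfflineExpiryRequirement struct{}` kept on the new side (new line 7) is referenced by nothing visible here, since the constructor now returns tlsmetadatainterfaces.NewAnnotationRequirement rather than a value of that type, so either delete it or add a comment explaining why it stays. Compliance is now decided inside NewAnnotationRequirement, which is not in this diff; if it only tests for presence, as the removed generateViolationJSON did with `len(regenerates) == 0`, then any non-empty value still counts as an assertion even though the markdown asks for a link to the PR, so that expectation should be documented (or enforced) in the shared helper rather than left implicit. NewAutoRegenerateAfterOfflineExpiryRequirement is exported and has no doc comment; `// NewAutoRegenerateAfterOfflineExpiryRequirement builds the requirement that reports which cert/key pairs and CA bundles carry the auto-regenerate-after-offline-expiry annotation.` would do. New lines 21–25 (the ordered-list items in the markdown) fall between the two hunks and are not visible here.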