refactor to simplify annotation requirement callers

Author: deads2k

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/autoregenerate_after_expiry/requirement.go

@@ -1,58 +1,14 @@
 package autoregenerate_after_expiry
 
-import (
-	"fmt"
-
-	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
-
-	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
-	"k8s.io/apimachinery/pkg/util/sets"
-)
+import "github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
 
 const annotationName string = "certificates.openshift.io/auto-regenerate-after-offline-expiry"
 
 type AutoRegenerateAfterOfflineExpiryRequirement struct{}
 
 func NewAutoRegenerateAfterOfflineExpiryRequirement() tlsmetadatainterfaces.Requirement {
-	return tlsmetadatainterfaces.NewAnnotationRequirement(
-		// requirement name
-		"autoregenerate-after-expiry",
-		// cert or configmap annotation
-		annotationName,
-		// function which generates markdown report
-		generateAutoRegenerateAfterOfflineExpiryMarkdownFn,
-	)
-}
-
-func generateAutoRegenerateAfterOfflineExpiryMarkdownFn(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, error) {
-	compliantCertsByOwner := map[string][]certgraphapi.PKIRegistryInClusterCertKeyPair{}
-	violatingCertsByOwner := map[string][]certgraphapi.PKIRegistryInClusterCertKeyPair{}
-	compliantCABundlesByOwner := map[string][]certgraphapi.PKIRegistryInClusterCABundle{}
-	violatingCABundlesByOwner := map[string][]certgraphapi.PKIRegistryInClusterCABundle{}
-
-	for i := range pkiInfo.CertKeyPairs {
-		curr := pkiInfo.CertKeyPairs[i]
-		owner := curr.CertKeyInfo.OwningJiraComponent
-		regenerates, _ := tlsmetadatainterfaces.AnnotationValue(curr.CertKeyInfo.SelectedCertMetadataAnnotations, annotationName)
-		if len(regenerates) == 0 {
-			violatingCertsByOwner[owner] = append(violatingCertsByOwner[owner], curr)
-			continue
-		}
 
-		compliantCertsByOwner[owner] = append(compliantCertsByOwner[owner], curr)
-	}
-	for i := range pkiInfo.CertificateAuthorityBundles {
-		curr := pkiInfo.CertificateAuthorityBundles[i]
-		owner := curr.CABundleInfo.OwningJiraComponent
-		regenerates, _ := tlsmetadatainterfaces.AnnotationValue(curr.CABundleInfo.SelectedCertMetadataAnnotations, annotationName)
-		if len(regenerates) == 0 {
-			violatingCABundlesByOwner[owner] = append(violatingCABundlesByOwner[owner], curr)
-			continue
-		}
-		compliantCABundlesByOwner[owner] = append(compliantCABundlesByOwner[owner], curr)
-	}
-
-	md := tlsmetadatainterfaces.NewMarkdown("Auto Regenerate After Offline Expiry")
+	md := tlsmetadatainterfaces.NewMarkdown("")
 	md.Text("Acknowledging that a cert/key pair or CA bundle can auto-regenerate after it expires offline means")
 	md.Text("that if the cluster is shut down until the certificate expires, when the machines are restarted")
 	md.Text("the cluster will automatically create new cert/key pairs or update CA bundles as required without human")
@@ -70,89 +26,12 @@ func generateAutoRegenerateAfterOfflineExpiryMarkdownFn(pkiInfo *certgraphapi.PK
 	md.OrderedListEnd()
 	md.Text("Links should be provided in the PR adding the annotation.")
 
-	if len(violatingCertsByOwner) > 0 || len(violatingCABundlesByOwner) > 0 {
-		numViolators := 0
-		for _, v := range violatingCertsByOwner {
-			numViolators += len(v)
-		}
-		for _, v := range violatingCABundlesByOwner {
-			numViolators += len(v)
-		}
-		md.Title(2, fmt.Sprintf("Items That Cannot Auto Regenerate After Offline Expiry (%d)", numViolators))
-		violatingOwners := sets.StringKeySet(violatingCertsByOwner)
-		violatingOwners.Insert(sets.StringKeySet(violatingCABundlesByOwner).UnsortedList()...)
-		for _, owner := range violatingOwners.List() {
-			md.Title(3, fmt.Sprintf("%s (%d)", owner, len(violatingCertsByOwner[owner])+len(violatingCABundlesByOwner[owner])))
-			certs := violatingCertsByOwner[owner]
-			if len(certs) > 0 {
-				md.Title(4, fmt.Sprintf("Certificates (%d)", len(certs)))
-				md.OrderedListStart()
-				for _, curr := range certs {
-					md.NewOrderedListItem()
-					md.Textf("ns/%v secret/%v\n", curr.SecretLocation.Namespace, curr.SecretLocation.Name)
-					md.Textf("**Description:** %v", curr.CertKeyInfo.Description)
-					md.Text("\n")
-				}
-				md.OrderedListEnd()
-				md.Text("\n")
-			}
-
-			caBundles := violatingCABundlesByOwner[owner]
-			if len(caBundles) > 0 {
-				md.Title(4, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundles)))
-				md.OrderedListStart()
-				for _, curr := range caBundles {
-					md.NewOrderedListItem()
-					md.Textf("ns/%v configmap/%v\n", curr.ConfigMapLocation.Namespace, curr.ConfigMapLocation.Name)
-					md.Textf("**Description:** %v", curr.CABundleInfo.Description)
-					md.Text("\n")
-				}
-				md.OrderedListEnd()
-				md.Text("\n")
-			}
-		}
-	}
-
-	numCompliant := 0
-	for _, v := range compliantCertsByOwner {
-		numCompliant += len(v)
-	}
-	for _, v := range compliantCABundlesByOwner {
-		numCompliant += len(v)
-	}
-	md.Title(2, fmt.Sprintf("Items That Can Auto Regenerate After Offline Expiry (%d)", numCompliant))
-	allAutoRegenerateAfterOfflineExpirys := sets.StringKeySet(compliantCertsByOwner)
-	allAutoRegenerateAfterOfflineExpirys.Insert(sets.StringKeySet(compliantCABundlesByOwner).UnsortedList()...)
-	for _, owner := range allAutoRegenerateAfterOfflineExpirys.List() {
-		md.Title(3, fmt.Sprintf("%s (%d)", owner, len(compliantCertsByOwner[owner])+len(compliantCABundlesByOwner[owner])))
-		certs := compliantCertsByOwner[owner]
-		if len(certs) > 0 {
-			md.Title(4, fmt.Sprintf("Certificates (%d)", len(certs)))
-			md.OrderedListStart()
-			for _, curr := range certs {
-				md.NewOrderedListItem()
-				md.Textf("ns/%v secret/%v\n", curr.SecretLocation.Namespace, curr.SecretLocation.Name)
-				md.Textf("**Description:** %v", curr.CertKeyInfo.Description)
-				md.Text("\n")
-			}
-			md.OrderedListEnd()
-			md.Text("\n")
-		}
-
-		caBundles := compliantCABundlesByOwner[owner]
-		if len(caBundles) > 0 {
-			md.Title(4, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundles)))
-			md.OrderedListStart()
-			for _, curr := range caBundles {
-				md.NewOrderedListItem()
-				md.Textf("ns/%v configmap/%v\n", curr.ConfigMapLocation.Namespace, curr.ConfigMapLocation.Name)
-				md.Textf("**Description:** %v", curr.CABundleInfo.Description)
-				md.Text("\n")
-			}
-			md.OrderedListEnd()
-			md.Text("\n")
-		}
-	}
-
-	return md.Bytes(), nil
+	return tlsmetadatainterfaces.NewAnnotationRequirement(
+		// requirement name
+		"autoregenerate-after-expiry",
+		// cert or configmap annotation
+		annotationName,
+		"Auto Regenerate After Offline Expiry",
+		string(md.ExactBytes()),
+	)
 }

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces/annotation_requirement.go

@@ -5,24 +5,26 @@ import (
 	"fmt"
 
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
-type generateMarkdownFn func(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, error)
-
 type annotationRequirement struct {
 	// requirementName is a unique name for metadata requirement
 	requirementName string
 	// annotationName is the annotation looked up in cert metadata
 	annotationName string
-	// markdownFn is a function which build markdown report from pkiInfo
-	markdownFn generateMarkdownFn
+	// title for the markdown
+	title string
+	// explanationMD is exactly the markdown to include that explains the purposes of the check
+	explanationMD string
 }
 
-func NewAnnotationRequirement(requirementName, annotationName string, generateMarkdownFn generateMarkdownFn) AnnotationRequirement {
+func NewAnnotationRequirement(requirementName, annotationName, title, explanationMD string) AnnotationRequirement {
 	return annotationRequirement{
 		requirementName: requirementName,
 		annotationName:  annotationName,
-		markdownFn:      generateMarkdownFn,
+		title:           title,
+		explanationMD:   explanationMD,
 	}
 }
 
@@ -44,7 +46,7 @@ func (o annotationRequirement) InspectRequirement(rawData []*certgraphapi.PKILis
 	if err != nil {
 		return nil, fmt.Errorf("failure marshalling %v.json: %w", o.GetName(), err)
 	}
-	markdown, err := o.markdownFn(pkiInfo)
+	markdown, err := o.generateInspectionMarkdown(pkiInfo)
 	if err != nil {
 		return nil, fmt.Errorf("failure marshalling %v.md: %w", o.GetName(), err)
 	}
@@ -61,6 +63,124 @@ func (o annotationRequirement) InspectRequirement(rawData []*certgraphapi.PKILis
 		violationJSONBytes)
 }
 
+func (o annotationRequirement) generateInspectionMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, error) {
+	compliantCertsByOwner := map[string][]certgraphapi.PKIRegistryInClusterCertKeyPair{}
+	violatingCertsByOwner := map[string][]certgraphapi.PKIRegistryInClusterCertKeyPair{}
+	compliantCABundlesByOwner := map[string][]certgraphapi.PKIRegistryInClusterCABundle{}
+	violatingCABundlesByOwner := map[string][]certgraphapi.PKIRegistryInClusterCABundle{}
+
+	for i := range pkiInfo.CertKeyPairs {
+		curr := pkiInfo.CertKeyPairs[i]
+		owner := curr.CertKeyInfo.OwningJiraComponent
+		regenerates, _ := AnnotationValue(curr.CertKeyInfo.SelectedCertMetadataAnnotations, o.GetAnnotationName())
+		if len(regenerates) == 0 {
+			violatingCertsByOwner[owner] = append(violatingCertsByOwner[owner], curr)
+			continue
+		}
+
+		compliantCertsByOwner[owner] = append(compliantCertsByOwner[owner], curr)
+	}
+	for i := range pkiInfo.CertificateAuthorityBundles {
+		curr := pkiInfo.CertificateAuthorityBundles[i]
+		owner := curr.CABundleInfo.OwningJiraComponent
+		regenerates, _ := AnnotationValue(curr.CABundleInfo.SelectedCertMetadataAnnotations, o.GetAnnotationName())
+		if len(regenerates) == 0 {
+			violatingCABundlesByOwner[owner] = append(violatingCABundlesByOwner[owner], curr)
+			continue
+		}
+		compliantCABundlesByOwner[owner] = append(compliantCABundlesByOwner[owner], curr)
+	}
+
+	md := NewMarkdown(o.title)
+	md.ExactText(o.explanationMD)
+
+	if len(violatingCertsByOwner) > 0 || len(violatingCABundlesByOwner) > 0 {
+		numViolators := 0
+		for _, v := range violatingCertsByOwner {
+			numViolators += len(v)
+		}
+		for _, v := range violatingCABundlesByOwner {
+			numViolators += len(v)
+		}
+		md.Title(2, fmt.Sprintf("Items Do NOT Meet the Requirement (%d)", numViolators))
+		violatingOwners := sets.StringKeySet(violatingCertsByOwner)
+		violatingOwners.Insert(sets.StringKeySet(violatingCABundlesByOwner).UnsortedList()...)
+		for _, owner := range violatingOwners.List() {
+			md.Title(3, fmt.Sprintf("%s (%d)", owner, len(violatingCertsByOwner[owner])+len(violatingCABundlesByOwner[owner])))
+			certs := violatingCertsByOwner[owner]
+			if len(certs) > 0 {
+				md.Title(4, fmt.Sprintf("Certificates (%d)", len(certs)))
+				md.OrderedListStart()
+				for _, curr := range certs {
+					md.NewOrderedListItem()
+					md.Textf("ns/%v secret/%v\n", curr.SecretLocation.Namespace, curr.SecretLocation.Name)
+					md.Textf("**Description:** %v", curr.CertKeyInfo.Description)
+					md.Text("\n")
+				}
+				md.OrderedListEnd()
+				md.Text("\n")
+			}
+
+			caBundles := violatingCABundlesByOwner[owner]
+			if len(caBundles) > 0 {
+				md.Title(4, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundles)))
+				md.OrderedListStart()
+				for _, curr := range caBundles {
+					md.NewOrderedListItem()
+					md.Textf("ns/%v configmap/%v\n", curr.ConfigMapLocation.Namespace, curr.ConfigMapLocation.Name)
+					md.Textf("**Description:** %v", curr.CABundleInfo.Description)
+					md.Text("\n")
+				}
+				md.OrderedListEnd()
+				md.Text("\n")
+			}
+		}
+	}
+
+	numCompliant := 0
+	for _, v := range compliantCertsByOwner {
+		numCompliant += len(v)
+	}
+	for _, v := range compliantCABundlesByOwner {
+		numCompliant += len(v)
+	}
+	md.Title(2, fmt.Sprintf("Items That DO Meet the Requirement (%d)", numCompliant))
+	allAutoRegenerateAfterOfflineExpirys := sets.StringKeySet(compliantCertsByOwner)
+	allAutoRegenerateAfterOfflineExpirys.Insert(sets.StringKeySet(compliantCABundlesByOwner).UnsortedList()...)
+	for _, owner := range allAutoRegenerateAfterOfflineExpirys.List() {
+		md.Title(3, fmt.Sprintf("%s (%d)", owner, len(compliantCertsByOwner[owner])+len(compliantCABundlesByOwner[owner])))
+		certs := compliantCertsByOwner[owner]
+		if len(certs) > 0 {
+			md.Title(4, fmt.Sprintf("Certificates (%d)", len(certs)))
+			md.OrderedListStart()
+			for _, curr := range certs {
+				md.NewOrderedListItem()
+				md.Textf("ns/%v secret/%v\n", curr.SecretLocation.Namespace, curr.SecretLocation.Name)
+				md.Textf("**Description:** %v", curr.CertKeyInfo.Description)
+				md.Text("\n")
+			}
+			md.OrderedListEnd()
+			md.Text("\n")
+		}
+
+		caBundles := compliantCABundlesByOwner[owner]
+		if len(caBundles) > 0 {
+			md.Title(4, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundles)))
+			md.OrderedListStart()
+			for _, curr := range caBundles {
+				md.NewOrderedListItem()
+				md.Textf("ns/%v configmap/%v\n", curr.ConfigMapLocation.Namespace, curr.ConfigMapLocation.Name)
+				md.Textf("**Description:** %v", curr.CABundleInfo.Description)
+				md.Text("\n")
+			}
+			md.OrderedListEnd()
+			md.Text("\n")
+		}
+	}
+
+	return md.Bytes(), nil
+}
+
 func generateViolationJSONForAnnotationRequirement(annotationName string, pkiInfo *certgraphapi.PKIRegistryInfo) *certgraphapi.PKIRegistryInfo {
 	ret := &certgraphapi.PKIRegistryInfo{}
 

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces/markdown.go

@@ -36,6 +36,13 @@ func (m *Markdown) Bytes() []byte {
 	return ret.Bytes()
 }
 
+// ExactBytes returns markdown with table of contents or title.  Useful for embedding.
+func (m *Markdown) ExactBytes() []byte {
+	ret := &bytes.Buffer{}
+	fmt.Fprintf(ret, m.body.String())
+	return ret.Bytes()
+}
+
 func (m *Markdown) UnlistedTitle(level int, text string) {
 	titlePrefix := strings.Repeat("#", level)
 	fmt.Fprintf(m.body, "%s %s\n", titlePrefix, text)
@@ -54,6 +61,7 @@ func (m *Markdown) Title(level int, text string) {
 func (m *Markdown) ExactText(text string) {
 	if m.orderedListDepth == 0 {
 		fmt.Fprintf(m.body, "%s\n", text)
+		return
 	}
 
 	prefix := ""