Merge pull request #29629 from vrutkovs/short-cert-rotation-cert-duration

CNTRLPLANE-353: Add test which verifes that only short duration tests are present

Author: openshift-merge-bot[bot]

test/extended/operators/certs.go

@@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"
 
+	promtime "github.com/prometheus/common/model"
+
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatadefaults"
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
 	"github.com/openshift/origin/pkg/monitortests/network/disruptionpodnetwork"
@@ -283,6 +285,40 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
 		}
 	})
 
+	g.It("[OCPFeatureGate:ShortCertRotation] all certificates should expire in no more than 8 hours", func() {
+		var errs []error
+		// Skip router certificates (both certificate and signer)
+		// These are not being rotated automatically
+		// OLM: bug https://issues.redhat.com/browse/CNTRLPLANE-379
+		shortCertRotationIgnoredNamespaces := []string{"openshift-operator-lifecycle-manager", "openshift-ingress-operator"}
+
+		for _, certKeyPair := range actualPKIContent.CertKeyPairs.Items {
+			if certKeyPair.Spec.CertMetadata.ValidityDuration == "" {
+				// Skip certificates with no duration set (proxy ca, key without certificate etc.)
+				continue
+			}
+			if certKeyPair.Spec.CertMetadata.ValidityDuration == "10y" {
+				// Skip "forever" certificates
+				continue
+			}
+			if isCertKeyPairFromIgnoredNamespace(certKeyPair, shortCertRotationIgnoredNamespaces) {
+				continue
+			}
+			// Use ParseDuration from prometheus as it can handle days/month/years durations
+			duration, err := promtime.ParseDuration(certKeyPair.Spec.CertMetadata.ValidityDuration)
+			if err != nil {
+				errs = append(errs, fmt.Errorf("failed to parse validity duration for certificate %q: %v", certKeyPair.Name, err))
+				continue
+			}
+			if time.Duration(duration) > time.Hour*8 {
+				errs = append(errs, fmt.Errorf("certificate %q expires too soon: expected duration to be up to 8h, but was %s", certKeyPair.Name, duration))
+			}
+		}
+		if len(errs) > 0 {
+			testresult.Flakef("Errors found: %s", utilerrors.NewAggregate(errs).Error())
+		}
+	})
+
 })
 
 func fetchOnDiskCertificates(ctx context.Context, kubeClient kubernetes.Interface, podRESTConfig *rest.Config, nodeList []*corev1.Node, testPullSpec string) (*certgraphapi.PKIList, error) {
@@ -428,3 +464,14 @@ func fetchNodePKIList(_ context.Context, kubeClient kubernetes.Interface, podRES
 
 	return pkiList, nil
 }
+
+func isCertKeyPairFromIgnoredNamespace(cert certgraphapi.CertKeyPair, ignoredNamespaces []string) bool {
+	for _, location := range cert.Spec.SecretLocations {
+		for _, namespace := range ignoredNamespaces {
+			if location.Namespace == namespace {
+				return true
+			}
+		}
+	}
+	return false
+}

test/extended/util/annotate/generated/zz_generated.annotations.go

@@ -784,6 +784,10 @@ spec:
         [LinuxOnly] [Feature:SELinux] [Serial] warning is not bumped on two Pods with
         the same context on RWO volume [FeatureGate:SELinuxMountReadWriteOncePod]
         [Beta] [Feature:SELinuxMountReadWriteOncePodOnly]'
+  - featureGate: ShortCertRotation
+    tests:
+    - testName: '[sig-arch][Late][Jira:"kube-apiserver"] [OCPFeatureGate:ShortCertRotation]
+        all certificates should expire in no more than 8 hours'
   - featureGate: SigstoreImageVerification
     tests:
     - testName: '[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][Serial]