Merge pull request #28433 from deads2k/cert-16-push-to-simple

OCPBUGS-24583: push violation regression check into the default requirement result

Author: openshift-merge-bot[bot]

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/autoregenerate_after_expiry/requirement.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata"
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
 
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
@@ -44,7 +43,7 @@ func (o AutoRegenerateAfterOfflineExpiryRequirement) InspectRequirement(rawData
 		return nil, fmt.Errorf("failure marshalling %v-violations.json: %w", o.GetName(), err)
 	}
 
-	return tlsmetadata.NewRequirementResult(
+	return tlsmetadatainterfaces.NewRequirementResult(
 		o.GetName(),
 		ownershipJSONBytes,
 		markdown,
@@ -56,14 +55,14 @@ func generateViolationJSON(pkiInfo *certgraphapi.PKIRegistryInfo) *certgraphapi.
 
 	for i := range pkiInfo.CertKeyPairs {
 		curr := pkiInfo.CertKeyPairs[i]
-		regenerates, _ := tlsmetadata.AnnotationValue(curr.CertKeyInfo.SelectedCertMetadataAnnotations, AutoRegenerateAfterOfflineExpiryAnnotation)
+		regenerates, _ := tlsmetadatainterfaces.AnnotationValue(curr.CertKeyInfo.SelectedCertMetadataAnnotations, AutoRegenerateAfterOfflineExpiryAnnotation)
 		if len(regenerates) == 0 {
 			ret.CertKeyPairs = append(ret.CertKeyPairs, curr)
 		}
 	}
 	for i := range pkiInfo.CertificateAuthorityBundles {
 		curr := pkiInfo.CertificateAuthorityBundles[i]
-		regenerates, _ := tlsmetadata.AnnotationValue(curr.CABundleInfo.SelectedCertMetadataAnnotations, AutoRegenerateAfterOfflineExpiryAnnotation)
+		regenerates, _ := tlsmetadatainterfaces.AnnotationValue(curr.CABundleInfo.SelectedCertMetadataAnnotations, AutoRegenerateAfterOfflineExpiryAnnotation)
 		if len(regenerates) == 0 {
 			ret.CertificateAuthorityBundles = append(ret.CertificateAuthorityBundles, curr)
 		}
@@ -81,7 +80,7 @@ func generateAutoRegenerateAfterOfflineExpiryshipMarkdown(pkiInfo *certgraphapi.
 	for i := range pkiInfo.CertKeyPairs {
 		curr := pkiInfo.CertKeyPairs[i]
 		owner := curr.CertKeyInfo.OwningJiraComponent
-		regenerates, _ := tlsmetadata.AnnotationValue(curr.CertKeyInfo.SelectedCertMetadataAnnotations, AutoRegenerateAfterOfflineExpiryAnnotation)
+		regenerates, _ := tlsmetadatainterfaces.AnnotationValue(curr.CertKeyInfo.SelectedCertMetadataAnnotations, AutoRegenerateAfterOfflineExpiryAnnotation)
 		if len(regenerates) == 0 {
 			violatingCertsByOwner[owner] = append(violatingCertsByOwner[owner], curr)
 			continue
@@ -92,7 +91,7 @@ func generateAutoRegenerateAfterOfflineExpiryshipMarkdown(pkiInfo *certgraphapi.
 	for i := range pkiInfo.CertificateAuthorityBundles {
 		curr := pkiInfo.CertificateAuthorityBundles[i]
 		owner := curr.CABundleInfo.OwningJiraComponent
-		regenerates, _ := tlsmetadata.AnnotationValue(curr.CABundleInfo.SelectedCertMetadataAnnotations, AutoRegenerateAfterOfflineExpiryAnnotation)
+		regenerates, _ := tlsmetadatainterfaces.AnnotationValue(curr.CABundleInfo.SelectedCertMetadataAnnotations, AutoRegenerateAfterOfflineExpiryAnnotation)
 		if len(regenerates) == 0 {
 			violatingCABundlesByOwner[owner] = append(violatingCABundlesByOwner[owner], curr)
 			continue

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/helpers.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 
-	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata"
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
 
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
@@ -41,7 +40,7 @@ func (o OwnerRequirement) InspectRequirement(rawData []*certgraphapi.PKIList) (t
 		return nil, fmt.Errorf("failure marshalling %v-violations.json: %w", o.GetName(), err)
 	}
 
-	return tlsmetadata.NewRequirementResult(
+	return tlsmetadatainterfaces.NewRequirementResult(
 		o.GetName(),
 		ownershipJSONBytes,
 		markdown,
@@ -54,14 +53,14 @@ func generateViolationJSON(pkiInfo *certgraphapi.PKIRegistryInfo) *certgraphapi.
 	for i := range pkiInfo.CertKeyPairs {
 		curr := pkiInfo.CertKeyPairs[i]
 		owner := curr.CertKeyInfo.OwningJiraComponent
-		if len(owner) == 0 || owner == tlsmetadata.UnknownOwner {
+		if len(owner) == 0 || owner == tlsmetadatainterfaces.UnknownOwner {
 			ret.CertKeyPairs = append(ret.CertKeyPairs, curr)
 		}
 	}
 	for i := range pkiInfo.CertificateAuthorityBundles {
 		curr := pkiInfo.CertificateAuthorityBundles[i]
 		owner := curr.CABundleInfo.OwningJiraComponent
-		if len(owner) == 0 || owner == tlsmetadata.UnknownOwner {
+		if len(owner) == 0 || owner == tlsmetadatainterfaces.UnknownOwner {
 			ret.CertificateAuthorityBundles = append(ret.CertificateAuthorityBundles, curr)
 		}
 	}
@@ -70,7 +69,6 @@ func generateViolationJSON(pkiInfo *certgraphapi.PKIRegistryInfo) *certgraphapi.
 }
 
 func generateOwnershipMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, error) {
-	const unknownOwner = "Unknown"
 	certsByOwner := map[string][]certgraphapi.PKIRegistryInClusterCertKeyPair{}
 	certsWithoutOwners := []certgraphapi.PKIRegistryInClusterCertKeyPair{}
 	caBundlesByOwner := map[string][]certgraphapi.PKIRegistryInClusterCABundle{}
@@ -79,7 +77,7 @@ func generateOwnershipMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, e
 	for i := range pkiInfo.CertKeyPairs {
 		curr := pkiInfo.CertKeyPairs[i]
 		owner := curr.CertKeyInfo.OwningJiraComponent
-		if len(owner) == 0 || owner == tlsmetadata.UnknownOwner {
+		if len(owner) == 0 || owner == tlsmetadatainterfaces.UnknownOwner {
 			certsWithoutOwners = append(certsWithoutOwners, curr)
 			continue
 		}
@@ -88,7 +86,7 @@ func generateOwnershipMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, e
 	for i := range pkiInfo.CertificateAuthorityBundles {
 		curr := pkiInfo.CertificateAuthorityBundles[i]
 		owner := curr.CABundleInfo.OwningJiraComponent
-		if len(owner) == 0 || owner == tlsmetadata.UnknownOwner {
+		if len(owner) == 0 || owner == tlsmetadatainterfaces.UnknownOwner {
 			caBundlesWithoutOwners = append(caBundlesWithoutOwners, curr)
 			continue
 		}

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/ownership/requirement.go

@@ -9,6 +9,18 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 )
 
+const UnknownOwner = "Unknown"
+
+func AnnotationValue(whitelistedAnnotations []certgraphapi.AnnotationValue, key string) (string, bool) {
+	for _, curr := range whitelistedAnnotations {
+		if curr.Key == key {
+			return curr.Value, true
+		}
+	}
+
+	return "", false
+}
+
 func ProcessByLocation(rawData []*certgraphapi.PKIList) (*certgraphapi.PKIRegistryInfo, error) {
 	errs := []error{}
 	certKeyPairs := certs.SecretInfoByNamespaceName{}

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces/helpers.go

@@ -1,10 +1,15 @@
 package tlsmetadatainterfaces
 
 import (
+	"embed"
+	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 
+	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
+	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphutils"
+
 	"github.com/google/go-cmp/cmp"
 )
 
@@ -16,7 +21,7 @@ type SimpleRequirementsResult struct {
 	violationJSON  []byte
 }
 
-func NewRequirementResult(name string, statusJSON, statusMarkdown, violationJSON []byte) (*SimpleRequirementsResult, error) {
+func NewRequirementResult(name string, statusJSON, statusMarkdown, violationJSON []byte) (RequirementResult, error) {
 	if len(name) == 0 {
 		return nil, fmt.Errorf("missing name for result")
 	}
@@ -87,6 +92,50 @@ func (s SimpleRequirementsResult) DiffExistingContent(tlsDir string) (string, bo
 	return "", true, nil
 }
 
+func (s SimpleRequirementsResult) HaveViolationsRegressed(allViolationsFS embed.FS) ([]string, bool, error) {
+	resultingViolations := &certgraphapi.PKIRegistryInfo{}
+	if err := json.Unmarshal(s.violationJSON, resultingViolations); err != nil {
+		return nil, false, fmt.Errorf("error decoding violation content for %v: %w", s.GetName(), err)
+	}
+
+	existingViolationJSONBytes, err := allViolationsFS.ReadFile(s.violationsFilename(""))
+	if err != nil {
+		return nil, false, fmt.Errorf("error reading existing content for %v: %w", s.GetName(), err)
+	}
+	existingViolations := &certgraphapi.PKIRegistryInfo{}
+	if err := json.Unmarshal(existingViolationJSONBytes, existingViolations); err != nil {
+		return nil, false, fmt.Errorf("error decoding existing content for %v: %w", s.GetName(), err)
+	}
+
+	regressions := []string{}
+	for _, currCertKeyPair := range resultingViolations.CertKeyPairs {
+		currLocation := currCertKeyPair.SecretLocation
+		_, err := certgraphutils.LocateCertKeyPair(currLocation, existingViolations.CertKeyPairs)
+		if err != nil {
+			// this means it wasn't found
+			regressions = append(regressions,
+				fmt.Sprintf("requirment/%v: --namespace=%v secret/%v regressed and does not have an owner", s.GetName(), currLocation.Namespace, currLocation.Name),
+			)
+		}
+	}
+
+	for _, currCABundle := range resultingViolations.CertificateAuthorityBundles {
+		currLocation := currCABundle.ConfigMapLocation
+		_, err := certgraphutils.LocateCertificateAuthorityBundle(currLocation, existingViolations.CertificateAuthorityBundles)
+		if err != nil {
+			// this means it wasn't found
+			regressions = append(regressions,
+				fmt.Sprintf("requirment/%v: --namespace=%v configmap/%v regressed and does not have an owner", s.GetName(), currLocation.Namespace, currLocation.Name),
+			)
+		}
+	}
+
+	if len(regressions) > 0 {
+		return regressions, true, nil
+	}
+	return nil, false, nil
+}
+
 func (s SimpleRequirementsResult) jsonFilename(tlsDir string) string {
 	return filepath.Join(tlsDir, s.GetName(), fmt.Sprintf("%s.json", s.GetName()))
 }