Merge pull request #28336 from deads2k/certs-03-prune-proxy-ca

prune the system CAs from proxy-ca in rawTLSInfo json

Author: openshift-ci[bot]

test/extended/operators/certs.go

@@ -7,6 +7,8 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
+
 	g "github.com/onsi/ginkgo/v2"
 	o "github.com/onsi/gomega"
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphanalysis"
@@ -33,6 +35,10 @@ var _ = g.Describe("[sig-arch][Late]", func() {
 		currentPKIContent, err := certgraphanalysis.GatherCertsFromPlatformNamespaces(ctx, kubeClient)
 		o.Expect(err).NotTo(o.HaveOccurred())
 
+		// the content here is good, but proxy-ca contains a lot of entries for system-trust that doesn't help
+		// us visualize the OCP certs, so if we detect that condition snip it
+		pruneSystemTrust(currentPKIContent)
+
 		jsonBytes, err := json.MarshalIndent(currentPKIContent, "", "  ")
 		o.Expect(err).NotTo(o.HaveOccurred())
 
@@ -44,3 +50,28 @@ var _ = g.Describe("[sig-arch][Late]", func() {
 	})
 
 })
+
+// pruneSystemTrust removes certificate metadata for proxy-ca for easier visualization
+func pruneSystemTrust(pkiList *certgraphapi.PKIList) {
+	for i := range pkiList.CertificateAuthorityBundles.Items {
+		curr := pkiList.CertificateAuthorityBundles.Items[i]
+		if curr.LogicalName != "proxy-ca" {
+			continue
+		}
+
+		if len(curr.Spec.CertificateMetadata) > 10 {
+			pkiList.CertificateAuthorityBundles.Items[i].Name = "proxy-ca"
+			pkiList.CertificateAuthorityBundles.Items[i].Spec.CertificateMetadata = []certgraphapi.CertKeyMetadata{
+				{
+					CertIdentifier: certgraphapi.CertIdentifier{
+						CommonName:   "synthetic-proxy-ca",
+						SerialNumber: "0",
+						Issuer:       nil,
+					},
+				},
+			}
+			return
+		}
+	}
+
+}