certificate_manager: Check that template differs from current cert before rotation

[agunnerson-ibm]

What type of PR is this?

/kind bug

What this PR does / why we need it:

With the current behavior, when kubelet starts, a templateChanged
event is always fired off because it only checks if getLastRequest
matches getTemplate. The last request only exists in memory and thus
is initially nil and can't ever match the current template during
startup.

This causes kubelet to request the signing of a new CSR every time it's
restarted. This commit changes the behavior so that templateChanged is
only fired off if the currently template doesn't match both the current
certificate and the last template.

Which issue(s) this PR fixes:

Fixes #69471

Release note:

When `--rotate-server-certificates` is enabled, kubelet will no longer request a new certificate on startup if the current certificate on disk is satisfactory.

[fedebongio]

/cc @caesarxuchao

[liggitt]

/ok-to-test

[liggitt]

there's a gofmt error that needs fixing to make the bot happy:

-func (m* manager) certSatisfiesTemplate() bool {
+func (m *manager) certSatisfiesTemplate() bool {
 	m.certAccessLock.RLock()
 	defer m.certAccessLock.RUnlock()
 	if m.cert == nil {

Run ./hack/update-gofmt.sh

[liggitt]

also check sets.NewString(m.cert.Leaf.Subject.Organizations...).HasAll(template.Subject.Organizations...)

[liggitt]

/test pull-kubernetes-e2e-gke

[liggitt]

thanks for the PR, just a couple comments. exercising the logic in a unit test would be good as well

[awly]

certSatisfiesTemplate already locks the mutex, this will deadlock.
Recommend splitting certSatisfiesTemplate into two functions: unlocked one and a locking wrapper. Call the unlocked one here and the locked one in manager.Start

[agunnerson-ibm]

Thanks everyone for the comments! I've updated this PR to address them.

Changes:

• Fixed all gofmt errors
• Added check to ensure that the organizations in the x509 subject of the cert match the template
• Split certSatisfiesTemplate into certSatisfiesTemplate and certSatisfiesTemplateLocked and use the latter if certAccessLock is already locked
• Added unit tests for certSatisfiesTemplate

[agunnerson-ibm]

Fixed the lint issue reported by pull-kubernetes-verify.

[awly]

Two small nits, LGTM otherwise

[awly]

Don't wrap errors, store certSatisfiesTemplate result in a var and do a simpler error print:

t.Errorf("cert: %+v, template: %+v, certSatisfiesTemplate returned %v, want %v", m.cert, tc.template, got, tc.shouldSatisfy)

[agunnerson-ibm]

Thanks, I'll fix that.

[awly]

Is this needed?

[agunnerson-ibm]

Nope, I'll remove it.

[agunnerson-ibm]

The latest commit should address @awly's comments above.

[awly]

/lgtm

[liggitt]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agunnerson-ibm, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/client-go/util/certificate/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liggitt]

thanks for putting this together

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.