ETCD-535: Manual CA rotation should rotate all leaf certs

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
openshift · Feb 27, 2024 · 2920875 · 2920875
1 parent 6af658a
commit 2920875
Show file tree

Hide file tree

Showing 12 changed files with 180 additions and 115 deletions.
diff --git a/go.mod b/go.mod
@@ -139,5 +139,6 @@ require (
 
 replace (
 	github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
+	github.com/openshift/library-go => github.com/tjungblu/library-go v0.0.0-20240209125555-37ea45a1602b
 	vbom.ml/util => github.com/fvbommel/util v0.0.0-20180919145318-efcd4e0f9787
 )
diff --git a/go.sum b/go.sum
@@ -313,8 +313,6 @@ github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d h1:RR
 github.com/openshift/build-machinery-go v0.0.0-20220913142420-e25cf57ea46d/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20231218140158-47f6d749b9d9 h1:kjgW3luAkf9NWu+8u+jqNNbexDG+CY82/INw8hGbG14=
 github.com/openshift/client-go v0.0.0-20231218140158-47f6d749b9d9/go.mod h1:kKmxYRXTMutfF7XzGppFdbLhNGX1brXkRsZx5ID8c7U=
-github.com/openshift/library-go v0.0.0-20240124134907-4dfbf6bc7b11 h1:9alPFotg+mC+HjDM1CgF7jmfpOr4lBgUQK+/5WKYKME=
-github.com/openshift/library-go v0.0.0-20240124134907-4dfbf6bc7b11/go.mod h1:dccfc6I7w8HDcCYFgAzyL8xHyzcDra+n8tuSizvsySQ=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
@@ -408,6 +406,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/tjungblu/library-go v0.0.0-20240209125555-37ea45a1602b h1:wAWV+NEe39iV415HVd7Bc/YVQZ5ksYxG/0qIC3sR+gI=
+github.com/tjungblu/library-go v0.0.0-20240209125555-37ea45a1602b/go.mod h1:ePlaOqUiPplRc++6aYdMe+2FmXb2xTNS9Nz5laG2YmI=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE=

diff --git a/pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go b/pkg/operator/etcdcertsigner/etcdcertsignercontroller_test.go
@@ -291,6 +291,9 @@ func setupControllerWithEtcd(t *testing.T, objects []runtime.Object, etcdMembers
 		nil,
 	)
 
+	nodeSelector, err := labels.Parse("node-role.kubernetes.io/master")
+	require.NoError(t, err)
+
 	fakeEtcdClient, err := etcdcli.NewFakeEtcdClient(etcdMembers)
 	require.NoError(t, err)
 

diff --git a/pkg/tlshelpers/tlshelpers.go b/pkg/tlshelpers/tlshelpers.go
@@ -78,10 +78,13 @@ func CreateSignerCertRotationBundleConfigMap(
 	recorder events.Recorder) certrotation.CABundleConfigMap {
 
 	return certrotation.CABundleConfigMap{
-		Name:          EtcdSignerCaBundleConfigMapName,
-		Namespace:     operatorclient.TargetNamespace,
-		JiraComponent: EtcdJiraComponentName,
-		Description:   "bundle for etcd signer certificate authorities",
+		Name:      EtcdSignerCaBundleConfigMapName,
+		Namespace: operatorclient.TargetNamespace,
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent:                    EtcdJiraComponentName,
+			Description:                      "bundle for etcd signer certificate authorities",
+			AutoRegenerateAfterOfflineExpiry: "",
+		},
 		Informer:      cmInformer,
 		Lister:        cmLister,
 		Client:        cmGetter,
@@ -96,10 +99,13 @@ func CreateMetricsSignerCertRotationBundleConfigMap(
 	recorder events.Recorder) certrotation.CABundleConfigMap {
 
 	return certrotation.CABundleConfigMap{
-		Name:          EtcdMetricsSignerCaBundleConfigMapName,
-		Namespace:     operatorclient.TargetNamespace,
-		JiraComponent: EtcdJiraComponentName,
-		Description:   "bundle for etcd metrics signer certificate authorities",
+		Name:      EtcdMetricsSignerCaBundleConfigMapName,
+		Namespace: operatorclient.TargetNamespace,
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent:                    EtcdJiraComponentName,
+			Description:                      "bundle for etcd metrics signer certificate authorities",
+			AutoRegenerateAfterOfflineExpiry: "",
+		},
 		Informer:      cmInformer,
 		Lister:        cmLister,
 		Client:        cmGetter,
@@ -114,12 +120,15 @@ func CreateSignerCert(
 	recorder events.Recorder) certrotation.RotatedSigningCASecret {
 
 	return certrotation.RotatedSigningCASecret{
-		Namespace:     operatorclient.TargetNamespace,
-		Name:          EtcdSignerCertSecretName,
-		JiraComponent: EtcdJiraComponentName,
-		Description:   "etcd signer certificate authorities",
-		Validity:      etcdCaCertValidity,
-		Refresh:       etcdCaCertValidityRefresh,
+		Namespace: operatorclient.TargetNamespace,
+		Name:      EtcdSignerCertSecretName,
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent:                    EtcdJiraComponentName,
+			Description:                      "etcd signer certificate authorities",
+			AutoRegenerateAfterOfflineExpiry: "",
+		},
+		Validity: etcdCaCertValidity,
+		Refresh:  etcdCaCertValidityRefresh,
 
 		Informer:      secretInformer,
 		Lister:        secretLister,
@@ -146,12 +155,15 @@ func CreateMetricsSignerCert(
 	recorder events.Recorder) certrotation.RotatedSigningCASecret {
 
 	return certrotation.RotatedSigningCASecret{
-		Namespace:     operatorclient.TargetNamespace,
-		Name:          EtcdMetricsSignerCertSecretName,
-		JiraComponent: EtcdJiraComponentName,
-		Description:   "etcd metrics signer certificate authorities",
-		Validity:      etcdCaCertValidity,
-		Refresh:       etcdCaCertValidityRefresh,
+		Namespace: operatorclient.TargetNamespace,
+		Name:      EtcdMetricsSignerCertSecretName,
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent:                    EtcdJiraComponentName,
+			Description:                      "etcd metrics signer certificate authorities",
+			AutoRegenerateAfterOfflineExpiry: "",
+		},
+		Validity: etcdCaCertValidity,
+		Refresh:  etcdCaCertValidityRefresh,
 
 		Informer:      secretInformer,
 		Lister:        secretLister,
@@ -229,13 +241,16 @@ func createCertForNode(description, secretName string, node *corev1.Node,
 	}
 
 	return &certrotation.RotatedSelfSignedCertKeySecret{
-		Namespace:     operatorclient.TargetNamespace,
-		Name:          secretName,
-		JiraComponent: EtcdJiraComponentName,
-		Description:   description,
-		Validity:      etcdCertValidity,
-		Refresh:       etcdCertValidityRefresh,
-		CertCreator:   creator,
+		Namespace: operatorclient.TargetNamespace,
+		Name:      secretName,
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent:                    EtcdJiraComponentName,
+			Description:                      description,
+			AutoRegenerateAfterOfflineExpiry: "",
+		},
+		Validity:    etcdCertValidity,
+		Refresh:     etcdCertValidityRefresh,
+		CertCreator: creator,
 
 		Informer:      secretInformer,
 		Lister:        secretLister,
@@ -257,13 +272,16 @@ func CreateMetricsClientCert(
 	}
 
 	return certrotation.RotatedSelfSignedCertKeySecret{
-		Namespace:     operatorclient.TargetNamespace,
-		Name:          EtcdMetricsClientCertSecretName,
-		JiraComponent: EtcdJiraComponentName,
-		Description:   "etcd metrics client certificate",
-		Validity:      etcdCertValidity,
-		Refresh:       etcdCertValidityRefresh,
-		CertCreator:   creator,
+		Namespace: operatorclient.TargetNamespace,
+		Name:      EtcdMetricsClientCertSecretName,
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent:                    EtcdJiraComponentName,
+			Description:                      "etcd metrics client certificate",
+			AutoRegenerateAfterOfflineExpiry: "",
+		},
+		Validity:    etcdCertValidity,
+		Refresh:     etcdCertValidityRefresh,
+		CertCreator: creator,
 
 		Informer:      secretInformer,
 		Lister:        secretLister,
@@ -285,13 +303,16 @@ func CreateEtcdClientCert(
 	}
 
 	return certrotation.RotatedSelfSignedCertKeySecret{
-		Namespace:     operatorclient.TargetNamespace,
-		Name:          EtcdClientCertSecretName,
-		JiraComponent: EtcdJiraComponentName,
-		Description:   "etcd client certificate",
-		Validity:      etcdCertValidity,
-		Refresh:       etcdCertValidityRefresh,
-		CertCreator:   creator,
+		Namespace: operatorclient.TargetNamespace,
+		Name:      EtcdClientCertSecretName,
+		AdditionalAnnotations: certrotation.AdditionalAnnotations{
+			JiraComponent:                    EtcdJiraComponentName,
+			Description:                      "etcd client certificate",
+			AutoRegenerateAfterOfflineExpiry: "",
+		},
+		Validity:    etcdCertValidity,
+		Refresh:     etcdCertValidityRefresh,
+		CertCreator: creator,
 
 		Informer:      secretInformer,
 		Lister:        secretLister,

diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/annotations.go
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/cabundle.go
diff --git a/...hub.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go b/...hub.com/openshift/library-go/pkg/operator/certrotation/client_cert_rotation_controller.go
diff --git a/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go b/vendor/github.com/openshift/library-go/pkg/operator/certrotation/signer.go