Merge pull request #3532 from stevekuznetsov/skuznets/backport-revoca…

…tion OCPBUGS-29303: release-4.15: revocation controller backport
openshift · Feb 9, 2024 · a847978 · a847978
2 parents 2f330ca + 4a958a1
commit a847978
Show file tree

Hide file tree

Showing 118 changed files with 36,857 additions and 1,145 deletions.
diff --git a/Makefile b/Makefile
@@ -184,7 +184,7 @@ fmt:
 # Run go vet against code
 .PHONY: vet
 vet:
-	$(GO) vet ./...
+	$(GO) vet -tags integration,e2e ./...
 
 .PHONY: promtool
 promtool:
@@ -204,6 +204,7 @@ deps:
 staticcheck: $(STATICCHECK)
 	$(STATICCHECK) \
 		./control-plane-operator/... \
+		./control-plane-pki-operator/... \
 		./hypershift-operator/controllers/... \
 		./ignition-server/... \
 		./cmd/... \
@@ -212,7 +213,8 @@ staticcheck: $(STATICCHECK)
 		./support/upsert/... \
 		./konnectivity-socks5-proxy/... \
 		./contrib/... \
-		./availability-prober/...
+		./availability-prober/... \
+		./test/integration/... \
 
 # Build the docker image with official golang image
 .PHONY: docker-build
@@ -261,3 +263,8 @@ ci-install-hypershift-private:
 .PHONY: ci-test-e2e
 ci-test-e2e:
 	hack/ci-test-e2e.sh ${CI_TESTS_RUN}
+
+.PHONY: regenerate-pki
+regenerate-pki:
+	REGENERATE_PKI=1 $(GO) test ./control-plane-pki-operator/...
+	REGENERATE_PKI=1 $(GO) test ./test/e2e/... -run TestRegeneratePKI
diff --git a/api/certificates/v1alpha1/certificaterevocationrequest_types.go b/api/certificates/v1alpha1/certificaterevocationrequest_types.go
@@ -0,0 +1,82 @@
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +kubebuilder:resource:path=certificaterevocationrequests,shortName=crr;crrs,scope=Namespaced
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:storageversion
+
+// CertificateRevocationRequest defines the desired state of CertificateRevocationRequest.
+// A request denotes the user's desire to revoke a signer certificate of the class indicated in spec.
+type CertificateRevocationRequest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   CertificateRevocationRequestSpec   `json:"spec,omitempty"`
+	Status CertificateRevocationRequestStatus `json:"status,omitempty"`
+}
+
+// CertificateRevocationRequestSpec defines the desired state of CertificateRevocationRequest
+type CertificateRevocationRequestSpec struct {
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=customer-break-glass
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="signerClass is immutable"
+
+	// SignerClass identifies the class of signer to revoke. All the active signing CAs for the
+	// signer class will be revoked.
+	SignerClass string `json:"signerClass"`
+}
+
+const (
+	SignerClassValidType     string = "SignerClassValid"
+	SignerClassUnknownReason string = "SignerClassUnknown"
+
+	RootCertificatesRegeneratedType string = "RootCertificatesRegenerated"
+	RootCertificatesStaleReason     string = "RootCertificatesStale"
+
+	LeafCertificatesRegeneratedType string = "LeafCertificatesRegenerated"
+	LeafCertificatesStaleReason     string = "LeafCertificatesStale"
+
+	NewCertificatesTrustedType      = "NewCertificatesTrusted"
+	PreviousCertificatesRevokedType = "PreviousCertificatesRevoked"
+)
+
+// CertificateRevocationRequestStatus defines the observed state of CertificateRevocationRequest
+type CertificateRevocationRequestStatus struct {
+	// +optional
+
+	// RevocationTimestamp is the cut-off time for signing CAs to be revoked. All certificates that
+	// are valid before this time will be revoked; all re-generated certificates will not be valid
+	// at or before this time.
+	RevocationTimestamp *metav1.Time `json:"revocationTimestamp,omitempty"`
+
+	// +optional
+
+	// PreviousSigner stores a reference to the previous signer certificate. We require
+	// storing this data to ensure that we can validate that the old signer is no longer
+	// valid before considering revocation complete.
+	PreviousSigner *corev1.LocalObjectReference `json:"previousSigner,omitempty"`
+
+	// +optional
+	// +listType=map
+	// +listMapKey=type
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+
+	// Conditions contain details about the various aspects of certificate revocation.
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+}
+
+// +kubebuilder:object:root=true
+
+// CertificateRevocationRequestList contains a list of CertificateRevocationRequest.
+type CertificateRevocationRequestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []CertificateRevocationRequest `json:"items"`
+}
diff --git a/api/certificates/v1alpha1/register.go b/api/certificates/v1alpha1/register.go
@@ -31,6 +31,9 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&CertificateSigningRequestApproval{},
 		&CertificateSigningRequestApprovalList{},
+
+		&CertificateRevocationRequest{},
+		&CertificateRevocationRequestList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

diff --git a/api/certificates/v1alpha1/zz_generated.deepcopy.go b/api/certificates/v1alpha1/zz_generated.deepcopy.go
diff --git a/api/hypershift/v1beta1/hostedcluster_types.go b/api/hypershift/v1beta1/hostedcluster_types.go
@@ -41,9 +41,13 @@ const (
 	// KonnectivityAgentImageAnnotation is a temporary annotation that allows the specification of the konnectivity agent image.
 	// This will be removed when Konnectivity is added to the Openshift release payload
 	KonnectivityAgentImageAnnotation = "hypershift.openshift.io/konnectivity-agent-image"
-	// ControlPlaneOperatorImageAnnotation is a annotation that allows the specification of the control plane operator image.
+	// ControlPlaneOperatorImageAnnotation is an annotation that allows the specification of the control plane operator image.
 	// This is used for development and e2e workflows
 	ControlPlaneOperatorImageAnnotation = "hypershift.openshift.io/control-plane-operator-image"
+	// ControlPlaneOperatorImageLabelsAnnotation is an annotation that allows the specification of the control plane operator image labels.
+	// Labels are provided in a comma-delimited format: key=value,key2=value2
+	// This is used for development and e2e workflows
+	ControlPlaneOperatorImageLabelsAnnotation = "hypershift.openshift.io/control-plane-operator-image-labels"
 	// RestartDateAnnotation is a annotation that can be used to trigger a rolling restart of all components managed by hypershift.
 	// it is important in some situations like CA rotation where components need to be fully restarted to pick up new CAs. It's also
 	// important in some recovery situations where a fresh start of the component helps fix symptoms a user might be experiencing.