MCO-607: MCO-237: Keep track of certs in ControllerConfigStatus

install/0000_80_machine-config-operator_01_machineconfigpool.crd.yaml

@@ -427,3 +427,19 @@ spec:
                   targeted by the pool that have the CurrentMachineConfig as their config.
                 type: integer
                 format: int32
+              certExpirys:
+                description: The certificate expiry dates from the controller config
+                type: array
+                items:
+                  description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+                  type: object
+                  properties:
+                    bundle:
+                      description: the bundle for which the expiry applies
+                      type: string
+                    subject:
+                      description: the subject of the cert
+                      type: string
+                    expiry:
+                      description: the date when the cert expires
+                      type: string 

manifests/controllerconfig.crd.yaml

@@ -1820,7 +1820,31 @@ spec:
                   by the controller.
                 format: int64
                 type: integer
+              controllerCertificates:
+                description: controllerCertificates holds the information about the MCCs certificates.
+                items:
+                  description: ControllerCertificate contains certificate
+                    information for ControllerConfigStatus
+                  properties:
+                    subject:
+                      description: the subject of the cert.
+                      nullable: true
+                      type: string
+                    signer:
+                      description: signer contains the issuer of the cert
+                      type: string
+                    notBefore:
+                      description: lower bound for validity
+                      type: string
+                    notAfter:
+                      description: upper bound for validity
+                      type: string
+                    bundleFile:
+                      description: the name of the bundle serving this cert.
+                      type: string
+                  type: object
+                type: array
             type: object
         required:
         - spec
-        type: object
+        type: object

pkg/apis/machineconfiguration.openshift.io/v1/types.go

@@ -139,6 +139,28 @@ type ControllerConfigStatus struct {
 	// conditions represents the latest available observations of current state.
 	// +optional
 	Conditions []ControllerConfigStatusCondition `json:"conditions"`
+
+	// controllerCertificates represents the latest available observations of the automatically rotating certificates in the MCO.
+	// +optional
+	ControllerCertificates []ControllerCertificate `json:"controllerCertificates"`
+}
+
+// ControllerCertificate contains info about a specific cert.
+type ControllerCertificate struct {
+	// subject is the cert subject
+	Subject string `json:"subject"`
+
+	// signer is the  cert Issuer
+	Signer string `json:"signer"`
+
+	// notBefore is the lower boundary for validity
+	NotBefore string `json:"notBefore"`
+
+	// notAfter is the upper boundary for validity
+	NotAfter string `json:"notAfter"`
+
+	// bundleFile is the larger bundle a cert comes from
+	BundleFile string `json:"bundleFile"`
 }
 
 // ControllerConfigStatusCondition contains condition information for ControllerConfigStatus
@@ -303,6 +325,16 @@ type MachineConfigPoolStatus struct {
 	// conditions represents the latest available observations of current state.
 	// +optional
 	Conditions []MachineConfigPoolCondition `json:"conditions"`
+
+	// certExpirys keeps track of important certificate expiration data
+	CertExpirys []CertExpiry `json:"certExpirys"`
+}
+
+// ceryExpiry contains the bundle name and the expiry date
+type CertExpiry struct {
+	Bundle  string `json:"bundle"`
+	Subject string `json:"subject"`
+	Expiry  string `json:"expiry"`
 }
 
 // MachineConfigPoolStatusConfiguration stores the current configuration for the pool, and

pkg/controller/node/node_controller_test.go

@@ -907,7 +907,7 @@ func TestShouldMakeProgress(t *testing.T) {
 				}
 				f.expectPatchNodeAction(expNode, exppatch)
 			}
-			expStatus := calculateStatus(mcp, nodes)
+			expStatus := calculateStatus(cc, mcp, nodes)
 			expMcp := mcp.DeepCopy()
 			expMcp.Status = expStatus
 			f.expectUpdateMachineConfigPoolStatus(expMcp)
@@ -930,6 +930,7 @@ func TestEmptyCurrentMachineConfig(t *testing.T) {
 
 func TestPaused(t *testing.T) {
 	f := newFixture(t)
+	cc := newControllerConfig(ctrlcommon.ControllerConfigName, configv1.TopologyMode(""))
 	mcp := helpers.NewMachineConfigPool("test-cluster-infra", nil, helpers.InfraSelector, "v1")
 	mcpWorker := helpers.NewMachineConfigPool("worker", nil, helpers.WorkerSelector, "v1")
 	mcp.Spec.MaxUnavailable = intStrPtr(intstr.FromInt(1))
@@ -939,14 +940,15 @@ func TestPaused(t *testing.T) {
 		newNodeWithLabel("node-1", "v0", "v0", map[string]string{"node-role/worker": "", "node-role/infra": ""}),
 	}
 
+	f.ccLister = append(f.ccLister, cc)
 	f.mcpLister = append(f.mcpLister, mcp, mcpWorker)
 	f.objects = append(f.objects, mcp, mcpWorker)
 	f.nodeLister = append(f.nodeLister, nodes...)
 	for idx := range nodes {
 		f.kubeobjects = append(f.kubeobjects, nodes[idx])
 	}
 
-	expStatus := calculateStatus(mcp, nodes)
+	expStatus := calculateStatus(cc, mcp, nodes)
 	expMcp := mcp.DeepCopy()
 	expMcp.Status = expStatus
 	f.expectUpdateMachineConfigPoolStatus(expMcp)
@@ -973,7 +975,7 @@ func TestShouldUpdateStatusOnlyUpdated(t *testing.T) {
 		f.kubeobjects = append(f.kubeobjects, nodes[idx])
 	}
 
-	expStatus := calculateStatus(mcp, nodes)
+	expStatus := calculateStatus(cc, mcp, nodes)
 	expMcp := mcp.DeepCopy()
 	expMcp.Status = expStatus
 	f.expectUpdateMachineConfigPoolStatus(expMcp)
@@ -1000,9 +1002,43 @@ func TestShouldUpdateStatusOnlyNoProgress(t *testing.T) {
 		f.kubeobjects = append(f.kubeobjects, nodes[idx])
 	}
 
-	expStatus := calculateStatus(mcp, nodes)
+	expStatus := calculateStatus(cc, mcp, nodes)
+	expMcp := mcp.DeepCopy()
+	expMcp.Status = expStatus
+	f.expectUpdateMachineConfigPoolStatus(expMcp)
+
+	f.run(getKey(mcp, t))
+}
+
+func TestCertStatus(t *testing.T) {
+	f := newFixture(t)
+	cc := newControllerConfig(ctrlcommon.ControllerConfigName, configv1.TopologyMode(""))
+
+	cc.Status.ControllerCertificates = append(cc.Status.ControllerCertificates, mcfgv1.ControllerCertificate{
+		BundleFile: "KubeAPIServerServingCAData",
+		NotAfter:   time.Now().String(),
+	})
+
+	mcp := helpers.NewMachineConfigPool("test-cluster-infra", nil, helpers.InfraSelector, "v1")
+	mcpWorker := helpers.NewMachineConfigPool("worker", nil, helpers.WorkerSelector, "v1")
+	mcp.Spec.MaxUnavailable = intStrPtr(intstr.FromInt(1))
+	nodes := []*corev1.Node{
+		newNodeWithLabel("node-0", "v1", "v1", map[string]string{"node-role/worker": "", "node-role/infra": ""}),
+		newNodeWithLabel("node-1", "v1", "v1", map[string]string{"node-role/worker": "", "node-role/infra": ""}),
+	}
+
+	f.ccLister = append(f.ccLister, cc)
+	f.mcpLister = append(f.mcpLister, mcp, mcpWorker)
+	f.objects = append(f.objects, mcp, mcpWorker)
+	f.nodeLister = append(f.nodeLister, nodes...)
+	for idx := range nodes {
+		f.kubeobjects = append(f.kubeobjects, nodes[idx])
+	}
+
+	expStatus := calculateStatus(cc, mcp, nodes)
 	expMcp := mcp.DeepCopy()
 	expMcp.Status = expStatus
+
 	f.expectUpdateMachineConfigPoolStatus(expMcp)
 
 	f.run(getKey(mcp, t))
@@ -1018,7 +1054,7 @@ func TestShouldDoNothing(t *testing.T) {
 		newNodeWithLabel("node-0", "v1", "v1", map[string]string{"node-role/worker": "", "node-role/infra": ""}),
 		newNodeWithLabel("node-1", "v1", "v1", map[string]string{"node-role/worker": "", "node-role/infra": ""}),
 	}
-	status := calculateStatus(mcp, nodes)
+	status := calculateStatus(cc, mcp, nodes)
 	mcp.Status = status
 
 	f.ccLister = append(f.ccLister, cc)
@@ -1107,7 +1143,7 @@ func TestControlPlaneTopology(t *testing.T) {
 	for _, node := range nodes {
 		addNodeAnnotations(node, annotations)
 	}
-	status := calculateStatus(mcp, nodes)
+	status := calculateStatus(cc, mcp, nodes)
 	mcp.Status = status
 
 	f.ccLister = append(f.ccLister, cc)

pkg/controller/node/status.go

@@ -6,6 +6,8 @@ import (
 	"strings"
 
 	mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
+	v1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
+	ctrlcommon "github.com/openshift/machine-config-operator/pkg/controller/common"
 	"github.com/openshift/machine-config-operator/pkg/daemon/constants"
 	daemonconsts "github.com/openshift/machine-config-operator/pkg/daemon/constants"
 	corev1 "k8s.io/api/core/v1"
@@ -15,12 +17,16 @@ import (
 )
 
 func (ctrl *Controller) syncStatusOnly(pool *mcfgv1.MachineConfigPool) error {
+	cc, err := ctrl.ccLister.Get(ctrlcommon.ControllerConfigName)
+	if err != nil {
+		return err
+	}
 	nodes, err := ctrl.getNodesForPool(pool)
 	if err != nil {
 		return err
 	}
 
-	newStatus := calculateStatus(pool, nodes)
+	newStatus := calculateStatus(cc, pool, nodes)
 	if equality.Semantic.DeepEqual(pool.Status, newStatus) {
 		return nil
 	}
@@ -37,7 +43,20 @@ func (ctrl *Controller) syncStatusOnly(pool *mcfgv1.MachineConfigPool) error {
 	return err
 }
 
-func calculateStatus(pool *mcfgv1.MachineConfigPool, nodes []*corev1.Node) mcfgv1.MachineConfigPoolStatus {
+func calculateStatus(cconfig *v1.ControllerConfig, pool *mcfgv1.MachineConfigPool, nodes []*corev1.Node) mcfgv1.MachineConfigPoolStatus {
+	certExpirys := []v1.CertExpiry{}
+	if cconfig != nil {
+		for _, cert := range cconfig.Status.ControllerCertificates {
+			if cert.BundleFile == "KubeAPIServerServingCAData" {
+				certExpirys = append(certExpirys, v1.CertExpiry{
+					Bundle:  cert.BundleFile,
+					Subject: cert.Subject,
+					Expiry:  cert.NotAfter,
+				},
+				)
+			}
+		}
+	}
 	machineCount := int32(len(nodes))
 
 	updatedMachines := getUpdatedMachines(pool.Spec.Configuration.Name, nodes)
@@ -66,6 +85,7 @@ func calculateStatus(pool *mcfgv1.MachineConfigPool, nodes []*corev1.Node) mcfgv
 		ReadyMachineCount:       readyMachineCount,
 		UnavailableMachineCount: unavailableMachineCount,
 		DegradedMachineCount:    degradedMachineCount,
+		CertExpirys:             certExpirys,
 	}
 	status.Configuration = pool.Status.Configuration
 

pkg/controller/node/status_test.go

@@ -641,7 +641,7 @@ func TestCalculateStatus(t *testing.T) {
 					Paused:        test.paused,
 				},
 			}
-			status := calculateStatus(pool, test.nodes)
+			status := calculateStatus(nil, pool, test.nodes)
 			test.verify(status, t)
 		})
 	}

pkg/controller/template/status.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/client-go/util/retry"
 
 	mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
 	mcfgclientv1 "github.com/openshift/machine-config-operator/pkg/generated/clientset/versioned/typed/machineconfiguration.openshift.io/v1"
 	"github.com/openshift/machine-config-operator/pkg/version"
+	"k8s.io/apimachinery/pkg/api/equality"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -74,6 +74,15 @@ func (ctrl *Controller) syncCompletedStatus(ctrlconfig *mcfgv1.ControllerConfig)
 	return updateControllerConfigStatus(ctrlconfig.GetName(), ctrl.ccLister.Get, ctrl.client.MachineconfigurationV1().ControllerConfigs(), updateFunc)
 }
 
+// syncCertificateStatus places the new certitifcate data into the actual controllerConfig that is our source of truth.
+func (ctrl *Controller) syncCertificateStatus(ctrlconfig *mcfgv1.ControllerConfig) error {
+	updateFunc := func(cfg *mcfgv1.ControllerConfig) error {
+		cfg.Status.ControllerCertificates = ctrlconfig.Status.ControllerCertificates
+		return nil
+	}
+	return updateControllerConfigStatus(ctrlconfig.GetName(), ctrl.ccLister.Get, ctrl.client.MachineconfigurationV1().ControllerConfigs(), updateFunc)
+}
+
 type updateControllerConfigStatusFunc func(*mcfgv1.ControllerConfig) error
 
 func updateControllerConfigStatus(name string,