USHIFT-6590: Align certificate expiry dates

[pacevedom]

Summary by CodeRabbit

• Refactor
  • Certificate expirations now align to the next midnight, so all certs end at a uniform day boundary.
• Tests
  • Certificate-rotation tests adjusted to account for the aligned expiry calculations (expiry shifts by one day where applicable).
• Documentation
  • Date-computation docs updated to reflect that expiry calculations use midnight-tomorrow as the anchor.

[openshift-ci-robot]

@pacevedom: This pull request references USHIFT-6590 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "openshift-4.21" instead.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pacevedom]

/jira refresh

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pacevedom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@pacevedom: This pull request references USHIFT-6590 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

Aligns certificate expirations to the next midnight by adding alignValidity and applying it to certificate validity values in certSetup; updates a certificate-rotation test to account for the aligned expiry calculations.

Changes

Cohort / File(s)	Summary
Certificate Validity Alignment pkg/cmd/init.go	Adds alignValidity helper that computes duration until next midnight plus base validity; replaces direct uses of cryptomaterial.ShortLivedCertificateValidity and cryptomaterial.LongLivedCertificateValidity with aligned values; introduces startTime and nextMidnight anchors.
Tests — certificate rotation test/suites/standard2/validate-certificate-rotation.robot	Adjusts expiry calculations to account for the alignment (uses 366 + FUTURE_DAYS and computes dates relative to tomorrow's midnight); updates comments and date computation commands accordingly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'USHIFT-6590: Align certificate expiry dates' directly and clearly summarizes the main change: aligning certificate expiration dates to the next midnight boundary.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

test/suites/standard2/validate-certificate-rotation.robot (1)

82-82: Pre-existing typo: "ceritifate" → "certificate".

Not introduced by this PR, but worth a drive-by fix if you're already touching this file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@pacevedom: This pull request references USHIFT-6590 which is a valid jira issue.

Details

In response to this:

Summary by CodeRabbit

• Refactor
• Aligned certificate expiration times to occur uniformly at the next midnight boundary, improving consistency and predictability of certificate lifecycle management.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@pkg/cmd/init.go`:
- Around line 66-77: The code builds nextMidnight and alignValidity using the
local time zone via startTime := time.Now(); replace this with UTC to avoid DST
drift: set startTime to time.Now().UTC() (and ensure nextMidnight is constructed
in that same UTC location) so that nextMidnight, targetExpiration and the
alignValidity(baseValidity) calculation are anchored to a fixed UTC midnight
rather than a potentially-shifting local midnight; update references to
startTime, nextMidnight and alignValidity accordingly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Consider using UTC to avoid DST drift.

startTime.Location() uses the system's local timezone. If DST transitions occur during the certificate's validity window, nextMidnight.Add(baseValidity) won't land on midnight—durations are absolute, but wall-clock midnight shifts by an hour at DST boundaries.

Using time.Now().UTC() would guarantee the expiry anchor is always exactly midnight.

Proposed fix

-	startTime := time.Now()
+	startTime := time.Now().UTC()

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	startTime := time.Now()
	nextMidnight := time.Date(
	startTime.Year(),
	startTime.Month(),
	startTime.Day()+1,
	0, 0, 0, 0,
	startTime.Location(),
	)
	alignValidity := func(baseValidity time.Duration) time.Duration {
	targetExpiration := nextMidnight.Add(baseValidity)
	return time.Until(targetExpiration)
	}
	startTime := time.Now().UTC()
	nextMidnight := time.Date(
	startTime.Year(),
	startTime.Month(),
	startTime.Day()+1,
	0, 0, 0, 0,
	startTime.Location(),
	)
	alignValidity := func(baseValidity time.Duration) time.Duration {
	targetExpiration := nextMidnight.Add(baseValidity)
	return time.Until(targetExpiration)
	}

🤖 Prompt for AI Agents

In `@pkg/cmd/init.go` around lines 66 - 77, The code builds nextMidnight and
alignValidity using the local time zone via startTime := time.Now(); replace
this with UTC to avoid DST drift: set startTime to time.Now().UTC() (and ensure
nextMidnight is constructed in that same UTC location) so that nextMidnight,
targetExpiration and the alignValidity(baseValidity) calculation are anchored to
a fixed UTC midnight rather than a potentially-shifting local midnight; update
references to startTime, nextMidnight and alignValidity accordingly.

[openshift-ci-robot]

@pacevedom: This pull request references USHIFT-6590 which is a valid jira issue.

Details

In response to this:

Summary by CodeRabbit

• Refactor
• Certificate expirations now align to the next midnight, so all certs end at a uniform day boundary.
• Tests
• Certificate-rotation tests adjusted to account for the aligned expiry calculations (expiry shifts by one day where applicable).
• Documentation
• Date-computation docs updated to reflect that expiry calculations use midnight-tomorrow as the anchor.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@pacevedom: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ocp-full-conformance-rhel-eus	cceaa4f	link	true	/test ocp-full-conformance-rhel-eus
ci/prow/ocp-full-conformance-serial-rhel-eus	cceaa4f	link	true	/test ocp-full-conformance-serial-rhel-eus

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.