Add README.md clarifying TLS registry purpose and processes

[vrutkovs]

/cc @deads2k

[deads2k]

Suggested change

	For simplicity this document will use "certificate" for both certificate, key or CA bundle.
	For simplicity this document will use "pki artifact" for both certificate, key or CA bundle.

? It's confusing to read certificate where it's actually a bundle.

[vrutkovs]

I really wanted to get away with this and just use "cert" throughout the text :/

Not sure if "pki artifact" is better, maybe "tls artifact"?

[deads2k]

Suggested change

	The test produces a json in `openshift-e2e-test/artifacts/rawTLSInfo`:
	The test produces a json in `openshift-e2e-test/artifacts/rawTLSInfo/<put-the-pattern-of-filename-here>json`:

[deads2k]

Suggested change

	* parses them and stores information
	* parses them and stores metadata

[deads2k]

Suggested change

	certificates created by `service-ca` are managed by network team regardless of the repo these are
	certificates created by `service-ca` are managed by service-ca jira component regardless of the repo these are

The ownership by jira components, not teams, is extremely intentional. Teams can move and dissolve, but we're good about making sure every jira component has an owner.

[deads2k]

Suggested change

	new entries is prohibited. This is enforced by using a separate `OWNERS` file for this directory.
	new entries is prohibited. This is enforced using an e2e test and by using a separate `OWNERS` file for this directory.

[deads2k]

add courtesy link

[deads2k]

followup consideration: we could streamline further by having annotation requirements indicate their annotations.

[deads2k]

indicate method and provide link. I think once we generalize the annotation based requirements most people won't need this.

[deads2k]

I'll accept "tls artifact" if you like. But calling it a certificate is incorrect

[deads2k]

The service-ca is owned by the service-ca component, not the networking component

[deads2k]

Suggested change

	This test would collect the TLS registry from the cluster and generate new violation files from it. If this new file
	This test collects the TLS registry from the cluster and generate new violation files from it. If this new file

And similar through. Not future ("would"), but current

[deads2k]

I plan to enforce ASAP. I think we have sufficient data to do so

[vrutkovs]

This will break a lot of optional operators (i.e. OpenShift GitOps or SRIOV operator), so we need a way of finding all jobs first

[deads2k]

This will break a lot of optional operators (i.e. OpenShift GitOps or SRIOV operator), so we need a way of finding all jobs first

do you have a link to such a job so we can see the result?

[vrutkovs]

Hmm, I was wrong - I noticed the test didn't pass on a cluster with pipelines+gitops operators installed, but probably its due to service serving CAs, which are accounted now.
However Hypershift jobs would certainly fail, but its relatively easy to fix.

Just to be safe we should switch flake to fail in a separate PR so that TRT would revert just the small part

[deads2k]

Just to be safe we should switch flake to fail in a separate PR so that TRT would revert just the small part

Yes. I also identified 21c9d0d which I'm prepared to sacrifice for now to get the majority enforcing.

[openshift-trt-bot]

Job Failure Risk Analysis for sha: a26f447

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node	IncompleteTests Tests for this run (24) are below the historical average (1651): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

[deads2k]

Suggested change

	problems with `service-ca` TLS artifacts are filed in Jira for "Networking / cluster-network-operator" component
	problems with `service-ca` TLS artifacts are filed in Jira for "service-ca" component

or perhaps you intended to point to the proxy-cas?

[vrutkovs]

Yeah, I meant proxy CAs

[deads2k]

Suggested change

	TLS artifact contents may however be insufficient - i.e. it's not clear which OpenShift is responsible
	TLS artifact contents may however be insufficient - i.e. it's not clear which product component is responsible

[deads2k]

Suggested change

	type OwnerRequirement struct {
	name string
	}
	func NewOwnerRequirement() tlsmetadatainterfaces.Requirement {
	return OwnerRequirement{
	name: "ownership",
	}
	}
	// Return requirement name for filenames. Must be unique
	func (o OwnerRequirement) GetName() string {
	return o.name
	}
	// Boilerplate function which processes TLS registry and produces RequirementResult or throws an error
	func (o OwnerRequirement) InspectRequirement(rawData []*certgraphapi.PKIList) (tlsmetadatainterfaces.RequirementResult, error) {
	pkiInfo, err := tlsmetadatainterfaces.ProcessByLocation(rawData)
	if err != nil {
	return nil, fmt.Errorf("transforming raw data %v: %w", o.GetName(), err)
	}
	ownershipJSONBytes, err := json.MarshalIndent(pkiInfo, "", " ")
	if err != nil {
	return nil, fmt.Errorf("failure marshalling %v.json: %w", o.GetName(), err)
	}
	markdown, err := generateOwnershipMarkdown(pkiInfo)
	if err != nil {
	return nil, fmt.Errorf("failure marshalling %v.md: %w", o.GetName(), err)
	}
	violations := generateViolationJSON(pkiInfo)
	violationJSONBytes, err := json.MarshalIndent(violations, "", " ")
	if err != nil {
	return nil, fmt.Errorf("failure marshalling %v-violations.json: %w", o.GetName(), err)
	}
	return tlsmetadata.NewRequirementResult(
	o.GetName(),
	ownershipJSONBytes,
	markdown,
	violationJSONBytes)
	}
	```
	This interface calls two internal functions:
	```golang
	func generateViolationJSON(pkiInfo *certgraphapi.PKIRegistryInfo) *certgraphapi.PKIRegistryInfo {
	ret := &certgraphapi.PKIRegistryInfo{}
	// Iterate over certificate-key pairs (==secrets)
	for i := range pkiInfo.CertKeyPairs {
	curr := pkiInfo.CertKeyPairs[i]
	owner := curr.CertKeyInfo.OwningJiraComponent
	// Include in the violations list if has no owner set or owner set to Unknown
	if len(owner) == 0 || owner == tlsmetadata.UnknownOwner {
	ret.CertKeyPairs = append(ret.CertKeyPairs, curr)
	}
	}
	// Iterate over CA bundles (==configmaps)
	for i := range pkiInfo.CertificateAuthorityBundles {
	curr := pkiInfo.CertificateAuthorityBundles[i]
	owner := curr.CABundleInfo.OwningJiraComponent
	// Include in the violations list if has no owner set or owner set to Unknown
	if len(owner) == 0 || owner == tlsmetadata.UnknownOwner {
	ret.CertificateAuthorityBundles = append(ret.CertificateAuthorityBundles, curr)
	}
	}
	return ret
	}
	const annotationName string = "certificates.openshift.io/supports-offline-hostname-change"
	type SupportsOfflineHostnameChange struct{}
	func NewSupportsOfflineHostnameChange() tlsmetadatainterfaces.Requirement {
	md := tlsmetadatainterfaces.NewMarkdown("")
	md.Text("Offline hostname change is an SNO feature driven using tool (provide link here) while a cluster is not running.")
	return tlsmetadatainterfaces.NewAnnotationRequirement(
	// requirement name
	"offline-hostname-change",
	// cert or configmap annotation
	annotationName,
	"Supports Offline Hostname Change",
	string(md.ExactBytes()),
	)
	}

[openshift-trt-bot]

Job Failure Risk Analysis for sha: 33164f8

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-openstack-ovn	High [Jira:"Image Registry"] monitor test image-registry-availability setup This test has passed 100.00% of 3 runs on release 4.16 [amd64 ha openstack ovn] in the last week.

[deads2k]

a few typos to tidy up, but we can do that as a followup

/lgtm

[deads2k]

/retest-required

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD b4b9ccc and 2 for PR HEAD c17a17c in total

[openshift-trt-bot]

Job Failure Risk Analysis for sha: c17a17c

Job Name	Failure Risk
pull-ci-openshift-origin-master-e2e-aws-ovn-single-node-serial	Low [sig-arch] events should not repeat pathologically for ns/openshift-etcd-operator This test has passed 28.07% of 57 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node-serial'] in the last 14 days.

[vrutkovs]

/retest-required

[openshift-ci]

@vrutkovs: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-single-node	c17a17c	link	false	/test e2e-aws-ovn-single-node
ci/prow/e2e-aws-ovn-cgroupsv2	c17a17c	link	false	/test e2e-aws-ovn-cgroupsv2
ci/prow/e2e-openstack-ovn	c17a17c	link	false	/test e2e-openstack-ovn
ci/prow/e2e-aws-ovn-single-node-serial	c17a17c	link	false	/test e2e-aws-ovn-single-node-serial
ci/prow/e2e-agnostic-ovn-cmd	c17a17c	link	false	/test e2e-agnostic-ovn-cmd
ci/prow/e2e-aws-ovn-single-node-upgrade	c17a17c	link	false	/test e2e-aws-ovn-single-node-upgrade
ci/prow/e2e-gcp-ovn-rt-upgrade	c17a17c	link	false	/test e2e-gcp-ovn-rt-upgrade

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build openshift-enterprise-tests-container-v4.16.0-202401051232.p0.g4d2a9d3.assembly.stream for distgit openshift-enterprise-tests.
All builds following this will include this PR.