Add description annotations to service CA secret and configmap

Service CA generates a secret and configmap for its signing key.
These secret and configmap need to have description annotation
to conform to the new cert ownership validation.

For all secrets that are created by service CA for services, an
ownership and description annotations are generated to indicate
service CA owns these secrets and its corresponding service owner.

Signed-off-by: Vu Dinh <vudinh@outlook.com>

bindata/v4.0.0/controller/signing-cabundle.yaml

@@ -5,5 +5,6 @@ metadata:
   name: signing-cabundle
   annotations:
     openshift.io/owning-component: service-ca
+    openshift.io/description: "Service CA signing CA bundle"
 data:
   ca-bundle.crt:

bindata/v4.0.0/controller/signing-secret.yaml

@@ -5,6 +5,7 @@ metadata:
   name: signing-key
   annotations:
     openshift.io/owning-component: service-ca
+    openshift.io/description: "Service CA signing key"
 type: kubernetes.io/tls
 data:
   tls.crt:

pkg/controller/servingcert/controller/secret_creating_controller.go

@@ -141,6 +141,7 @@ func (sc *serviceServingCertController) generateCert(ctx context.Context, servic
 	if err := toRequiredSecret(sc.dnsSuffix, sc.ca, sc.intermediateCACert, serviceCopy, secret); err != nil {
 		return err
 	}
+	setSecretOwnerDescription(secret, serviceCopy)
 
 	_, err := sc.secretClient.Secrets(serviceCopy.Namespace).Create(ctx, secret, metav1.CreateOptions{})
 	if err != nil && !kapierrors.IsAlreadyExists(err) {
@@ -328,9 +329,8 @@ func toBaseSecret(service *corev1.Service) *corev1.Secret {
 				Name:      service.Annotations[api.ServingCertSecretAnnotation],
 				Namespace: service.Namespace,
 				Annotations: map[string]string{
-					api.ServiceUIDAnnotation:          string(service.UID),
-					api.ServiceNameAnnotation:         service.Name,
-					apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+					api.ServiceUIDAnnotation:  string(service.UID),
+					api.ServiceNameAnnotation: service.Name,
 				},
 			},
 			Type: corev1.SecretTypeTLS,
@@ -342,9 +342,8 @@ func toBaseSecret(service *corev1.Service) *corev1.Secret {
 			Name:      service.Annotations[api.AlphaServingCertSecretAnnotation],
 			Namespace: service.Namespace,
 			Annotations: map[string]string{
-				api.AlphaServiceUIDAnnotation:     string(service.UID),
-				api.AlphaServiceNameAnnotation:    service.Name,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.AlphaServiceUIDAnnotation:  string(service.UID),
+				api.AlphaServiceNameAnnotation: service.Name,
 			},
 		},
 		Type: corev1.SecretTypeTLS,
@@ -410,7 +409,6 @@ func toRequiredSecret(dnsSuffix string, ca *crypto.CA, intermediateCACert *x509.
 
 	secretCopy.Annotations[api.AlphaServingCertExpiryAnnotation] = servingCert.Certs[0].NotAfter.Format(time.RFC3339)
 	secretCopy.Annotations[api.ServingCertExpiryAnnotation] = servingCert.Certs[0].NotAfter.Format(time.RFC3339)
-	secretCopy.Annotations[apiannotations.OpenShiftComponent] = api.OwningJiraComponent
 
 	controller.EnsureOwnerRef(secretCopy, ownerRef(service))
 
@@ -433,3 +431,26 @@ func uidsEqual(secret *corev1.Secret, service *corev1.Service) bool {
 	return secret.Annotations[api.AlphaServiceUIDAnnotation] == suid ||
 		secret.Annotations[api.ServiceUIDAnnotation] == suid
 }
+
+// Set ownership and description annotations. Return true if there are changes on
+// the two annotations
+func setSecretOwnerDescription(secret *corev1.Secret, service *corev1.Service) bool {
+	changed := false
+	if secret.Annotations == nil {
+		secret.Annotations = map[string]string{}
+		changed = true
+	}
+	// Set service CA owner annotation to generated secret
+	if len(secret.Annotations[apiannotations.OpenShiftDescription]) == 0 {
+		secret.Annotations[apiannotations.OpenShiftComponent] = api.OwningJiraComponent
+		changed = true
+	}
+
+	// Copy description annotation from service to secret if exists. Otherwise, generate
+	// a description for it <service name>/<service namespace>
+	if len(secret.Annotations[apiannotations.OpenShiftDescription]) == 0 {
+		secret.Annotations[apiannotations.OpenShiftDescription] = fmt.Sprintf("Generated by Service CA for %s/%s", service.Name, service.Namespace)
+		changed = true
+	}
+	return changed
+}

pkg/controller/servingcert/controller/secret_creating_controller_test.go

@@ -37,6 +37,7 @@ const (
 	testServiceName       = "svc-name"
 	testNamespace         = "svc-namespace"
 	testSecretName        = "new-secret"
+	descAnnotation        = "Generated by Service CA for svc-name/svc-namespace"
 	testCertUnknownIssuer = `
 -----BEGIN CERTIFICATE-----
 MIIDETCCAfmgAwIBAgIUdbBKh0jOJxli4wl34q0TYJu8+n0wDQYJKoZIhvcNAQEL
@@ -146,9 +147,10 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.AlphaServiceUIDAnnotation:     testServiceUID,
-				api.AlphaServiceNameAnnotation:    testServiceName,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.AlphaServiceUIDAnnotation:       testServiceUID,
+				api.AlphaServiceNameAnnotation:      testServiceName,
+				apiannotations.OpenShiftComponent:   api.OwningJiraComponent,
+				apiannotations.OpenShiftDescription: descAnnotation,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -164,9 +166,10 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:          testServiceUID,
-				api.ServiceNameAnnotation:         testServiceName,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.ServiceUIDAnnotation:            testServiceUID,
+				api.ServiceNameAnnotation:           testServiceName,
+				apiannotations.OpenShiftComponent:   api.OwningJiraComponent,
+				apiannotations.OpenShiftDescription: descAnnotation,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -183,9 +186,10 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:          testServiceUID,
-				api.ServiceNameAnnotation:         testServiceName,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.ServiceUIDAnnotation:            testServiceUID,
+				api.ServiceNameAnnotation:           testServiceName,
+				apiannotations.OpenShiftComponent:   api.OwningJiraComponent,
+				apiannotations.OpenShiftDescription: descAnnotation,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -205,9 +209,10 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.AlphaServiceUIDAnnotation:     testServiceUID,
-				api.AlphaServiceNameAnnotation:    testServiceName,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.AlphaServiceUIDAnnotation:       testServiceUID,
+				api.AlphaServiceNameAnnotation:      testServiceName,
+				apiannotations.OpenShiftComponent:   api.OwningJiraComponent,
+				apiannotations.OpenShiftDescription: descAnnotation,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -227,9 +232,10 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:          testServiceUID,
-				api.ServiceNameAnnotation:         testServiceName,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.ServiceUIDAnnotation:            testServiceUID,
+				api.ServiceNameAnnotation:           testServiceName,
+				apiannotations.OpenShiftComponent:   api.OwningJiraComponent,
+				apiannotations.OpenShiftDescription: descAnnotation,
 			},
 			updateSecret:  true,
 			updateService: true,
@@ -318,9 +324,10 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 			},
 			secretData: generateServerCertPemForCA(t, ca, false),
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:          testServiceUID,
-				api.ServiceNameAnnotation:         testServiceName,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.ServiceUIDAnnotation:            testServiceUID,
+				api.ServiceNameAnnotation:           testServiceName,
+				apiannotations.OpenShiftComponent:   api.OwningJiraComponent,
+				apiannotations.OpenShiftDescription: descAnnotation,
 			},
 			expectedServiceAnnotations: map[string]string{
 				api.ServingCertSecretAnnotation: testSecretName,
@@ -338,9 +345,10 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 			},
 			secretData: generateServerCertPemForCA(t, ca, true),
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:          testServiceUID,
-				api.ServiceNameAnnotation:         testServiceName,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.ServiceUIDAnnotation:            testServiceUID,
+				api.ServiceNameAnnotation:           testServiceName,
+				apiannotations.OpenShiftComponent:   api.OwningJiraComponent,
+				apiannotations.OpenShiftDescription: descAnnotation,
 			},
 			expectedServiceAnnotations: map[string]string{
 				api.ServingCertSecretAnnotation: testSecretName,
@@ -362,9 +370,10 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:          testServiceUID,
-				api.ServiceNameAnnotation:         testServiceName,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.ServiceUIDAnnotation:            testServiceUID,
+				api.ServiceNameAnnotation:           testServiceName,
+				apiannotations.OpenShiftComponent:   api.OwningJiraComponent,
+				apiannotations.OpenShiftDescription: descAnnotation,
 			},
 			updateService: true,
 			updateSecret:  true,
@@ -386,9 +395,10 @@ func TestServiceServingCertControllerSync(t *testing.T) {
 				api.ServingCertCreatedByAnnotation:      signerName,
 			},
 			expectedSecretAnnotations: map[string]string{
-				api.ServiceUIDAnnotation:          testServiceUID,
-				api.ServiceNameAnnotation:         testServiceName,
-				apiannotations.OpenShiftComponent: api.OwningJiraComponent,
+				api.ServiceUIDAnnotation:            testServiceUID,
+				api.ServiceNameAnnotation:           testServiceName,
+				apiannotations.OpenShiftComponent:   api.OwningJiraComponent,
+				apiannotations.OpenShiftDescription: descAnnotation,
 			},
 			updateService: true,
 			updateSecret:  true,

pkg/controller/servingcert/controller/secret_updating_controller.go

@@ -16,7 +16,6 @@ import (
 	listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/klog/v2"
 
-	apiannotations "github.com/openshift/api/annotations"
 	ocontroller "github.com/openshift/library-go/pkg/controller"
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/crypto"
@@ -210,8 +209,7 @@ func (sc *serviceServingCertUpdateController) ensureSecretData(service *v1.Servi
 	}
 
 	// set the owning-component unless someone else has claimed it.
-	if !update && len(secretCopy.Annotations[apiannotations.OpenShiftComponent]) == 0 {
-		secretCopy.Annotations[apiannotations.OpenShiftComponent] = api.OwningJiraComponent
+	if !update && setSecretOwnerDescription(secretCopy, service) {
 		update = true
 	}