certrotation: update details specific for annotations and owners

This also removed type change, which no longer happens since 4.17

Author: vrutkovs

pkg/operator/certrotation/cabundle.go

@@ -69,10 +69,8 @@ func (c CABundleConfigMap) EnsureConfigMapCABundle(ctx context.Context, signingC
 	// run Update if metadata needs changing unless running in RefreshOnlyWhenExpired mode
 	updateDetail := ""
 	if !c.RefreshOnlyWhenExpired {
-		updateRequired = ensureOwnerRefAndTLSAnnotationsForConfigMap(caBundleConfigMap, c.Owner, c.AdditionalAnnotations)
-		if updateRequired {
-			updateDetail = fmt.Sprintf("annotations set to %#v", c.AdditionalAnnotations)
-		}
+		updateDetail = ensureOwnerRefAndTLSAnnotationsForConfigMap(caBundleConfigMap, c.Owner, c.AdditionalAnnotations)
+		updateRequired = len(updateDetail) > 0
 	}
 
 	updatedCerts, err := manageCABundleConfigMap(caBundleConfigMap, signingCertKeyPair.Config.Certs[0])

pkg/operator/certrotation/metadata.go

@@ -1,46 +1,40 @@
 package certrotation
 
 import (
+	"fmt"
+
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func ensureOwnerRefAndTLSAnnotationsForSecret(secret *corev1.Secret, owner *metav1.OwnerReference, additionalAnnotations AdditionalAnnotations) bool {
-	needsMetadataUpdate := false
+func ensureOwnerRefAndTLSAnnotationsForSecret(secret *corev1.Secret, owner *metav1.OwnerReference, additionalAnnotations AdditionalAnnotations) string {
+	updateDetails := ""
 	// no ownerReference set
-	if owner != nil {
-		needsMetadataUpdate = ensureOwnerReference(&secret.ObjectMeta, owner)
+	if owner != nil && ensureOwnerReference(&secret.ObjectMeta, owner) {
+		updateDetails = fmt.Sprintf("owner reference updated to %#v", owner)
 	}
 	// ownership annotations not set
-	return additionalAnnotations.EnsureTLSMetadataUpdate(&secret.ObjectMeta) || needsMetadataUpdate
+	if additionalAnnotations.EnsureTLSMetadataUpdate(&secret.ObjectMeta) {
+		if len(updateDetails) > 0 {
+			updateDetails += ", "
+		}
+		updateDetails += fmt.Sprintf("annotations set to %#v", additionalAnnotations)
+	}
+	return updateDetails
 }
 
-func ensureOwnerRefAndTLSAnnotationsForConfigMap(configMap *corev1.ConfigMap, owner *metav1.OwnerReference, additionalAnnotations AdditionalAnnotations) bool {
-	needsMetadataUpdate := false
+func ensureOwnerRefAndTLSAnnotationsForConfigMap(configMap *corev1.ConfigMap, owner *metav1.OwnerReference, additionalAnnotations AdditionalAnnotations) string {
+	updateDetails := ""
 	// no ownerReference set
-	if owner != nil {
-		needsMetadataUpdate = ensureOwnerReference(&configMap.ObjectMeta, owner)
+	if owner != nil && ensureOwnerReference(&configMap.ObjectMeta, owner) {
+		updateDetails = fmt.Sprintf("owner reference updated to %#v", owner)
 	}
 	// ownership annotations not set
-	return additionalAnnotations.EnsureTLSMetadataUpdate(&configMap.ObjectMeta) || needsMetadataUpdate
-}
-
-func ensureSecretTLSTypeSet(secret *corev1.Secret) bool {
-	// Existing secret not found - no need to update metadata (will be done by needNewSigningCertKeyPair / NeedNewTargetCertKeyPair)
-	if len(secret.ResourceVersion) == 0 {
-		return false
-	}
-
-	// convert outdated secret type (created by pre 4.7 installer)
-	if secret.Type != corev1.SecretTypeTLS {
-		secret.Type = corev1.SecretTypeTLS
-		// wipe secret contents if tls.crt and tls.key are missing
-		_, certExists := secret.Data[corev1.TLSCertKey]
-		_, keyExists := secret.Data[corev1.TLSPrivateKeyKey]
-		if !certExists || !keyExists {
-			secret.Data = map[string][]byte{}
+	if additionalAnnotations.EnsureTLSMetadataUpdate(&configMap.ObjectMeta) {
+		if len(updateDetails) > 0 {
+			updateDetails += ", "
 		}
-		return true
+		updateDetails += fmt.Sprintf("annotations set to %#v", additionalAnnotations)
 	}
-	return false
+	return updateDetails
 }

pkg/operator/certrotation/metadata_test.go

@@ -0,0 +1,274 @@
+package certrotation
+
+import (
+	"testing"
+
+	"github.com/openshift/api/annotations"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestEnsureOwnerRefAndTLSAnnotationsForSecret(t *testing.T) {
+	testOwner := &metav1.OwnerReference{
+		APIVersion: "apps/v1",
+		Kind:       "Deployment",
+		Name:       "test-deployment",
+		UID:        "test-uid",
+	}
+
+	testAnnotations := AdditionalAnnotations{
+		JiraComponent: "test-component",
+		Description:   "test description",
+		TestName:      "test-name",
+	}
+
+	tests := []struct {
+		name                    string
+		secret                  *corev1.Secret
+		owner                   *metav1.OwnerReference
+		additionalAnnotations   AdditionalAnnotations
+		expectedUpdateDetails   string
+		expectedOwnerReferences []metav1.OwnerReference
+		expectedAnnotations     map[string]string
+	}{
+		{
+			name: "no updates needed - already has owner and annotations",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-secret",
+					Namespace: "test-namespace",
+					OwnerReferences: []metav1.OwnerReference{
+						*testOwner,
+					},
+					Annotations: map[string]string{
+						annotations.OpenShiftComponent:   "test-component",
+						annotations.OpenShiftDescription: "test description",
+						CertificateTestNameAnnotation:    "test-name",
+					},
+				},
+			},
+			owner:                 testOwner,
+			additionalAnnotations: testAnnotations,
+			expectedUpdateDetails: "",
+			expectedOwnerReferences: []metav1.OwnerReference{
+				*testOwner,
+			},
+			expectedAnnotations: map[string]string{
+				annotations.OpenShiftComponent:   "test-component",
+				annotations.OpenShiftDescription: "test description",
+				CertificateTestNameAnnotation:    "test-name",
+			},
+		},
+		{
+			name: "only owner reference needs updating",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-secret",
+					Namespace: "test-namespace",
+					Annotations: map[string]string{
+						annotations.OpenShiftComponent:   "test-component",
+						annotations.OpenShiftDescription: "test description",
+						CertificateTestNameAnnotation:    "test-name",
+					},
+				},
+			},
+			owner:                 testOwner,
+			additionalAnnotations: testAnnotations,
+			expectedUpdateDetails: "owner reference updated to &v1.OwnerReference{APIVersion:\"apps/v1\", Kind:\"Deployment\", Name:\"test-deployment\", UID:\"test-uid\", Controller:(*bool)(nil), BlockOwnerDeletion:(*bool)(nil)}",
+			expectedOwnerReferences: []metav1.OwnerReference{
+				*testOwner,
+			},
+			expectedAnnotations: map[string]string{
+				annotations.OpenShiftComponent:   "test-component",
+				annotations.OpenShiftDescription: "test description",
+				CertificateTestNameAnnotation:    "test-name",
+			},
+		},
+		{
+			name: "only annotations need updating",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-secret",
+					Namespace: "test-namespace",
+					OwnerReferences: []metav1.OwnerReference{
+						*testOwner,
+					},
+				},
+			},
+			owner:                 testOwner,
+			additionalAnnotations: testAnnotations,
+			expectedUpdateDetails: "annotations set to certrotation.AdditionalAnnotations{JiraComponent:\"test-component\", Description:\"test description\", TestName:\"test-name\", AutoRegenerateAfterOfflineExpiry:\"\", NotBefore:\"\", NotAfter:\"\", RefreshPeriod:\"\"}",
+			expectedOwnerReferences: []metav1.OwnerReference{
+				*testOwner,
+			},
+			expectedAnnotations: map[string]string{
+				annotations.OpenShiftComponent:   "test-component",
+				annotations.OpenShiftDescription: "test description",
+				CertificateTestNameAnnotation:    "test-name",
+			},
+		},
+		{
+			name: "both owner reference and annotations need updating",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-secret",
+					Namespace: "test-namespace",
+				},
+			},
+			owner:                 testOwner,
+			additionalAnnotations: testAnnotations,
+			expectedUpdateDetails: "owner reference updated to &v1.OwnerReference{APIVersion:\"apps/v1\", Kind:\"Deployment\", Name:\"test-deployment\", UID:\"test-uid\", Controller:(*bool)(nil), BlockOwnerDeletion:(*bool)(nil)}, annotations set to certrotation.AdditionalAnnotations{JiraComponent:\"test-component\", Description:\"test description\", TestName:\"test-name\", AutoRegenerateAfterOfflineExpiry:\"\", NotBefore:\"\", NotAfter:\"\", RefreshPeriod:\"\"}",
+			expectedOwnerReferences: []metav1.OwnerReference{
+				*testOwner,
+			},
+			expectedAnnotations: map[string]string{
+				annotations.OpenShiftComponent:   "test-component",
+				annotations.OpenShiftDescription: "test description",
+				CertificateTestNameAnnotation:    "test-name",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := ensureOwnerRefAndTLSAnnotationsForSecret(tt.secret, tt.owner, tt.additionalAnnotations)
+
+			require.Equal(t, result, tt.expectedUpdateDetails, "expected update detail")
+			require.Equal(t, tt.expectedOwnerReferences, tt.secret.OwnerReferences, "expected owner references")
+			require.Equal(t, tt.expectedAnnotations, tt.secret.Annotations, "expected owner annotations")
+		})
+	}
+}
+
+func TestEnsureOwnerRefAndTLSAnnotationsForConfigMap(t *testing.T) {
+	testOwner := &metav1.OwnerReference{
+		APIVersion: "apps/v1",
+		Kind:       "Deployment",
+		Name:       "test-deployment",
+		UID:        "test-uid",
+	}
+
+	testAnnotations := AdditionalAnnotations{
+		JiraComponent: "test-component",
+		Description:   "test description",
+		TestName:      "test-name",
+	}
+
+	tests := []struct {
+		name                    string
+		configMap               *corev1.ConfigMap
+		owner                   *metav1.OwnerReference
+		additionalAnnotations   AdditionalAnnotations
+		expectedUpdateDetails   string
+		expectedOwnerReferences []metav1.OwnerReference
+		expectedAnnotations     map[string]string
+	}{
+		{
+			name: "no updates needed - already has owner and annotations",
+			configMap: &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-configmap",
+					Namespace: "test-namespace",
+					OwnerReferences: []metav1.OwnerReference{
+						*testOwner,
+					},
+					Annotations: map[string]string{
+						annotations.OpenShiftComponent:   "test-component",
+						annotations.OpenShiftDescription: "test description",
+						CertificateTestNameAnnotation:    "test-name",
+					},
+				},
+			},
+			owner:                 testOwner,
+			additionalAnnotations: testAnnotations,
+			expectedUpdateDetails: "",
+			expectedOwnerReferences: []metav1.OwnerReference{
+				*testOwner,
+			},
+			expectedAnnotations: map[string]string{
+				annotations.OpenShiftComponent:   "test-component",
+				annotations.OpenShiftDescription: "test description",
+				CertificateTestNameAnnotation:    "test-name",
+			},
+		},
+		{
+			name: "only owner reference needs updating",
+			configMap: &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-configmap",
+					Namespace: "test-namespace",
+					Annotations: map[string]string{
+						annotations.OpenShiftComponent:   "test-component",
+						annotations.OpenShiftDescription: "test description",
+						CertificateTestNameAnnotation:    "test-name",
+					},
+				},
+			},
+			owner:                 testOwner,
+			additionalAnnotations: testAnnotations,
+			expectedUpdateDetails: "owner reference updated to &v1.OwnerReference{APIVersion:\"apps/v1\", Kind:\"Deployment\", Name:\"test-deployment\", UID:\"test-uid\", Controller:(*bool)(nil), BlockOwnerDeletion:(*bool)(nil)}",
+			expectedOwnerReferences: []metav1.OwnerReference{
+				*testOwner,
+			},
+			expectedAnnotations: map[string]string{
+				annotations.OpenShiftComponent:   "test-component",
+				annotations.OpenShiftDescription: "test description",
+				CertificateTestNameAnnotation:    "test-name",
+			},
+		},
+		{
+			name: "only annotations need updating",
+			configMap: &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-configmap",
+					Namespace: "test-namespace",
+					OwnerReferences: []metav1.OwnerReference{
+						*testOwner,
+					},
+				},
+			},
+			owner:                 testOwner,
+			additionalAnnotations: testAnnotations,
+			expectedUpdateDetails: "annotations set to certrotation.AdditionalAnnotations{JiraComponent:\"test-component\", Description:\"test description\", TestName:\"test-name\", AutoRegenerateAfterOfflineExpiry:\"\", NotBefore:\"\", NotAfter:\"\", RefreshPeriod:\"\"}",
+			expectedOwnerReferences: []metav1.OwnerReference{
+				*testOwner,
+			},
+			expectedAnnotations: map[string]string{
+				annotations.OpenShiftComponent:   "test-component",
+				annotations.OpenShiftDescription: "test description",
+				CertificateTestNameAnnotation:    "test-name",
+			},
+		},
+		{
+			name: "both owner reference and annotations need updating",
+			configMap: &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-configmap",
+					Namespace: "test-namespace",
+				},
+			},
+			owner:                 testOwner,
+			additionalAnnotations: testAnnotations,
+			expectedUpdateDetails: "owner reference updated to &v1.OwnerReference{APIVersion:\"apps/v1\", Kind:\"Deployment\", Name:\"test-deployment\", UID:\"test-uid\", Controller:(*bool)(nil), BlockOwnerDeletion:(*bool)(nil)}, annotations set to certrotation.AdditionalAnnotations{JiraComponent:\"test-component\", Description:\"test description\", TestName:\"test-name\", AutoRegenerateAfterOfflineExpiry:\"\", NotBefore:\"\", NotAfter:\"\", RefreshPeriod:\"\"}",
+			expectedOwnerReferences: []metav1.OwnerReference{
+				*testOwner,
+			},
+			expectedAnnotations: map[string]string{
+				annotations.OpenShiftComponent:   "test-component",
+				annotations.OpenShiftDescription: "test description",
+				CertificateTestNameAnnotation:    "test-name",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := ensureOwnerRefAndTLSAnnotationsForConfigMap(tt.configMap, tt.owner, tt.additionalAnnotations)
+
+			require.Equal(t, result, tt.expectedUpdateDetails, "expected update detail")
+			require.Equal(t, tt.expectedOwnerReferences, tt.configMap.OwnerReferences, "expected owner references")
+			require.Equal(t, tt.expectedAnnotations, tt.configMap.Annotations, "expected owner annotations")
+		})
+	}
+}

pkg/operator/certrotation/signer.go

@@ -81,15 +81,8 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (*
 	// run Update if metadata needs changing unless we're in RefreshOnlyWhenExpired mode
 	updateDetail := ""
 	if !c.RefreshOnlyWhenExpired {
-		needsMetadataUpdate := ensureOwnerRefAndTLSAnnotationsForSecret(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations)
-		if needsMetadataUpdate {
-			updateDetail = fmt.Sprintf("annotations update: %v", c.AdditionalAnnotations)
-		}
-		needsTypeChange := ensureSecretTLSTypeSet(signingCertKeyPairSecret)
-		if needsTypeChange {
-			updateDetail = "secret type update"
-		}
-		updateRequired = needsMetadataUpdate || needsTypeChange
+		updateDetail = ensureOwnerRefAndTLSAnnotationsForSecret(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations)
+		updateRequired = len(updateDetail) > 0
 	}
 
 	// run Update if signer content needs changing

pkg/operator/certrotation/target.go

@@ -115,15 +115,8 @@ func (c RotatedSelfSignedCertKeySecret) EnsureTargetCertKeyPair(ctx context.Cont
 	// run Update if metadata needs changing unless we're in RefreshOnlyWhenExpired mode
 	updateDetail := ""
 	if !c.RefreshOnlyWhenExpired {
-		needsMetadataUpdate := ensureOwnerRefAndTLSAnnotationsForSecret(targetCertKeyPairSecret, c.Owner, c.AdditionalAnnotations)
-		if needsMetadataUpdate {
-			updateDetail = fmt.Sprintf("annotations update: %v", c.AdditionalAnnotations)
-		}
-		needsTypeChange := ensureSecretTLSTypeSet(targetCertKeyPairSecret)
-		if needsTypeChange {
-			updateDetail = "secret type update"
-		}
-		updateRequired = needsMetadataUpdate || needsTypeChange
+		updateDetail = ensureOwnerRefAndTLSAnnotationsForSecret(targetCertKeyPairSecret, c.Owner, c.AdditionalAnnotations)
+		updateRequired = len(updateDetail) > 0
 	}
 
 	if reason := c.CertCreator.NeedNewTargetCertKeyPair(targetCertKeyPairSecret, signingCertKeyPair, caBundleCerts, c.Refresh, c.RefreshOnlyWhenExpired, creationRequired); len(reason) > 0 {