Merge remote-tracking branch 'up/master' into drop-interval-loc-msg

openshift · Apr 30, 2024 · d87fae9 · d87fae9
2 parents 09ae5aa + efa2ab6
commit d87fae9
Show file tree

Hide file tree

Showing 16 changed files with 502 additions and 171 deletions.
diff --git a/go.mod b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/openshift/build-machinery-go v0.0.0-20231128094528-1e9b1b0595c8
 	github.com/openshift/client-go v0.0.0-20240405120947-c67c8325cdd8
 	github.com/openshift/cluster-network-operator v0.0.0-20240111190956-90754aa19843
-	github.com/openshift/library-go v0.0.0-20240411091851-558ed29cc1dd
+	github.com/openshift/library-go v0.0.0-20240422143640-fad649cbbd63
 	github.com/pborman/uuid v1.2.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.16.0

diff --git a/go.sum b/go.sum
@@ -692,8 +692,8 @@ github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0
 github.com/openshift/kubernetes/staging/src/k8s.io/pod-security-admission v0.0.0-20240415183844-5fa180624ad5/go.mod h1:KO9+e3Vs9szCaGa71Rzbl5yjVZJRVdOedcQA9Rd0jqg=
 github.com/openshift/kubernetes/staging/src/k8s.io/sample-apiserver v0.0.0-20240415183844-5fa180624ad5 h1:MPbBds/nKoeE9aUzsynDrdhqw2s+ga8jIraaQon1pA0=
 github.com/openshift/kubernetes/staging/src/k8s.io/sample-apiserver v0.0.0-20240415183844-5fa180624ad5/go.mod h1:gt+x8e/xXgY6PAhP9S6wHwnQ1BeD8/3kqgCi7efOSzU=
-github.com/openshift/library-go v0.0.0-20240411091851-558ed29cc1dd h1:svnVGaIsBgNRW/6FRRxIWOyYmpL7jL7LkkRYiYS8OFk=
-github.com/openshift/library-go v0.0.0-20240411091851-558ed29cc1dd/go.mod h1:m/HsttSi90vSixwoy5mPUBHcZid2YRw/QbsLErLxF9s=
+github.com/openshift/library-go v0.0.0-20240422143640-fad649cbbd63 h1:Cv1pmE4m2MJrytpTOk0HHJfaw7gvBOwAj8FJeGuffCg=
+github.com/openshift/library-go v0.0.0-20240422143640-fad649cbbd63/go.mod h1:m/HsttSi90vSixwoy5mPUBHcZid2YRw/QbsLErLxF9s=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7 h1:ACi574W+KszWNNkWT+8xNY7NpvpoHA+EPOKLlHB4MiQ=
 github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20231031162821-c5e24be53ea7/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=

diff --git a/pkg/certs/types.go b/pkg/certs/types.go
@@ -10,6 +10,9 @@ type ConfigMapRefByNamespaceName []certgraphapi.InClusterConfigMapLocation
 type SecretRefByNamespaceName []certgraphapi.InClusterSecretLocation
 type SecretInfoByNamespaceName map[certgraphapi.InClusterSecretLocation]certgraphapi.PKIRegistryCertKeyPairInfo
 type ConfigMapInfoByNamespaceName map[certgraphapi.InClusterConfigMapLocation]certgraphapi.PKIRegistryCertificateAuthorityInfo
+type OnDiskLocationByPath []certgraphapi.OnDiskLocation
+type CertKeyPairInfoByOnDiskLocation map[certgraphapi.OnDiskLocation]certgraphapi.PKIRegistryCertKeyPairInfo
+type CABundleInfoByOnDiskLocation map[certgraphapi.OnDiskLocation]certgraphapi.PKIRegistryCertificateAuthorityInfo
 
 func (n SecretRefByNamespaceName) Len() int {
 	return len(n)
@@ -46,3 +49,13 @@ func (n ConfigMapRefByNamespaceName) Less(i, j int) bool {
 
 	return strings.Compare(n[i].Name, n[j].Name) < 0
 }
+
+func (n OnDiskLocationByPath) Len() int {
+	return len(n)
+}
+func (n OnDiskLocationByPath) Swap(i, j int) {
+	n[i], n[j] = n[j], n[i]
+}
+func (n OnDiskLocationByPath) Less(i, j int) bool {
+	return strings.Compare(n[i].Path, n[j].Path) < 0
+}
diff --git a/pkg/certs/utils.go b/pkg/certs/utils.go
@@ -8,43 +8,92 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
-func GetPKIInfoFromEmbeddedOwnership(ownershipFile []byte) (*certgraphapi.PKIRegistryInfo, error) {
-	certs := SecretInfoByNamespaceName{}
-	caBundles := ConfigMapInfoByNamespaceName{}
+// PKIRegistryInfo holds information about TLS artifacts stored in etcd. This includes object location and metadata based on object annotations
+type PKIRegistryInfo struct {
+	// +mapType:=atomic
+	CertificateAuthorityBundles []certgraphapi.PKIRegistryCABundle `json:"certificateAuthorityBundles"`
+	// +mapType:=atomic
+	CertKeyPairs []certgraphapi.PKIRegistryCertKeyPair `json:"certKeyPairs"`
+}
+
+func GetPKIInfoFromEmbeddedOwnership(ownershipFile []byte) (*PKIRegistryInfo, error) {
+	inClusterCerts := SecretInfoByNamespaceName{}
+	onDiskCerts := CertKeyPairInfoByOnDiskLocation{}
+	inClusterCABundles := ConfigMapInfoByNamespaceName{}
+	onDiskCABundles := CABundleInfoByOnDiskLocation{}
 
-	currPKI := &certgraphapi.PKIRegistryInfo{}
+	currPKI := &PKIRegistryInfo{}
 	err := json.Unmarshal(ownershipFile, currPKI)
 	if err != nil {
 		return nil, err
 	}
 
 	for _, currCert := range currPKI.CertKeyPairs {
-		certs[currCert.SecretLocation] = currCert.CertKeyInfo
+		if currCert.InClusterLocation != nil {
+			inClusterCerts[currCert.InClusterLocation.SecretLocation] = currCert.InClusterLocation.CertKeyInfo
+		}
+		if currCert.OnDiskLocation != nil {
+			onDiskCerts[currCert.OnDiskLocation.OnDiskLocation] = currCert.OnDiskLocation.CertKeyInfo
+		}
 	}
 	for _, currCABundle := range currPKI.CertificateAuthorityBundles {
-		caBundles[currCABundle.ConfigMapLocation] = currCABundle.CABundleInfo
+		if currCABundle.InClusterLocation != nil {
+			inClusterCABundles[currCABundle.InClusterLocation.ConfigMapLocation] = currCABundle.InClusterLocation.CABundleInfo
+		}
+		if currCABundle.OnDiskLocation != nil {
+			onDiskCABundles[currCABundle.OnDiskLocation.OnDiskLocation] = currCABundle.OnDiskLocation.CABundleInfo
+		}
 	}
-	return CertsToRegistryInfo(certs, caBundles), nil
+	return CertsToRegistryInfo(inClusterCerts, onDiskCerts, inClusterCABundles, onDiskCABundles), nil
 }
 
-func CertsToRegistryInfo(certs SecretInfoByNamespaceName, caBundles ConfigMapInfoByNamespaceName) *certgraphapi.PKIRegistryInfo {
-	result := &certgraphapi.PKIRegistryInfo{}
+func CertsToRegistryInfo(
+	certs SecretInfoByNamespaceName,
+	onDiskCerts CertKeyPairInfoByOnDiskLocation,
+	caBundles ConfigMapInfoByNamespaceName,
+	onDiskCABundles CABundleInfoByOnDiskLocation,
+) *PKIRegistryInfo {
+	result := &PKIRegistryInfo{}
 
-	certKeys := sets.KeySet[certgraphapi.InClusterSecretLocation, certgraphapi.PKIRegistryCertKeyPairInfo](certs).UnsortedList()
-	sort.Sort(SecretRefByNamespaceName(certKeys))
-	for _, key := range certKeys {
-		result.CertKeyPairs = append(result.CertKeyPairs, certgraphapi.PKIRegistryInClusterCertKeyPair{
-			SecretLocation: key,
-			CertKeyInfo:    certs[key],
+	inClusterCertKeys := sets.KeySet[certgraphapi.InClusterSecretLocation, certgraphapi.PKIRegistryCertKeyPairInfo](certs).UnsortedList()
+	sort.Sort(SecretRefByNamespaceName(inClusterCertKeys))
+	for _, key := range inClusterCertKeys {
+		result.CertKeyPairs = append(result.CertKeyPairs, certgraphapi.PKIRegistryCertKeyPair{
+			InClusterLocation: &certgraphapi.PKIRegistryInClusterCertKeyPair{
+				SecretLocation: key,
+				CertKeyInfo:    certs[key],
+			},
+		})
+	}
+	onDiskCertKeys := sets.KeySet[certgraphapi.OnDiskLocation, certgraphapi.PKIRegistryCertKeyPairInfo](onDiskCerts).UnsortedList()
+	sort.Sort(OnDiskLocationByPath(onDiskCertKeys))
+	for _, key := range onDiskCertKeys {
+		result.CertKeyPairs = append(result.CertKeyPairs, certgraphapi.PKIRegistryCertKeyPair{
+			OnDiskLocation: &certgraphapi.PKIRegistryOnDiskCertKeyPair{
+				OnDiskLocation: key,
+				CertKeyInfo:    onDiskCerts[key],
+			},
 		})
 	}
 
-	caKeys := sets.KeySet[certgraphapi.InClusterConfigMapLocation, certgraphapi.PKIRegistryCertificateAuthorityInfo](caBundles).UnsortedList()
-	sort.Sort(ConfigMapRefByNamespaceName(caKeys))
-	for _, key := range caKeys {
-		result.CertificateAuthorityBundles = append(result.CertificateAuthorityBundles, certgraphapi.PKIRegistryInClusterCABundle{
-			ConfigMapLocation: key,
-			CABundleInfo:      caBundles[key],
+	inClusterCAKeys := sets.KeySet[certgraphapi.InClusterConfigMapLocation, certgraphapi.PKIRegistryCertificateAuthorityInfo](caBundles).UnsortedList()
+	sort.Sort(ConfigMapRefByNamespaceName(inClusterCAKeys))
+	for _, key := range inClusterCAKeys {
+		result.CertificateAuthorityBundles = append(result.CertificateAuthorityBundles, certgraphapi.PKIRegistryCABundle{
+			InClusterLocation: &certgraphapi.PKIRegistryInClusterCABundle{
+				ConfigMapLocation: key,
+				CABundleInfo:      caBundles[key],
+			},
+		})
+	}
+	onDiskCAKeys := sets.KeySet[certgraphapi.OnDiskLocation, certgraphapi.PKIRegistryCertificateAuthorityInfo](onDiskCABundles).UnsortedList()
+	sort.Sort(OnDiskLocationByPath(onDiskCAKeys))
+	for _, key := range onDiskCAKeys {
+		result.CertificateAuthorityBundles = append(result.CertificateAuthorityBundles, certgraphapi.PKIRegistryCABundle{
+			OnDiskLocation: &certgraphapi.PKIRegistryOnDiskCABundle{
+				OnDiskLocation: key,
+				CABundleInfo:   onDiskCABundles[key],
+			},
 		})
 	}
 	return result

diff --git a/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/ownership/requirement.go b/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/ownership/requirement.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 
+	"github.com/openshift/origin/pkg/certs"
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
 
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
@@ -47,19 +48,25 @@ func (o OwnerRequirement) InspectRequirement(rawData []*certgraphapi.PKIList) (t
 		violationJSONBytes)
 }
 
-func generateViolationJSON(pkiInfo *certgraphapi.PKIRegistryInfo) *certgraphapi.PKIRegistryInfo {
-	ret := &certgraphapi.PKIRegistryInfo{}
+func generateViolationJSON(pkiInfo *certs.PKIRegistryInfo) *certs.PKIRegistryInfo {
+	ret := &certs.PKIRegistryInfo{}
 
 	for i := range pkiInfo.CertKeyPairs {
 		curr := pkiInfo.CertKeyPairs[i]
-		owner := curr.CertKeyInfo.OwningJiraComponent
+		if curr.InClusterLocation == nil {
+			continue
+		}
+		owner := curr.InClusterLocation.CertKeyInfo.OwningJiraComponent
 		if len(owner) == 0 || owner == tlsmetadatainterfaces.UnknownOwner {
 			ret.CertKeyPairs = append(ret.CertKeyPairs, curr)
 		}
 	}
 	for i := range pkiInfo.CertificateAuthorityBundles {
 		curr := pkiInfo.CertificateAuthorityBundles[i]
-		owner := curr.CABundleInfo.OwningJiraComponent
+		if curr.InClusterLocation == nil {
+			continue
+		}
+		owner := curr.InClusterLocation.CABundleInfo.OwningJiraComponent
 		if len(owner) == 0 || owner == tlsmetadatainterfaces.UnknownOwner {
 			ret.CertificateAuthorityBundles = append(ret.CertificateAuthorityBundles, curr)
 		}
@@ -68,15 +75,18 @@ func generateViolationJSON(pkiInfo *certgraphapi.PKIRegistryInfo) *certgraphapi.
 	return ret
 }
 
-func generateOwnershipMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, error) {
-	certsByOwner := map[string][]certgraphapi.PKIRegistryInClusterCertKeyPair{}
-	certsWithoutOwners := []certgraphapi.PKIRegistryInClusterCertKeyPair{}
-	caBundlesByOwner := map[string][]certgraphapi.PKIRegistryInClusterCABundle{}
-	caBundlesWithoutOwners := []certgraphapi.PKIRegistryInClusterCABundle{}
+func generateOwnershipMarkdown(pkiInfo *certs.PKIRegistryInfo) ([]byte, error) {
+	certsByOwner := map[string][]certgraphapi.PKIRegistryCertKeyPair{}
+	certsWithoutOwners := []certgraphapi.PKIRegistryCertKeyPair{}
+	caBundlesByOwner := map[string][]certgraphapi.PKIRegistryCABundle{}
+	caBundlesWithoutOwners := []certgraphapi.PKIRegistryCABundle{}
 
 	for i := range pkiInfo.CertKeyPairs {
 		curr := pkiInfo.CertKeyPairs[i]
-		owner := curr.CertKeyInfo.OwningJiraComponent
+		if curr.InClusterLocation == nil {
+			continue
+		}
+		owner := curr.InClusterLocation.CertKeyInfo.OwningJiraComponent
 		if len(owner) == 0 || owner == tlsmetadatainterfaces.UnknownOwner {
 			certsWithoutOwners = append(certsWithoutOwners, curr)
 			continue
@@ -85,7 +95,10 @@ func generateOwnershipMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, e
 	}
 	for i := range pkiInfo.CertificateAuthorityBundles {
 		curr := pkiInfo.CertificateAuthorityBundles[i]
-		owner := curr.CABundleInfo.OwningJiraComponent
+		if curr.InClusterLocation == nil {
+			continue
+		}
+		owner := curr.InClusterLocation.CABundleInfo.OwningJiraComponent
 		if len(owner) == 0 || owner == tlsmetadatainterfaces.UnknownOwner {
 			caBundlesWithoutOwners = append(caBundlesWithoutOwners, curr)
 			continue
@@ -101,9 +114,12 @@ func generateOwnershipMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, e
 			md.Title(3, fmt.Sprintf("Certificates (%d)", len(certsWithoutOwners)))
 			md.OrderedListStart()
 			for _, curr := range certsWithoutOwners {
+				if curr.InClusterLocation == nil {
+					continue
+				}
 				md.NewOrderedListItem()
-				md.Textf("ns/%v secret/%v\n", curr.SecretLocation.Namespace, curr.SecretLocation.Name)
-				md.Textf("**Description:** %v", curr.CertKeyInfo.Description)
+				md.Textf("ns/%v secret/%v\n", curr.InClusterLocation.SecretLocation.Namespace, curr.InClusterLocation.SecretLocation.Name)
+				md.Textf("**Description:** %v", curr.InClusterLocation.CertKeyInfo.Description)
 				md.Text("\n")
 			}
 			md.OrderedListEnd()
@@ -113,9 +129,12 @@ func generateOwnershipMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, e
 			md.Title(3, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundlesWithoutOwners)))
 			md.OrderedListStart()
 			for _, curr := range caBundlesWithoutOwners {
+				if curr.InClusterLocation == nil {
+					continue
+				}
 				md.NewOrderedListItem()
-				md.Textf("ns/%v configmap/%v\n", curr.ConfigMapLocation.Namespace, curr.ConfigMapLocation.Name)
-				md.Textf("**Description:** %v", curr.CABundleInfo.Description)
+				md.Textf("ns/%v configmap/%v\n", curr.InClusterLocation.ConfigMapLocation.Namespace, curr.InClusterLocation.ConfigMapLocation.Name)
+				md.Textf("**Description:** %v", curr.InClusterLocation.CABundleInfo.Description)
 				md.Text("\n")
 			}
 			md.OrderedListEnd()
@@ -132,9 +151,12 @@ func generateOwnershipMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, e
 			md.Title(3, fmt.Sprintf("Certificates (%d)", len(certs)))
 			md.OrderedListStart()
 			for _, curr := range certs {
+				if curr.InClusterLocation == nil {
+					continue
+				}
 				md.NewOrderedListItem()
-				md.Textf("ns/%v secret/%v\n", curr.SecretLocation.Namespace, curr.SecretLocation.Name)
-				md.Textf("**Description:** %v", curr.CertKeyInfo.Description)
+				md.Textf("ns/%v secret/%v\n", curr.InClusterLocation.SecretLocation.Namespace, curr.InClusterLocation.SecretLocation.Name)
+				md.Textf("**Description:** %v", curr.InClusterLocation.CertKeyInfo.Description)
 				md.Text("\n")
 			}
 			md.OrderedListEnd()
@@ -146,9 +168,12 @@ func generateOwnershipMarkdown(pkiInfo *certgraphapi.PKIRegistryInfo) ([]byte, e
 			md.Title(3, fmt.Sprintf("Certificate Authority Bundles (%d)", len(caBundles)))
 			md.OrderedListStart()
 			for _, curr := range caBundles {
+				if curr.InClusterLocation == nil {
+					continue
+				}
 				md.NewOrderedListItem()
-				md.Textf("ns/%v configmap/%v\n", curr.ConfigMapLocation.Namespace, curr.ConfigMapLocation.Name)
-				md.Textf("**Description:** %v", curr.CABundleInfo.Description)
+				md.Textf("ns/%v configmap/%v\n", curr.InClusterLocation.ConfigMapLocation.Namespace, curr.InClusterLocation.ConfigMapLocation.Name)
+				md.Textf("**Description:** %v", curr.InClusterLocation.CABundleInfo.Description)
 				md.Text("\n")
 			}
 			md.OrderedListEnd()