Update auth.openshift.io/certificate-not{after,before} annotations wh…

…en regenerating certs Signed-off-by: Michail Resvanis <mresvani@redhat.com>
rh-ecosystem-edge · Feb 29, 2024 · 6c1cae7 · 6c1cae7
1 parent ef985bc
commit 6c1cae7
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/src/cluster_crypto/cert_key_pair.rs b/src/cluster_crypto/cert_key_pair.rs
@@ -13,7 +13,10 @@ use super::{
 use crate::{
     cluster_crypto::locations::LocationValueType,
     config::CryptoCustomizations,
-    file_utils::{add_recert_edited_annotation, commit_file, get_filesystem_yaml, recreate_yaml_at_location_with_new_pem},
+    file_utils::{
+        add_recert_edited_annotation, commit_file, get_filesystem_yaml, recreate_yaml_at_location_with_new_pem,
+        update_auth_certificate_annotations,
+    },
     k8s_etcd::{get_etcd_json, InMemoryK8sEtcd},
     rsa_key_pool::RsaKeyPool,
 };
@@ -333,6 +336,15 @@ impl CertKeyPair {
                 .encode_pem(),
         )?;
 
+        let certificate = self
+            .distributed_cert
+            .borrow()
+            .certificate_regenerated
+            .clone()
+            .context("certificate was not regenerated")?;
+
+        update_auth_certificate_annotations(&mut resource, &certificate)?;
+
         etcd_client
             .put(
                 &k8slocation.resource_location.as_etcd_key(),

diff --git a/src/file_utils.rs b/src/file_utils.rs
@@ -1,9 +1,11 @@
 use crate::cluster_crypto::{
+    certificate::Certificate,
     locations::{FileLocation, JsonLocation, LocationValueType},
     pem_utils,
 };
 use anyhow::{bail, Context, Result};
 use base64::{engine::general_purpose::STANDARD as base64_standard, Engine as _};
+use chrono::{DateTime, SecondsFormat, Utc};
 use serde_json::Value;
 use std::{
     path::{Path, PathBuf},
@@ -235,3 +237,33 @@ pub(crate) fn add_recert_edited_annotation(_resource: &mut Value, _yaml_location
 
     Ok(())
 }
+
+fn time_rfc3339(asn1time: &x509_certificate::asn1time::Time) -> String {
+    match asn1time {
+        x509_certificate::asn1time::Time::UtcTime(time) => time.to_rfc3339_opts(SecondsFormat::Secs, true),
+        x509_certificate::asn1time::Time::GeneralTime(time) => {
+            DateTime::<Utc>::from((*time).clone()).to_rfc3339_opts(SecondsFormat::Secs, true)
+        }
+    }
+}
+
+/// Updates the auth.openshift.io/certificate-not-{after,before} annotations to match the
+/// validity period of the regenerated certificate. When such annotations are missing, it skips
+/// them. Those annotations are used by cluster operators based on library-go to rotate those crypto
+/// objects via the certrotation component.
+///
+/// Reference:
+/// - https://github.com/openshift/library-go/blob/master/pkg/operator/certrotation/signer.go#L85
+pub(crate) fn update_auth_certificate_annotations(resource: &mut Value, certificate: &Certificate) -> Result<()> {
+    let cert: &x509_certificate::X509Certificate = &certificate.cert;
+    let certificate: &x509_certificate::rfc5280::Certificate = cert.as_ref();
+
+    if let Some(not_before) = resource.pointer_mut("/metadata/annotations/auth.openshift.io~1certificate-not-before") {
+        *not_before = Value::String(time_rfc3339(&certificate.tbs_certificate.validity.not_before));
+    }
+    if let Some(not_after) = resource.pointer_mut("/metadata/annotations/auth.openshift.io~1certificate-not-after") {
+        *not_after = Value::String(time_rfc3339(&certificate.tbs_certificate.validity.not_after));
+    }
+
+    Ok(())
+}