
Conversation

@vrutkovs
Contributor

@vrutkovs vrutkovs commented Jul 24, 2025

Pull in openshift/library-go#1971 to make sure most secrets created by controller would have refresh-period annotation set.

Summary by CodeRabbit

  • New Features

    • Added certificate validity metadata (NotBefore/NotAfter) as annotations on generated webhook credentials to improve observability and rotation tooling.
  • Bug Fixes

    • Validate that provided certificate and private key match and reject malformed/non-certificate PEM data.
    • Improved error handling during secret creation while preserving existing annotations.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 24, 2025
@openshift-ci-robot
Contributor

@vrutkovs: This pull request references Jira Issue OCPBUGS-44842, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Pull in openshift/library-go#1971 to make sure most secrets created by controller would have refresh-period annotation set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@vrutkovs vrutkovs changed the title OCPBUGS-44842: Set not-before/not-after annotations OCPBUGS-57049: Set not-before/not-after annotations Jul 24, 2025
@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 24, 2025
@openshift-ci-robot
Contributor

@vrutkovs: This pull request references Jira Issue OCPBUGS-57049, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Pull in openshift/library-go#1971 to make sure most secrets created by controller would have refresh-period annotation set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from wangke19 July 24, 2025 13:05
@vrutkovs vrutkovs changed the title OCPBUGS-57049: Set not-before/not-after annotations OCPBUGS-44842: Set not-before/not-after annotations Jul 24, 2025
@openshift-ci-robot openshift-ci-robot added jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jul 24, 2025
@openshift-ci-robot
Contributor

@vrutkovs: This pull request references Jira Issue OCPBUGS-44842, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Pull in openshift/library-go#1971 to make sure most secrets created by controller would have refresh-period annotation set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from ibihim and liouk July 24, 2025 13:10
@openshift-ci
Contributor

openshift-ci bot commented Jul 24, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vrutkovs
Once this PR has been reviewed and has the lgtm label, please assign liouk for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@vrutkovs
Contributor Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 24, 2025
@openshift-ci-robot
Contributor

@vrutkovs: This pull request references Jira Issue OCPBUGS-44842, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gangwgr

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from gangwgr July 24, 2025 13:12
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 26, 2025
@vrutkovs vrutkovs force-pushed the cert-annotations-not-before-not-after-v2 branch from 8840643 to e41a487 Compare July 28, 2025 07:06
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 28, 2025
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 6, 2025
@vrutkovs vrutkovs force-pushed the cert-annotations-not-before-not-after-v2 branch from e41a487 to 651b092 Compare August 7, 2025 05:34
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 7, 2025
@vrutkovs
Contributor Author

/retest-required

@wallylewis

@CodeRabbit review

@coderabbitai

coderabbitai bot commented Aug 25, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai bot commented Aug 25, 2025

Walkthrough

Adds runtime TLS certificate/key validation and extracts certificate NotBefore/NotAfter to store as RFC3339 rotation annotations on the webhook kubeconfig Secret; existing component annotation is preserved. No public API or signature changes. (50 words)

Changes

Cohort / File(s) Summary
Webhook authenticator secret handling
pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go
Validate TLS key-pair with tls.X509KeyPair, ensure certificate bytes exist and parse leaf cert with x509.ParseCertificate(pair.Certificate[0]), and add rotation annotations certrotation.CertificateNotBeforeAnnotation and certrotation.CertificateNotAfterAnnotation (RFC3339). Preserves existing OpenShiftComponent annotation. New imports: crypto/tls, crypto/x509, certrotation.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Controller
  participant TLS as tls.X509KeyPair
  participant X509 as x509.ParseCertificate
  participant S as K8s Secret Store

  C->>TLS: Build keypair from cert/key
  alt keypair valid
    TLS-->>C: keypair (DER chain)
    C->>X509: Parse leaf certificate (pair.Certificate[0])
    alt parse success
      X509-->>C: NotBefore / NotAfter
      C->>S: Create/Update Secret with annotations (component, notBefore, notAfter)
      S-->>C: ACK
    else parse failure
      X509-->>C: Error
      C-->>C: Return error
    end
  else invalid keypair
    TLS-->>C: Error
    C-->>C: Return error
  end

  rect rgba(220,240,255,0.5)
  note right of C: New logic: runtime keypair validation and\ncertificate validity annotations on Secret
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I chew through PEM and tidy keys,
I parse the dates with eager sneeze,
I pin "not-before" and "not-after" there,
A secret snug with careful care.
Hop—rotation ready, rabbit-verified! 🐇🔐

📥 Commits

Reviewing files that changed from the base of the PR and between 651b092 and d2ddcae.

📒 Files selected for processing (1)
  • pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go (3)

203-217: Prefer deriving the leaf cert directly from tls.X509KeyPair and wrap underlying errors.

  • tls.X509KeyPair already validates the key↔cert match. You can then parse the leaf from the returned pair instead of PEM-decoding manually. This avoids brittle assumptions (e.g., rejecting PEM headers) and ensures you extract NotBefore/NotAfter from the same cert TLS will present.
  • Wrap the original errors with %w for easier debugging and telemetry.

Suggested refactor:

-	_, err = tls.X509KeyPair(cert, key)
-	if err != nil {
-		return nil, fmt.Errorf("private key doesn't match the certificate of authenticator secret")
-	}
-	// extract not-before/not-after timestamps valid x509 certificate
-	var block *pem.Block
-	block, _ = pem.Decode(cert)
-	if block == nil || block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
-		return nil, fmt.Errorf("invalid first block found in the certificate of authenticator secret")
-	}
-	parsedCert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse the certificate of authenticator secret")
-	}
+	pair, err := tls.X509KeyPair(cert, key)
+	if err != nil {
+		return nil, fmt.Errorf("invalid TLS keypair in authenticator secret (openshift-oauth-apiserver/openshift-authenticator-certs): %w", err)
+	}
+	// Use the same certificate bytes that TLS will treat as the leaf.
+	if len(pair.Certificate) == 0 {
+		return nil, fmt.Errorf("no certificate data found in authenticator secret (openshift-oauth-apiserver/openshift-authenticator-certs)")
+	}
+	parsedCert, err := x509.ParseCertificate(pair.Certificate[0])
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse leaf certificate from authenticator secret (openshift-oauth-apiserver/openshift-authenticator-certs): %w", err)
+	}
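Review bot: the "if len(pair.Certificate) == 0" guard in the suggested block is unreachable, because tls.X509KeyPair already returns an error ("tls: failed to find any PEM data in certificate input") when no CERTIFICATE block is present, so a nil error implies at least one element; keep it only as documentation or drop it. More importantly, the refactor silently relaxes the input check: the removed condition "block.Type != "CERTIFICATE" || len(block.Headers) != 0" rejected a non-certificate first block and any PEM headers, whereas X509KeyPair skips non-CERTIFICATE blocks and ignores headers, so such secrets now pass; if that relaxation is intended, say so in the commit message. The "%w" wrapping is a clear improvement for telemetry; the literal "openshift-oauth-apiserver/openshift-authenticator-certs" is repeated in three messages and would read better as a single named constant.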

If you adopt this, you can drop the now-unused "encoding/pem" import.


203-226: Add focused tests for key/cert validation and annotation values.

  • Positive: matching key/cert → Secret created with CertificateNotBefore/After populated and RFC3339 UTC values.
  • Negative: mismatched key/cert → sync degraded with the new error.
  • Negative: malformed cert content → degraded, no Secret apply.

I can draft unit tests using a fake client and an in-memory Secret with a generated client cert/key if helpful.


223-226: Normalize annotation timestamps to UTC explicitly

-				certrotation.CertificateNotBeforeAnnotation: parsedCert.NotBefore.Format(time.RFC3339),
-				certrotation.CertificateNotAfterAnnotation:  parsedCert.NotAfter.Format(time.RFC3339),
+				certrotation.CertificateNotBeforeAnnotation: parsedCert.NotBefore.UTC().Format(time.RFC3339),
+				certrotation.CertificateNotAfterAnnotation:  parsedCert.NotAfter.UTC().Format(time.RFC3339),
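Review bot: the added UTC() calls are a no-op for certificates produced by x509.ParseCertificate, whose ASN.1 UTCTime/GeneralizedTime decoding already yields time.Time values in UTC, so Format(time.RFC3339) on the original lines already emits a trailing "Z"; making it explicit is harmless and protects against a future change in how parsedCert is obtained. If adopted, a unit test asserting that both annotation values end in "Z" and round-trip through time.Parse(time.RFC3339) would lock in the format that rotation tooling reads back.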

I verified that only this controller writes the webhook-authentication-integrated-oauth Secret (tests reference it but don’t mutate it). The ApplySecret helper (from the addon-framework) merges ObjectMeta—including annotations—when updating, so unrelated annotations are preserved (pkg.go.dev). Please apply the UTC normalization to avoid any timezone ambiguity in your RFC3339 annotation values.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 220cc9b and 651b092.

📒 Files selected for processing (1)
  • pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go (3 hunks)
🔇 Additional comments (1)
pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go (1)

5-9: Imports look correct for keypair validation and cert annotations.

The added imports (tls, x509, pem, certrotation) are appropriate for the new behavior.

Also applies to: 34-34
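The flow the walkthrough describes (validate the pair with tls.X509KeyPair, parse the leaf from pair.Certificate[0], store NotBefore/NotAfter as RFC3339 UTC annotations) together with the refactor suggested in the first nitpick, as an added stand-alone Go example. This is not the controller's code and not library-go's: the annotation key strings, the function names and the self-signed test certificate are assumptions made for the example (the real constants are certrotation.CertificateNotBeforeAnnotation and certrotation.CertificateNotAfterAnnotation in openshift/library-go), and the two failure cases at the end show what a mismatched key and non-PEM input produce.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Assumed annotation keys standing in for library-go's
// certrotation.CertificateNotBeforeAnnotation / CertificateNotAfterAnnotation.
const (
	notBeforeAnnotation = "auth.openshift.io/certificate-not-before"
	notAfterAnnotation  = "auth.openshift.io/certificate-not-after"
)

// validityAnnotations rejects a mismatched or malformed cert/key pair and
// returns the leaf certificate's validity window as RFC3339 UTC strings,
// ready to be merged into the Secret's annotations.
func validityAnnotations(certPEM, keyPEM []byte) (map[string]string, error) {
	// X509KeyPair parses every CERTIFICATE block, fails if there is none,
	// and checks that the private key matches the leaf's public key.
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("invalid TLS keypair: %w", err)
	}
	// Parse the same DER bytes TLS would present as the leaf instead of
	// re-decoding the PEM by hand; a nil error above guarantees index 0 exists.
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("failed to parse leaf certificate: %w", err)
	}
	return map[string]string{
		notBeforeAnnotation: leaf.NotBefore.UTC().Format(time.RFC3339),
		notAfterAnnotation:  leaf.NotAfter.UTC().Format(time.RFC3339),
	}, nil
}

// selfSignedPair builds a throwaway self-signed client certificate and key
// (constructed test input; nothing here comes from a real cluster).
func selfSignedPair(notBefore, notAfter time.Time) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-webhook-client"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	notBefore := time.Date(2025, 7, 24, 13, 5, 0, 0, time.UTC)
	notAfter := notBefore.Add(365 * 24 * time.Hour)
	cert, key, err := selfSignedPair(notBefore, notAfter)
	if err != nil {
		panic(err)
	}
	ann, err := validityAnnotations(cert, key)
	fmt.Println("matching pair:", ann, err)

	// Failure mode 1: a key from a different pair does not match the cert.
	_, otherKey, _ := selfSignedPair(notBefore, notAfter)
	_, err = validityAnnotations(cert, otherKey)
	fmt.Println("mismatched key:", err)

	// Failure mode 2: non-PEM data where the certificate should be.
	_, err = validityAnnotations([]byte("not a certificate"), key)
	fmt.Println("malformed cert:", err)
}
```

The matching pair yields annotations ending in "Z" straight from the parser, since crypto/x509 decodes certificate times as UTC; the explicit UTC() call only makes that intent visible. Both failure cases surface as wrapped errors from the same function, which is what lets the controller report a degraded condition without ever applying a Secret for bad input.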

webhook-authentication-integrated-oauth secret
@vrutkovs vrutkovs force-pushed the cert-annotations-not-before-not-after-v2 branch from 651b092 to d2ddcae Compare August 26, 2025 06:11
@wangke19

/test e2e-agnostic-upgrade

@openshift-ci
Contributor

openshift-ci bot commented Aug 26, 2025

@vrutkovs: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-operator-encryption-rotation e41a487 link true /test e2e-gcp-operator-encryption-rotation
ci/prow/okd-scos-e2e-aws-ovn d2ddcae link false /test okd-scos-e2e-aws-ovn
ci/prow/test-operator-integration d2ddcae link false /test test-operator-integration
ci/prow/e2e-agnostic-ipv6 d2ddcae link false /test e2e-agnostic-ipv6

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.


5 participants