Conversation

@vrutkovs
Contributor

@vrutkovs vrutkovs commented Jul 17, 2025

Move out test name into "TestCase" annotation so that AutoRotate... would contain just the PR URL when it was added and other annotations didn't have to repeat the testcase used.

This PR also updates conflicting descriptions of the kube-control-plane-signer secret to make sure controllers don't hotloop erasing each other's changes

Summary by CodeRabbit

  • Refactor
    • Standardized certificate rotation annotations by separating human-readable test names from URLs, improving clarity of metadata without altering rotation behavior.
  • Chores
    • Updated configuration across certificate signers to use the new annotation structure for better consistency and future troubleshooting.
  • Bug Fixes
    • None.
  • Documentation
    • None.
  • Notes
    • No user-visible changes; certificate validity periods and rotation logic remain unchanged.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 17, 2025
@openshift-ci openshift-ci bot requested review from sanchezl and tkashem July 17, 2025 10:24
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 17, 2025
@vrutkovs vrutkovs force-pushed the tls-details-update-july branch from d6f3f9f to ae1ed86 Compare July 25, 2025 12:46
@vrutkovs vrutkovs changed the title WIP certrotation: move test case name outside of AutoRegenerateAfterOfflineExpiry OCPBUGS-57049: certrotation: move test case name outside of AutoRegenerateAfterOfflineExpiry Jul 25, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 25, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 25, 2025
@openshift-ci-robot

@vrutkovs: This pull request references Jira Issue OCPBUGS-57049, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.0) matches configured target version for branch (4.20.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.


@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jul 25, 2025
@openshift-ci openshift-ci bot requested a review from wangke19 July 25, 2025 12:46
@vrutkovs vrutkovs force-pushed the tls-details-update-july branch from ae1ed86 to 6f1a79b Compare August 6, 2025 16:12
@vrutkovs
Contributor Author

vrutkovs commented Aug 7, 2025

/retest-required

@vrutkovs vrutkovs changed the title OCPBUGS-57049: certrotation: move test case name outside of AutoRegenerateAfterOfflineExpiry WIP OCPBUGS-57049: certrotation: move test case name outside of AutoRegenerateAfterOfflineExpiry Aug 7, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 7, 2025
@vrutkovs
Contributor Author

vrutkovs commented Aug 8, 2025

/retest

@vrutkovs vrutkovs changed the title WIP OCPBUGS-57049: certrotation: move test case name outside of AutoRegenerateAfterOfflineExpiry OCPBUGS-57049: certrotation: move test case name outside of AutoRegenerateAfterOfflineExpiry Aug 8, 2025
@vrutkovs
Contributor Author

vrutkovs commented Aug 8, 2025

/retest

@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 8, 2025
@vrutkovs vrutkovs force-pushed the tls-details-update-july branch from cafa594 to 6ca45e9 Compare August 8, 2025 14:08
@vrutkovs
Contributor Author

vrutkovs commented Aug 8, 2025

/retest

Contributor

@sanchezl sanchezl left a comment


/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 12, 2025
@vrutkovs
Contributor Author

/retest-required

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 05014ca and 2 for PR HEAD 6ca45e9 in total

@vrutkovs
Contributor Author

/retest-required

@vrutkovs
Contributor Author

/retest-required

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 36917f5 and 1 for PR HEAD 6ca45e9 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 36917f5 and 2 for PR HEAD 6ca45e9 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 36917f5 and 2 for PR HEAD 6ca45e9 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 36917f5 and 2 for PR HEAD 6ca45e9 in total

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 36917f5 and 2 for PR HEAD 6ca45e9 in total

@vrutkovs
Contributor Author

/retest-required

	Name:                  "aggregator-client-signer",
	AdditionalAnnotations: certrotation.AdditionalAnnotations{
		JiraComponent:                    "kube-apiserver",
		AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] oc adm new-project [apigroup:project.openshift.io][apigroup:authorization.openshift.io] [Suite:openshift/conformance/parallel]'",
Contributor


are there any other changes except moving the test name to the new field?

Contributor Author


Nope, squashed two commits here (the second commit was fixing issues introduced by the first one, so no need to keep it around)

	AdditionalAnnotations: certrotation.AdditionalAnnotations{
		JiraComponent:                    "kube-apiserver",
		AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[Conformance][sig-api-machinery][Feature:APIServer] local kubeconfig \"control-plane-node.kubeconfig\" should be present in all kube-apiserver containers [Suite:openshift/conformance/parallel/minimal]'",
		Description:                      "kube-controller-manager and kube-scheduler client certificates.",
Contributor


from the PR description:

This PR also updates conflicting descriptions to kube-control-plane-signer secret to make sure controllers don't hotloop erasing each other changes

does adding a description prevent controllers from erasing changes added by the other controllers?

Contributor Author


Any metadata change needs to make sure that all controllers set the same set of metadata to prevent hotlooping
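The exchange above states the whole mechanism: a Secret or ConfigMap with several writers only stops churning when every writer wants the same metadata. The Go program below is an added example, not code from this PR or from library-go. It models each controller's "ensure metadata" step on an in-memory annotation map (the annotation keys, the Reconciler type and the Simulate and DriftKeys helpers are constructed for the illustration) and shows that two reconcilers with different Description strings never settle, while two that share one helper settle after a single write. DriftKeys is the static check you would run over all writers of one object before merging a metadata change.

```go
package main

import (
	"fmt"
	"sort"
)

// Annotations stands in for the metadata of a shared Secret/ConfigMap (constructed model, not library-go).
type Annotations map[string]string

// Reconciler models one controller that enforces its desired annotations on the shared object.
type Reconciler struct {
	Name    string
	Desired Annotations
}

// Reconcile writes every annotation that differs from Desired and reports whether a write happened.
// Like a rotation controller's metadata step, it is a no-op when the object already matches.
func (r Reconciler) Reconcile(obj Annotations) bool {
	wrote := false
	for k, v := range r.Desired {
		if obj[k] != v {
			obj[k] = v
			wrote = true
		}
	}
	return wrote
}

// Simulate runs the reconcilers round-robin until a full round produces no writes.
// It returns the round at which the object settled and whether it settled within maxRounds;
// false means the controllers keep overwriting each other, i.e. a hotloop.
func Simulate(obj Annotations, rs []Reconciler, maxRounds int) (int, bool) {
	for round := 1; round <= maxRounds; round++ {
		wrote := false
		for _, r := range rs {
			if r.Reconcile(obj) {
				wrote = true
			}
		}
		if !wrote {
			return round, true
		}
	}
	return maxRounds, false
}

// DriftKeys is the pre-merge check: it returns the annotation keys on which the given writers
// of one object disagree, sorted, so conflicting metadata is caught before it reaches a cluster.
func DriftKeys(rs []Reconciler) []string {
	seen := map[string]string{}
	drift := map[string]bool{}
	for _, r := range rs {
		for k, v := range r.Desired {
			if prev, ok := seen[k]; ok && prev != v {
				drift[k] = true
			}
			seen[k] = v
		}
	}
	keys := make([]string, 0, len(drift))
	for k := range drift {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// controlPlaneSignerAnnotations is the single source of truth every writer of the shared signer
// secret should use. The keys are assumed for this illustration, not taken from library-go.
func controlPlaneSignerAnnotations() Annotations {
	return Annotations{
		"openshift.io/owning-component":                                  "kube-apiserver",
		"openshift.io/description":                                       "Signer for kube-controller-manager and kube-scheduler client certificates.",
		"certificates.openshift.io/test-name":                            "[sig-apps] Deployment RollingUpdateDeployment should delete old pods and create new ones [Conformance]",
		"certificates.openshift.io/auto-regenerate-after-offline-expiry": "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631",
	}
}

func main() {
	// Divergent descriptions: each controller "fixes" the other's description every round.
	divergent := []Reconciler{
		{Name: "kube-controller-manager-client", Desired: Annotations{"openshift.io/description": "kube-controller-manager client certificates."}},
		{Name: "kube-scheduler-client", Desired: Annotations{"openshift.io/description": "kube-scheduler client certificates."}},
	}
	rounds, settled := Simulate(Annotations{}, divergent, 10)
	fmt.Printf("divergent: settled=%v after %d rounds, drift on %v\n", settled, rounds, DriftKeys(divergent))

	// Aligned: both controllers take their metadata from the same helper, so the second write is a no-op.
	shared := controlPlaneSignerAnnotations()
	aligned := []Reconciler{
		{Name: "kube-controller-manager-client", Desired: shared},
		{Name: "kube-scheduler-client", Desired: shared},
	}
	rounds, settled = Simulate(Annotations{}, aligned, 10)
	fmt.Printf("aligned: settled=%v after %d rounds, drift on %v\n", settled, rounds, DriftKeys(aligned))
}
```

The model deliberately ignores resourceVersion conflicts and informer lag; in a real cluster those only slow the loop down, they do not stop it, which is why the fix is identical desired state rather than retry logic.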

@vrutkovs vrutkovs force-pushed the tls-details-update-july branch from 89d5f4d to 51bfa4b Compare August 25, 2025 11:00
@coderabbitai

coderabbitai bot commented Aug 25, 2025

Walkthrough

A new field TestName was added to certrotation.AdditionalAnnotations. Usages in cert rotation configurations were updated so TestName holds a human-readable test name, while AutoRegenerateAfterOfflineExpiry now contains only the PR URL. No certificate rotation logic or control flow changed.

Changes

  • Cert rotation controller annotations (pkg/operator/certrotationcontroller/certrotationcontroller.go): Updated initializations of certrotation.AdditionalAnnotations: added TestName values and trimmed AutoRegenerateAfterOfflineExpiry to PR URLs across multiple signer configs (e.g., aggregator-client, kube-apiserver-to-kubelet, service-network-serving).
  • External type update, dependency (.../github.com/openshift/library-go/pkg/operator/certrotation): Exported struct AdditionalAnnotations gained new field TestName string; repository code adjusted to use it.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (4)
pkg/operator/certrotationcontroller/certrotationcontroller.go (4)

340-365: Fix minor typo in service-network CA description.

Description currently says “kuberentes.default.svc”; should be “kubernetes.default.svc”.

Apply this diff:

- Description:   "CA for recognizing the kube-apiserver when connecting via the service network (kuberentes.default.svc)."
+ Description:   "CA for recognizing the kube-apiserver when connecting via the service network (kubernetes.default.svc)."
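Review bot: the typo fix is right, but apply the corrected string to every block that writes this CA's metadata in the same change, not only the one at 340-365. The PR description and the author's reply earlier in the thread both state that two controllers setting different Descriptions on one object overwrite each other in a loop, so a Description corrected in one reconciler and left misspelled in another would reintroduce exactly that.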

Also applies to: 366-382, 383-403


734-753: Correct Description for control-plane-node-admin client secret.

The Description for control-plane-node-admin client (Line 773) says “kube-controller-manager and kube-scheduler client certificates.” That appears to be a copy/paste from the control-plane signer, but this secret is for system:control-plane-node-admin. It’s misleading and could confuse operators.

Apply this diff:

-                Description:                      "kube-controller-manager and kube-scheduler client certificates.",
+                Description:                      "Client certificate used by the control-plane node admin (system:control-plane-node-admin) to authenticate to the kube-apiserver for local recovery and debugging.",
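Review bot: before taking this suggestion, confirm that no other reconciler writes the metadata of this same secret. The author's reply earlier in the thread says every controller touching one object must set an identical set of annotations, so replacing the Description in only the control-plane-node-admin block (Line 773) would recreate the overwrite loop this PR removes. If this secret has a single writer, the more specific wording is an improvement.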

Also applies to: 754-768, 769-790


153-163: Consistency check: TestName vs. PR URL.

Across all updated blocks, TestName is used solely for the human-readable test case and AutoRegenerateAfterOfflineExpiry contains only the PR URL (currently PR 1631). This matches the PR goal to avoid repeating the test name in other annotations. If the intent is to reference the PR that originally introduced the auto-regenerate semantics (1631), then keeping 1631 everywhere is correct. If you prefer the “latest touch” provenance, consider changing the URL to this PR (1870) for traceability, but keep it consistent across all writers of the same object.

If you want to prevent accidental drift in the future, consider centralizing these repeated AdditionalAnnotations in small helper functions/constants per signer family, e.g.:

func controlPlaneSignerAnnotations() certrotation.AdditionalAnnotations {
	return certrotation.AdditionalAnnotations{
		JiraComponent:                    "kube-apiserver",
		Description:                      "Signer for kube-controller-manager and kube-scheduler client certificates.",
		TestName:                         "[sig-apps] Deployment RollingUpdateDeployment should delete old pods and create new ones [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]",
		AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631",
	}
}

Then reuse it in all places that reference kube-control-plane-signer and its CA to eliminate future drift.

Also applies to: 176-180, 191-195, 220-222, 239-241, 254-256, 283-285, 306-308, 321-323, 350-352, 373-375, 388-390, 418-420, 441-443, 456-458, 486-488, 509-511, 524-526, 554-556, 577-579, 593-595, 624-626, 641-643, 656-658, 683-685, 701-702, 715-717, 742-744, 759-761, 773-776, 801-803, 818-820, 833-835, 860-862, 879-881, 894-896


153-163: Naming in PR description vs. code: TestCase vs. TestName.

The PR description mentions a “TestCase” annotation, but the code uses the field name “TestName” in certrotation.AdditionalAnnotations. Assuming library-go added TestName, the code is correct. Consider updating the PR description to avoid confusion.


📥 Commits

Reviewing files that changed from the base of the PR and between 94cb40f and 51bfa4b.

📒 Files selected for processing (1)
  • pkg/operator/certrotationcontroller/certrotationcontroller.go (36 hunks)
🔇 Additional comments (11)
pkg/operator/certrotationcontroller/certrotationcontroller.go (11)

153-172: LGTM: Test name moved into AdditionalAnnotations.TestName; URL-only in AutoRegenerateAfterOfflineExpiry.

The AggregatorProxyClientCert set (signer/CA/client) now cleanly separates a human-readable TestName from the PR URL. Values are consistent across the three resources. No behavioral changes beyond annotations.

Also applies to: 173-187, 188-209


212-233: LGTM: kube-apiserver-to-kubelet set updated consistently.

All three resources now use TestName for the e2e reference and keep AutoRegenerateAfterOfflineExpiry as the original PR URL. No drift spotted among the three blocks.

Also applies to: 234-248, 249-270


273-298: LGTM: localhost-serving set annotations normalized.

TestName placement and URL-only AutoRegenerateAfterOfflineExpiry look correct and consistent in signer/CA/client resources.

Also applies to: 299-315, 316-337


408-433: LGTM: external load balancer set annotations normalized.

Consistent TestName and URL usage across signer/CA/client. No discrepancies found.

Also applies to: 434-450, 451-473


476-501: LGTM: internal load balancer set annotations normalized.

Consistent annotations; mirrors the external LB set appropriately.

Also applies to: 502-518, 519-541


544-569: LGTM: localhost-recovery set annotations normalized.

TestName now contains the localhost-recovery.kubeconfig test; URL remains in AutoRegenerateAfterOfflineExpiry. Looks good.

Also applies to: 570-586, 587-610


616-635: LGTM: kube-control-plane-signer (controller-manager client) — descriptions aligned.

The signer and its CA use identical Description strings, which is important since multiple reconcilers reference the same signer secret. Good step toward preventing hotloops.

Also applies to: 636-649, 650-670


675-694: LGTM: kube-control-plane-signer (scheduler client) — descriptions aligned.

Matches the controller-manager block; no drift in TestName, Description, or URL fields.

Also applies to: 695-709, 710-732


793-812: LGTM: check-endpoints client set normalized.

Annotation values are consistent; TestName references the correct conformance test for check-endpoints.

Also applies to: 813-826, 827-849


852-873: LGTM: node-system-admin signer/CA/client annotations normalized.

All three use the localhost-recovery-related TestName and consistent descriptions. Good.

Also applies to: 874-887, 888-914


616-626: Verified identical descriptions across reconcilers — no remaining drift

I’ve confirmed that the Description (and other AdditionalAnnotations) for both the kube-control-plane-signer Secret and its kube-control-plane-signer-ca ConfigMap are identical across all four reconcilers (KubeControllerManagerClient, KubeSchedulerClient, ControlPlaneNodeAdminClient, CheckEndpointsClient). This alignment ensures the controllers will converge on the same content and prevents the hot-loop “erase each other” behavior.

Approving these changes.

@p0lyn0mial
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 25, 2025
@openshift-ci
Contributor

openshift-ci bot commented Aug 25, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: p0lyn0mial, sanchezl, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [p0lyn0mial,sanchezl,vrutkovs]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Contributor

openshift-ci bot commented Aug 25, 2025

@vrutkovs: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/e2e-aws-ovn-serial (commit ae1ed86, required: true): /test e2e-aws-ovn-serial
  • ci/prow/e2e-gcp-operator-single-node (commit 51bfa4b, required: false): /test e2e-gcp-operator-single-node
  • ci/prow/e2e-aws-ovn-single-node (commit 51bfa4b, required: false): /test e2e-aws-ovn-single-node


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 9649be0 into openshift:main Aug 25, 2025
19 of 21 checks passed
@openshift-ci-robot

@vrutkovs: Jira Issue OCPBUGS-57049: Some pull requests linked via external trackers have merged:

The following pull requests linked via external trackers have not merged:

These pull requests must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-57049 has not been moved to the MODIFIED state.

