OCPBUGS-44842: Set not-before/not-after annotations

[vrutkovs]

Pull in openshift/library-go#1971 to make sure most secrets created by controller would have refresh-period annotation set.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@vrutkovs: This pull request references Jira Issue OCPBUGS-57049, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.0) matches configured target version for branch (4.20.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vrutkovs]

/test e2e-aws-ovn

[vrutkovs]

/test e2e-aws-ovn

[vrutkovs]

/test e2e-aws-ovn

[vrutkovs]

/test e2e-aws-ovn

[vrutkovs]

/cc @p0lyn0mial

[openshift-ci-robot]

@vrutkovs: This pull request references Jira Issue OCPBUGS-44842, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Pull in openshift/library-go#1971 to make sure most secrets created by controller would have refresh-period annotation set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vrutkovs]

/jira refresh

[wangke19]

Found minor typo in original code,
infrastuctureLister configv1listers.InfrastructureLister
Typo in infrastuctureLister → should be infrastructureLister (spelling consistency)

[vrutkovs]

good catch, fixed it

[p0lyn0mial]

LGTM, added some minor comments. thanks.

[wangke19]

/retest-required

[p0lyn0mial]

lgtm, just one more question.

[p0lyn0mial]

@wangke19 is there anything else we should consider before merging this pr ?

[wangke19]

@wangke19 is there anything else we should consider before merging this pr ?

lgtm

[p0lyn0mial]

in go reading from nil map works, no ?
xref: https://go.dev/play/p/hrmvBX3L2Q1

[wangke19]

yes, you are right.
Reading from a nil map does NOT panic — it returns the zero value for the type.
Here’s an idiomatic and explicit version.

if val, ok := systemAdminCredsSecret.Annotations[certrotation.CertificateNotBeforeAnnotation]; ok && len(val) > 0 {
    requiredSecret.Annotations[certrotation.CertificateNotBeforeAnnotation] = val
}
if val, ok := systemAdminCredsSecret.Annotations[certrotation.CertificateNotAfterAnnotation]; ok && len(val) > 0 {
    requiredSecret.Annotations[certrotation.CertificateNotAfterAnnotation] = val
}

[p0lyn0mial]

if len(systemAdminCredsSecret.Annotations[certrotation.CertificateNotBeforeAnnotation]) > 0 also works, right ?

[wangke19]

yes, the original code snippet is safe as-is regarding nil map reads. Suggestion improves readability and maintainability for other devs

[p0lyn0mial]

I would prefer len(systemAdminCredsSecret.Annotations[certrotation.CertificateNotBeforeAnnotation]) > 0 as it is idiomatic and more concise. maybe it is just me. do you mind brining the original version?

[vrutkovs]

Done

[p0lyn0mial]

thanks

[p0lyn0mial]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: p0lyn0mial, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [p0lyn0mial,vrutkovs]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 7e89682 and 2 for PR HEAD 80afb73 in total

[openshift-ci]

@vrutkovs: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-ovn-serial	c4d8d5c	link	true	/test e2e-aws-ovn-serial
ci/prow/e2e-gcp-operator-single-node	80afb73	link	false	/test e2e-gcp-operator-single-node
ci/prow/e2e-azure-ovn	80afb73	link	false	/test e2e-azure-ovn
ci/prow/e2e-aws-operator-disruptive-single-node	80afb73	link	false	/test e2e-aws-operator-disruptive-single-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@vrutkovs: Jira Issue OCPBUGS-44842: Some pull requests linked via external trackers have merged:

• openshift/library-go#1889
• openshift/cluster-kube-apiserver-operator#1873

The following pull requests linked via external trackers have not merged:

• openshift/cluster-authentication-operator#776 is open

These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-44842 has not been moved to the MODIFIED state.

In response to this:

Pull in openshift/library-go#1971 to make sure most secrets created by controller would have refresh-period annotation set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-cluster-kube-apiserver-operator
This PR has been included in build ose-cluster-kube-apiserver-operator-container-v4.20.0-202507302114.p0.ga08323d.assembly.stream.el9.
All builds following this will include this PR.