OCPBUGS-35727: Ingress controller related certificates' validate dates gathering (#945)

* feat: ingress certificates gather

* refactor: invert ingress certificate logic

* refactor: better data serialization

* refactor: adjust cert check

* chore: remove deprecated linters

* fix: remove hardcored test data

* fix: missing controller for new certs

* Minor refactor filename and time format

* (draft) Add new unit test for getCertificateInfoFromSecret func

* Refactor unit tests for gatherClusterIngressCertificates func

* Add new unit test for custom certificate and minor refactor

* Add new unit test for failure in cluster certs and errors control

* Refactor cert match logic to a map and change on signature to improve unit tests

* Fix unit tests to adapt better to gather function return

* Fix linting

* Add documentation for ClusterIngressCertificates gatherer

* Add documentation for ClusterIngressCertificates gatherer

* Fix logline moved to error trigger

* Rollback golangci configuration

* Refactor function naming and minor slice accesses

---------

Co-authored-by: Ricardo Lüders <[email protected]>

Author: ncaak

docs/gathered-data.md

@@ -418,6 +418,34 @@ None
 None
 
 
+## ClusterIngressCertificates
+
+Collects the certificate's NotBefore and NotAfter dates from the cluster's ingress controller certificates.
+It also collects the name and namespace of any Ingress Controllers using the certificates.
+
+### API Reference
+- https://docs.openshift.com/container-platform/4.13/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.html
+- https://docs.openshift.com/container-platform/4.13/rest_api/security_apis/secret-v1.html
+
+### Sample data
+- [docs/insights-archive-sample/aggregated/ingress_controllers_certs.json](./insights-archive-sample/aggregated/ingress_controllers_certs.json)
+
+### Location in archive
+- `aggregated/ingress_controllers_certs.json`
+
+### Config ID
+`clusterconfig/ingress_certificates`
+
+### Released version
+- 4.17
+
+### Backported versions
+TBD
+
+### Changes
+None
+
+
 ## ClusterNetwork
 
 Collects the cluster Network with cluster name.

docs/insights-archive-sample/aggregated/ingress_controllers_certs.json

@@ -0,0 +1,21 @@
+[
+    {
+        "name": "router-ca",
+        "namespace": "openshift-ingress-operator",
+        "not_before": "2024-06-07T07:27:34Z",
+        "not_after": "2026-06-07T07:27:35Z",
+        "controllers": [
+            {
+                "name": "test-ingresscontroller-name",
+                "namespace": "openshift-ingress-operator"
+            }
+        ]
+    },
+    {
+        "name": "router-certs-default",
+        "namespace": "openshift-ingress",
+        "not_before": "2024-06-07T07:27:35Z",
+        "not_after": "2026-06-07T07:27:36Z",
+        "controllers": []
+    }
+]

pkg/gatherers/clusterconfig/clusterconfig_gatherer.go

@@ -45,6 +45,7 @@ var gatheringFunctions = map[string]gathererFuncPtr{
 	"image_registries":                  (*Gatherer).GatherClusterImageRegistry,
 	"infrastructures":                   (*Gatherer).GatherClusterInfrastructure,
 	"ingress":                           (*Gatherer).GatherClusterIngress,
+	"ingress_certificates":              (*Gatherer).GatherClusterIngressCertificates,
 	"install_plans":                     (*Gatherer).GatherInstallPlans,
 	"jaegers":                           (*Gatherer).GatherJaegerCR,
 	"kube_controller_manager_logs":      (*Gatherer).GatherKubeControllerManagerLogs,

pkg/gatherers/clusterconfig/gather_cluster_ingress_certificates.go

@@ -0,0 +1,225 @@
+package clusterconfig
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"time"
+
+	operatorclient "github.com/openshift/client-go/operator/clientset/versioned"
+
+	"k8s.io/klog/v2"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+
+	"github.com/openshift/insights-operator/pkg/record"
+)
+
+const ingressCertificatesLimits = 64
+
+type CertificateInfo struct {
+	Name        string           `json:"name"`
+	Namespace   string           `json:"namespace"`
+	NotBefore   time.Time        `json:"not_before"`
+	NotAfter    time.Time        `json:"not_after"`
+	Controllers []ControllerInfo `json:"controllers"`
+}
+
+type ControllerInfo struct {
+	Name      string `json:"name"`
+	Namespace string `json:"namespace"`
+}
+
+type CertificateInfoKey struct {
+	Name      string `json:"name"`
+	Namespace string `json:"namespace"`
+}
+
+// GatherClusterIngressCertificates Collects the certificate's NotBefore and NotAfter dates from the cluster's ingress controller certificates.
+// It also collects the name and namespace of any Ingress Controllers using the certificates.
+//
+// ### API Reference
+// - https://docs.openshift.com/container-platform/4.13/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.html
+// - https://docs.openshift.com/container-platform/4.13/rest_api/security_apis/secret-v1.html
+//
+// ### Sample data
+// - docs/insights-archive-sample/aggregated/ingress_controllers_certs.json
+//
+// ### Location in archive
+// - `aggregated/ingress_controllers_certs.json`
+//
+// ### Config ID
+// `clusterconfig/ingress_certificates`
+//
+// ### Released version
+// - 4.17
+//
+// ### Backported versions
+// TBD
+//
+// ### Changes
+// None
+func (g *Gatherer) GatherClusterIngressCertificates(ctx context.Context) ([]record.Record, []error) {
+	const Filename = "aggregated/ingress_controllers_certs"
+
+	gatherKubeClient, err := kubernetes.NewForConfig(g.gatherProtoKubeConfig)
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	operatorClient, err := operatorclient.NewForConfig(g.gatherKubeConfig)
+	if err != nil {
+		return nil, []error{err}
+	}
+
+	certificates, errs := gatherClusterIngressCertificates(ctx, gatherKubeClient.CoreV1(), operatorClient)
+
+	return []record.Record{{
+		Name: Filename,
+		Item: record.JSONMarshaller{Object: certificates},
+	}}, errs
+}
+
+func gatherClusterIngressCertificates(
+	ctx context.Context,
+	coreClient corev1client.CoreV1Interface,
+	operatorClient operatorclient.Interface) ([]*CertificateInfo, []error) {
+	//
+	var ingressAllowedNS = [2]string{"openshift-ingress-operator", "openshift-ingress"}
+
+	var certificatesInfo = make(map[CertificateInfoKey]*CertificateInfo)
+	var errs []error
+
+	// Step 1: Collect router-ca and router-certs-default
+	rCAinfo, err := getRouterCACertInfo(ctx, coreClient)
+	if err != nil {
+		errs = append(errs, err)
+	}
+	if rCAinfo != nil {
+		certificatesInfo[newCertificateInfoKey(rCAinfo)] = rCAinfo
+	}
+
+	rCDinfo, err := getRouterCertsDefaultCertInfo(ctx, coreClient)
+	if err != nil {
+		errs = append(errs, err)
+	}
+	if rCDinfo != nil {
+		certificatesInfo[newCertificateInfoKey(rCDinfo)] = rCDinfo
+	}
+
+	// Step 2: List all Ingress Controllers
+	for _, namespace := range ingressAllowedNS {
+		controllers, err := operatorClient.OperatorV1().IngressControllers(namespace).List(ctx, metav1.ListOptions{})
+		if errors.IsNotFound(err) {
+			klog.V(2).Infof("Ingress Controllers not found in '%s' namespace", namespace)
+			continue
+		}
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+
+		// Step 3: Filter Ingress Controllers with spec.defaultCertificate and get certificate info
+		for i := range controllers.Items {
+			controller := controllers.Items[i]
+
+			// Step 4: Check the certificate limits
+			if len(certificatesInfo) >= ingressCertificatesLimits {
+				errs = append(errs, fmt.Errorf(
+					"reached the limit of ingress certificates (%d), skipping additional certificates",
+					ingressCertificatesLimits))
+				break
+			}
+
+			if controller.Spec.DefaultCertificate != nil {
+				secretName := controller.Spec.DefaultCertificate.Name
+				certInfo, certErr := getCertificateInfoFromSecret(ctx, coreClient, namespace, secretName)
+				if certErr != nil {
+					errs = append(errs, certErr)
+					continue
+				}
+
+				// Step 5: Add certificate info to the certificates list
+				c, exists := certificatesInfo[newCertificateInfoKey(certInfo)]
+				if exists {
+					c.Controllers = append(c.Controllers,
+						ControllerInfo{Name: controller.Name, Namespace: controller.Namespace},
+					)
+					//
+				} else {
+					certInfo.Controllers = append(certInfo.Controllers,
+						ControllerInfo{Name: controller.Name, Namespace: controller.Namespace},
+					)
+					certificatesInfo[newCertificateInfoKey(certInfo)] = certInfo
+				}
+			}
+		}
+	}
+
+	var ci []*CertificateInfo
+	if len(certificatesInfo) > 0 {
+		// Step 6: Generate the certificates record
+		for _, v := range certificatesInfo {
+			ci = append(ci, v)
+		}
+	}
+
+	return ci, errs
+}
+
+func getCertificateInfoFromSecret(
+	ctx context.Context, coreClient corev1client.CoreV1Interface,
+	namespace, secretName string) (*CertificateInfo, error) {
+	//
+	secret, err := coreClient.Secrets(namespace).Get(ctx, secretName, metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed to get secret '%s' in namespace '%s': %v", secretName, namespace, err)
+	}
+
+	crtData, found := secret.Data["tls.crt"]
+	if !found {
+		return nil, fmt.Errorf("'tls.crt' not found in secret '%s' in namespace '%s'", secretName, namespace)
+	}
+
+	block, _ := pem.Decode(crtData)
+	if block == nil {
+		return nil, fmt.Errorf("unable to decode certificate (x509) from secret '%s' in namespace '%s'", secretName, namespace)
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse certificate from secret '%s' in namespace '%s': %v", secretName, namespace, err)
+	}
+
+	return &CertificateInfo{
+		Name:        secretName,
+		Namespace:   namespace,
+		NotBefore:   cert.NotBefore,
+		NotAfter:    cert.NotAfter,
+		Controllers: []ControllerInfo{},
+	}, nil
+}
+
+func getRouterCACertInfo(ctx context.Context, coreClient corev1client.CoreV1Interface) (*CertificateInfo, error) {
+	const (
+		routerCASecret    string = "router-ca"
+		routerCANamespace string = "openshift-ingress-operator"
+	)
+	return getCertificateInfoFromSecret(ctx, coreClient, routerCANamespace, routerCASecret)
+}
+
+func getRouterCertsDefaultCertInfo(ctx context.Context, coreClient corev1client.CoreV1Interface) (*CertificateInfo, error) {
+	const (
+		routerCertsSecret    string = "router-certs-default"
+		routerCertsNamespace string = "openshift-ingress"
+	)
+	return getCertificateInfoFromSecret(ctx, coreClient, routerCertsNamespace, routerCertsSecret)
+}
+
+func newCertificateInfoKey(info *CertificateInfo) CertificateInfoKey {
+	return CertificateInfoKey{Name: info.Name, Namespace: info.Namespace}
+}

pkg/gatherers/clusterconfig/gather_cluster_ingress_certificates_test.go

@@ -0,0 +1,206 @@
+package clusterconfig
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/pem"
+	"testing"
+
+	operatorv1 "github.com/openshift/api/operator/v1"
+	operatorfake "github.com/openshift/client-go/operator/clientset/versioned/fake"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corefake "k8s.io/client-go/kubernetes/fake"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_gatherClusterIngressCertificates(t *testing.T) {
+	// Mocks
+	mockBytes, mockX509 := getCertMock()
+
+	tests := []struct {
+		name         string
+		ingressDef   []operatorv1.IngressController
+		secretDef    []corev1.Secret
+		wantInfo     []*CertificateInfo
+		wantErrCount int
+	}{
+		{
+			name: "Custom Ingress controller with a cluster certificate is added to the collection",
+			ingressDef: []operatorv1.IngressController{{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-ingress-controller", Namespace: "openshift-ingress-operator"},
+				Spec: operatorv1.IngressControllerSpec{DefaultCertificate: &corev1.LocalObjectReference{
+					Name: "router-ca"},
+				}}},
+			secretDef: []corev1.Secret{{
+				ObjectMeta: metav1.ObjectMeta{Name: "router-ca", Namespace: "openshift-ingress-operator"},
+				Data:       map[string][]byte{"tls.crt": mockBytes},
+			}, {
+				ObjectMeta: metav1.ObjectMeta{Name: "router-certs-default", Namespace: "openshift-ingress"},
+				Data:       map[string][]byte{"tls.crt": mockBytes},
+			}},
+			wantInfo: []*CertificateInfo{{
+				Name:      "router-ca",
+				Namespace: "openshift-ingress-operator",
+				NotBefore: mockX509.NotBefore, NotAfter: mockX509.NotAfter,
+				Controllers: []ControllerInfo{
+					{Name: "test-ingress-controller", Namespace: "openshift-ingress-operator"},
+				},
+			}, {
+				Name:      "router-certs-default",
+				Namespace: "openshift-ingress",
+				NotBefore: mockX509.NotBefore, NotAfter: mockX509.NotAfter,
+				Controllers: []ControllerInfo{},
+			}},
+		}, {
+			name: "Custom Ingress Controller with custom certificate adds a new entry to the collection",
+			ingressDef: []operatorv1.IngressController{{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-custom-ingress", Namespace: "openshift-ingress-operator"},
+				Spec: operatorv1.IngressControllerSpec{DefaultCertificate: &corev1.LocalObjectReference{
+					Name: "test-custom-secret"},
+				}}},
+			secretDef: []corev1.Secret{{
+				ObjectMeta: metav1.ObjectMeta{Name: "router-ca", Namespace: "openshift-ingress-operator"},
+				Data:       map[string][]byte{"tls.crt": mockBytes},
+			}, {
+				ObjectMeta: metav1.ObjectMeta{Name: "router-certs-default", Namespace: "openshift-ingress"},
+				Data:       map[string][]byte{"tls.crt": mockBytes},
+			}, {
+				ObjectMeta: metav1.ObjectMeta{Name: "test-custom-secret", Namespace: "openshift-ingress-operator"},
+				Data:       map[string][]byte{"tls.crt": mockBytes},
+			}},
+			wantInfo: []*CertificateInfo{{
+				Name:      "router-ca",
+				Namespace: "openshift-ingress-operator",
+				NotBefore: mockX509.NotBefore, NotAfter: mockX509.NotAfter,
+				Controllers: []ControllerInfo{},
+			}, {
+				Name:      "router-certs-default",
+				Namespace: "openshift-ingress",
+				NotBefore: mockX509.NotBefore, NotAfter: mockX509.NotAfter,
+				Controllers: []ControllerInfo{},
+			}, {
+				Name:      "test-custom-secret",
+				Namespace: "openshift-ingress-operator",
+				NotBefore: mockX509.NotBefore, NotAfter: mockX509.NotAfter,
+				Controllers: []ControllerInfo{
+					{Name: "test-custom-ingress", Namespace: "openshift-ingress-operator"},
+				},
+			}},
+		}, {
+			name: "Cluster default certificates that fail to validate return an error per cert",
+			secretDef: []corev1.Secret{{
+				ObjectMeta: metav1.ObjectMeta{Name: "router-ca", Namespace: "openshift-ingress-operator"},
+			}, {
+				ObjectMeta: metav1.ObjectMeta{Name: "router-certs-default", Namespace: "openshift-ingress"},
+			}},
+			wantErrCount: 2,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			// Given
+			operatorClient := operatorfake.NewSimpleClientset()
+			for _, ic := range tc.ingressDef {
+				assert.NoError(t,
+					operatorClient.Tracker().Add(ic.DeepCopy()))
+			}
+			coreClient := corefake.NewSimpleClientset()
+			for _, sec := range tc.secretDef {
+				assert.NoError(t,
+					coreClient.Tracker().Add(&sec))
+			}
+
+			// When
+			test, errs := gatherClusterIngressCertificates(context.TODO(), coreClient.CoreV1(), operatorClient)
+
+			// Assert
+			assert.ElementsMatch(t, tc.wantInfo, test)
+			assert.Len(t, errs, tc.wantErrCount)
+		})
+	}
+}
+
+func Test_getCertificateInfoFromSecret(t *testing.T) {
+	// Mocks
+	mockBytes, mockX509 := getCertMock()
+
+	testCases := []struct {
+		name            string
+		secret          *corev1.Secret
+		expected        *CertificateInfo
+		expectErr       bool
+		secretName      string
+		secretNamespace string
+	}{
+		{
+			name:            "a Secret containing a certificate returns a CertificateInfo struct",
+			secretName:      "test",
+			secretNamespace: "test-namespace",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: "test", Namespace: "test-namespace"},
+				Data:       map[string][]byte{"tls.crt": mockBytes},
+			},
+			expected: &CertificateInfo{
+				Name: "test", Namespace: "test-namespace",
+				NotBefore: mockX509.NotBefore, NotAfter: mockX509.NotAfter,
+				Controllers: []ControllerInfo{},
+			},
+		}, {
+			name:            "a Secret without a certificate returns an error",
+			secretName:      "test",
+			secretNamespace: "test-namespace",
+			secret:          &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "test", Namespace: "test-namespace"}},
+			expectErr:       true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Given
+			client := corefake.NewSimpleClientset(tc.secret)
+
+			// When
+			test, err := getCertificateInfoFromSecret(
+				context.Background(), client.CoreV1(), tc.secretNamespace, tc.secretName)
+
+			// Assert
+			if tc.expectErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+			assert.EqualValues(t, tc.expected, test)
+		})
+	}
+}
+
+func getCertMock() ([]byte, *x509.Certificate) {
+	mockCertbytes := []byte(`-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUfTstqHMAhGLL+j3n6pmwLw8vt84wDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAzMDYxMjU5MTFaFw0yNTAz
+MDYxMjU5MTFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDoqkPZMeMi5qjkG384ZwpAc3QScOGYBWOEDFAioq5C
+YhtDGBSMq2VwS0r8RvEEhbebvXuH5PLcIuEVO/MZRQD9gSacCfLlMLRKZYpv168m
+KUYyhx1bXKmUlbQxCnpAPZ7nf14A3Pb0TzLfsKjoUdUOv/1eorA6+oU78StWx/Nt
+W94ad9n3o+cjiMPu/RS3g9b+x07bG5mFYuzpWk/Svb5Lb42g8AtonzqFJBbhlStU
+A+9UyzmyXMeTlbI9fFmku7mb5Uq0SZ8jhpH+fyCoQOxefTfVrvjrkkdavDn43hjz
+5hCwGJ3mV96MU9hh398oBguOHaJ6V3/UHtW1spsFY83RAgMBAAGjUzBRMB0GA1Ud
+DgQWBBR/zvuHjFadvifzAGBHegOxmRXnCzAfBgNVHSMEGDAWgBR/zvuHjFadvifz
+AGBHegOxmRXnCzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBs
+E2U+jQzJuEt9e6UEnS1T0cb2NxaGb7CYsSX0TjZK1VgloAKbnxaCLjRruTOOwfm6
+s5CFzFjJoIhUASzoA295Np2AR0UEYr5fendIjKCztCMlpj0fp92jFL6/RZWNGM1A
+qECHYtZckeqJjg9vUdfHtiBRoyEHJUJ/tsDDlslwzocdJUqKL8V6KerZsh5SIAkS
+rJ8EgVyDvwQaLPQMttjk62croI1Wi3FLmkvvtTbNcMgTnVhFfGjyHOiGnQeBfqax
+5P0VBuAUCihegskKEUCJB8HFPkC4hqbrEk0+psQ2Gm8kjoll/SpltFLS77Xjhrz9
+1qaiDHuWnUSifz6SGpWr
+-----END CERTIFICATE-----`)
+	b, _ := pem.Decode(mockCertbytes)
+	x509cert, _ := x509.ParseCertificate(b.Bytes)
+	return mockCertbytes, x509cert
+}