Add test which verifes that only short duration tests are present

vrutkovs · vrutkovs · commit 2f2c637ec199 · 2025-04-02T11:20:52.000+02:00
This test would run only when ShortCertRotation is enabled
diff --git a/test/extended/operators/certs.go b/test/extended/operators/certs.go
@@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"
 
+	promtime "github.com/prometheus/common/model"
+
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatadefaults"
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
 	"github.com/openshift/origin/pkg/monitortests/network/disruptionpodnetwork"
@@ -283,6 +285,37 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
 		}
 	})
 
+	g.It("[OCPFeatureGate:ShortCertRotation] all certificates should expire in no more than 8 hours", func() {
+		var errs []error
+		for _, certKeyPair := range actualPKIContent.CertKeyPairs.Items {
+			if certKeyPair.Spec.CertMetadata.ValidityDuration == "" {
+				// Skip certificates with no duration set (proxy ca, key without certificate etc.)
+				continue
+			}
+			if certKeyPair.Spec.CertMetadata.ValidityDuration == "10y" {
+				// Skip "forever" certificates
+				continue
+			}
+			if strings.Contains(certKeyPair.Name, "ingress") ||
+				strings.Contains(certKeyPair.Spec.CertMetadata.CertIdentifier.CommonName, "router") {
+				// Skip ingress and router certificates
+				continue
+			}
+			// Use ParseDuration from prometheus as it can handle days/month/years durations
+			duration, err := promtime.ParseDuration(certKeyPair.Spec.CertMetadata.ValidityDuration)
+			if err != nil {
+				errs = append(errs, fmt.Errorf("failed to parse validity duration for certificate %q: %v", certKeyPair.Name, err))
+				continue
+			}
+			if time.Duration(duration) > time.Hour*8 {
+				errs = append(errs, fmt.Errorf("certificate %q expires too soon: expected up to 8h, but was %s", certKeyPair.Name, duration))
+			}
+		}
+		if len(errs) > 0 {
+			testresult.Flakef("Errors found: %s", utilerrors.NewAggregate(errs).Error())
+		}
+	})
+
 })
 
 func fetchOnDiskCertificates(ctx context.Context, kubeClient kubernetes.Interface, podRESTConfig *rest.Config, nodeList []*corev1.Node, testPullSpec string) (*certgraphapi.PKIList, error) {
diff --git a/test/extended/util/annotate/generated/zz_generated.annotations.go b/test/extended/util/annotate/generated/zz_generated.annotations.go
diff --git a/zz_generated.manifests/test-reporting.yaml b/zz_generated.manifests/test-reporting.yaml
@@ -542,6 +542,10 @@ spec:
         [LinuxOnly] [Feature:SELinux] [Serial] warning is not bumped on two Pods with
         the same context on RWO volume [FeatureGate:SELinuxMountReadWriteOncePod]
         [Beta] [Feature:SELinuxMountReadWriteOncePodOnly]'
+  - featureGate: ShortCertRotation
+    tests:
+    - testName: '[sig-arch][Late][Jira:"kube-apiserver"] [OCPFeatureGate:ShortCertRotation]
+        all certificates should expire in no more than 8 hours'
   - featureGate: VSphereDriverConfiguration
     tests:
     - testName: '[sig-storage][FeatureGate:VSphereDriverConfiguration][Serial][apigroup:operator.openshift.io]
