Merge pull request #1294 from tjungblu/ETCD-574

ETCD-574: Update TLS artifact descriptions according to registry requ…
openshift · Jul 11, 2024 · f161fde · f161fde
2 parents 767256e + 7d26d41
commit f161fde
Showing 1 changed file with 28 additions and 21 deletions.
diff --git a/pkg/tlshelpers/tlshelpers.go b/pkg/tlshelpers/tlshelpers.go
@@ -76,9 +76,8 @@ func CreateSignerCertRotationBundleConfigMap(
 		Name:      EtcdSignerCaBundleConfigMapName,
 		Namespace: operatorclient.TargetNamespace,
 		AdditionalAnnotations: certrotation.AdditionalAnnotations{
-			JiraComponent:                    EtcdJiraComponentName,
-			Description:                      "bundle for etcd signer certificate authorities",
-			AutoRegenerateAfterOfflineExpiry: "",
+			JiraComponent: EtcdJiraComponentName,
+			Description:   "Generated by cluster-etcd-operator for etcd and is used to authenticate clients and peers of etcd.",
 		},
 		Informer:      cmInformer,
 		Lister:        cmLister,
@@ -97,9 +96,8 @@ func CreateMetricsSignerCertRotationBundleConfigMap(
 		Name:      EtcdMetricsSignerCaBundleConfigMapName,
 		Namespace: operatorclient.TargetNamespace,
 		AdditionalAnnotations: certrotation.AdditionalAnnotations{
-			JiraComponent:                    EtcdJiraComponentName,
-			Description:                      "bundle for etcd metrics signer certificate authorities",
-			AutoRegenerateAfterOfflineExpiry: "",
+			JiraComponent: EtcdJiraComponentName,
+			Description:   "Generated by cluster-etcd-operator for etcd and is used to authenticate Prometheus ServiceMonitors reaching etcd.",
 		},
 		Informer:      cmInformer,
 		Lister:        cmLister,
@@ -118,9 +116,9 @@ func CreateSignerCert(
 		Namespace: operatorclient.TargetNamespace,
 		Name:      EtcdSignerCertSecretName,
 		AdditionalAnnotations: certrotation.AdditionalAnnotations{
-			JiraComponent:                    EtcdJiraComponentName,
-			Description:                      "etcd signer certificate authorities",
-			AutoRegenerateAfterOfflineExpiry: "",
+			JiraComponent: EtcdJiraComponentName,
+			Description: fmt.Sprintf("Generated by cluster-etcd-operator for etcd and is used to sign peer, server and client certificates. "+
+				"This certificate is valid for %d days and starts refreshing after %d days.", durationDays(EtcdCaCertValidity), durationDays(EtcdCaCertValidityRefresh)),
 		},
 		Validity: EtcdCaCertValidity,
 		Refresh:  EtcdCaCertValidityRefresh,
@@ -153,9 +151,9 @@ func CreateMetricsSignerCert(
 		Namespace: operatorclient.TargetNamespace,
 		Name:      EtcdMetricsSignerCertSecretName,
 		AdditionalAnnotations: certrotation.AdditionalAnnotations{
-			JiraComponent:                    EtcdJiraComponentName,
-			Description:                      "etcd metrics signer certificate authorities",
-			AutoRegenerateAfterOfflineExpiry: "",
+			JiraComponent: EtcdJiraComponentName,
+			Description: fmt.Sprintf("Generated by cluster-etcd-operator for etcd and is used to sign peer, server and client certificates for Prometheus ServiceMonitors. "+
+				"This certificate is valid for %d days and starts refreshing after %d days.", durationDays(EtcdCaCertValidity), durationDays(EtcdCaCertValidityRefresh)),
 		},
 		Validity: EtcdCaCertValidity,
 		Refresh:  EtcdCaCertValidityRefresh,
@@ -184,7 +182,8 @@ func CreatePeerCertificate(node *corev1.Node,
 	secretGetter corev1client.SecretsGetter,
 	recorder events.Recorder) (*certrotation.RotatedSelfSignedCertKeySecret, error) {
 	return createCertForNode(
-		fmt.Sprintf("Peer Cert for node %s", node.Name),
+		fmt.Sprintf("Peer (client and server) certificate for node %s, generated by cluster-etcd-operator for etcd. "+
+			"This certificate is valid for %d days and starts refreshing after %d days.", node.Name, durationDays(EtcdCertValidity), durationDays(EtcdCertValidityRefresh)),
 		GetPeerClientSecretNameForNode(node.Name),
 		node, secretInformer, secretLister, secretGetter, recorder)
 }
@@ -195,7 +194,8 @@ func CreateServingCertificate(node *corev1.Node,
 	secretGetter corev1client.SecretsGetter,
 	recorder events.Recorder) (*certrotation.RotatedSelfSignedCertKeySecret, error) {
 	return createCertForNode(
-		fmt.Sprintf("Serving Cert for node %s", node.Name),
+		fmt.Sprintf("Serving (client and server) certificate for node %s, generated by cluster-etcd-operator for etcd. "+
+			"This certificate is valid for %d days and starts refreshing after %d days.", node.Name, durationDays(EtcdCertValidity), durationDays(EtcdCertValidityRefresh)),
 		GetServingSecretNameForNode(node.Name),
 		node, secretInformer, secretLister, secretGetter, recorder)
 }
@@ -206,7 +206,8 @@ func CreateMetricsServingCertificate(node *corev1.Node,
 	secretGetter corev1client.SecretsGetter,
 	recorder events.Recorder) (*certrotation.RotatedSelfSignedCertKeySecret, error) {
 	return createCertForNode(
-		fmt.Sprintf("Metric Serving Cert for node %s", node.Name),
+		fmt.Sprintf("Serving (client and server) certificate for node %s, generated by cluster-etcd-operator for etcd. "+
+			"This certificate is valid for %d days and starts refreshing after %d days.", node.Name, durationDays(EtcdCertValidity), durationDays(EtcdCertValidityRefresh)),
 		GetServingMetricsSecretNameForNode(node.Name),
 		node, secretInformer, secretLister, secretGetter, recorder)
 }
@@ -274,9 +275,10 @@ func CreateMetricsClientCert(
 		Namespace: operatorclient.TargetNamespace,
 		Name:      EtcdMetricsClientCertSecretName,
 		AdditionalAnnotations: certrotation.AdditionalAnnotations{
-			JiraComponent:                    EtcdJiraComponentName,
-			Description:                      "etcd metrics client certificate",
-			AutoRegenerateAfterOfflineExpiry: "",
+			JiraComponent: EtcdJiraComponentName,
+			Description: fmt.Sprintf("Client certificate for Prometheus ServiceMonitors to reach etcd grpc-proxy to retrieve metrics. "+
+				"Generated by cluster-etcd-operator for etcd. "+
+				"This certificate is valid for %d days and starts refreshing after %d days.", durationDays(EtcdCertValidity), durationDays(EtcdCertValidityRefresh)),
 		},
 		Validity:    EtcdCertValidity,
 		Refresh:     EtcdCertValidityRefresh,
@@ -307,9 +309,10 @@ func CreateEtcdClientCert(
 		Namespace: operatorclient.TargetNamespace,
 		Name:      EtcdClientCertSecretName,
 		AdditionalAnnotations: certrotation.AdditionalAnnotations{
-			JiraComponent:                    EtcdJiraComponentName,
-			Description:                      "etcd client certificate",
-			AutoRegenerateAfterOfflineExpiry: "",
+			JiraComponent: EtcdJiraComponentName,
+			Description: fmt.Sprintf("Client certificate for apiserver, cluster-etcd-operator and etcdctl to reach etcd. "+
+				"Generated by cluster-etcd-operator for etcd. "+
+				"This certificate is valid for %d days and starts refreshing after %d days.", durationDays(EtcdCertValidity), durationDays(EtcdCertValidityRefresh)),
 		},
 		Validity:    EtcdCertValidity,
 		Refresh:     EtcdCertValidityRefresh,
@@ -354,3 +357,7 @@ func SupportedEtcdCiphers(cipherSuites []string) []string {
 	return allowedCiphers
 
 }
+
+func durationDays(d time.Duration) int {
+	return int(d.Hours() / 24)
+}