Skip to content

OCPBUGS-86310: Handle CA bundle aggregation delay by requeuing revocation #8563

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 1 commit into from
May 21, 2026
+87 −10
Merged

OCPBUGS-86310: Handle CA bundle aggregation delay by requeuing revocation #8563

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions ...rol-plane-pki-operator/certificaterevocationcontroller/certificaterevocationcontroller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -733,7 +733,7 @@ func (c *CertificateRevocationController) ensureNewSignerCertificatePropagated(c
// that, though, and it's always valid to first check that our certificates have propagated as far
// as we can tell in the system before asking the KAS, since that's expensive
if len(trustedCertificates(totalClientTrustBundle, []*certificateSecret{{cert: signers[0]}}, now)) == 0 {
return true, nil, false, nil
return true, nil, true, nil
}

// if the updated trust bundle has propagated as far as we can tell, let's go ahead and ask
Expand Down Expand Up @@ -1033,7 +1033,7 @@ func (c *CertificateRevocationController) ensureOldSignerCertificateRevoked(ctx
// that, though, and it's always valid to first check that our certificates have propagated as far
// as we can tell in the system before asking the KAS, since that's expensive
if len(trustedCertificates(totalClientTrustBundle, []*certificateSecret{{cert: oldCerts[0]}}, now)) != 0 {
return true, nil, false, nil
return true, nil, true, nil
}

// if the updated trust bundle has propagated as far as we can tell, let's go ahead and ask
Expand Down
93 changes: 85 additions & 8 deletions ...lane-pki-operator/certificaterevocationcontroller/certificaterevocationcontroller_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -463,10 +463,11 @@ func TestCertificateRevocationController_processCertificateRevocationRequest(t *
},
},
{
name: "not yet propagated, nothing to do",
now: postRevocationClock.Now,
crrNamespace: "crr-ns",
crrName: "crr-name",
name: "not yet propagated, nothing to do",

@coderabbitai coderabbitai Bot May 21, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Rename edited test cases to the required Gherkin format.

The updated test titles should follow When ... it should ... to match repo test naming requirements.

Suggested rename 
- name:            "not yet propagated, nothing to do",
+ name:            "When new signer cert is not yet propagated it should requeue",
...
- name:            "validating, previous still valid",
+ name:            "When previous signer cert is still trusted it should requeue",

As per coding guidelines, "**/*_test.{go,ts,tsx,js,jsx}: Always use "When ... it should ..." format for describing test cases when creating unit tests" and "**/*_test.go: Use Gherkin Syntax to define unit test cases with 'When... it should...' pattern".

Also applies to: 851-851

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-pki-operator/certificaterevocationcontroller/certificaterevocationcontroller_test.go`
at line 466, Rename the test case title string in the table-driven tests in
certificaterevocationcontroller_test.go: change the 'name' field value "not yet
propagated, nothing to do" to the Gherkin-style "When not yet propagated it
should do nothing"; apply the same "When ... it should ..." renaming pattern to
the other affected test case mentioned (around the other occurrence referenced)
so all '*_test.go' cases use the required Gherkin format.

now: postRevocationClock.Now,
crrNamespace: "crr-ns",
crrName: "crr-name",
expectedRequeue: true, // New cert not yet in total bundle, requeue to wait for TargetConfigController
crr: &certificatesv1alpha1.CertificateRevocationRequest{
ObjectMeta: metav1.ObjectMeta{Namespace: "crr-ns", Name: "crr-name"},
Spec: certificatesv1alpha1.CertificateRevocationRequestSpec{SignerClass: string(certificates.CustomerBreakGlassSigner)},
Expand Down Expand Up @@ -847,10 +848,11 @@ func TestCertificateRevocationController_processCertificateRevocationRequest(t *
},
},
{
name: "validating, previous still valid",
now: postRevocationClock.Now,
crrNamespace: "crr-ns",
crrName: "crr-name",
name: "validating, previous still valid",
now: postRevocationClock.Now,
crrNamespace: "crr-ns",
crrName: "crr-name",
expectedRequeue: true, // Old cert still in total bundle, requeue to wait for TargetConfigController
crr: &certificatesv1alpha1.CertificateRevocationRequest{
ObjectMeta: metav1.ObjectMeta{Namespace: "crr-ns", Name: "crr-name"},
Spec: certificatesv1alpha1.CertificateRevocationRequestSpec{SignerClass: string(certificates.CustomerBreakGlassSigner)},
Expand Down Expand Up @@ -1033,6 +1035,81 @@ func TestCertificateRevocationController_processCertificateRevocationRequest(t *
},
},
},
{
name: "SRE signer: validating, previous still valid (requeue path)",
now: postRevocationClock.Now,
crrNamespace: "crr-ns",
crrName: "crr-name-sre",
expectedRequeue: true, // Old cert still in total bundle for SRE signer, must requeue
crr: &certificatesv1alpha1.CertificateRevocationRequest{
ObjectMeta: metav1.ObjectMeta{Namespace: "crr-ns", Name: "crr-name-sre"},
Spec: certificatesv1alpha1.CertificateRevocationRequestSpec{SignerClass: string(certificates.SREBreakGlassSigner)},
Status: certificatesv1alpha1.CertificateRevocationRequestStatus{
RevocationTimestamp: ptr.To(metav1.NewTime(revocationClock.Now())),
PreviousSigner: &corev1.LocalObjectReference{Name: "1pfcydcz358pa1glirkmc72sdkf5zw21uam4jbnj03pw"},
Conditions: []metav1.Condition{{
Type: certificatesv1alpha1.LeafCertificatesRegeneratedType,
Status: metav1.ConditionTrue,
LastTransitionTime: metav1.NewTime(postRevocationClock.Now()),
Reason: hypershiftv1beta1.AsExpectedReason,
Message: `All leaf certificates are re-generated.`,
}, {
Type: certificatesv1alpha1.RootCertificatesRegeneratedType,
Status: metav1.ConditionTrue,
LastTransitionTime: metav1.NewTime(postRevocationClock.Now()),
Reason: hypershiftv1beta1.AsExpectedReason,
Message: `Signer certificate crr-ns/sre-system-admin-signer regenerated.`,
}, {
Type: certificatesv1alpha1.NewCertificatesTrustedType,
Status: metav1.ConditionTrue,
LastTransitionTime: metav1.NewTime(postRevocationClock.Now()),
Reason: hypershiftv1beta1.AsExpectedReason,
Message: `New signer certificate crr-ns/sre-system-admin-signer trusted.`,
}},
},
},
secrets: []*corev1.Secret{{
ObjectMeta: metav1.ObjectMeta{
Namespace: "crr-ns",
Name: manifests.SRESystemAdminSigner("").Name,
Annotations: map[string]string{certrotation.CertificateIssuer: "crr-ns_sre-break-glass-signer@1234"},
},
Data: map[string][]byte{
corev1.TLSCertKey: data.future.raw.signerCert,
corev1.TLSPrivateKeyKey: data.future.raw.signerKey,
},
}, {
ObjectMeta: metav1.ObjectMeta{
Namespace: "crr-ns",
Name: "1pfcydcz358pa1glirkmc72sdkf5zw21uam4jbnj03pw",
},
Data: map[string][]byte{
corev1.TLSCertKey: data.original.raw.signerCert,
corev1.TLSPrivateKeyKey: data.original.raw.signerKey,
},
}, {
ObjectMeta: metav1.ObjectMeta{
Namespace: "crr-ns",
Name: manifests.SRESystemAdminClientCertSecret("").Name,
Annotations: map[string]string{certrotation.CertificateIssuer: "crr-ns_sre-break-glass-signer@1234"},
},
Data: map[string][]byte{
corev1.TLSCertKey: data.future.raw.signedCert,
corev1.TLSPrivateKeyKey: data.future.raw.clientKey,
},
}},
cms: []*corev1.ConfigMap{{
ObjectMeta: metav1.ObjectMeta{Namespace: "crr-ns", Name: manifests.SRESystemAdminSignerCA("").Name},
Data: map[string]string{
"ca-bundle.crt": string(data.future.raw.signerCert),
},
}, {
ObjectMeta: metav1.ObjectMeta{Namespace: "crr-ns", Name: manifests.TotalKASClientCABundle("").Name},
Data: map[string]string{
"ca-bundle.crt": string(data.original.raw.signerCert) + string(data.future.raw.signerCert),
},
}},
},
} {
t.Run(testCase.name, func(t *testing.T) {
c := &CertificateRevocationController{
Expand Down
Loading