Merge pull request #29327 from vrutkovs/tls-registry-test-using-the-cert

OCPBUGS-57049: TLS registry: refactor testcase annotations

Author: openshift-merge-bot[bot]

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/autoregenerate_after_expiry/requirement.go

@@ -2,6 +2,7 @@ package autoregenerate_after_expiry
 
 import (
 	"github.com/openshift/library-go/pkg/markdown"
+	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/testcase"
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
 )
 
@@ -20,7 +21,7 @@ func NewAutoRegenerateAfterOfflineExpiryRequirement() tlsmetadatainterfaces.Requ
 	md.Text("To assert that a particular cert/key pair or CA bundle can do this, add the annotation to the secret or configmap.")
 	md.Text("```yaml")
 	md.Text("  annotations:")
-	md.Textf("    %v: https//github.com/link/to/pr/adding/annotation, \"quote escaped formatted name of e2e test that ensures the PKI artifact functions properly\"", annotationName)
+	md.Textf("    %v: https//github.com/link/to/pr/adding/annotation", annotationName)
 	md.Text("```")
 	md.Text("")
 	md.Text("This assertion means that you have")
@@ -29,7 +30,9 @@ func NewAutoRegenerateAfterOfflineExpiryRequirement() tlsmetadatainterfaces.Requ
 	md.Text("Manually tested that this works or seen someone else manually test that this works.  AND")
 	md.NewOrderedListItem()
 	md.Text("Written an automated e2e test to ensure this PKI artifact is function that is a blocking GA criteria, and/or")
+	md.NewOrderedListItem()
 	md.Text("QE has required test every release that ensures the functionality works every release.")
+	md.Textf("This TLS artifact has associated test name annotation (%q).", testcase.AnnotationName)
 	md.OrderedListEnd()
 	md.Text("If you have not done this, you should not merge the annotation.")
 

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/refresh_period/requirement.go

@@ -0,0 +1,46 @@
+package refresh_period
+
+import (
+	"github.com/openshift/library-go/pkg/markdown"
+	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/testcase"
+	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
+)
+
+const annotationName string = "certificates.openshift.io/refresh-period"
+
+type RefreshPeriodRequirement struct{}
+
+func NewRefreshPeriodRequirement() tlsmetadatainterfaces.Requirement {
+
+	md := markdown.NewMarkdown("")
+	md.Text("Acknowledging that a cert/key pair or CA bundle can be refreshed means")
+	md.Text("that certificate is being updated before its expiration date as required without human")
+	md.Text("intervention.")
+	md.Text("")
+	md.Text("To assert that a particular cert/key pair or CA bundle can be refreshed, add the annotation to the secret or configmap.")
+	md.Text("```yaml")
+	md.Text("  annotations:")
+	md.Textf("    %v: <refresh period, e.g. 15d or 2y>", annotationName)
+	md.Text("```")
+	md.Text("")
+	md.Text("This assertion means that you have")
+	md.OrderedListStart()
+	md.NewOrderedListItem()
+	md.Text("Manually tested that this works or seen someone else manually test that this works.  AND")
+	md.NewOrderedListItem()
+	md.Text("Written an automated e2e test to ensure this PKI artifact is function that is a blocking GA criteria, and/or")
+	md.Text("QE has required test every release that ensures the functionality works every release.")
+	md.NewOrderedListItem()
+	md.Textf("This TLS artifact has associated test name annotation (%q).", testcase.AnnotationName)
+	md.OrderedListEnd()
+	md.Text("If you have not done this, you should not merge the annotation.")
+
+	return tlsmetadatainterfaces.NewAnnotationRequirement(
+		// requirement name
+		"refresh-period",
+		// cert or configmap annotation
+		annotationName,
+		"Refresh Period",
+		string(md.ExactBytes()),
+	)
+}

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/testcase/requirement.go

@@ -0,0 +1,43 @@
+package testcase
+
+import (
+	"github.com/openshift/library-go/pkg/markdown"
+	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
+)
+
+const AnnotationName string = "certificates.openshift.io/test-name"
+
+type TestNameRequirement struct{}
+
+func NewTestNameRequirement() tlsmetadatainterfaces.Requirement {
+
+	md := markdown.NewMarkdown("")
+	md.Text("Every TLS artifact should be associated with a test, which checks that cert key pair.")
+	md.Text("or CA bundle is being properly issued, refreshed, regenerated while offline")
+	md.Text("and correctly reloaded.")
+	md.Text("")
+	md.Text("To assert that a particular cert/key pair or CA bundle is being tested, add the annotation to the secret or configmap.")
+	md.Text("```yaml")
+	md.Text("  annotations:")
+	md.Textf("    %v: name of e2e test that ensures the PKI artifact functions properly", AnnotationName)
+	md.Text("```")
+	md.Text("")
+	md.Text("This assertion means that you have")
+	md.OrderedListStart()
+	md.NewOrderedListItem()
+	md.Text("Manually tested that this works or seen someone else manually test that this works.  AND")
+	md.NewOrderedListItem()
+	md.Text("Written an automated e2e test to ensure this PKI artifact is function that is a blocking GA criteria, and/or")
+	md.Text("QE has required test every release that ensures the functionality works every release.")
+	md.OrderedListEnd()
+	md.Text("If you have not done this, you should not merge the annotation.")
+
+	return tlsmetadatainterfaces.NewAnnotationRequirement(
+		// requirement name
+		"testcase",
+		// cert or configmap annotation
+		AnnotationName,
+		"Test Cases",
+		string(md.ExactBytes()),
+	)
+}

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatadefaults/defaults.go

@@ -4,13 +4,17 @@ import (
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/autoregenerate_after_expiry"
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/descriptions"
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/ownership"
+	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/refresh_period"
+	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadata/testcase"
 	"github.com/openshift/origin/pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces"
 )
 
 func GetDefaultTLSRequirements() []tlsmetadatainterfaces.Requirement {
 	return []tlsmetadatainterfaces.Requirement{
 		ownership.NewOwnerRequirement(),
+		testcase.NewTestNameRequirement(),
 		autoregenerate_after_expiry.NewAutoRegenerateAfterOfflineExpiryRequirement(),
+		refresh_period.NewRefreshPeriodRequirement(),
 		descriptions.NewDescriptionRequirement(),
 	}
 }

tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md

@@ -65,13 +65,14 @@ intervention.
 To assert that a particular cert/key pair or CA bundle can do this, add the annotation to the secret or configmap.
 ```yaml
   annotations:
-    certificates.openshift.io/auto-regenerate-after-offline-expiry: https//github.com/link/to/pr/adding/annotation, "quote escaped formatted name of e2e test that ensures the PKI artifact functions properly"
+    certificates.openshift.io/auto-regenerate-after-offline-expiry: https//github.com/link/to/pr/adding/annotation
 ```
 
 This assertion means that you have
 1. Manually tested that this works or seen someone else manually test that this works.  AND
 2. Written an automated e2e test to ensure this PKI artifact is function that is a blocking GA criteria, and/or
-      QE has required test every release that ensures the functionality works every release.
+3. QE has required test every release that ensures the functionality works every release.
+      This TLS artifact has associated test name annotation ("certificates.openshift.io/test-name").
 If you have not done this, you should not merge the annotation.
 
 ## Items Do NOT Meet the Requirement (240)