From b40e404c67d2fababf7d027fe7cf862f06093751 Mon Sep 17 00:00:00 2001
From: Jason Healy
Date: Wed, 26 Jul 2023 10:34:54 -0400
Subject: [PATCH] fix managed secret names
---
 .../cluster/certificateexpirationstatuses.go | 9 +++--
 .../certificateexpirationstatuses_test.go | 34 ++++++++++++++-----
 pkg/monitor/cluster/cluster.go | 16 +++++----
 3 files changed, 41 insertions(+), 18 deletions(-)
diff --git a/pkg/monitor/cluster/certificateexpirationstatuses.go b/pkg/monitor/cluster/certificateexpirationstatuses.go
index 4ffdaad388d..851ed96e359 100644
--- a/pkg/monitor/cluster/certificateexpirationstatuses.go
+++ b/pkg/monitor/cluster/certificateexpirationstatuses.go
@@ -5,6 +5,7 @@ import (
 "crypto/x509"
 "encoding/pem"
 "fmt"
+ "strings"
 "time"
 corev1 "k8s.io/api/core/v1"
@@ -39,8 +40,12 @@ func (mon *Monitor) emitCertificateExpirationStatuses(ctx context.Context) error
 }
 if dns.IsManagedDomain(mon.oc.Properties.ClusterProfile.Domain) {
- infraID := mon.oc.Properties.InfraID
- for _, secretName := range []string{infraID + "-ingress", infraID + "-apiserver"} {
+ ingressController, err := mon.operatorcli.OperatorV1().IngressControllers("openshift-ingress-operator").Get(ctx, "default", metav1.GetOptions{})
+ if err != nil {
+ return err
+ }
+ ingressSecretName := ingressController.Spec.DefaultCertificate.Name
+ for _, secretName := range []string{ingressSecretName, strings.Replace(ingressSecretName, "-ingress", "-apiserver", 1)} {
 certificate, err := mon.getCertificate(ctx, secretName, operator.Namespace, corev1.TLSCertKey)
 if kerrors.IsNotFound(err) {
 mon.emitGauge(secretMissingMetricName, int64(1), map[string]string{
diff --git a/pkg/monitor/cluster/certificateexpirationstatuses_test.go b/pkg/monitor/cluster/certificateexpirationstatuses_test.go
index d11815e07b9..4db1a1c9529 100644
--- a/pkg/monitor/cluster/certificateexpirationstatuses_test.go
+++ b/pkg/monitor/cluster/certificateexpirationstatuses_test.go
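Review bot: `ingressController.Spec.DefaultCertificate.Name` is dereferenced without a nil check. The test helper in this patch shows `DefaultCertificate` is a `*corev1.LocalObjectReference`, so an IngressController with no default certificate set would panic the monitor here instead of reporting a missing secret. The derived name is also fragile: `strings.Replace(ingressSecretName, "-ingress", "-apiserver", 1)` rewrites the first occurrence rather than the suffix, and returns its input unchanged when nothing matches. In that case the loop checks the ingress secret twice and the apiserver certificate silently drops out of expiry monitoring. Because the name now comes from a cluster object rather than the RP's own record, I would validate it before use as sketched below; whether the unexpected cases return an error or emit `secretMissingMetricName` is a judgement call. The enclosing function starts and ends outside this hunk.

```go
// … unchanged: IngressController lookup and its err check …
if ingressController.Spec.DefaultCertificate == nil {
	return fmt.Errorf("ingresscontroller %q has no default certificate set", "default")
}
ingressSecretName := ingressController.Spec.DefaultCertificate.Name
if !strings.HasSuffix(ingressSecretName, "-ingress") {
	// Without this guard the apiserver name would equal the ingress name
	// and the apiserver certificate would never be checked.
	return fmt.Errorf("unexpected ingress certificate secret name %q", ingressSecretName)
}
apiserverSecretName := strings.TrimSuffix(ingressSecretName, "-ingress") + "-apiserver"
for _, secretName := range []string{ingressSecretName, apiserverSecretName} {
	// … unchanged: certificate lookup and gauge emission …
```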
@@ -8,6 +8,8 @@ import (
 "time"
 "github.com/golang/mock/gomock"
+ operatorv1 "github.com/openshift/api/operator/v1"
+ operatorfake "github.com/openshift/client-go/operator/clientset/versioned/fake"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
@@ -16,6 +18,7 @@ import (
 "github.com/Azure/ARO-RP/pkg/api"
 mock_metrics "github.com/Azure/ARO-RP/pkg/util/mocks/metrics"
 utiltls "github.com/Azure/ARO-RP/pkg/util/tls"
+ "github.com/Azure/ARO-RP/pkg/util/uuid"
 utilerror "github.com/Azure/ARO-RP/test/util/error"
 )
@@ -33,6 +36,8 @@ const (
 func TestEmitCertificateExpirationStatuses(t *testing.T) {
 expiration := time.Now().Add(time.Hour * 24 * 5)
 expirationString := expiration.UTC().Format(time.RFC3339)
+ clusterID := uuid.DefaultGenerator.Generate()
+
 for _, tt := range []struct {
 name string
 domain string
@@ -57,8 +62,8 @@ func TestEmitCertificateExpirationStatuses(t *testing.T) {
 domain: managedDomainName,
 certsPresent: []certInfo{
 {"cluster", "geneva.certificate"},
- {"foo12-ingress", managedDomainName},
- {"foo12-apiserver", "api." + managedDomainName},
+ {clusterID + "-ingress", managedDomainName},
+ {clusterID + "-apiserver", "api." + managedDomainName},
 },
 wantExpirations: []map[string]string{
 {
@@ -89,7 +94,7 @@ func TestEmitCertificateExpirationStatuses(t *testing.T) {
 domain: managedDomainName,
 certsPresent: []certInfo{
 {"cluster", "geneva.certificate"},
- {"foo12-ingress", managedDomainName},
+ {clusterID + "-ingress", managedDomainName},
 },
 wantExpirations: []map[string]string{
 {
@@ -97,13 +102,13 @@ func TestEmitCertificateExpirationStatuses(t *testing.T) {
 "expirationDate": expirationString,
 },
 {
- "subject": "contoso.aroapp.io",
+ "subject": "contoso.aroapp.io",
 "expirationDate": expirationString,
 },
 },
 wantWarning: []map[string]string{
 {
- "secretMissing": "foo12-apiserver",
+ "secretMissing": clusterID + "-apiserver",
 },
 },
 },
@@ -126,7 +131,7 @@ func TestEmitCertificateExpirationStatuses(t *testing.T) {
 m.EXPECT().EmitGauge(certificateExpirationMetricName, int64(1), g)
 }
- mon := buildMonitor(m, tt.domain, secrets...)
+ mon := buildMonitor(m, tt.domain, clusterID, secrets...)
 err = mon.emitCertificateExpirationStatuses(ctx)
@@ -142,7 +147,7 @@ func TestEmitCertificateExpirationStatuses(t *testing.T) {
 ctx := context.Background()
 m := mock_metrics.NewMockEmitter(gomock.NewController(t))
- mon := buildMonitor(m, managedDomainName, secrets...)
+ mon := buildMonitor(m, managedDomainName, clusterID, secrets...)
 wantErr := `certificate "gcscert.pem" not found on secret "cluster"`
 err := mon.emitCertificateExpirationStatuses(ctx)
@@ -190,7 +195,18 @@ func buildSecret(secretName string, data map[string][]byte) *corev1.Secret {
 return s
 }
-func buildMonitor(m *mock_metrics.MockEmitter, domain string, secrets ...runtime.Object) *Monitor {
+func buildMonitor(m *mock_metrics.MockEmitter, domain, id string, secrets ...runtime.Object) *Monitor {
+ ingressController := &operatorv1.IngressController{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "default",
+ Namespace: "openshift-ingress-operator",
+ },
+ Spec: operatorv1.IngressControllerSpec{
+ DefaultCertificate: &corev1.LocalObjectReference{
+ Name: id + "-ingress",
+ },
+ },
+ }
 mon := &Monitor{
 cli: fake.NewSimpleClientset(secrets...),
 m: m,
@@ -199,9 +215,9 @@ func buildMonitor(m *mock_metrics.MockEmitter, domain string, secrets ...runtime
 ClusterProfile: api.ClusterProfile{
 Domain: domain,
 },
- InfraID: "foo12",
 },
 },
+ operatorcli: operatorfake.NewSimpleClientset(ingressController),
 }
 return mon
 }
diff --git a/pkg/monitor/cluster/cluster.go b/pkg/monitor/cluster/cluster.go
index b0aae7a8178..9c05c873cce 100644
--- a/pkg/monitor/cluster/cluster.go
+++ b/pkg/monitor/cluster/cluster.go
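Review bot: In the `@@ -190,7 +195,18 @@` hunk, `buildMonitor` always registers an IngressController with a non-nil `DefaultCertificate` named `id + "-ingress"`, so no test in this file can reach the inputs the new production code is most exposed to. Those are a failed `Get` on the `default` IngressController, an unset default certificate, and a certificate name that does not end in `-ingress`. I would let the helper take the `*operatorv1.IngressController` to register (nil for none) instead of building it from `id`. The table could then gain entries for those three cases, each asserting the expected error or `secretMissing` gauge. As written, the tests only confirm the happy path where the secret names follow the managed pattern.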
@@ -11,6 +11,7 @@ import (
 configv1 "github.com/openshift/api/config/v1"
 configclient "github.com/openshift/client-go/config/clientset/versioned"
 machineclient "github.com/openshift/client-go/machine/clientset/versioned"
+ operatorclient "github.com/openshift/client-go/operator/clientset/versioned"
 mcoclient "github.com/openshift/machine-config-operator/pkg/generated/clientset/versioned"
 "github.com/sirupsen/logrus"
 appsv1 "k8s.io/api/apps/v1"
@@ -33,13 +34,14 @@ type Monitor struct {
 oc *api.OpenShiftCluster
 dims map[string]string
- restconfig *rest.Config
- cli kubernetes.Interface
- configcli configclient.Interface
- maocli machineclient.Interface
- mcocli mcoclient.Interface
- m metrics.Emitter
- arocli aroclient.Interface
+ restconfig *rest.Config
+ cli kubernetes.Interface
+ configcli configclient.Interface
+ maocli machineclient.Interface
+ mcocli mcoclient.Interface
+ m metrics.Emitter
+ arocli aroclient.Interface
+ operatorcli operatorclient.Interface
 hiveclientset client.Client
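Review bot: The new `operatorcli` field on `Monitor` is assigned only in the test helper `buildMonitor`; nothing in this patch populates it in production code. The diffstat's 16 changed lines for cluster.go are fully accounted for by the import and this struct hunk, so the code that constructs a `Monitor` is untouched if it lives in this file. Unless the field is set somewhere not shown, `mon.operatorcli.OperatorV1()` in `emitCertificateExpirationStatuses` is a call on a nil interface and would panic for every managed-domain cluster. The constructor should build the client alongside the others, for example `operatorcli, err := operatorclient.NewForConfig(restConfig)` (variable name assumed), return the error, and set the field in the struct literal. The struct definition continues outside this hunk.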