Use etcd-all-certs secret of type Opaque

pkg/monitor/cluster/etcdcertificateexpiry.go

@@ -6,6 +6,7 @@ package cluster
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
@@ -30,24 +31,35 @@ func (mon *Monitor) emitEtcdCertificateExpiry(ctx context.Context) error {
 		return nil
 	}
 
-	secretList, err := mon.cli.CoreV1().Secrets("openshift-etcd").List(ctx, metav1.ListOptions{})
+	secretList, err := mon.cli.CoreV1().Secrets("openshift-etcd").List(ctx, metav1.ListOptions{FieldSelector: fmt.Sprintf("type=%s", corev1.SecretTypeTLS)})
 	if err != nil {
 		return err
 	}
 
+	// Fetch the latest etcd-all-certs-[0-9] revision
+	var secret corev1.Secret
+	expectedName := "etcd-all-certs"
+	for _, s := range secretList.Items {
+		if strings.Contains(s.ObjectMeta.Name, "etcd-all-certs") {
+			if findLargestString([]string{s.ObjectMeta.Name, expectedName}) == s.ObjectMeta.Name {
+				expectedName = s.ObjectMeta.Name
+				secret = s
+			}
+		}
+	}
+
 	isAtleastSingleCertNearExpiry := false
 	minDaysUntilExpiration := 0
-	for _, secret := range secretList.Items {
-		if strings.Contains(secret.ObjectMeta.Name, "etcd-peer") || strings.Contains(secret.ObjectMeta.Name, "etcd-serving") && secret.Type == corev1.SecretTypeTLS {
-			_, certs, err := utilpem.Parse(secret.Data[corev1.TLSCertKey])
+	for certName, certData := range secret.Data {
+		if strings.Contains(certName, ".crt") {
+			_, cert, err := utilpem.Parse(certData)
 			if err != nil {
 				return err
 			}
 
-			if certificate.LessThanMinimumDuration(certs[0], certificate.DefaultMinDurationPercent) {
+			if certificate.LessThanMinimumDuration(cert[0], certificate.DefaultMinDurationPercent) {
 				isAtleastSingleCertNearExpiry = true
-				daysUntilExpiration := certificate.DaysUntilExpiration(certs[0])
-				fmt.Println(daysUntilExpiration)
+				daysUntilExpiration := certificate.DaysUntilExpiration(cert[0])
 				if minDaysUntilExpiration < daysUntilExpiration {
 					minDaysUntilExpiration = daysUntilExpiration
 				}
@@ -64,3 +76,28 @@ func (mon *Monitor) emitEtcdCertificateExpiry(ctx context.Context) error {
 
 	return nil
 }
+
+func extractNumberSuffix(s string) int {
+	parts := strings.Split(s, "-")
+	if len(parts) < 2 {
+		return 0
+	}
+	numStr := parts[len(parts)-1]
+	num, _ := strconv.Atoi(numStr)
+	return num
+}
+
+func findLargestString(strings []string) string {
+	var largest string
+	maxSuffix := -1
+
+	for _, s := range strings {
+		suffix := extractNumberSuffix(s)
+		if suffix >= maxSuffix {
+			maxSuffix = suffix
+			largest = s
+		}
+	}
+
+	return largest
+}

pkg/monitor/cluster/etcdcertificateexpiry_test.go

@@ -34,10 +34,7 @@ func TestEtcdCertificateExpiry(t *testing.T) {
 		name                   string
 		configcli              *configfake.Clientset
 		cli                    *fake.Clientset
-		toExpire               time.Time
 		minDaysUntilExpiration int
-		certSubject            string
-		expiration             time.Time
 	}{
 		{
 			name: "emit etcd certificate expiry",
@@ -59,21 +56,13 @@ func TestEtcdCertificateExpiry(t *testing.T) {
 			cli: fake.NewSimpleClientset(
 				&corev1.Secret{
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      "etcd-peer",
-						Namespace: "openshift-etcd",
-					},
-					Data: map[string][]byte{
-						corev1.TLSCertKey: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert[0].Raw}),
-					},
-				},
-				&corev1.Secret{
-					ObjectMeta: metav1.ObjectMeta{
-						Name:      "etcd-serving",
+						Name:      "etcd-all-certs",
 						Namespace: "openshift-etcd",
 					},
 					Data: map[string][]byte{
 						corev1.TLSCertKey: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert[0].Raw}),
 					},
+					Type: corev1.SecretTypeOpaque,
 				},
 			),
 			minDaysUntilExpiration: 0,