diff --git a/pkg/monitor/cluster/etcdcertificateexpiry.go b/pkg/monitor/cluster/etcdcertificateexpiry.go
index e43d338b09a..ad0756cb61e 100644
--- a/pkg/monitor/cluster/etcdcertificateexpiry.go
+++ b/pkg/monitor/cluster/etcdcertificateexpiry.go
@@ -6,6 +6,7 @@ package cluster
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
@@ -30,24 +31,35 @@ func (mon *Monitor) emitEtcdCertificateExpiry(ctx context.Context) error { return nil } - secretList, err := mon.cli.CoreV1().Secrets("openshift-etcd").List(ctx, metav1.ListOptions{}) + secretList, err := mon.cli.CoreV1().Secrets("openshift-etcd").List(ctx, metav1.ListOptions{FieldSelector: fmt.Sprintf("type=%s", corev1.SecretTypeTLS)}) if err != nil { return err } + // Fetch the latest etcd-all-certs-[0-9] revision + var secret corev1.Secret + expectedName := "etcd-all-certs" + for _, s := range secretList.Items { + if strings.Contains(s.ObjectMeta.Name, "etcd-all-certs") { + if findLargestString([]string{s.ObjectMeta.Name, expectedName}) == s.ObjectMeta.Name { + expectedName = s.ObjectMeta.Name + secret = s + } + } + } + isAtleastSingleCertNearExpiry := false minDaysUntilExpiration := 0 - for _, secret := range secretList.Items { - if strings.Contains(secret.ObjectMeta.Name, "etcd-peer") || strings.Contains(secret.ObjectMeta.Name, "etcd-serving") && secret.Type == corev1.SecretTypeTLS { - _, certs, err := utilpem.Parse(secret.Data[corev1.TLSCertKey]) + for certName, certData := range secret.Data { + if strings.Contains(certName, ".crt") { + _, cert, err := utilpem.Parse(certData) if err != nil { return err } - if certificate.LessThanMinimumDuration(certs[0], certificate.DefaultMinDurationPercent) { + if certificate.LessThanMinimumDuration(cert[0], certificate.DefaultMinDurationPercent) { isAtleastSingleCertNearExpiry = true - daysUntilExpiration := certificate.DaysUntilExpiration(certs[0]) - fmt.Println(daysUntilExpiration) + daysUntilExpiration := certificate.DaysUntilExpiration(cert[0]) if minDaysUntilExpiration < daysUntilExpiration { minDaysUntilExpiration = daysUntilExpiration } 
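Review bot: The new `List` call restricts results with `FieldSelector: type=kubernetes.io/tls`, yet the updated test fixture declares the `etcd-all-certs` secret as `corev1.SecretTypeOpaque`; as far as I can tell the fake clientset filters lists on label selectors only, so the test passes either way, but on a real API server an Opaque `etcd-all-certs` secret would never be returned and the monitor would quietly report no expiring certificates — confirm the secret's actual type, or drop the selector and check `s.Type` inside the loop. Relatedly, when no name containing `etcd-all-certs` is found, `secret` stays the zero value, `secret.Data` is nil, and the function returns nil having emitted nothing; a guard such as `if secret.Name == "" { return fmt.Errorf("no etcd-all-certs secret found in openshift-etcd") }` after the selection loop would surface that. `cert[0]` is also indexed without a length check, so a `.crt` entry that parses to zero certificates panics; extend the check to `if err != nil || len(cert) == 0 {`. `strings.Contains(certName, ".crt")` would be more precise as `strings.HasSuffix(certName, ".crt")`. The body of emitEtcdCertificateExpiry continues outside the hunk.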
@@ -64,3 +76,28 @@ func (mon *Monitor) emitEtcdCertificateExpiry(ctx context.Context) error { return nil } + +func extractNumberSuffix(s string) int { + parts := strings.Split(s, "-") + if len(parts) < 2 { + return 0 + } + numStr := parts[len(parts)-1] + num, _ := strconv.Atoi(numStr) + return num +} + +func findLargestString(strings []string) string { + var largest string + maxSuffix := -1 + + for _, s := range strings { + suffix := extractNumberSuffix(s) + if suffix >= maxSuffix { + maxSuffix = suffix + largest = s + } + } + + return largest +} diff --git a/pkg/monitor/cluster/etcdcertificateexpiry_test.go b/pkg/monitor/cluster/etcdcertificateexpiry_test.go index 36d6c6a9d11..e85f2f2359d 100644 --- a/pkg/monitor/cluster/etcdcertificateexpiry_test.go +++ b/pkg/monitor/cluster/etcdcertificateexpiry_test.go @@ -34,10 +34,7 @@ func TestEtcdCertificateExpiry(t *testing.T) { name string configcli *configfake.Clientset cli *fake.Clientset - toExpire time.Time minDaysUntilExpiration int - certSubject string - expiration time.Time }{ { name: "emit etcd certificate expiry", @@ -59,21 +56,13 @@ func TestEtcdCertificateExpiry(t *testing.T) { cli: fake.NewSimpleClientset( &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ - Name: "etcd-peer", - Namespace: "openshift-etcd", - }, - Data: map[string][]byte{ - corev1.TLSCertKey: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert[0].Raw}), - }, - }, - &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: "etcd-serving", + Name: "etcd-all-certs", Namespace: "openshift-etcd", }, Data: map[string][]byte{ corev1.TLSCertKey: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert[0].Raw}), }, + Type: corev1.SecretTypeOpaque, }, ), minDaysUntilExpiration: 0,
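Review bot: `findLargestString`'s parameter is named `strings`, which shadows the imported `strings` package for the whole function body; it compiles only because the body never touches the package, and the next edit that does will get a confusing compile error, so rename it: `func findLargestString(names []string) string {` and `for _, s := range names {`. `extractNumberSuffix` discards the `strconv.Atoi` error, so `etcd-all-certs` (no suffix), `etcd-all-certs-0` and a non-numeric suffix all map to 0 and are indistinguishable to the caller; with `>=` in the loop a tie resolves to the last element, which means an `etcd-all-certs-0` secret would lose to the initial `etcd-all-certs` placeholder used at the call site. Returning -1 on a parse failure (`num, err := strconv.Atoi(numStr); if err != nil { return -1 }; return num`) keeps the placeholder below any real revision while still matching a secret named exactly `etcd-all-certs`. Both helpers are also undocumented; a one-line doc comment on each stating that the suffix is the integer after the last `-` and that ties go to the later argument would make the selection rule explicit.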