NO-JIRA: Move AdditionalAnnotations to pkg/operator/tlsartifact

Move the AdditionalAnnotations type, Certificate* annotation constants,
and NewTLSArtifactObjectMeta helper from pkg/operator/certrotation to a
new pkg/operator/tlsartifact package.

These are part of the TLS Artifacts Registry and are used by packages
that have no relation to cert rotation (resourcesynccontroller, csr,
cert-inspection). Moving them removes unnecessary cross-package
dependencies on certrotation.

Backward-compatible type aliases and re-exported constants remain in
pkg/operator/certrotation/annotations.go.

Author: sanchezl

pkg/certs/cert-inspection/certgraphanalysis/metadata_options.go

@@ -11,7 +11,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
-	"github.com/openshift/library-go/pkg/operator/certrotation"
+	"github.com/openshift/library-go/pkg/operator/tlsartifact"
 	corev1 "k8s.io/api/core/v1"
 )
 
@@ -172,7 +172,7 @@ var (
 )
 
 func humanizeRefreshPeriodFromMetadata(annotations map[string]string) {
-	period, ok := annotations[certrotation.CertificateRefreshPeriodAnnotation]
+	period, ok := annotations[tlsartifact.CertificateRefreshPeriodAnnotation]
 	if !ok {
 		return
 	}
@@ -182,7 +182,7 @@ func humanizeRefreshPeriodFromMetadata(annotations map[string]string) {
 		return
 	}
 	humanReadableDate := durationToHumanReadableString(d)
-	annotations[certrotation.CertificateRefreshPeriodAnnotation] = humanReadableDate
+	annotations[tlsartifact.CertificateRefreshPeriodAnnotation] = humanReadableDate
 	annotations[rewritePrefix+"RewriteRefreshPeriod"] = period
 	return
 }

pkg/operator/certrotation/annotations.go

@@ -1,102 +1,36 @@
 package certrotation
 
-import (
-	"github.com/google/go-cmp/cmp"
-	"github.com/openshift/api/annotations"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/klog/v2"
-)
+import "github.com/openshift/library-go/pkg/operator/tlsartifact"
+
+// AdditionalAnnotations is an alias for tlsartifact.AdditionalAnnotations.
+// Deprecated: Use tlsartifact.AdditionalAnnotations directly.
+type AdditionalAnnotations = tlsartifact.AdditionalAnnotations
 
 const (
 	// CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.
-	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
+	// Deprecated: Use tlsartifact.CertificateNotBeforeAnnotation directly.
+	CertificateNotBeforeAnnotation = tlsartifact.CertificateNotBeforeAnnotation
 	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
-	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
+	// Deprecated: Use tlsartifact.CertificateNotAfterAnnotation directly.
+	CertificateNotAfterAnnotation = tlsartifact.CertificateNotAfterAnnotation
 	// CertificateIssuer contains the common name of the certificate that signed another certificate.
-	CertificateIssuer = "auth.openshift.io/certificate-issuer"
+	// Deprecated: Use tlsartifact.CertificateIssuer directly.
+	CertificateIssuer = tlsartifact.CertificateIssuer
 	// CertificateHostnames contains the hostnames used by a signer.
-	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
+	// Deprecated: Use tlsartifact.CertificateHostnames directly.
+	CertificateHostnames = tlsartifact.CertificateHostnames
 	// CertificateTestNameAnnotation is an e2e test name which verifies that TLS artifact is created and used correctly
-	CertificateTestNameAnnotation string = "certificates.openshift.io/test-name"
+	// Deprecated: Use tlsartifact.CertificateTestNameAnnotation directly.
+	CertificateTestNameAnnotation = tlsartifact.CertificateTestNameAnnotation
 	// CertificateAutoRegenerateAfterOfflineExpiryAnnotation contains a link to PR adding this annotation which verifies
 	// that TLS artifact is correctly regenerated after it has expired
-	CertificateAutoRegenerateAfterOfflineExpiryAnnotation string = "certificates.openshift.io/auto-regenerate-after-offline-expiry"
+	// Deprecated: Use tlsartifact.CertificateAutoRegenerateAfterOfflineExpiryAnnotation directly.
+	CertificateAutoRegenerateAfterOfflineExpiryAnnotation = tlsartifact.CertificateAutoRegenerateAfterOfflineExpiryAnnotation
 	// CertificateRefreshPeriodAnnotation is the interval at which the certificate should be refreshed.
-	CertificateRefreshPeriodAnnotation string = "certificates.openshift.io/refresh-period"
+	// Deprecated: Use tlsartifact.CertificateRefreshPeriodAnnotation directly.
+	CertificateRefreshPeriodAnnotation = tlsartifact.CertificateRefreshPeriodAnnotation
 )
 
-type AdditionalAnnotations struct {
-	// JiraComponent annotates tls artifacts so that owner could be easily found
-	JiraComponent string
-	// Description is a human-readable one sentence description of certificate purpose
-	Description string
-	// TestName is an e2e test name which verifies that TLS artifact is created and used correctly
-	TestName string
-	// AutoRegenerateAfterOfflineExpiry contains a link to PR which adds this annotation on the TLS artifact
-	AutoRegenerateAfterOfflineExpiry string
-	// NotBefore contains certificate the certificate creation date in RFC3339 format.
-	NotBefore string
-	// NotAfter contains certificate the certificate validity date in RFC3339 format.
-	NotAfter string
-	// RefreshPeriod contains the interval at which the certificate should be refreshed.
-	RefreshPeriod string
-}
-
-func (a AdditionalAnnotations) EnsureTLSMetadataUpdate(meta *metav1.ObjectMeta) bool {
-	modified := false
-	if meta.Annotations == nil {
-		meta.Annotations = make(map[string]string)
-	}
-	if len(a.JiraComponent) > 0 && meta.Annotations[annotations.OpenShiftComponent] != a.JiraComponent {
-		diff := cmp.Diff(meta.Annotations[annotations.OpenShiftComponent], a.JiraComponent)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", annotations.OpenShiftComponent, meta.Namespace, meta.Name, diff)
-		meta.Annotations[annotations.OpenShiftComponent] = a.JiraComponent
-		modified = true
-	}
-	if len(a.Description) > 0 && meta.Annotations[annotations.OpenShiftDescription] != a.Description {
-		diff := cmp.Diff(meta.Annotations[annotations.OpenShiftDescription], a.Description)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", annotations.OpenShiftDescription, meta.Namespace, meta.Name, diff)
-		meta.Annotations[annotations.OpenShiftDescription] = a.Description
-		modified = true
-	}
-	if len(a.TestName) > 0 && meta.Annotations[CertificateTestNameAnnotation] != a.TestName {
-		diff := cmp.Diff(meta.Annotations[CertificateTestNameAnnotation], a.TestName)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateTestNameAnnotation, meta.Name, meta.Namespace, diff)
-		meta.Annotations[CertificateTestNameAnnotation] = a.TestName
-		modified = true
-	}
-	if len(a.AutoRegenerateAfterOfflineExpiry) > 0 && meta.Annotations[CertificateAutoRegenerateAfterOfflineExpiryAnnotation] != a.AutoRegenerateAfterOfflineExpiry {
-		diff := cmp.Diff(meta.Annotations[CertificateAutoRegenerateAfterOfflineExpiryAnnotation], a.AutoRegenerateAfterOfflineExpiry)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateAutoRegenerateAfterOfflineExpiryAnnotation, meta.Namespace, meta.Name, diff)
-		meta.Annotations[CertificateAutoRegenerateAfterOfflineExpiryAnnotation] = a.AutoRegenerateAfterOfflineExpiry
-		modified = true
-	}
-	if len(a.NotBefore) > 0 && meta.Annotations[CertificateNotBeforeAnnotation] != a.NotBefore {
-		diff := cmp.Diff(meta.Annotations[CertificateNotBeforeAnnotation], a.NotBefore)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateNotBeforeAnnotation, meta.Name, meta.Namespace, diff)
-		meta.Annotations[CertificateNotBeforeAnnotation] = a.NotBefore
-		modified = true
-	}
-	if len(a.NotAfter) > 0 && meta.Annotations[CertificateNotAfterAnnotation] != a.NotAfter {
-		diff := cmp.Diff(meta.Annotations[CertificateNotAfterAnnotation], a.NotAfter)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateNotAfterAnnotation, meta.Name, meta.Namespace, diff)
-		meta.Annotations[CertificateNotAfterAnnotation] = a.NotAfter
-		modified = true
-	}
-	if len(a.RefreshPeriod) > 0 && meta.Annotations[CertificateRefreshPeriodAnnotation] != a.RefreshPeriod {
-		diff := cmp.Diff(meta.Annotations[CertificateRefreshPeriodAnnotation], a.RefreshPeriod)
-		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateRefreshPeriodAnnotation, meta.Name, meta.Namespace, diff)
-		meta.Annotations[CertificateRefreshPeriodAnnotation] = a.RefreshPeriod
-		modified = true
-	}
-	return modified
-}
-
-func NewTLSArtifactObjectMeta(name, namespace string, annotations AdditionalAnnotations) metav1.ObjectMeta {
-	meta := metav1.ObjectMeta{
-		Namespace: namespace,
-		Name:      name,
-	}
-	_ = annotations.EnsureTLSMetadataUpdate(&meta)
-	return meta
-}
+// NewTLSArtifactObjectMeta creates a new ObjectMeta with TLS artifact annotations.
+// Deprecated: Use tlsartifact.NewTLSArtifactObjectMeta directly.
+var NewTLSArtifactObjectMeta = tlsartifact.NewTLSArtifactObjectMeta

pkg/operator/csr/cert_controller.go

@@ -11,7 +11,7 @@ import (
 	"time"
 
 	"github.com/openshift/library-go/pkg/controller/factory"
-	"github.com/openshift/library-go/pkg/operator/certrotation"
+	"github.com/openshift/library-go/pkg/operator/tlsartifact"
 	"github.com/openshift/library-go/pkg/operator/events"
 
 	certificates "k8s.io/api/certificates/v1"
@@ -67,7 +67,7 @@ type ClientCertOption struct {
 	// AdditonalSecretData contains data that will be added into client certificate secret besides tls.key/tls.crt
 	AdditonalSecretData map[string][]byte
 	// AdditionalAnnotations is a collection of annotations set for the secret
-	AdditionalAnnotations certrotation.AdditionalAnnotations
+	AdditionalAnnotations tlsartifact.AdditionalAnnotations
 }
 
 // clientCertificateController implements the common logic of hub client certification creation/rotation. It
@@ -154,7 +154,7 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
 	switch {
 	case errors.IsNotFound(err):
 		secret = &corev1.Secret{
-			ObjectMeta: certrotation.NewTLSArtifactObjectMeta(
+			ObjectMeta: tlsartifact.NewTLSArtifactObjectMeta(
 				c.SecretName,
 				c.SecretNamespace,
 				c.AdditionalAnnotations,

pkg/operator/resourcesynccontroller/core.go

@@ -11,10 +11,10 @@ import (
 	"k8s.io/client-go/util/cert"
 
 	"github.com/openshift/library-go/pkg/crypto"
-	"github.com/openshift/library-go/pkg/operator/certrotation"
+	"github.com/openshift/library-go/pkg/operator/tlsartifact"
 )
 
-func CombineCABundleConfigMaps(destinationConfigMap ResourceLocation, lister corev1listers.ConfigMapLister, additionalAnnotations certrotation.AdditionalAnnotations, inputConfigMaps ...ResourceLocation) (*corev1.ConfigMap, error) {
+func CombineCABundleConfigMaps(destinationConfigMap ResourceLocation, lister corev1listers.ConfigMapLister, additionalAnnotations tlsartifact.AdditionalAnnotations, inputConfigMaps ...ResourceLocation) (*corev1.ConfigMap, error) {
 	certificates := []*x509.Certificate{}
 	for _, input := range inputConfigMaps {
 		inputConfigMap, err := lister.ConfigMaps(input.Namespace).Get(input.Name)
@@ -59,7 +59,7 @@ func CombineCABundleConfigMaps(destinationConfigMap ResourceLocation, lister cor
 	}
 
 	cm := &corev1.ConfigMap{
-		ObjectMeta: certrotation.NewTLSArtifactObjectMeta(
+		ObjectMeta: tlsartifact.NewTLSArtifactObjectMeta(
 			destinationConfigMap.Name,
 			destinationConfigMap.Namespace,
 			additionalAnnotations,
@@ -71,7 +71,7 @@ func CombineCABundleConfigMaps(destinationConfigMap ResourceLocation, lister cor
 	return cm, nil
 }
 
-func CombineCABundleConfigMapsOptimistically(destinationConfigMap *corev1.ConfigMap, lister corev1listers.ConfigMapLister, additionalAnnotations certrotation.AdditionalAnnotations, inputConfigMaps ...ResourceLocation) (*corev1.ConfigMap, bool, error) {
+func CombineCABundleConfigMapsOptimistically(destinationConfigMap *corev1.ConfigMap, lister corev1listers.ConfigMapLister, additionalAnnotations tlsartifact.AdditionalAnnotations, inputConfigMaps ...ResourceLocation) (*corev1.ConfigMap, bool, error) {
 	var cm *corev1.ConfigMap
 	if destinationConfigMap == nil {
 		cm = &corev1.ConfigMap{}

pkg/operator/tlsartifact/annotations.go

@@ -0,0 +1,105 @@
+package tlsartifact
+
+import (
+	"github.com/google/go-cmp/cmp"
+	"github.com/openshift/api/annotations"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/klog/v2"
+)
+
+const (
+	// CertificateNotBeforeAnnotation contains the certificate expiration date in RFC3339 format.
+	CertificateNotBeforeAnnotation = "auth.openshift.io/certificate-not-before"
+	// CertificateNotAfterAnnotation contains the certificate expiration date in RFC3339 format.
+	CertificateNotAfterAnnotation = "auth.openshift.io/certificate-not-after"
+	// CertificateIssuer contains the common name of the certificate that signed another certificate.
+	CertificateIssuer = "auth.openshift.io/certificate-issuer"
+	// CertificateHostnames contains the hostnames used by a signer.
+	CertificateHostnames = "auth.openshift.io/certificate-hostnames"
+	// CertificateTestNameAnnotation is an e2e test name which verifies that TLS artifact is created and used correctly
+	CertificateTestNameAnnotation string = "certificates.openshift.io/test-name"
+	// CertificateAutoRegenerateAfterOfflineExpiryAnnotation contains a link to PR adding this annotation which verifies
+	// that TLS artifact is correctly regenerated after it has expired
+	CertificateAutoRegenerateAfterOfflineExpiryAnnotation string = "certificates.openshift.io/auto-regenerate-after-offline-expiry"
+	// CertificateRefreshPeriodAnnotation is the interval at which the certificate should be refreshed.
+	CertificateRefreshPeriodAnnotation string = "certificates.openshift.io/refresh-period"
+)
+
+// AdditionalAnnotations holds TLS artifact metadata annotations as defined by
+// the TLS Artifacts Registry enhancement. These annotations identify the
+// owning component, purpose, and lifecycle of managed TLS artifacts.
+type AdditionalAnnotations struct {
+	// JiraComponent annotates tls artifacts so that owner could be easily found
+	JiraComponent string
+	// Description is a human-readable one sentence description of certificate purpose
+	Description string
+	// TestName is an e2e test name which verifies that TLS artifact is created and used correctly
+	TestName string
+	// AutoRegenerateAfterOfflineExpiry contains a link to PR which adds this annotation on the TLS artifact
+	AutoRegenerateAfterOfflineExpiry string
+	// NotBefore contains certificate the certificate creation date in RFC3339 format.
+	NotBefore string
+	// NotAfter contains certificate the certificate validity date in RFC3339 format.
+	NotAfter string
+	// RefreshPeriod contains the interval at which the certificate should be refreshed.
+	RefreshPeriod string
+}
+
+func (a AdditionalAnnotations) EnsureTLSMetadataUpdate(meta *metav1.ObjectMeta) bool {
+	modified := false
+	if meta.Annotations == nil {
+		meta.Annotations = make(map[string]string)
+	}
+	if len(a.JiraComponent) > 0 && meta.Annotations[annotations.OpenShiftComponent] != a.JiraComponent {
+		diff := cmp.Diff(meta.Annotations[annotations.OpenShiftComponent], a.JiraComponent)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", annotations.OpenShiftComponent, meta.Namespace, meta.Name, diff)
+		meta.Annotations[annotations.OpenShiftComponent] = a.JiraComponent
+		modified = true
+	}
+	if len(a.Description) > 0 && meta.Annotations[annotations.OpenShiftDescription] != a.Description {
+		diff := cmp.Diff(meta.Annotations[annotations.OpenShiftDescription], a.Description)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", annotations.OpenShiftDescription, meta.Namespace, meta.Name, diff)
+		meta.Annotations[annotations.OpenShiftDescription] = a.Description
+		modified = true
+	}
+	if len(a.TestName) > 0 && meta.Annotations[CertificateTestNameAnnotation] != a.TestName {
+		diff := cmp.Diff(meta.Annotations[CertificateTestNameAnnotation], a.TestName)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateTestNameAnnotation, meta.Name, meta.Namespace, diff)
+		meta.Annotations[CertificateTestNameAnnotation] = a.TestName
+		modified = true
+	}
+	if len(a.AutoRegenerateAfterOfflineExpiry) > 0 && meta.Annotations[CertificateAutoRegenerateAfterOfflineExpiryAnnotation] != a.AutoRegenerateAfterOfflineExpiry {
+		diff := cmp.Diff(meta.Annotations[CertificateAutoRegenerateAfterOfflineExpiryAnnotation], a.AutoRegenerateAfterOfflineExpiry)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateAutoRegenerateAfterOfflineExpiryAnnotation, meta.Namespace, meta.Name, diff)
+		meta.Annotations[CertificateAutoRegenerateAfterOfflineExpiryAnnotation] = a.AutoRegenerateAfterOfflineExpiry
+		modified = true
+	}
+	if len(a.NotBefore) > 0 && meta.Annotations[CertificateNotBeforeAnnotation] != a.NotBefore {
+		diff := cmp.Diff(meta.Annotations[CertificateNotBeforeAnnotation], a.NotBefore)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateNotBeforeAnnotation, meta.Name, meta.Namespace, diff)
+		meta.Annotations[CertificateNotBeforeAnnotation] = a.NotBefore
+		modified = true
+	}
+	if len(a.NotAfter) > 0 && meta.Annotations[CertificateNotAfterAnnotation] != a.NotAfter {
+		diff := cmp.Diff(meta.Annotations[CertificateNotAfterAnnotation], a.NotAfter)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateNotAfterAnnotation, meta.Name, meta.Namespace, diff)
+		meta.Annotations[CertificateNotAfterAnnotation] = a.NotAfter
+		modified = true
+	}
+	if len(a.RefreshPeriod) > 0 && meta.Annotations[CertificateRefreshPeriodAnnotation] != a.RefreshPeriod {
+		diff := cmp.Diff(meta.Annotations[CertificateRefreshPeriodAnnotation], a.RefreshPeriod)
+		klog.V(2).Infof("Updating %q annotation for %s/%s, diff: %s", CertificateRefreshPeriodAnnotation, meta.Name, meta.Namespace, diff)
+		meta.Annotations[CertificateRefreshPeriodAnnotation] = a.RefreshPeriod
+		modified = true
+	}
+	return modified
+}
+
+func NewTLSArtifactObjectMeta(name, namespace string, annotations AdditionalAnnotations) metav1.ObjectMeta {
+	meta := metav1.ObjectMeta{
+		Namespace: namespace,
+		Name:      name,
+	}
+	_ = annotations.EnsureTLSMetadataUpdate(&meta)
+	return meta
+}