API-1853: make TLS registry tests required

pkg/cmd/update-tls-artifacts/generate-owners/tlsmetadatainterfaces/helpers.go

@@ -29,7 +29,8 @@ var (
 	}
 	onDiskCABundles = certs.CABundleInfoByOnDiskLocation{
 		{Path: "/etc/kubernetes/ca.crt"}: {OwningJiraComponent: "Machine Config Operator"},
-		{Path: "/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt"}:          {OwningJiraComponent: "kube-apiserver"},
+		{Path: "/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt"}: {OwningJiraComponent: "kube-apiserver"},
+		{Path: "/etc/kubernetes/kubeconfig"}: {OwningJiraComponent: "kube-apiserver"},
 		{Path: "/etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/trusted-ca-bundle/ca-bundle.crt"}: {OwningJiraComponent: "kube-controller-manager"},
 		{Path: "/etc/pki/tls/cert.pem"}:            {OwningJiraComponent: "RHCOS"},
 		{Path: "/etc/pki/tls/certs/ca-bundle.crt"}: {OwningJiraComponent: "RHCOS"},

test/extended/operators/certs.go

@@ -32,7 +32,6 @@ import (
 
 	"github.com/openshift/origin/pkg/certs"
 	"github.com/openshift/origin/pkg/monitortestlibrary/platformidentification"
-	testresult "github.com/openshift/origin/pkg/test/ginkgo/result"
 	exutil "github.com/openshift/origin/test/extended/util"
 	"github.com/openshift/origin/test/extended/util/image"
 	ownership "github.com/openshift/origin/tls"
@@ -262,12 +261,9 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
 		if len(newTLSRegistry.CertKeyPairs) > 0 || len(newTLSRegistry.CertificateAuthorityBundles) > 0 {
 			registryString, err := json.MarshalIndent(newTLSRegistry, "", "  ")
 			if err != nil {
-				//g.Fail("Failed to marshal registry %#v: %v", newTLSRegistry, err)
-				testresult.Flakef("Failed to marshal registry %#v: %v", newTLSRegistry, err)
+				g.Fail(fmt.Sprintf("Failed to marshal registry %#v: %v", newTLSRegistry, err))
 			}
-			// TODO: uncomment when test no longer fails and enhancement is merged
-			//g.Fail(fmt.Sprintf("Unregistered TLS certificates:\n%s", registryString))
-			testresult.Flakef(fmt.Sprintf("Unregistered TLS certificates found:\n%s\nSee tls/ownership/README.md in origin repo", registryString))
+			g.Fail(fmt.Sprintf("Unregistered TLS certificates:\n%s\nSee https://github.com/openshift/origin/blob/master/tls/README.md", registryString))
 		}
 	})
 
@@ -277,9 +273,7 @@ var _ = g.Describe(fmt.Sprintf("[sig-arch][Late][Jira:%q]", "kube-apiserver"), g
 		o.Expect(err).NotTo(o.HaveOccurred())
 
 		if len(messages) > 0 {
-			// TODO: uncomment when test no longer fails and enhancement is merged
-			//g.Fail(strings.Join(messages, "\n"))
-			testresult.Flakef(strings.Join(messages, "\n"))
+			g.Fail(strings.Join(messages, "\n"))
 		}
 	})
 

tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json

@@ -1623,6 +1623,18 @@
                 }
             }
         },
+        {
+            "InClusterLocation": null,
+            "OnDiskLocation": {
+                "onDiskLocation": {
+                    "Path": "/etc/kubernetes/kubeconfig"
+                },
+                "certificateAuthorityBundleInfo": {
+                    "owningJiraComponent": "kube-apiserver",
+                    "description": ""
+                }
+            }
+        },
         {
             "InClusterLocation": null,
             "OnDiskLocation": {

tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md

@@ -2,7 +2,7 @@
 
 ## Table of Contents
   - [How to meet the requirement](#How-to-meet-the-requirement)
-  - [Items Do NOT Meet the Requirement (258)](#Items-Do-NOT-Meet-the-Requirement-258)
+  - [Items Do NOT Meet the Requirement (259)](#Items-Do-NOT-Meet-the-Requirement-259)
     - [Unknown Owner (4)](#Unknown-Owner-4)
       - [Certificates (2)](#Certificates-2)
       - [Certificate Authority Bundles (2)](#Certificate-Authority-Bundles-2)
@@ -37,9 +37,9 @@
     - [etcd (31)](#etcd-31)
       - [Certificates (22)](#Certificates-22)
       - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9)
-    - [kube-apiserver (45)](#kube-apiserver-45)
+    - [kube-apiserver (46)](#kube-apiserver-46)
       - [Certificates (25)](#Certificates-25)
-      - [Certificate Authority Bundles (20)](#Certificate-Authority-Bundles-20)
+      - [Certificate Authority Bundles (21)](#Certificate-Authority-Bundles-21)
     - [kube-controller-manager (12)](#kube-controller-manager-12)
       - [Certificates (3)](#Certificates-3)
       - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9)
@@ -69,7 +69,7 @@ This assertion means that you have
       QE has required test every release that ensures the functionality works every release.
 If you have not done this, you should not merge the annotation.
 
-## Items Do NOT Meet the Requirement (258)
+## Items Do NOT Meet the Requirement (259)
 ### Unknown Owner (4)
 #### Certificates (2)
 1. ns/openshift-ingress secret/router-certs-default
@@ -759,7 +759,7 @@ If you have not done this, you should not merge the annotation.
 
 
 
-### kube-apiserver (45)
+### kube-apiserver (46)
 #### Certificates (25)
 1. ns/openshift-config-managed secret/kube-controller-manager-client-cert-key
 
@@ -964,7 +964,7 @@ If you have not done this, you should not merge the annotation.
 
 
 
-#### Certificate Authority Bundles (20)
+#### Certificate Authority Bundles (21)
 1. ns/openshift-config configmap/admin-kubeconfig-client-ca
 
       **Description:** 
@@ -1131,7 +1131,20 @@ If you have not done this, you should not merge the annotation.
       * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt
 
 
-20. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt
+20. file /etc/kubernetes/kubeconfig
+
+      **Description:** 
+
+
+      Other locations:
+
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-ext.kubeconfig
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost-recovery.kubeconfig
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig
+
+
+21. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt
 
       **Description:** 
 

tls/descriptions/descriptions.json

@@ -1623,6 +1623,18 @@
                 }
             }
         },
+        {
+            "InClusterLocation": null,
+            "OnDiskLocation": {
+                "onDiskLocation": {
+                    "Path": "/etc/kubernetes/kubeconfig"
+                },
+                "certificateAuthorityBundleInfo": {
+                    "owningJiraComponent": "kube-apiserver",
+                    "description": ""
+                }
+            }
+        },
         {
             "InClusterLocation": null,
             "OnDiskLocation": {

tls/descriptions/descriptions.md

@@ -2,7 +2,7 @@
 
 ## Table of Contents
   - [How to meet the requirement](#How-to-meet-the-requirement)
-  - [Items Do NOT Meet the Requirement (127)](#Items-Do-NOT-Meet-the-Requirement-127)
+  - [Items Do NOT Meet the Requirement (128)](#Items-Do-NOT-Meet-the-Requirement-128)
     - [Unknown Owner (4)](#Unknown-Owner-4)
       - [Certificates (2)](#Certificates-2)
       - [Certificate Authority Bundles (2)](#Certificate-Authority-Bundles-2)
@@ -34,9 +34,9 @@
       - [Certificate Authority Bundles (2)](#Certificate-Authority-Bundles-2)
     - [cluster-network-operator (1)](#cluster-network-operator-1)
       - [Certificate Authority Bundles (1)](#Certificate-Authority-Bundles-1)
-    - [kube-apiserver (45)](#kube-apiserver-45)
+    - [kube-apiserver (46)](#kube-apiserver-46)
       - [Certificates (25)](#Certificates-25)
-      - [Certificate Authority Bundles (20)](#Certificate-Authority-Bundles-20)
+      - [Certificate Authority Bundles (21)](#Certificate-Authority-Bundles-21)
     - [kube-controller-manager (12)](#kube-controller-manager-12)
       - [Certificates (3)](#Certificates-3)
       - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9)
@@ -62,7 +62,7 @@ These descriptions must be in the style of API documentation and must include
 
 To create a description, set the `openshift.io/description` annotation to the markdown formatted string describing your TLS artifact. 
 
-## Items Do NOT Meet the Requirement (127)
+## Items Do NOT Meet the Requirement (128)
 ### Unknown Owner (4)
 #### Certificates (2)
 1. ns/openshift-ingress secret/router-certs-default
@@ -500,7 +500,7 @@ To create a description, set the `openshift.io/description` annotation to the ma
 
 
 
-### kube-apiserver (45)
+### kube-apiserver (46)
 #### Certificates (25)
 1. ns/openshift-config-managed secret/kube-controller-manager-client-cert-key
 
@@ -705,7 +705,7 @@ To create a description, set the `openshift.io/description` annotation to the ma
 
 
 
-#### Certificate Authority Bundles (20)
+#### Certificate Authority Bundles (21)
 1. ns/openshift-config configmap/admin-kubeconfig-client-ca
 
       **Description:** 
@@ -872,7 +872,20 @@ To create a description, set the `openshift.io/description` annotation to the ma
       * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt
 
 
-20. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt
+20. file /etc/kubernetes/kubeconfig
+
+      **Description:** 
+
+
+      Other locations:
+
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-ext.kubeconfig
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost-recovery.kubeconfig
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig
+
+
+21. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt
 
       **Description:** 
 

tls/ownership/ownership.json

@@ -1623,6 +1623,18 @@
                 }
             }
         },
+        {
+            "InClusterLocation": null,
+            "OnDiskLocation": {
+                "onDiskLocation": {
+                    "Path": "/etc/kubernetes/kubeconfig"
+                },
+                "certificateAuthorityBundleInfo": {
+                    "owningJiraComponent": "kube-apiserver",
+                    "description": ""
+                }
+            }
+        },
         {
             "InClusterLocation": null,
             "OnDiskLocation": {

tls/ownership/ownership.md

@@ -35,9 +35,9 @@
   - [etcd (31)](#etcd-31)
     - [Certificates (22)](#Certificates-22)
     - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9)
-  - [kube-apiserver (45)](#kube-apiserver-45)
+  - [kube-apiserver (46)](#kube-apiserver-46)
     - [Certificates (25)](#Certificates-25)
-    - [Certificate Authority Bundles (20)](#Certificate-Authority-Bundles-20)
+    - [Certificate Authority Bundles (21)](#Certificate-Authority-Bundles-21)
   - [kube-controller-manager (12)](#kube-controller-manager-12)
     - [Certificates (3)](#Certificates-3)
     - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9)
@@ -737,7 +737,7 @@
 
 
 
-## kube-apiserver (45)
+## kube-apiserver (46)
 ### Certificates (25)
 1. ns/openshift-config-managed secret/kube-controller-manager-client-cert-key
 
@@ -942,7 +942,7 @@
 
 
 
-### Certificate Authority Bundles (20)
+### Certificate Authority Bundles (21)
 1. ns/openshift-config configmap/admin-kubeconfig-client-ca
 
       **Description:** 
@@ -1109,7 +1109,20 @@
       * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt
 
 
-20. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt
+20. file /etc/kubernetes/kubeconfig
+
+      **Description:** 
+
+
+      Other locations:
+
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-ext.kubeconfig
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost-recovery.kubeconfig
+      * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig
+
+
+21. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt
 
       **Description:** 
 

tls/violations/autoregenerate-after-expiry/autoregenerate-after-expiry-violations.json

@@ -1101,6 +1101,18 @@
                 }
             }
         },
+        {
+            "InClusterLocation": null,
+            "OnDiskLocation": {
+                "onDiskLocation": {
+                    "Path": "/etc/kubernetes/kubeconfig"
+                },
+                "certificateAuthorityBundleInfo": {
+                    "owningJiraComponent": "",
+                    "description": ""
+                }
+            }
+        },
         {
             "InClusterLocation": null,
             "OnDiskLocation": {

tls/violations/descriptions/descriptions-violations.json

@@ -945,6 +945,18 @@
                 }
             }
         },
+        {
+            "InClusterLocation": null,
+            "OnDiskLocation": {
+                "onDiskLocation": {
+                    "Path": "/etc/kubernetes/kubeconfig"
+                },
+                "certificateAuthorityBundleInfo": {
+                    "owningJiraComponent": "",
+                    "description": ""
+                }
+            }
+        },
         {
             "InClusterLocation": null,
             "OnDiskLocation": {