USHIFT-6590: Align certificate expiry dates

[pacevedom]

Summary by CodeRabbit

• Refactor
  • Certificate expirations now align to the next midnight, so all certs end at a uniform day boundary.
• Tests
  • Certificate-rotation tests adjusted to account for the aligned expiry calculations (expiry shifts by one day where applicable).
• Documentation
  • Date-computation docs updated to reflect that expiry calculations use midnight-tomorrow as the anchor.

[openshift-ci-robot]

@pacevedom: This pull request references USHIFT-6590 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "openshift-4.21" instead.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pacevedom]

/jira refresh

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pacevedom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@pacevedom: This pull request references USHIFT-6590 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

Aligns certificate expirations to the next midnight by adding alignValidity and applying it to certificate validity values in certSetup; updates a certificate-rotation test to account for the aligned expiry calculations.

Changes

Cohort / File(s)	Summary
Certificate Validity Alignment pkg/cmd/init.go	Adds alignValidity helper that computes duration until next midnight plus base validity; replaces direct uses of cryptomaterial.ShortLivedCertificateValidity and cryptomaterial.LongLivedCertificateValidity with aligned values; introduces startTime and nextMidnight anchors.
Tests — certificate rotation test/suites/standard2/validate-certificate-rotation.robot	Adjusts expiry calculations to account for the alignment (uses 366 + FUTURE_DAYS and computes dates relative to tomorrow's midnight); updates comments and date computation commands accordingly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'USHIFT-6590: Align certificate expiry dates' directly and clearly summarizes the main change: aligning certificate expiration dates to the next midnight boundary.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

test/suites/standard2/validate-certificate-rotation.robot (1)

82-82: Pre-existing typo: "ceritifate" → "certificate".

Not introduced by this PR, but worth a drive-by fix if you're already touching this file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@pacevedom: This pull request references USHIFT-6590 which is a valid jira issue.

Details

In response to this:

Summary by CodeRabbit

• Refactor
• Aligned certificate expiration times to occur uniformly at the next midnight boundary, improving consistency and predictability of certificate lifecycle management.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@pkg/cmd/init.go`:
- Around line 66-77: The code builds nextMidnight and alignValidity using the
local time zone via startTime := time.Now(); replace this with UTC to avoid DST
drift: set startTime to time.Now().UTC() (and ensure nextMidnight is constructed
in that same UTC location) so that nextMidnight, targetExpiration and the
alignValidity(baseValidity) calculation are anchored to a fixed UTC midnight
rather than a potentially-shifting local midnight; update references to
startTime, nextMidnight and alignValidity accordingly.

[openshift-ci-robot]

@pacevedom: This pull request references USHIFT-6590 which is a valid jira issue.

Details

In response to this:

Summary by CodeRabbit

• Refactor
• Certificate expirations now align to the next midnight, so all certs end at a uniform day boundary.
• Tests
• Certificate-rotation tests adjusted to account for the aligned expiry calculations (expiry shifts by one day where applicable).
• Documentation
• Date-computation docs updated to reflect that expiry calculations use midnight-tomorrow as the anchor.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pacevedom]

/retest

[pacevedom]

/override ci/prow/ocp-full-conformance-rhel-eus ci/prow/ocp-full-conformance-serial-rhel-eus

Failures are because of unrelated issues being taken care of in a different PR.

[openshift-ci]

@pacevedom: Overrode contexts on behalf of pacevedom: ci/prow/ocp-full-conformance-rhel-eus, ci/prow/ocp-full-conformance-serial-rhel-eus

Details

In response to this:

/override ci/prow/ocp-full-conformance-rhel-eus ci/prow/ocp-full-conformance-serial-rhel-eus

Failures are because of unrelated issues being taken care of in a different PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@pacevedom: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[pacevedom]

/verified by CI

[openshift-ci-robot]

@pacevedom: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.