Add event for certificate in KubeadmControlPlane

Signed-off-by: nayuta-ai <[email protected]>

Author: nayuta723

controlplane/kubeadm/internal/controllers/consts.go

@@ -30,4 +30,12 @@ const (
 	// dependentCertRequeueAfter is how long to wait before checking again to see if
 	// dependent certificates have been created.
 	dependentCertRequeueAfter = 30 * time.Second
+
+	// CertificatesExpiringReason is the event reason when certificates are expiring soon
+	// and rollout is triggered (RolloutBefore).
+	CertificatesExpiringReason = "CertificatesExpiring"
+
+	// CertificatesExpiredReason is the event reason when certificates have already expired
+	// and rollout is triggered (RolloutAfter).
+	CertificatesExpiredReason = "CertificatesExpired"
 )

controlplane/kubeadm/internal/controllers/controller.go

@@ -515,6 +515,10 @@ func (r *KubeadmControlPlaneReconciler) reconcile(ctx context.Context, controlPl
 		for machine, machineUpToDateResult := range machinesUpToDateResults {
 			allMessages = append(allMessages, fmt.Sprintf("Machine %s needs rollout: %s", machine, strings.Join(machineUpToDateResult.LogMessages, ",")))
 		}
+
+		// Emit CertificateRenewalTriggered event (only on first detection)
+		r.emitCertificateRenewalTriggeredEvent(ctx, controlPlane, machinesUpToDateResults)
+
 		log.Info(fmt.Sprintf("Rolling out Control Plane machines: %s", strings.Join(allMessages, ",")), "machinesNeedingRollout", machinesNeedingRollout.Names())
 		v1beta1conditions.MarkFalse(controlPlane.KCP, controlplanev1.MachinesSpecUpToDateV1Beta1Condition, controlplanev1.RollingUpdateInProgressV1Beta1Reason, clusterv1.ConditionSeverityWarning, "Rolling %d replicas with outdated spec (%d replicas up to date)", len(machinesNeedingRollout), len(controlPlane.Machines)-len(machinesNeedingRollout))
 		return r.updateControlPlane(ctx, controlPlane, machinesNeedingRollout, machinesUpToDateResults)

controlplane/kubeadm/internal/controllers/helpers.go

@@ -39,6 +39,7 @@ import (
 	"sigs.k8s.io/cluster-api/internal/util/ssa"
 	"sigs.k8s.io/cluster-api/util"
 	"sigs.k8s.io/cluster-api/util/certs"
+	"sigs.k8s.io/cluster-api/util/conditions"
 	v1beta1conditions "sigs.k8s.io/cluster-api/util/conditions/deprecated/v1beta1"
 	"sigs.k8s.io/cluster-api/util/kubeconfig"
 	"sigs.k8s.io/cluster-api/util/patch"
@@ -326,3 +327,85 @@ func (r *KubeadmControlPlaneReconciler) updateMachine(ctx context.Context, machi
 	}
 	return updatedMachine, nil
 }
+
+// emitCertificateRenewalTriggeredEvent detects certificate renewal triggers and emits an event.
+// This function checks ConditionMessages for certificate expiry and uses condition state transitions
+// to ensure the event is emitted only once per rollout cycle.
+// Note: The message format "Certificates will expire soon" is set in filters.go.
+func (r *KubeadmControlPlaneReconciler) emitCertificateRenewalTriggeredEvent(
+	ctx context.Context,
+	controlPlane *internal.ControlPlane,
+	machinesUpToDateResults map[string]internal.UpToDateResult,
+) {
+	// Check if certificate renewal is the reason for rollout
+	certificatesExpiring := []string{}
+	certificatesExpired := []string{}
+
+	for machineName, result := range machinesUpToDateResults {
+		for _, msg := range result.ConditionMessages {
+			if strings.Contains(msg, internal.CertificatesExpirySoonMessage) {
+				certificatesExpiring = append(certificatesExpiring, machineName)
+			}
+			if strings.Contains(msg, internal.RolloutAfterExpiredMessage) {
+				certificatesExpired = append(certificatesExpired, machineName)
+			}
+		}
+	}
+
+	// No certificate renewal detected
+	if len(certificatesExpiring) == 0 && len(certificatesExpired) == 0 {
+		return
+	}
+
+	// Check v2 RollingOutCondition (if exists)
+	rollingOutCondition := conditions.Get(controlPlane.KCP, controlplanev1.KubeadmControlPlaneRollingOutCondition)
+	if rollingOutCondition != nil && rollingOutCondition.Status == metav1.ConditionTrue {
+		// Already rolling out, don't emit duplicate event
+		return
+	}
+
+	// Check v1beta1 MachinesSpecUpToDateCondition (fallback for backward compatibility)
+	v1beta1Condition := v1beta1conditions.Get(controlPlane.KCP, controlplanev1.MachinesSpecUpToDateV1Beta1Condition)
+	if v1beta1Condition != nil && v1beta1Condition.Status == corev1.ConditionFalse {
+		// Already rolling out, don't emit duplicate event
+		return
+	}
+
+	// Emit event for expiring certificates (RolloutBefore)
+	if len(certificatesExpiring) > 0 {
+		daysThreshold := controlPlane.KCP.Spec.Rollout.Before.CertificatesExpiryDays
+
+		if len(certificatesExpiring) == 1 {
+			r.recorder.Eventf(controlPlane.KCP, corev1.EventTypeWarning, CertificatesExpiringReason,
+				"Machine %s has certificates expiring within %d days and will be rolled out",
+				certificatesExpiring[0], daysThreshold)
+		} else if len(certificatesExpiring) <= 3 {
+			r.recorder.Eventf(controlPlane.KCP, corev1.EventTypeWarning, CertificatesExpiringReason,
+				"%d Machines have certificates expiring within %d days and will be rolled out: %s",
+				len(certificatesExpiring), daysThreshold, strings.Join(certificatesExpiring, ", "))
+		} else {
+			r.recorder.Eventf(controlPlane.KCP, corev1.EventTypeWarning, CertificatesExpiringReason,
+				"%d Machines have certificates expiring within %d days and will be rolled out: %s, ... (%d more)",
+				len(certificatesExpiring), daysThreshold,
+				strings.Join(certificatesExpiring[:3], ", "), len(certificatesExpiring)-3)
+		}
+	}
+
+	// Emit event for expired certificates (RolloutAfter)
+	if len(certificatesExpired) > 0 {
+		if len(certificatesExpired) == 1 {
+			r.recorder.Eventf(controlPlane.KCP, corev1.EventTypeWarning, CertificatesExpiredReason,
+				"Machine %s has expired certificates and will be rolled out",
+				certificatesExpired[0])
+		} else if len(certificatesExpired) <= 3 {
+			r.recorder.Eventf(controlPlane.KCP, corev1.EventTypeWarning, CertificatesExpiredReason,
+				"%d Machines have expired certificates and will be rolled out: %s",
+				len(certificatesExpired), strings.Join(certificatesExpired, ", "))
+		} else {
+			r.recorder.Eventf(controlPlane.KCP, corev1.EventTypeWarning, CertificatesExpiredReason,
+				"%d Machines have expired certificates and will be rolled out: %s, ... (%d more)",
+				len(certificatesExpired),
+				strings.Join(certificatesExpired[:3], ", "), len(certificatesExpired)-3)
+		}
+	}
+}

controlplane/kubeadm/internal/controllers/helpers_test.go

@@ -18,6 +18,7 @@ package controllers
 
 import (
 	"context"
+	"fmt"
 	"strings"
 	"testing"
 
@@ -914,3 +915,246 @@ func trimSpaces(s string) string {
 	s = strings.ReplaceAll(s, "\t", "")
 	return s
 }
+
+func TestEmitCertificateRenewalTriggeredEvent(t *testing.T) {
+	tests := []struct {
+		name                    string
+		machinesUpToDateResults map[string]internal.UpToDateResult
+		rollingOutCondition     *metav1.Condition
+		v1beta1Condition        *clusterv1.Condition
+		certificatesExpiryDays  int32
+		expectedEventCount      int
+		expectedEventReason     string
+		expectedMachinesInEvent []string
+		expectedDaysInEvent     int32
+	}{
+		{
+			name: "should emit event when certificate renewal is detected for the first time",
+			machinesUpToDateResults: map[string]internal.UpToDateResult{
+				"machine-1": {
+					ConditionMessages: []string{
+						"Certificates will expire soon",
+					},
+				},
+			},
+			rollingOutCondition:     nil, // No RollingOut condition exists yet
+			v1beta1Condition:        nil, // No v1beta1 condition exists yet
+			certificatesExpiryDays:  30,
+			expectedEventCount:      1,
+			expectedEventReason:     "CertificatesExpiring",
+			expectedMachinesInEvent: []string{"machine-1"},
+			expectedDaysInEvent:     30,
+		},
+		{
+			name: "should emit event for multiple machines",
+			machinesUpToDateResults: map[string]internal.UpToDateResult{
+				"machine-1": {
+					ConditionMessages: []string{
+						"Certificates will expire soon",
+					},
+				},
+				"machine-2": {
+					ConditionMessages: []string{
+						"Certificates will expire soon",
+					},
+				},
+			},
+			rollingOutCondition:     nil,
+			v1beta1Condition:        nil,
+			certificatesExpiryDays:  30,
+			expectedEventCount:      1,
+			expectedEventReason:     "CertificatesExpiring",
+			expectedMachinesInEvent: []string{"machine-1", "machine-2"},
+			expectedDaysInEvent:     30,
+		},
+		{
+			name: "should not emit event when already rolling out (v2 RollingOutCondition=True)",
+			machinesUpToDateResults: map[string]internal.UpToDateResult{
+				"machine-1": {
+					ConditionMessages: []string{
+						"Certificates will expire soon",
+					},
+				},
+			},
+			rollingOutCondition: &metav1.Condition{
+				Type:   controlplanev1.KubeadmControlPlaneRollingOutCondition,
+				Status: metav1.ConditionTrue,
+			},
+			v1beta1Condition:       nil,
+			certificatesExpiryDays: 30,
+			expectedEventCount:     0,
+		},
+		{
+			name: "should not emit event when already rolling out (v1beta1 MachinesSpecUpToDate=False)",
+			machinesUpToDateResults: map[string]internal.UpToDateResult{
+				"machine-1": {
+					ConditionMessages: []string{
+						"Certificates will expire soon",
+					},
+				},
+			},
+			rollingOutCondition: nil,
+			v1beta1Condition: &clusterv1.Condition{
+				Type:   controlplanev1.MachinesSpecUpToDateV1Beta1Condition,
+				Status: corev1.ConditionFalse,
+			},
+			certificatesExpiryDays: 30,
+			expectedEventCount:     0,
+		},
+		{
+			name: "should not emit event when no certificate renewal detected",
+			machinesUpToDateResults: map[string]internal.UpToDateResult{
+				"machine-1": {
+					ConditionMessages: []string{
+						"Version mismatch",
+					},
+				},
+			},
+			rollingOutCondition:    nil,
+			v1beta1Condition:       nil,
+			certificatesExpiryDays: 30,
+			expectedEventCount:     0,
+		},
+		{
+			name:                    "should not emit event when no machines need rollout",
+			machinesUpToDateResults: map[string]internal.UpToDateResult{},
+			rollingOutCondition:     nil,
+			v1beta1Condition:        nil,
+			certificatesExpiryDays:  30,
+			expectedEventCount:      0,
+		},
+		{
+			name: "should emit CertificatesExpired event when certificates have already expired",
+			machinesUpToDateResults: map[string]internal.UpToDateResult{
+				"machine-1": {
+					ConditionMessages: []string{
+						"KubeadmControlPlane spec.rolloutAfter expired",
+					},
+				},
+			},
+			rollingOutCondition:     nil,
+			v1beta1Condition:        nil,
+			certificatesExpiryDays:  30,
+			expectedEventCount:      1,
+			expectedEventReason:     "CertificatesExpired",
+			expectedMachinesInEvent: []string{"machine-1"},
+		},
+		{
+			name: "should emit CertificatesExpired event for multiple machines with expired certificates",
+			machinesUpToDateResults: map[string]internal.UpToDateResult{
+				"machine-1": {
+					ConditionMessages: []string{
+						"KubeadmControlPlane spec.rolloutAfter expired",
+					},
+				},
+				"machine-2": {
+					ConditionMessages: []string{
+						"KubeadmControlPlane spec.rolloutAfter expired",
+					},
+				},
+			},
+			rollingOutCondition:     nil,
+			v1beta1Condition:        nil,
+			certificatesExpiryDays:  30,
+			expectedEventCount:      1,
+			expectedEventReason:     "CertificatesExpired",
+			expectedMachinesInEvent: []string{"machine-1", "machine-2"},
+		},
+		{
+			name: "should emit both events when some certificates are expiring and some have expired",
+			machinesUpToDateResults: map[string]internal.UpToDateResult{
+				"machine-1": {
+					ConditionMessages: []string{
+						"Certificates will expire soon",
+					},
+				},
+				"machine-2": {
+					ConditionMessages: []string{
+						"KubeadmControlPlane spec.rolloutAfter expired",
+					},
+				},
+			},
+			rollingOutCondition:     nil,
+			v1beta1Condition:        nil,
+			certificatesExpiryDays:  30,
+			expectedEventCount:      2,
+			expectedEventReason:     "CertificatesExpiring", // First event reason
+			expectedMachinesInEvent: []string{"machine-1", "machine-2"},
+			expectedDaysInEvent:     30,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			// Create a fake event recorder
+			fakeRecorder := record.NewFakeRecorder(10)
+
+			// Create KCP with certificate expiry days
+			kcp := &controlplanev1.KubeadmControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-kcp",
+					Namespace: metav1.NamespaceDefault,
+				},
+				Spec: controlplanev1.KubeadmControlPlaneSpec{
+					Rollout: controlplanev1.KubeadmControlPlaneRolloutSpec{
+						Before: controlplanev1.KubeadmControlPlaneRolloutBeforeSpec{
+							CertificatesExpiryDays: tt.certificatesExpiryDays,
+						},
+					},
+				},
+			}
+
+			if tt.rollingOutCondition != nil {
+				kcp.Status.Conditions = []metav1.Condition{*tt.rollingOutCondition}
+			}
+			if tt.v1beta1Condition != nil {
+				kcp.SetV1Beta1Conditions([]clusterv1.Condition{*tt.v1beta1Condition})
+			}
+
+			// Create control plane
+			controlPlane := &internal.ControlPlane{
+				KCP: kcp,
+			}
+
+			// Create reconciler with fake recorder
+			r := &KubeadmControlPlaneReconciler{
+				recorder: fakeRecorder,
+			}
+
+			// Call the function
+			r.emitCertificateRenewalTriggeredEvent(context.Background(), controlPlane, tt.machinesUpToDateResults)
+
+			// Verify events
+			events := []string{}
+			close(fakeRecorder.Events)
+			for event := range fakeRecorder.Events {
+				events = append(events, event)
+			}
+
+			g.Expect(events).To(HaveLen(tt.expectedEventCount))
+			if tt.expectedEventCount > 0 {
+				// Verify event reason
+				g.Expect(events[0]).To(ContainSubstring(tt.expectedEventReason))
+
+				// For CertificatesExpiring events, verify days threshold
+				if tt.expectedEventReason == "CertificatesExpiring" {
+					g.Expect(events[0]).To(ContainSubstring("certificates expiring within"))
+					g.Expect(events[0]).To(ContainSubstring(fmt.Sprintf("%d days", tt.expectedDaysInEvent)))
+				}
+
+				// For CertificatesExpired events, verify expired message
+				if tt.expectedEventReason == "CertificatesExpired" {
+					g.Expect(events[0]).To(ContainSubstring("expired certificates"))
+				}
+
+				// Verify machines are mentioned in events
+				allEvents := strings.Join(events, " ")
+				for _, machine := range tt.expectedMachinesInEvent {
+					g.Expect(allEvents).To(ContainSubstring(machine))
+				}
+			}
+		})
+	}
+}