certrotation: require UserInfo on PeerRotation, add tests

[sanchezl]

Summary

Follow-up to #2145 addressing deferred review comments:

• Require UserInfo unconditionally on PeerRotation — previously only validated when ConfigurablePKI was enabled. A caller converting ServingRotation → PeerRotation without setting UserInfo would silently work on the legacy path but fail when ConfigurablePKI is enabled. On the legacy path, also validates that UserInfo.Name matches the sorted first hostname (used as CN by MakeServerCertForDuration).
• Add PeerRotation NewCertificate tests — covers both happy paths (legacy RSA, ECDSA with ConfigurablePKI) and error paths (nil UserInfo, mismatched UserInfo name). Verifies dual ExtKeyUsage, Subject encoding, and hostname SANs.
• Use t.Context() in certrotation tests — replaces context.Background()/context.TODO() across all test files.

Test plan

• go test ./pkg/operator/certrotation/... passes
• Verify CEO's PeerRotation usage still compiles (already sets UserInfo)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3d284392-689a-43a2-bd9b-838f92982ba0

📥 Commits

Reviewing files that changed from the base of the PR and between 9d7c515 and 27f907d.

📒 Files selected for processing (1)

• pkg/operator/certrotation/target_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/operator/certrotation/target_test.go

---

Walkthrough

Switched tests to use per-test contexts (t.Context()), removed unused context imports, reworked key-generation branching in certificate rotation methods to prefer duration-based helpers when keyGen==nil and configurable-PKI constructors otherwise, moved PeerRotation UserInfo checks, and added PeerRotation unit tests.

Changes

Cohort / File(s)	Summary
Test context updates pkg/operator/certrotation/cabundle_test.go, pkg/operator/certrotation/client_cert_rotation_controller_test.go, pkg/operator/certrotation/signer_test.go, pkg/operator/certrotation/target_test.go	Replaced context.TODO() / context.Background() with t.Context() in tests and removed now-unused context imports.
Certificate-generation branching pkg/operator/certrotation/target.go	Reordered keyGen branches: keyGen == nil now uses duration-based helpers (Make*ForDuration / MakeCAConfigForDuration); keyGen != nil uses configurable-PKI constructors (New*Certificate / NewSigningCertificate) with lifetime and extensions. Moved PeerRotation UserInfo requirement outside the keyGen branch and added legacy CN validation (sorted hostnames).
PeerRotation tests & coverage pkg/operator/certrotation/target_test.go	Added TestPeerRotation_NewCertificate_WithKeyPairGenerator and extended key-algorithm coverage for client/serving rotation tests; validates public-key algorithm selection, UserInfo error cases, legacy CN conflict behavior, SAN/DNS contents, CN/organization fields, and both ClientAuth/ServerAuth extended usages.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sanchezl]

/cc @rh-roman

[rh-roman]

Mostly cosmetic changes, the PR looks good!

[rh-roman]

What do you think of flipping the keyGen check and putting legacy code inside. Then happy path will be the default return and removing the legacy path will be a smaller diff (eventually).

[rh-roman]

This project imports testify, you could shorten the test to

Suggested change

	if tc.wantErr != "" {
	if err == nil {
	t.Fatalf("expected error containing %q, got nil", tc.wantErr)
	}
	if !strings.Contains(err.Error(), tc.wantErr) {
	t.Fatalf("expected error containing %q, got %q", tc.wantErr, err.Error())
	}
	return
	}
	if tc.wantErr != "" {
	if assert.Error(t, err) {
	assert.ErrorContains(t, err, tc.wantErrText)
	}
	return
	}

[rh-roman]

If you pull these out into a helper you can also add them to Client and Serving tests, which don't already have them.

[coderabbitai]

🧹 Nitpick comments (1)

pkg/operator/certrotation/target_test.go (1)

898-901: Strengthen SAN assertions to validate requested hostnames/IPs explicitly.

len(cert.DNSNames) > 0 can pass even when some required SAN entries are missing (especially IP SANs). Assert each tc.hostnames entry exists in DNS SANs or IP SANs.

Proposed test hardening

 import (
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"net"
 	"slices"
 	"strings"
 	"testing"
 	"time"
@@
-			// Verify hostnames in SANs
-			if len(cert.DNSNames) == 0 {
-				t.Error("expected DNS SANs")
-			}
+			// Verify all requested hostnames/IPs are present in SANs
+			for _, h := range tc.hostnames {
+				if ip := net.ParseIP(h); ip != nil {
+					found := false
+					for _, certIP := range cert.IPAddresses {
+						if certIP.Equal(ip) {
+							found = true
+							break
+						}
+					}
+					if !found {
+						t.Errorf("missing IP SAN %q", h)
+					}
+					continue
+				}
+				if !slices.Contains(cert.DNSNames, h) {
+					t.Errorf("missing DNS SAN %q", h)
+				}
+			}

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/operator/certrotation/target_test.go` around lines 898 - 901, The test
currently only asserts that cert.DNSNames is non-empty which can miss missing
SAN entries; update the test to iterate over each tc.hostnames entry and assert
it appears either in cert.DNSNames or in cert.IPAddresses (by comparing the
string form of net.IP entries or parsing tc.hostnames with net.ParseIP), and
fail with a clear t.Errorf when a specific hostname/IP from tc.hostnames is not
found; reference cert.DNSNames, cert.IPAddresses and tc.hostnames in the check
and use net.ParseIP to distinguish IP vs DNS entries.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/operator/certrotation/target_test.go`:
- Around line 898-901: The test currently only asserts that cert.DNSNames is
non-empty which can miss missing SAN entries; update the test to iterate over
each tc.hostnames entry and assert it appears either in cert.DNSNames or in
cert.IPAddresses (by comparing the string form of net.IP entries or parsing
tc.hostnames with net.ParseIP), and fail with a clear t.Errorf when a specific
hostname/IP from tc.hostnames is not found; reference cert.DNSNames,
cert.IPAddresses and tc.hostnames in the check and use net.ParseIP to
distinguish IP vs DNS entries.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5813a957-0892-433a-9c50-14d563ed9a22

📥 Commits

Reviewing files that changed from the base of the PR and between 08ccb6a and 9d7c515.

📒 Files selected for processing (1)

• pkg/operator/certrotation/target_test.go

[openshift-ci]

@sanchezl: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[rh-roman]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rh-roman, sanchezl
Once this PR has been reviewed and has the lgtm label, please assign jsafrane for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• pkg/operator/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment