Merge pull request #6552 from allenmunC1/leaf-duration

Add flag and field to customize leaf duration on dynamic certificates

internal/apis/config/webhook/types.go

@@ -17,6 +17,8 @@ limitations under the License.
 package webhook
 
 import (
+	"time"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	logsapi "k8s.io/component-base/logs/api/v1"
 )
@@ -115,6 +117,9 @@ type DynamicServingConfig struct {
 
 	// DNSNames that must be present on serving certificates signed by the CA.
 	DNSNames []string
+
+	// LeafDuration is a customizable duration on serving certificates signed by the CA.
+	LeafDuration time.Duration
 }
 
 // FilesystemServingConfig enables using a certificate and private key found on the local filesystem.

internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go

@@ -22,6 +22,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	time "time"
 	unsafe "unsafe"
 
 	webhook "github.com/cert-manager/cert-manager/internal/apis/config/webhook"
@@ -85,6 +86,7 @@ func autoConvert_v1alpha1_DynamicServingConfig_To_webhook_DynamicServingConfig(i
 	out.SecretNamespace = in.SecretNamespace
 	out.SecretName = in.SecretName
 	out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
+	out.LeafDuration = time.Duration(in.LeafDuration)
 	return nil
 }
 
@@ -97,6 +99,7 @@ func autoConvert_webhook_DynamicServingConfig_To_v1alpha1_DynamicServingConfig(i
 	out.SecretNamespace = in.SecretNamespace
 	out.SecretName = in.SecretName
 	out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
+	out.LeafDuration = time.Duration(in.LeafDuration)
 	return nil
 }
 

internal/webhook/webhook.go

@@ -131,6 +131,7 @@ func buildCertificateSource(log logr.Logger, tlsConfig config.TLSConfig, restCfg
 			Authority: &authority.DynamicAuthority{
 				SecretNamespace: tlsConfig.Dynamic.SecretNamespace,
 				SecretName:      tlsConfig.Dynamic.SecretName,
+				LeafDuration:    tlsConfig.Dynamic.LeafDuration,
 				RESTConfig:      restCfg,
 			},
 		}

pkg/apis/config/webhook/v1alpha1/types.go

@@ -17,6 +17,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"time"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	logsapi "k8s.io/component-base/logs/api/v1"
 )
@@ -103,6 +105,9 @@ type DynamicServingConfig struct {
 
 	// DNSNames that must be present on serving certificates signed by the CA.
 	DNSNames []string `json:"dnsNames,omitempty"`
+
+	// LeafDuration is a customizable duration on serving certificates signed by the CA.
+	LeafDuration time.Duration
 }
 
 // FilesystemServingConfig enables using a certificate and private key found on the local filesystem.

pkg/webhook/options/options.go

@@ -64,6 +64,7 @@ func AddConfigFlags(fs *pflag.FlagSet, c *config.WebhookConfiguration) {
 	fs.StringVar(&c.TLSConfig.Filesystem.CertFile, "tls-cert-file", c.TLSConfig.Filesystem.CertFile, "path to the file containing the TLS certificate to serve with")
 	fs.StringVar(&c.TLSConfig.Filesystem.KeyFile, "tls-private-key-file", c.TLSConfig.Filesystem.KeyFile, "path to the file containing the TLS private key to serve with")
 
+	fs.DurationVar(&c.TLSConfig.Dynamic.LeafDuration, "dynamic-serving-leaf-duration", c.TLSConfig.Dynamic.LeafDuration, "leaf duration of serving certificates")
 	fs.StringVar(&c.TLSConfig.Dynamic.SecretNamespace, "dynamic-serving-ca-secret-namespace", c.TLSConfig.Dynamic.SecretNamespace, "namespace of the secret used to store the CA that signs serving certificates")
 	fs.StringVar(&c.TLSConfig.Dynamic.SecretName, "dynamic-serving-ca-secret-name", c.TLSConfig.Dynamic.SecretName, "name of the secret used to store the CA that signs serving certificates certificates")
 	fs.StringSliceVar(&c.TLSConfig.Dynamic.DNSNames, "dynamic-serving-dns-names", c.TLSConfig.Dynamic.DNSNames, "DNS names that should be present on certificates generated by the dynamic serving CA")