diff --git a/internal/apis/config/webhook/types.go b/internal/apis/config/webhook/types.go
index 07fa7aed7..08b7e549a 100644
--- a/internal/apis/config/webhook/types.go
+++ b/internal/apis/config/webhook/types.go
@@ -17,6 +17,8 @@ limitations under the License.
 package webhook
 
 import (
+ "time"
+
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 logsapi "k8s.io/component-base/logs/api/v1"
 )
@@ -115,6 +117,9 @@ type DynamicServingConfig struct {
 
 // DNSNames that must be present on serving certificates signed by the CA.
 DNSNames []string
+
+ // LeafDuration is a customizable duration on serving certificates signed by the CA.
+ LeafDuration time.Duration
 }
 
 // FilesystemServingConfig enables using a certificate and private key found on the local filesystem.
diff --git a/internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go b/internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go
index 0991c333a..3acf8870d 100644
--- a/internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go
+++ b/internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go
@@ -22,6 +22,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+ time "time"
 unsafe "unsafe"
 
 webhook "github.com/cert-manager/cert-manager/internal/apis/config/webhook"
@@ -85,6 +86,7 @@ func autoConvert_v1alpha1_DynamicServingConfig_To_webhook_DynamicServingConfig(i
 out.SecretNamespace = in.SecretNamespace
 out.SecretName = in.SecretName
 out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
+ out.LeafDuration = time.Duration(in.LeafDuration)
 return nil
 }
 
@@ -97,6 +99,7 @@ func autoConvert_webhook_DynamicServingConfig_To_v1alpha1_DynamicServingConfig(i
 out.SecretNamespace = in.SecretNamespace
 out.SecretName = in.SecretName
 out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
+ out.LeafDuration = time.Duration(in.LeafDuration)
 return nil
 }
 
diff --git a/internal/webhook/webhook.go b/internal/webhook/webhook.go
index 1983a10dd..c7fb8207c 100644
--- a/internal/webhook/webhook.go
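Review bot: The doc comment on the new `LeafDuration` field in the `-115` hunk says "customizable duration" without stating what the duration governs or what an unset value means; because the field is a plain `time.Duration`, any config that omits it yields 0, and whether 0 becomes a built-in default or a zero-lifetime serving certificate is decided in the serving authority, which is outside this diff. Suggest `// LeafDuration is the validity period of serving certificates signed by the CA.` followed by a sentence stating the zero-value behaviour once it has been confirmed against DynamicAuthority, e.g. `// Zero means the value was not configured and the authority's default applies.` if that is the case. The identical comment appears in the pkg/apis/config/webhook/v1alpha1/types.go hunk of this commit and should be updated in the same way.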
+++ b/internal/webhook/webhook.go
@@ -131,6 +131,7 @@ func buildCertificateSource(log logr.Logger, tlsConfig config.TLSConfig, restCfg
 Authority: &authority.DynamicAuthority{
 SecretNamespace: tlsConfig.Dynamic.SecretNamespace,
 SecretName: tlsConfig.Dynamic.SecretName,
+ LeafDuration: tlsConfig.Dynamic.LeafDuration,
 RESTConfig: restCfg,
 },
 }
diff --git a/pkg/apis/config/webhook/v1alpha1/types.go b/pkg/apis/config/webhook/v1alpha1/types.go
index 4b5320f7d..60b85edd2 100644
--- a/pkg/apis/config/webhook/v1alpha1/types.go
+++ b/pkg/apis/config/webhook/v1alpha1/types.go
@@ -17,6 +17,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+ "time"
+
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 logsapi "k8s.io/component-base/logs/api/v1"
 )
@@ -103,6 +105,9 @@ type DynamicServingConfig struct {
 
 // DNSNames that must be present on serving certificates signed by the CA.
 DNSNames []string `json:"dnsNames,omitempty"`
+
+ // LeafDuration is a customizable duration on serving certificates signed by the CA.
+ LeafDuration time.Duration
 }
 
 // FilesystemServingConfig enables using a certificate and private key found on the local filesystem.
diff --git a/pkg/webhook/options/options.go b/pkg/webhook/options/options.go
index e2fd19ac7..2a4c76fbc 100644
--- a/pkg/webhook/options/options.go
+++ b/pkg/webhook/options/options.go
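Review bot: `LeafDuration: tlsConfig.Dynamic.LeafDuration` passes the operator-supplied value straight into `authority.DynamicAuthority` with no range check visible anywhere in this diff, so a negative, zero, or very long duration reaches the authority as-is unless the webhook config validation (not part of this change) or the authority itself rejects it. Because this value sets the lifetime of the webhook's own serving certificate, a negative value should be rejected at validation time and the zero case should be given a defined meaning rather than left to whatever the authority does with a 0ns lifetime; if a validation function for `DynamicServingConfig` exists alongside the SecretNamespace/SecretName checks, that is the natural place, with something like `if c.TLSConfig.Dynamic.LeafDuration < 0 { /* report "leafDuration must not be negative" */ }`. buildCertificateSource starts before and ends after this hunk.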
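Review bot: The new `LeafDuration time.Duration` field in the `-103` hunk of pkg/apis/config/webhook/v1alpha1/types.go has no `json` tag, while its sibling `DNSNames` carries `json:"dnsNames,omitempty"`; as written it will serialise under the Go field name `LeafDuration` and, since `time.Duration` marshals as an integer, as nanoseconds rather than a human-readable string. At minimum it should read `LeafDuration time.Duration \`json:"leafDuration,omitempty"\`` so the versioned config file keys stay camelCase and consistent. If the versioned config is meant to accept values like `"24h"`, the usual choice for a v1alpha1 API type is `metav1.Duration` (already imported in this file); that would change the generated conversion in zz_generated.conversion.go, which currently relies on the plain `time.Duration(in.LeafDuration)` cast, so the converter would need regenerating.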
@@ -64,6 +64,7 @@ func AddConfigFlags(fs *pflag.FlagSet, c *config.WebhookConfiguration) {
 
 fs.StringVar(&c.TLSConfig.Filesystem.CertFile, "tls-cert-file", c.TLSConfig.Filesystem.CertFile, "path to the file containing the TLS certificate to serve with")
 fs.StringVar(&c.TLSConfig.Filesystem.KeyFile, "tls-private-key-file", c.TLSConfig.Filesystem.KeyFile, "path to the file containing the TLS private key to serve with")
+ fs.DurationVar(&c.TLSConfig.Dynamic.LeafDuration, "dynamic-serving-leaf-duration", c.TLSConfig.Dynamic.LeafDuration, "leaf duration of serving certificates")
 fs.StringVar(&c.TLSConfig.Dynamic.SecretNamespace, "dynamic-serving-ca-secret-namespace", c.TLSConfig.Dynamic.SecretNamespace, "namespace of the secret used to store the CA that signs serving certificates")
 fs.StringVar(&c.TLSConfig.Dynamic.SecretName, "dynamic-serving-ca-secret-name", c.TLSConfig.Dynamic.SecretName, "name of the secret used to store the CA that signs serving certificates certificates")
 fs.StringSliceVar(&c.TLSConfig.Dynamic.DNSNames, "dynamic-serving-dns-names", c.TLSConfig.Dynamic.DNSNames, "DNS names that should be present on certificates generated by the dynamic serving CA")
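Review bot: The help text for the new `dynamic-serving-leaf-duration` flag, "leaf duration of serving certificates", does not say which certificates it applies to or what a zero value does, unlike the neighbouring dynamic-serving flags which all name the dynamic serving CA. Suggest `"validity period of the serving certificates issued by the dynamic serving CA"`, extended with the zero-value behaviour once it has been confirmed in the authority (it is not visible in this diff). The default shown in `--help` is whatever `c.TLSConfig.Dynamic.LeafDuration` holds when AddConfigFlags runs, so if defaulting is applied after flag registration the help will display `0s`; worth checking against the existing defaulting order.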