Merge pull request #4092 from irbekrm/renew_override
Remove the default renewBefore value
This commit is contained in:
commit
5e2a6883c1
@ -199,7 +199,7 @@ spec:
|
||||
description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
|
||||
type: string
|
||||
renewBefore:
|
||||
description: The amount of time before the currently issued certificate's `notAfter` time that cert-manager will begin to attempt to renew the certificate. If unset this defaults to 30 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
||||
description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
||||
type: string
|
||||
revisionHistoryLimit:
|
||||
description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
|
||||
@ -497,7 +497,7 @@ spec:
|
||||
description: RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed. If set to Never, a private key will only be generated if one does not already exist in the target `spec.secretName`. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is 'Never' for backward compatibility.
|
||||
type: string
|
||||
renewBefore:
|
||||
description: The amount of time before the currently issued certificate's `notAfter` time that cert-manager will begin to attempt to renew the certificate. If unset this defaults to 30 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
||||
description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
||||
type: string
|
||||
revisionHistoryLimit:
|
||||
description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
|
||||
@ -802,7 +802,7 @@ spec:
|
||||
description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
|
||||
type: integer
|
||||
renewBefore:
|
||||
description: The amount of time before the currently issued certificate's `notAfter` time that cert-manager will begin to attempt to renew the certificate. If unset this defaults to 30 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
||||
description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
||||
type: string
|
||||
revisionHistoryLimit:
|
||||
description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
|
||||
@ -1107,7 +1107,7 @@ spec:
|
||||
description: Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. No other values are allowed.
|
||||
type: integer
|
||||
renewBefore:
|
||||
description: The amount of time before the currently issued certificate's `notAfter` time that cert-manager will begin to attempt to renew the certificate. If unset this defaults to 30 days. Certificate will be renewed either 2/3 through its duration or `renewBefore` period before its expiry, whichever is later. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
||||
description: How long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration
|
||||
type: string
|
||||
revisionHistoryLimit:
|
||||
description: revisionHistoryLimit is the maximum number of CertificateRequest revisions that are maintained in the Certificate's history. Each revision represents a single `CertificateRequest` created by this Certificate, either when it was created, renewed, or Spec was changed. Revisions will be removed by oldest first if the number of revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. If unset (`nil`), revisions will not be garbage collected. Default value is `nil`.
|
||||
|
||||
@ -28,7 +28,7 @@ const (
|
||||
// minimum certificate duration before certificate expiration
|
||||
MinimumRenewBefore = time.Minute * 5
|
||||
|
||||
// Default duration before certificate expiration if Issuer.spec.renewBefore is not set
|
||||
// Deprecated: the default is now 2/3 of Certificate's duration
|
||||
DefaultRenewBefore = time.Hour * 24 * 30
|
||||
)
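Review bot: The `// Deprecated:` line added to DefaultRenewBefore is glued to the sentence above it, so it forms a single paragraph with `// Default duration before certificate expiration if Issuer.spec.renewBefore is not set` rather than the separate paragraph the Go doc convention requires, and `go doc`/staticcheck will not surface the deprecation to remaining callers. Insert an empty comment line between them: `// Default duration before certificate expiration if Issuer.spec.renewBefore is not set` / `//` / `// Deprecated: the default is now 2/3 of Certificate's duration`. The existing sentence also says `Issuer.spec.renewBefore` while the value was applied to Certificate's `spec.renewBefore`; it would be worth correcting while touching the comment, if that reading is right. The identical `@ -28,7 +28,7 @@ const (` hunk appears for the other three API version files and needs the same change.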
|
||||
|
||||
|
||||
@ -105,12 +105,10 @@ type CertificateSpec struct {
|
||||
// +optional
|
||||
Duration *metav1.Duration `json:"duration,omitempty"`
|
||||
|
||||
// The amount of time before the currently issued certificate's `notAfter`
|
||||
// time that cert-manager will begin to attempt to renew the certificate. If
|
||||
// unset this defaults to 30 days. Certificate will be renewed either 2/3
|
||||
// through its duration or `renewBefore` period before its expiry, whichever
|
||||
// is later. Minimum accepted value is 5 minutes. Value must be in units
|
||||
// accepted by Go time.ParseDuration
|
||||
// How long before the currently issued certificate's expiry
|
||||
// cert-manager should renew the certificate. The default is 2/3 of the
|
||||
// issued certificate's duration. Minimum accepted value is 5 minutes.
|
||||
// Value must be in units accepted by Go time.ParseDuration
|
||||
// https://golang.org/pkg/time/#ParseDuration
|
||||
// +optional
|
||||
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
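Review bot: The rewritten RenewBefore doc comment states the minimum but not the upper bound, even though ValidateDuration in this commit rejects a renewBefore that is greater than or equal to the certificate's duration and RenewalTime silently falls back to the 2/3 default when the override is not less than the duration. Add a sentence after `Minimum accepted value is 5 minutes.`, e.g. `// Must be less than the certificate's duration; larger values are rejected by validation.` The CRD descriptions at the top of this diff appear to be generated from this comment, so the fix would propagate there. The same comment is edited in the other three API version files (`@ -105,12 +105,10 @@`, `@ -103,12 +103,10 @@` and `@ -104,12 +104,10 @@ type CertificateSpec struct`).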
|
||||
|
||||
@ -28,7 +28,7 @@ const (
|
||||
// minimum certificate duration before certificate expiration
|
||||
MinimumRenewBefore = time.Minute * 5
|
||||
|
||||
// Default duration before certificate expiration if Issuer.spec.renewBefore is not set
|
||||
// Deprecated: the default is now 2/3 of Certificate's duration
|
||||
DefaultRenewBefore = time.Hour * 24 * 30
|
||||
)
|
||||
|
||||
|
||||
@ -105,12 +105,10 @@ type CertificateSpec struct {
|
||||
// +optional
|
||||
Duration *metav1.Duration `json:"duration,omitempty"`
|
||||
|
||||
// The amount of time before the currently issued certificate's `notAfter`
|
||||
// time that cert-manager will begin to attempt to renew the certificate. If
|
||||
// unset this defaults to 30 days. Certificate will be renewed either 2/3
|
||||
// through its duration or `renewBefore` period before its expiry, whichever
|
||||
// is later. Minimum accepted value is 5 minutes. Value must be in units
|
||||
// accepted by Go time.ParseDuration
|
||||
// How long before the currently issued certificate's expiry
|
||||
// cert-manager should renew the certificate. The default is 2/3 of the
|
||||
// issued certificate's duration. Minimum accepted value is 5 minutes.
|
||||
// Value must be in units accepted by Go time.ParseDuration
|
||||
// https://golang.org/pkg/time/#ParseDuration
|
||||
// +optional
|
||||
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
|
||||
|
||||
@ -28,7 +28,7 @@ const (
|
||||
// minimum certificate duration before certificate expiration
|
||||
MinimumRenewBefore = time.Minute * 5
|
||||
|
||||
// Default duration before certificate expiration if Issuer.spec.renewBefore is not set
|
||||
// Deprecated: the default is now 2/3 of Certificate's duration
|
||||
DefaultRenewBefore = time.Hour * 24 * 30
|
||||
)
|
||||
|
||||
|
||||
@ -103,12 +103,10 @@ type CertificateSpec struct {
|
||||
// +optional
|
||||
Duration *metav1.Duration `json:"duration,omitempty"`
|
||||
|
||||
// The amount of time before the currently issued certificate's `notAfter`
|
||||
// time that cert-manager will begin to attempt to renew the certificate. If
|
||||
// unset this defaults to 30 days. Certificate will be renewed either 2/3
|
||||
// through its duration or `renewBefore` period before its expiry, whichever
|
||||
// is later. Minimum accepted value is 5 minutes. Value must be in units
|
||||
// accepted by Go time.ParseDuration
|
||||
// How long before the currently issued certificate's expiry
|
||||
// cert-manager should renew the certificate. The default is 2/3 of the
|
||||
// issued certificate's duration. Minimum accepted value is 5 minutes.
|
||||
// Value must be in units accepted by Go time.ParseDuration
|
||||
// https://golang.org/pkg/time/#ParseDuration
|
||||
// +optional
|
||||
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
|
||||
|
||||
@ -28,7 +28,7 @@ const (
|
||||
// minimum certificate duration before certificate expiration
|
||||
MinimumRenewBefore = time.Minute * 5
|
||||
|
||||
// Default duration before certificate expiration if Issuer.spec.renewBefore is not set
|
||||
// Deprecated: the default is now 2/3 of Certificate's duration
|
||||
DefaultRenewBefore = time.Hour * 24 * 30
|
||||
)
|
||||
|
||||
|
||||
@ -104,12 +104,10 @@ type CertificateSpec struct {
|
||||
// +optional
|
||||
Duration *metav1.Duration `json:"duration,omitempty"`
|
||||
|
||||
// The amount of time before the currently issued certificate's `notAfter`
|
||||
// time that cert-manager will begin to attempt to renew the certificate. If
|
||||
// unset this defaults to 30 days. Certificate will be renewed either 2/3
|
||||
// through its duration or `renewBefore` period before its expiry, whichever
|
||||
// is later. Minimum accepted value is 5 minutes. Value must be in units
|
||||
// accepted by Go time.ParseDuration
|
||||
// How long before the currently issued certificate's expiry
|
||||
// cert-manager should renew the certificate. The default is 2/3 of the
|
||||
// issued certificate's duration. Minimum accepted value is 5 minutes.
|
||||
// Value must be in units accepted by Go time.ParseDuration
|
||||
// https://golang.org/pkg/time/#ParseDuration
|
||||
// +optional
|
||||
RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
|
||||
|
||||
@ -242,7 +242,7 @@ func (c *controllerWrapper) Register(ctx *controllerpkg.Context) (workqueue.Rate
|
||||
ctx.KubeSharedInformerFactory,
|
||||
ctx.SharedInformerFactory,
|
||||
NewReadinessPolicyChain(ctx.Clock),
|
||||
certificates.RenewalTimeWrapper(cmapi.DefaultRenewBefore),
|
||||
certificates.RenewalTime,
|
||||
policyEvaluator,
|
||||
)
|
||||
c.controller = ctrl
|
||||
|
||||
@ -70,7 +70,7 @@ func (c Chain) Evaluate(input Input) (string, string, bool) {
|
||||
return "", "", false
|
||||
}
|
||||
|
||||
func NewTriggerPolicyChain(c clock.Clock, defaultRenewBeforeExpiryDuration time.Duration) Chain {
|
||||
func NewTriggerPolicyChain(c clock.Clock) Chain {
|
||||
return Chain{
|
||||
SecretDoesNotExist,
|
||||
SecretIsMissingData,
|
||||
@ -78,7 +78,7 @@ func NewTriggerPolicyChain(c clock.Clock, defaultRenewBeforeExpiryDuration time.
|
||||
SecretPrivateKeyMatchesSpec,
|
||||
SecretIssuerAnnotationsNotUpToDate,
|
||||
CurrentCertificateRequestNotValidForSpec,
|
||||
CurrentCertificateNearingExpiry(c, defaultRenewBeforeExpiryDuration),
|
||||
CurrentCertificateNearingExpiry(c),
|
||||
}
|
||||
}
|
||||
|
||||
@ -195,7 +195,7 @@ func currentSecretValidForSpec(input Input) (string, string, bool) {
|
||||
// CurrentCertificateNearingExpiry returns a policy function that can be used to
|
||||
// check whether an X.509 cert currently issued for a Certificate should be
|
||||
// renewed.
|
||||
func CurrentCertificateNearingExpiry(c clock.Clock, defaultRenewBeforeExpiryDuration time.Duration) Func {
|
||||
func CurrentCertificateNearingExpiry(c clock.Clock) Func {
|
||||
|
||||
return func(input Input) (string, string, bool) {
|
||||
|
||||
@ -213,8 +213,7 @@ func CurrentCertificateNearingExpiry(c clock.Clock, defaultRenewBeforeExpiryDura
|
||||
notBefore := metav1.NewTime(x509cert.NotBefore)
|
||||
notAfter := metav1.NewTime(x509cert.NotAfter)
|
||||
crt := input.Certificate
|
||||
renewalTimeCalculator := certificates.RenewalTimeWrapper(defaultRenewBeforeExpiryDuration)
|
||||
renewalTime := renewalTimeCalculator(notBefore.Time, notAfter.Time, crt.Spec.RenewBefore)
|
||||
renewalTime := certificates.RenewalTime(notBefore.Time, notAfter.Time, crt.Spec.RenewBefore)
|
||||
|
||||
renewIn := renewalTime.Time.Sub(c.Now())
|
||||
if renewIn > 0 {
|
||||
|
||||
@ -485,9 +485,7 @@ func TestDefaultPolicyChain(t *testing.T) {
|
||||
},
|
||||
},
|
||||
}
|
||||
// we don't really test default renewal time here, it's just passed through
|
||||
someDefaultRenewalTime := time.Hour * 5
|
||||
policyChain := NewTriggerPolicyChain(clock, someDefaultRenewalTime)
|
||||
policyChain := NewTriggerPolicyChain(clock)
|
||||
for name, test := range tests {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
reason, message, reissue := policyChain.Evaluate(Input{
|
||||
|
||||
@ -281,7 +281,7 @@ func (c *controllerWrapper) Register(ctx *controllerpkg.Context) (workqueue.Rate
|
||||
ctx.SharedInformerFactory,
|
||||
ctx.Recorder,
|
||||
ctx.Clock,
|
||||
policies.NewTriggerPolicyChain(ctx.Clock, cmapi.DefaultRenewBefore).Evaluate,
|
||||
policies.NewTriggerPolicyChain(ctx.Clock).Evaluate,
|
||||
)
|
||||
c.controller = ctrl
|
||||
|
||||
|
||||
@ -268,24 +268,27 @@ func GenerateLocallySignedTemporaryCertificate(crt *cmapi.Certificate, pkData []
|
||||
//RenewalTimeFunc is a custom function type for calculating renewal time of a certificate.
|
||||
type RenewalTimeFunc func(time.Time, time.Time, *metav1.Duration) *metav1.Time
|
||||
|
||||
// RenewalTimeWrapper returns RenewalTimeFunc implementation
|
||||
func RenewalTimeWrapper(defaultRenewBeforeExpiryDuration time.Duration) RenewalTimeFunc {
|
||||
return func(notBefore, notAfter time.Time, renewBeforeHint *metav1.Duration) *metav1.Time {
|
||||
// RenewalTime calculates renewal time for a certificate. Default renewal time
|
||||
// is 2/3 through certificate's lifetime. If user has configured
|
||||
// spec.renewBefore, renewal time will be renewBefore period before expiry
|
||||
// (unless that is after the expiry).
|
||||
func RenewalTime(notBefore, notAfter time.Time, renewBeforeOverride *metav1.Duration) *metav1.Time {
|
||||
|
||||
// 1. Calculate how long before expiry a cert should be renewed
|
||||
renewBefore := defaultRenewBeforeExpiryDuration
|
||||
if renewBeforeHint != nil {
|
||||
renewBefore = renewBeforeHint.Duration
|
||||
}
|
||||
actualDuration := notAfter.Sub(notBefore)
|
||||
// renewBefore = min(renewBefore, actualDuration/3)
|
||||
if renewBefore >= (actualDuration / 3) {
|
||||
renewBefore = actualDuration / 3
|
||||
}
|
||||
// 1. Calculate how long before expiry a cert should be renewed
|
||||
|
||||
// 2. Calculate when a cert should be renewed
|
||||
rt := metav1.NewTime(notAfter.Add(-1 * renewBefore))
|
||||
return &rt
|
||||
actualDuration := notAfter.Sub(notBefore)
|
||||
|
||||
renewBefore := actualDuration / 3
|
||||
|
||||
// If spec.renewBefore was set (and is less than duration)
|
||||
// respect that. We don't want to prevent users from renewing
|
||||
// longer lived certs more frequently.
|
||||
if renewBeforeOverride != nil && renewBeforeOverride.Duration < actualDuration {
|
||||
renewBefore = renewBeforeOverride.Duration
|
||||
}
|
||||
|
||||
// 2. Calculate when a cert should be renewed
|
||||
|
||||
rt := metav1.NewTime(notAfter.Add(-1 * renewBefore))
|
||||
return &rt
|
||||
}
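Review bot: The doc comment's parenthetical `(unless that is after the expiry)` does not describe the guard on the new `if`: the override is discarded when `renewBeforeOverride.Duration >= actualDuration`, i.e. when renewal would fall at or before notBefore, not after notAfter. Suggested wording: `// (unless renewBefore is not less than the certificate's duration, in which case the 2/3 default is used).` Nothing in the function rejects a zero or negative override, or a certificate whose notAfter is not after notBefore; such inputs yield a renewal time at or after expiry, so the function appears to rely on the webhook's ValidateDuration having run, which is worth stating, e.g. `// renewBeforeOverride is expected to have been validated against MinimumRenewBefore and the duration.` The section comments `// 1. ...` and `// 2. ...` are separated from the statements they describe by blank lines; keeping each adjacent to its code reads better.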
|
||||
|
||||
@ -283,80 +283,58 @@ func selfSignCertificate(t *testing.T, spec cmapi.CertificateSpec) []byte {
|
||||
return pemData
|
||||
}
|
||||
|
||||
func TestRenewalTimeWrapper(t *testing.T) {
|
||||
func TestRenewalTime(t *testing.T) {
|
||||
type scenario struct {
|
||||
notBefore time.Time
|
||||
notAfter time.Time
|
||||
renewBeforeHint *metav1.Duration
|
||||
defaultRenewBefore time.Duration
|
||||
renewBeforeOverride *metav1.Duration
|
||||
expectedRenewalTime *metav1.Time
|
||||
}
|
||||
now := time.Now()
|
||||
tests := map[string]scenario{
|
||||
"no renewBeforeHint, defaultRenewBefore < (cert duration / 3)": {
|
||||
"short lived cert, spec.renewBefore is not set": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour * 24),
|
||||
renewBeforeHint: nil,
|
||||
defaultRenewBefore: time.Hour,
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 23)},
|
||||
notAfter: now.Add(time.Hour * 3),
|
||||
renewBeforeOverride: nil,
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 2)},
|
||||
},
|
||||
"renewBeforeHint < (cert duration / 3)": {
|
||||
"long lived cert, spec.renewBefore is not set": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour * 24),
|
||||
renewBeforeHint: &metav1.Duration{Duration: time.Hour * 2},
|
||||
defaultRenewBefore: time.Hour,
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 22)},
|
||||
notAfter: now.Add(time.Hour * 4380), // 6 months
|
||||
renewBeforeOverride: nil,
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 2920)}, // renew in 4 months
|
||||
},
|
||||
"no renewBeforeHint, defaultRenewBefore > (cert duration / 3)": {
|
||||
"spec.renewBefore is set": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour * 24),
|
||||
renewBeforeHint: nil,
|
||||
defaultRenewBefore: time.Hour * 24 * 7,
|
||||
renewBeforeOverride: &metav1.Duration{Duration: time.Hour * 20},
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 4)},
|
||||
},
|
||||
"long lived cert, spec.renewBefore is set to renew every day": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour * 730), // 1 month
|
||||
renewBeforeOverride: &metav1.Duration{Duration: time.Hour * 706}, // 1 month - 1 day
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 24)},
|
||||
},
|
||||
"spec.renewBefore is set, but would result in renewal time after expiry": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour * 24),
|
||||
renewBeforeOverride: &metav1.Duration{Duration: time.Hour * 25},
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 16)},
|
||||
},
|
||||
"renewBeforeHint > (cert duration / 3)": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour * 24),
|
||||
renewBeforeHint: &metav1.Duration{Duration: time.Hour * 24 * 7},
|
||||
defaultRenewBefore: time.Hour,
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 16)},
|
||||
},
|
||||
"no renewBeforeHint, defaultRenewBefore == cert duration": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour * 24),
|
||||
renewBeforeHint: nil,
|
||||
defaultRenewBefore: time.Hour * 24,
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 16)},
|
||||
},
|
||||
"renewBeforeHint == cert duration": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour * 24),
|
||||
renewBeforeHint: &metav1.Duration{Duration: time.Hour * 24},
|
||||
defaultRenewBefore: time.Hour,
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 16)},
|
||||
},
|
||||
|
||||
// The following two test cases would catch the bug reported in
|
||||
// https://github.com/jetstack/cert-manager/issues/3897
|
||||
"cert duration very slightly more than defaultRenewBefore": {
|
||||
// This test case is here to show the scenario where users set
|
||||
// renewBefore to very slightly less than actual duration. This
|
||||
// will result in cert being renewed 'continuously'.
|
||||
"spec.renewBefore is set to a value slightly less than cert's duration": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour*24 + time.Minute*3),
|
||||
renewBeforeHint: nil,
|
||||
defaultRenewBefore: time.Hour * 24,
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour*16 + time.Minute*2)},
|
||||
},
|
||||
"cert duration very slightly more than renewBeforeHint": {
|
||||
notBefore: now,
|
||||
notAfter: now.Add(time.Hour*24 + time.Minute*3),
|
||||
renewBeforeHint: &metav1.Duration{Duration: time.Hour * 24},
|
||||
defaultRenewBefore: time.Hour,
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour*16 + time.Minute*2)},
|
||||
renewBeforeOverride: &metav1.Duration{Duration: time.Hour * 24},
|
||||
expectedRenewalTime: &metav1.Time{Time: now.Add(time.Minute * 3)}, // renew in 3 minutes
|
||||
},
|
||||
}
|
||||
for n, s := range tests {
|
||||
t.Run(n, func(t *testing.T) {
|
||||
f := RenewalTimeWrapper(s.defaultRenewBefore)
|
||||
renewalTime := f(s.notBefore, s.notAfter, s.renewBeforeHint)
|
||||
renewalTime := RenewalTime(s.notBefore, s.notAfter, s.renewBeforeOverride)
|
||||
assert.Equal(t, s.expectedRenewalTime, renewalTime, fmt.Sprintf("Expected renewal time: %v got: %v", s.expectedRenewalTime, renewalTime))
|
||||
|
||||
})
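Review bot: The new table drops the boundary the old `renewBeforeHint == cert duration` scenario exercised, and that boundary is exactly where the `<` comparison in RenewalTime decides between honouring the override and falling back to 2/3. Add a case with `notAfter: now.Add(time.Hour * 24)`, `renewBeforeOverride: &metav1.Duration{Duration: time.Hour * 24}`, `expectedRenewalTime: &metav1.Time{Time: now.Add(time.Hour * 16)}`. The scenario name `spec.renewBefore is set, but would result in renewal time after expiry` is misleading for the same reason: a 25h renewBefore on a 24h certificate would place renewal before notBefore, not after expiry. `assert.Equalf(t, s.expectedRenewalTime, renewalTime, "Expected renewal time: %v got: %v", s.expectedRenewalTime, renewalTime)` avoids the `fmt.Sprintf` wrapper. The closing braces of the loop and of TestRenewalTime lie outside the hunk.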
|
||||
|
||||
@ -41,9 +41,6 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
|
||||
if s.Spec.Duration == nil {
|
||||
s.Spec.Duration = &metav1.Duration{Duration: v1.DefaultCertificateDuration}
|
||||
}
|
||||
if s.Spec.RenewBefore == nil {
|
||||
s.Spec.RenewBefore = &metav1.Duration{Duration: v1.DefaultRenewBefore}
|
||||
}
|
||||
},
|
||||
func(s *certmanager.CertificateRequest, c fuzz.Continue) {
|
||||
c.FuzzNoCustom(s) // fuzz self without calling this function again
|
||||
|
||||
@ -167,18 +167,16 @@ func ValidateDuration(crt *internalcmapi.CertificateSpec, fldPath *field.Path) f
|
||||
el := field.ErrorList{}
|
||||
|
||||
duration := util.DefaultCertDuration(crt.Duration)
|
||||
renewBefore := cmapi.DefaultRenewBefore
|
||||
if crt.RenewBefore != nil {
|
||||
renewBefore = crt.RenewBefore.Duration
|
||||
}
|
||||
if duration < cmapi.MinimumCertificateDuration {
|
||||
el = append(el, field.Invalid(fldPath.Child("duration"), duration, fmt.Sprintf("certificate duration must be greater than %s", cmapi.MinimumCertificateDuration)))
|
||||
}
|
||||
if renewBefore < cmapi.MinimumRenewBefore {
|
||||
el = append(el, field.Invalid(fldPath.Child("renewBefore"), renewBefore, fmt.Sprintf("certificate renewBefore must be greater than %s", cmapi.MinimumRenewBefore)))
|
||||
// If spec.renewBefore is set, check that it is not less than the minimum.
|
||||
if crt.RenewBefore != nil && crt.RenewBefore.Duration < cmapi.MinimumRenewBefore {
|
||||
el = append(el, field.Invalid(fldPath.Child("renewBefore"), crt.RenewBefore.Duration, fmt.Sprintf("certificate renewBefore must be greater than %s", cmapi.MinimumRenewBefore)))
|
||||
}
|
||||
if duration <= renewBefore {
|
||||
el = append(el, field.Invalid(fldPath.Child("renewBefore"), renewBefore, fmt.Sprintf("certificate duration %s must be greater than renewBefore %s", duration, renewBefore)))
|
||||
// If spec.renewBefore is set, it must be less than the duration.
|
||||
if crt.RenewBefore != nil && crt.RenewBefore.Duration >= duration {
|
||||
el = append(el, field.Invalid(fldPath.Child("renewBefore"), crt.RenewBefore.Duration, fmt.Sprintf("certificate duration %s must be greater than renewBefore %s", duration, crt.RenewBefore.Duration)))
|
||||
}
|
||||
return el
|
||||
}
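Review bot: The new minimum check rejects `crt.RenewBefore.Duration < cmapi.MinimumRenewBefore`, so a value exactly equal to the minimum passes, yet the message it reuses says `certificate renewBefore must be greater than %s`. Make the message match the comparison, e.g. `fmt.Sprintf("certificate renewBefore must be at least %s", cmapi.MinimumRenewBefore)`, or tighten the comparison to `<=` if exclusivity is intended. The duration check above has the same exclusive/inclusive mismatch, though this commit does not touch it. Note that both renewBefore checks can fire for one value (a renewBefore below the minimum on a duration that is even shorter), producing two errors on the same field path; probably acceptable, but worth knowing.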
|
||||
|
||||
@ -721,17 +721,6 @@ func TestValidateDuration(t *testing.T) {
|
||||
},
|
||||
errs: []*field.Error{field.Invalid(fldPath.Child("renewBefore"), usefulDurations["ten years"].Duration, fmt.Sprintf("certificate duration %s must be greater than renewBefore %s", cmapi.DefaultCertificateDuration, usefulDurations["ten years"].Duration))},
|
||||
},
|
||||
"default renewBefore is bigger than the set duration": {
|
||||
cfg: &internalcmapi.Certificate{
|
||||
Spec: internalcmapi.CertificateSpec{
|
||||
Duration: usefulDurations["one hour"],
|
||||
CommonName: "testcn",
|
||||
SecretName: "abc",
|
||||
IssuerRef: validIssuerRef,
|
||||
},
|
||||
},
|
||||
errs: []*field.Error{field.Invalid(fldPath.Child("renewBefore"), cmapi.DefaultRenewBefore, fmt.Sprintf("certificate duration %s must be greater than renewBefore %s", usefulDurations["one hour"].Duration, cmapi.DefaultRenewBefore))},
|
||||
},
|
||||
"renewBefore is bigger than the duration": {
|
||||
cfg: &internalcmapi.Certificate{
|
||||
Spec: internalcmapi.CertificateSpec{
|
||||
|
||||
@ -37,7 +37,6 @@ import (
|
||||
logf "github.com/jetstack/cert-manager/pkg/logs"
|
||||
"github.com/jetstack/cert-manager/pkg/metrics"
|
||||
"github.com/jetstack/cert-manager/pkg/util/pki"
|
||||
utilpki "github.com/jetstack/cert-manager/pkg/util/pki"
|
||||
"github.com/jetstack/cert-manager/test/integration/framework"
|
||||
)
|
||||
|
||||
@ -65,9 +64,7 @@ func TestTriggerController(t *testing.T) {
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
// default certificate renewBefore period
|
||||
defaultRenewBefore := time.Hour * 24
|
||||
shouldReissue := policies.NewTriggerPolicyChain(fakeClock, defaultRenewBefore).Evaluate
|
||||
shouldReissue := policies.NewTriggerPolicyChain(fakeClock).Evaluate
|
||||
ctrl, queue, mustSync := trigger.NewController(logf.Log, cmCl, factory, cmFactory, framework.NewEventRecorder(t), fakeClock, shouldReissue)
|
||||
c := controllerpkg.NewController(
|
||||
context.Background(),
|
||||
@ -121,14 +118,11 @@ func TestTriggerController_RenewNearExpiry(t *testing.T) {
|
||||
ctx, cancel := context.WithTimeout(context.TODO(), time.Second*20)
|
||||
defer cancel()
|
||||
|
||||
// default certificate renewBefore period
|
||||
defaultRenewBefore := time.Hour * 24
|
||||
|
||||
fakeClock := &fakeclock.FakeClock{}
|
||||
// Only use the 'current certificate nearing expiry' policy chain during the
|
||||
// test as we want to test the very specific cases of triggering/not
|
||||
// triggering depending on whether a renewal is required.
|
||||
shoudReissue := policies.Chain{policies.CurrentCertificateNearingExpiry(fakeClock, defaultRenewBefore)}.Evaluate
|
||||
shoudReissue := policies.Chain{policies.CurrentCertificateNearingExpiry(fakeClock)}.Evaluate
|
||||
// Build, instantiate and run the trigger controller.
|
||||
kubeClient, factory, cmCl, cmFactory := framework.NewClients(t, config)
|
||||
|
||||
@ -160,11 +154,11 @@ func TestTriggerController_RenewNearExpiry(t *testing.T) {
|
||||
}
|
||||
|
||||
// Create a private key for X.509 cert
|
||||
sk, err := utilpki.GenerateRSAPrivateKey(2048)
|
||||
sk, err := pki.GenerateRSAPrivateKey(2048)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
skBytes := utilpki.EncodePKCS1PrivateKey(sk)
|
||||
skBytes := pki.EncodePKCS1PrivateKey(sk)
|
||||
// Create an X.509 cert
|
||||
x509CertBytes := selfSignCertificateWithNotBeforeAfter(t, skBytes, cert, notBefore.Time, notAfter.Time)
|
||||
// Create a Secret with the X.509 cert
|
||||
|
||||