diff --git a/docs/generated/reference/output/reference/api-docs/index.html b/docs/generated/reference/output/reference/api-docs/index.html
index 90ac3cd49..5a4ff9791 100755
--- a/docs/generated/reference/output/reference/api-docs/index.html
+++ b/docs/generated/reference/output/reference/api-docs/index.html
@@ -146,6 +146,10 @@ Appears In:
lastFailureTime Time |
|
+
+notAfter Time |
+ |
+
diff --git a/pkg/apis/certmanager/v1alpha1/types_certificate.go b/pkg/apis/certmanager/v1alpha1/types_certificate.go
index 67e5fb057..f07b2c454 100644
--- a/pkg/apis/certmanager/v1alpha1/types_certificate.go
+++ b/pkg/apis/certmanager/v1alpha1/types_certificate.go
@@ -103,6 +103,7 @@ type ACMECertificateConfig struct {
type CertificateStatus struct {
Conditions []CertificateCondition `json:"conditions,omitempty"`
LastFailureTime *metav1.Time `json:"lastFailureTime,omitempty"`
+ NotAfter *metav1.Time `json:"notAfter,omitempty"`
}
// CertificateCondition contains condition information for an Certificate.
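Review bot: The new `NotAfter` field in `CertificateStatus` has no doc comment, which is why the generated API reference in this commit shows an empty description cell for `notAfter`. Since users are likely to alert on this value, say what it reports, for example `// NotAfter is the expiration time (X.509 notAfter) of the certificate most recently issued for this resource.` If some issuers can only estimate the value rather than read it from the signed certificate, the comment should say so.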
diff --git a/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go
index 4a26fc512..40fc48dd3 100644
--- a/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go
@@ -515,6 +515,15 @@ func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus) {
(*in).DeepCopyInto(*out)
}
}
+ if in.NotAfter != nil {
+ in, out := &in.NotAfter, &out.NotAfter
+ if *in == nil {
+ *out = nil
+ } else {
+ *out = new(v1.Time)
+ (*in).DeepCopyInto(*out)
+ }
+ }
return
}
diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go
index b23f86694..3eba6e259 100644
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@@ -191,6 +191,9 @@ func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (reque
// end checking if the TLS certificate is valid/needs a re-issue or renew
+ metaNotAfter := metav1.NewTime(cert.NotAfter)
+ crtCopy.Status.NotAfter = &metaNotAfter
+
return false, nil
}
diff --git a/pkg/issuer/acme/issue.go b/pkg/issuer/acme/issue.go
index dd2c25a6f..04250aa8a 100644
--- a/pkg/issuer/acme/issue.go
+++ b/pkg/issuer/acme/issue.go
@@ -182,6 +182,9 @@ func (a *Acme) Issue(ctx context.Context, crt *v1alpha1.Certificate) (issuer.Iss
return a.retryOrder(crt, existingOrder)
}
+ metaExpireTime := metav1.NewTime(x509Cert.NotAfter)
+ crt.Status.NotAfter = &metaExpireTime
+
if a.Context.IssuerOptions.CertificateNeedsRenew(x509Cert) {
// existing order's certificate is near expiry
return a.retryOrder(crt, existingOrder)
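Review bot: `crt.Status.NotAfter` is assigned from `x509Cert` before the `CertificateNeedsRenew` check, so on the renewal branch the status keeps the expiry of a certificate that is about to be discarded. From the visible lines that value appears to stay in the status until a later sync overwrites it. Moving the two added lines below the `if a.Context.IssuerOptions.CertificateNeedsRenew(x509Cert) { ... }` block would record only the expiry of a certificate that `Issue` actually returns. The body of `Issue` starts and ends outside this hunk, so confirm that no later code relies on the earlier assignment.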
diff --git a/pkg/issuer/vault/BUILD.bazel b/pkg/issuer/vault/BUILD.bazel
index 3922554b1..703ee4aec 100644
--- a/pkg/issuer/vault/BUILD.bazel
+++ b/pkg/issuer/vault/BUILD.bazel
@@ -20,6 +20,7 @@ go_library(
"//vendor/github.com/hashicorp/vault/api:go_default_library",
"//vendor/github.com/hashicorp/vault/helper/certutil:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+ "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
],
)
diff --git a/pkg/issuer/vault/issue.go b/pkg/issuer/vault/issue.go
index f15c2352e..afe5fd18b 100644
--- a/pkg/issuer/vault/issue.go
+++ b/pkg/issuer/vault/issue.go
@@ -36,6 +36,7 @@ import (
"github.com/jetstack/cert-manager/pkg/util/kube"
"github.com/jetstack/cert-manager/pkg/util/pki"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
@@ -103,6 +104,9 @@ func (v *Vault) obtainCertificate(ctx context.Context, crt *v1alpha1.Certificate
return nil, nil, nil, err
}
+ metaExpireTime := metav1.NewTime(time.Now().Add(defaultCertificateDuration))
+ crt.Status.NotAfter = &metaExpireTime
+
keyBytes, err := pki.EncodePrivateKey(signeeKey)
if err != nil {
return nil, nil, nil, err
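Review bot: In `obtainCertificate` the status is filled from `time.Now().Add(defaultCertificateDuration)`, which is an estimate taken from the local clock, not the `NotAfter` of the certificate Vault signed. If the Vault role caps or overrides the requested TTL, `status.notAfter` will claim a later expiry than the real certificate, and anything monitoring the status would miss the actual expiry. Prefer parsing the certificate PEM returned by Vault and assigning its leaf `NotAfter`, as the ACME path does with `metav1.NewTime(x509Cert.NotAfter)`. The signing call itself is outside this hunk, so the assignment may need to move to after the response is available.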
diff --git a/pkg/util/pki/BUILD.bazel b/pkg/util/pki/BUILD.bazel
index 5936b0526..abb4f7c39 100644
--- a/pkg/util/pki/BUILD.bazel
+++ b/pkg/util/pki/BUILD.bazel
@@ -12,6 +12,7 @@ go_library(
deps = [
"//pkg/apis/certmanager/v1alpha1:go_default_library",
"//pkg/util/errors:go_default_library",
+ "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
],
)
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 0c059df5b..ee4442da5 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -28,6 +28,7 @@ import (
"time"
"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// CommonNameForCertificate returns the common name that should be used for the
@@ -149,6 +150,10 @@ func GenerateTemplate(issuer v1alpha1.GenericIssuer, crt *v1alpha1.Certificate)
keyUsages |= x509.KeyUsageCertSign
}
+ expireTime := time.Now().Add(defaultNotAfter)
+ metaExpireTime := metav1.NewTime(expireTime)
+ crt.Status.NotAfter = &metaExpireTime
+
return &x509.Certificate{
Version: 3,
BasicConstraintsValid: true,
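Review bot: `GenerateTemplate` now writes `crt.Status.NotAfter` as a side effect, which is surprising for a function that otherwise only builds and returns an `x509.Certificate` template. The status is then set even if signing later fails, and the value is a requested lifetime rather than one read from a signed certificate. Consider leaving this function pure and having the caller set the status from the signed certificate's `NotAfter`, or at least document the mutation in the function comment, e.g. `// GenerateTemplate also records the template's NotAfter in crt.Status.NotAfter.` The function's signature and doc comment are outside this hunk.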
@@ -160,7 +165,7 @@ func GenerateTemplate(issuer v1alpha1.GenericIssuer, crt *v1alpha1.Certificate)
CommonName: commonName,
},
NotBefore: time.Now(),
- NotAfter: time.Now().Add(defaultNotAfter),
+ NotAfter: expireTime,
// see http://golang.org/pkg/crypto/x509/#KeyUsage
KeyUsage: keyUsages,
DNSNames: dnsNames,
diff --git a/test/util/util.go b/test/util/util.go
index e70b9857c..5b75d86ed 100644
--- a/test/util/util.go
+++ b/test/util/util.go
@@ -283,6 +283,11 @@ func WaitCertificateIssuedValid(certClient clientset.CertificateInterface, secre
return false, nil
}
+ if !cert.NotAfter.Equal(certificate.Status.NotAfter.Time) {
+ glog.Info("Expected certificate expire date to be %v, but got %v", certificate.Status.NotAfter, cert.NotAfter)
+ return false, nil
+ }
+
label, ok := secret.Labels[v1alpha1.CertificateNameKey]
if !ok {
return false, fmt.Errorf("Expected secret to have certificate-name label, but had none")
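Review bot: The added check dereferences `certificate.Status.NotAfter.Time`, but `NotAfter` is a `*metav1.Time` with `omitempty`, so a Certificate whose status has not yet been populated will panic the poll function instead of retrying. Guard it with `if certificate.Status.NotAfter == nil || !cert.NotAfter.Equal(certificate.Status.NotAfter.Time) {`. The log line also passes format verbs to `glog.Info`, which prints them literally; it should be `glog.Infof("Expected certificate expire date to be %v, but got %v", ...)`. The enclosing `WaitCertificateIssuedValid` body extends beyond this hunk.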