changes to add a NotAfter field to the cert status

Signed-off-by: Gus Parvin <gparvin@us.ibm.com>
2018-11-13 16:16:29 +00:00 · 2018-11-13 16:16:29 +00:00 · 7e33256b68
commit 7e33256b68
parent 3ce276d5e8
10 changed files with 37 additions and 1 deletions
--- a/docs/generated/reference/output/reference/api-docs/index.html
+++ b/docs/generated/reference/output/reference/api-docs/index.html
@ -146,6 +146,10 @@ Appears In:
 <td><code>lastFailureTime</code><br /> <em><a href="#time-v1">Time</a></em></td>
 <td></td>
 </tr>
+<tr>
+<td><code>notAfter</code><br /> <em><a href="#time-v1">Time</a></em></td>
+<td></td>
+</tr>
 </tbody>
 </table>
 <hr>
--- a/pkg/apis/certmanager/v1alpha1/types_certificate.go
+++ b/pkg/apis/certmanager/v1alpha1/types_certificate.go
@ -103,6 +103,7 @@ type ACMECertificateConfig struct {
 type CertificateStatus struct {
 	Conditions      []CertificateCondition `json:"conditions,omitempty"`
 	LastFailureTime *metav1.Time           `json:"lastFailureTime,omitempty"`
+	NotAfter        *metav1.Time           `json:"notAfter,omitempty"`
 }

 // CertificateCondition contains condition information for an Certificate.
--- a/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go
@ -515,6 +515,15 @@ func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus) {
 			(*in).DeepCopyInto(*out)
 		}
 	}
+	if in.NotAfter != nil {
+		in, out := &in.NotAfter, &out.NotAfter
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	return
 }

--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@ -191,6 +191,9 @@ func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (reque

 	// end checking if the TLS certificate is valid/needs a re-issue or renew

+	metaNotAfter := metav1.NewTime(cert.NotAfter)
+	crtCopy.Status.NotAfter = &metaNotAfter
+
 	return false, nil
 }

--- a/pkg/issuer/acme/issue.go
+++ b/pkg/issuer/acme/issue.go
@ -182,6 +182,9 @@ func (a *Acme) Issue(ctx context.Context, crt *v1alpha1.Certificate) (issuer.Iss
 		return a.retryOrder(crt, existingOrder)
 	}

+	metaExpireTime := metav1.NewTime(x509Cert.NotAfter)
+	crt.Status.NotAfter = &metaExpireTime
+
 	if a.Context.IssuerOptions.CertificateNeedsRenew(x509Cert) {
 		// existing order's certificate is near expiry
 		return a.retryOrder(crt, existingOrder)
--- a/pkg/issuer/vault/BUILD.bazel
+++ b/pkg/issuer/vault/BUILD.bazel
@ -20,6 +20,7 @@ go_library(
        "//vendor/github.com/hashicorp/vault/api:go_default_library",
        "//vendor/github.com/hashicorp/vault/helper/certutil:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
        "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",
    ],
 )
--- a/pkg/issuer/vault/issue.go
+++ b/pkg/issuer/vault/issue.go
@ -36,6 +36,7 @@ import (
 	"github.com/jetstack/cert-manager/pkg/util/kube"
 	"github.com/jetstack/cert-manager/pkg/util/pki"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 const (
@ -103,6 +104,9 @@ func (v *Vault) obtainCertificate(ctx context.Context, crt *v1alpha1.Certificate
 		return nil, nil, nil, err
 	}

+	metaExpireTime := metav1.NewTime(time.Now().Add(defaultCertificateDuration))
+	crt.Status.NotAfter = &metaExpireTime
+
 	keyBytes, err := pki.EncodePrivateKey(signeeKey)
 	if err != nil {
 		return nil, nil, nil, err
--- a/pkg/util/pki/BUILD.bazel
+++ b/pkg/util/pki/BUILD.bazel
@ -12,6 +12,7 @@ go_library(
    deps = [
        "//pkg/apis/certmanager/v1alpha1:go_default_library",
        "//pkg/util/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
    ],
 )

--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@ -28,6 +28,7 @@ import (
 	"time"

 	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

 // CommonNameForCertificate returns the common name that should be used for the
@ -149,6 +150,10 @@ func GenerateTemplate(issuer v1alpha1.GenericIssuer, crt *v1alpha1.Certificate)
 		keyUsages |= x509.KeyUsageCertSign
 	}

+	expireTime := time.Now().Add(defaultNotAfter)
+	metaExpireTime := metav1.NewTime(expireTime)
+	crt.Status.NotAfter = &metaExpireTime
+
 	return &x509.Certificate{
 		Version:               3,
 		BasicConstraintsValid: true,
@ -160,7 +165,7 @@ func GenerateTemplate(issuer v1alpha1.GenericIssuer, crt *v1alpha1.Certificate)
 			CommonName:   commonName,
 		},
 		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(defaultNotAfter),
+		NotAfter:  expireTime,
 		// see http://golang.org/pkg/crypto/x509/#KeyUsage
 		KeyUsage: keyUsages,
 		DNSNames: dnsNames,
--- a/test/util/util.go
+++ b/test/util/util.go
@ -283,6 +283,11 @@ func WaitCertificateIssuedValid(certClient clientset.CertificateInterface, secre
 				return false, nil
 			}

+			if !cert.NotAfter.Equal(certificate.Status.NotAfter.Time) {
+				glog.Info("Expected certificate expire date to be %v, but got %v", certificate.Status.NotAfter, cert.NotAfter)
+				return false, nil
+			}
+
 			label, ok := secret.Labels[v1alpha1.CertificateNameKey]
 			if !ok {
 				return false, fmt.Errorf("Expected secret to have certificate-name label, but had none")