Enforce minimum value of experimental.cert-manager.io/request-duration to 600s

To ensure compatibility with CSR's spec.expirationSeconds

Signed-off-by: irbekrm <irbekrm@gmail.com>

pkg/apis/experimental/v1alpha1/types.go

@@ -16,6 +16,8 @@ limitations under the License.
 
 package v1alpha1
 
+import "time"
+
 // CertificateSigningRequest specific Annotations
 const (
 	// CertificateSigningRequestDurationAnnotationKey is the
@@ -26,6 +28,13 @@ const (
 	// CertificateSigningRequestIsCAAnnotationKey is the annotation key used to
 	// request whether the certificate should be marked as CA.
 	CertificateSigningRequestIsCAAnnotationKey = "experimental.cert-manager.io/request-is-ca"
+
+	// CertificateSigningRequestMinimumDuration is the minimum allowed
+	// duration that can be requested for a CertificateSigningRequest via
+	// the experimental.cert-manager.io/request-duration annotation. This
+	// has to be the same as the minimum allowed value for
+	// spec.expirationSeconds of a CertificateSigningRequest
+	CertificateSigningRequestMinimumDuration = time.Duration(time.Second * 600)
 )
 
 // SelfSigned Issuer specific Annotations

pkg/client/listers/acme/v1/BUILD.bazel

@@ -1,5 +1,19 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
+
 go_library(
     name = "go_default_library",
     srcs = [
@@ -16,17 +30,3 @@ go_library(
         "@io_k8s_client_go//tools/cache:go_default_library",
     ],
 )
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-    visibility = ["//visibility:public"],
-)

pkg/client/listers/certmanager/v1/BUILD.bazel

@@ -1,5 +1,19 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
+
 go_library(
     name = "go_default_library",
     srcs = [
@@ -18,17 +32,3 @@ go_library(
         "@io_k8s_client_go//tools/cache:go_default_library",
     ],
 )
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-    visibility = ["//visibility:public"],
-)

pkg/controller/certificatesigningrequests/BUILD.bazel

@@ -13,11 +13,13 @@ go_library(
         "//pkg/api/util:go_default_library",
         "//pkg/apis/certmanager:go_default_library",
         "//pkg/apis/certmanager/v1:go_default_library",
+        "//pkg/apis/experimental/v1alpha1:go_default_library",
         "//pkg/apis/meta/v1:go_default_library",
         "//pkg/controller:go_default_library",
         "//pkg/controller/certificatesigningrequests/util:go_default_library",
         "//pkg/issuer:go_default_library",
         "//pkg/logs:go_default_library",
+        "//pkg/util/pki:go_default_library",
         "@com_github_go_logr_logr//:go_default_library",
         "@io_k8s_api//authorization/v1:go_default_library",
         "@io_k8s_api//certificates/v1:go_default_library",

pkg/controller/certificatesigningrequests/sync.go

@@ -29,9 +29,11 @@ import (
 	apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
 	"github.com/cert-manager/cert-manager/pkg/apis/certmanager"
 	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	experimentalapi "github.com/cert-manager/cert-manager/pkg/apis/experimental/v1alpha1"
 	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	"github.com/cert-manager/cert-manager/pkg/controller/certificatesigningrequests/util"
 	logf "github.com/cert-manager/cert-manager/pkg/logs"
+	"github.com/cert-manager/cert-manager/pkg/util/pki"
 )
 
 func (c *Controller) Sync(ctx context.Context, csr *certificatesv1.CertificateSigningRequest) error {
@@ -124,6 +126,22 @@ func (c *Controller) Sync(ctx context.Context, csr *certificatesv1.CertificateSi
 		}
 	}
 
+	// Enforce minimum duration of certificate to be 600s to ensure
+	// compatibility with Certificate Signing Requests's
+	// spec.expirationSeconds
+	duration, err := pki.DurationFromCertificateSigningRequest(csr)
+	if err != nil {
+		return err
+	}
+	if duration < experimentalapi.CertificateSigningRequestMinimumDuration {
+		message := fmt.Sprintf("CertificateSigningRequest minimum allowed duration is %s, requested %s", experimentalapi.CertificateSigningRequestMinimumDuration, duration)
+		c.recorder.Event(csr, corev1.EventTypeWarning, "InvalidDuration", message)
+		util.CertificateSigningRequestSetFailed(csr, "InvalidDuration", message)
+		_, err := util.UpdateOrApplyStatus(ctx, c.certClient, csr, certificatesv1.CertificateFailed, c.fieldManager)
+		return err
+
+	}
+
 	// check ready condition
 	if !apiutil.IssuerHasCondition(issuerObj, cmapi.IssuerCondition{
 		Type:   cmapi.IssuerConditionReady,