From d384aef7544949712ac078eac8d5f32cad6e2975 Mon Sep 17 00:00:00 2001 From: irbekrm Date: Tue, 22 Mar 2022 07:52:16 +0000 Subject: [PATCH] Enforce minimum value of experimental.cert-manager.io/request-duration to 600s To ensure compatibility with CSR's spec.expirationSeconds Signed-off-by: irbekrm --- pkg/apis/experimental/v1alpha1/types.go | 9 ++++++ pkg/client/listers/acme/v1/BUILD.bazel | 28 +++++++++---------- pkg/client/listers/certmanager/v1/BUILD.bazel | 28 +++++++++---------- .../certificatesigningrequests/BUILD.bazel | 2 ++ .../certificatesigningrequests/sync.go | 18 ++++++++++++ 5 files changed, 57 insertions(+), 28 deletions(-)
diff --git a/pkg/apis/experimental/v1alpha1/types.go b/pkg/apis/experimental/v1alpha1/types.go
index bd2b0e47d..3a6a54d7a 100644
--- a/pkg/apis/experimental/v1alpha1/types.go
+++ b/pkg/apis/experimental/v1alpha1/types.go
@@ -16,6 +16,8 @@ limitations under the License.
 package v1alpha1
+import "time"
+
 // CertificateSigningRequest specific Annotations
 const (
 // CertificateSigningRequestDurationAnnotationKey is the
@@ -26,6 +28,13 @@ const (
 // CertificateSigningRequestIsCAAnnotationKey is the annotation key used to
 // request whether the certificate should be marked as CA.
 CertificateSigningRequestIsCAAnnotationKey = "experimental.cert-manager.io/request-is-ca"
+
+ // CertificateSigningRequestMinimumDuration is the minimum allowed
+ // duration that can be requested for a CertificateSigningRequest via
+ // the experimental.cert-manager.io/request-duration annotation. This
+ // has to be the same as the minimum allowed value for
+ // spec.expirationSeconds of a CertificateSigningRequest
+ CertificateSigningRequestMinimumDuration = time.Duration(time.Second * 600)
 )
 // SelfSigned Issuer specific Annotations
diff --git a/pkg/client/listers/acme/v1/BUILD.bazel b/pkg/client/listers/acme/v1/BUILD.bazel
index d1f985858..17dab28a5 100644
--- a/pkg/client/listers/acme/v1/BUILD.bazel
+++ b/pkg/client/listers/acme/v1/BUILD.bazel
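Review bot: The new constant line wraps a value that is already a `time.Duration` in a redundant conversion; `CertificateSigningRequestMinimumDuration = 600 * time.Second` says the same thing without it. The comment states that the value must match the minimum for `spec.expirationSeconds` but not where that minimum is enforced, so the next person to touch the number has nothing to check against; I would add `// 600s (10 minutes) is the minimum the Kubernetes API server accepts for spec.expirationSeconds; keep in sync with that validation.` The `const` block this is added to begins outside the hunk.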
@@ -1,5 +1,19 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
+filegroup(
+ name = "package-srcs",
+ srcs = glob(["**"]),
+ tags = ["automanaged"],
+ visibility = ["//visibility:private"],
+)
+
+filegroup(
+ name = "all-srcs",
+ srcs = [":package-srcs"],
+ tags = ["automanaged"],
+ visibility = ["//visibility:public"],
+)
+
 go_library(
 name = "go_default_library",
 srcs = [
@@ -16,17 +30,3 @@ go_library(
 "@io_k8s_client_go//tools/cache:go_default_library",
 ],
 )
-
-filegroup(
- name = "package-srcs",
- srcs = glob(["**"]),
- tags = ["automanaged"],
- visibility = ["//visibility:private"],
-)
-
-filegroup(
- name = "all-srcs",
- srcs = [":package-srcs"],
- tags = ["automanaged"],
- visibility = ["//visibility:public"],
-)
diff --git a/pkg/client/listers/certmanager/v1/BUILD.bazel b/pkg/client/listers/certmanager/v1/BUILD.bazel
index a0b8e8c28..bbb7383e1 100644
--- a/pkg/client/listers/certmanager/v1/BUILD.bazel
+++ b/pkg/client/listers/certmanager/v1/BUILD.bazel
@@ -1,5 +1,19 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
+filegroup(
+ name = "package-srcs",
+ srcs = glob(["**"]),
+ tags = ["automanaged"],
+ visibility = ["//visibility:private"],
+)
+
+filegroup(
+ name = "all-srcs",
+ srcs = [":package-srcs"],
+ tags = ["automanaged"],
+ visibility = ["//visibility:public"],
+)
+
 go_library(
 name = "go_default_library",
 srcs = [
@@ -18,17 +32,3 @@ go_library(
 "@io_k8s_client_go//tools/cache:go_default_library",
 ],
 )
-
-filegroup(
- name = "package-srcs",
- srcs = glob(["**"]),
- tags = ["automanaged"],
- visibility = ["//visibility:private"],
-)
-
-filegroup(
- name = "all-srcs",
- srcs = [":package-srcs"],
- tags = ["automanaged"],
- visibility = ["//visibility:public"],
-)
diff --git a/pkg/controller/certificatesigningrequests/BUILD.bazel b/pkg/controller/certificatesigningrequests/BUILD.bazel
index 0d0027567..c9c1598ce 100644
--- a/pkg/controller/certificatesigningrequests/BUILD.bazel
+++ b/pkg/controller/certificatesigningrequests/BUILD.bazel
@@ -13,11 +13,13 @@ go_library(
 "//pkg/api/util:go_default_library",
 "//pkg/apis/certmanager:go_default_library",
 "//pkg/apis/certmanager/v1:go_default_library",
+ "//pkg/apis/experimental/v1alpha1:go_default_library",
 "//pkg/apis/meta/v1:go_default_library",
 "//pkg/controller:go_default_library",
 "//pkg/controller/certificatesigningrequests/util:go_default_library",
 "//pkg/issuer:go_default_library",
 "//pkg/logs:go_default_library",
+ "//pkg/util/pki:go_default_library",
 "@com_github_go_logr_logr//:go_default_library",
 "@io_k8s_api//authorization/v1:go_default_library",
 "@io_k8s_api//certificates/v1:go_default_library",
diff --git a/pkg/controller/certificatesigningrequests/sync.go b/pkg/controller/certificatesigningrequests/sync.go
index f4c042de6..ee5bcd2b0 100644
--- a/pkg/controller/certificatesigningrequests/sync.go
+++ b/pkg/controller/certificatesigningrequests/sync.go
@@ -29,9 +29,11 @@ import (
 apiutil "github.com/cert-manager/cert-manager/pkg/api/util"
 "github.com/cert-manager/cert-manager/pkg/apis/certmanager"
 cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+ experimentalapi "github.com/cert-manager/cert-manager/pkg/apis/experimental/v1alpha1"
 cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 "github.com/cert-manager/cert-manager/pkg/controller/certificatesigningrequests/util"
 logf "github.com/cert-manager/cert-manager/pkg/logs"
+ "github.com/cert-manager/cert-manager/pkg/util/pki"
 )
 func (c *Controller) Sync(ctx context.Context, csr *certificatesv1.CertificateSigningRequest) error {
@@ -124,6 +126,22 @@ func (c *Controller) Sync(ctx context.Context, csr *certificatesv1.CertificateSi
 }
 }
+ // Enforce minimum duration of certificate to be 600s to ensure
+ // compatibility with Certificate Signing Requests's
+ // spec.expirationSeconds
+ duration, err := pki.DurationFromCertificateSigningRequest(csr)
+ if err != nil {
+ return err
+ }
+ if duration < experimentalapi.CertificateSigningRequestMinimumDuration {
+ message := fmt.Sprintf("CertificateSigningRequest minimum allowed duration is %s, requested %s", experimentalapi.CertificateSigningRequestMinimumDuration, duration)
+ c.recorder.Event(csr, corev1.EventTypeWarning, "InvalidDuration", message)
+ util.CertificateSigningRequestSetFailed(csr, "InvalidDuration", message)
+ _, err := util.UpdateOrApplyStatus(ctx, c.certClient, csr, certificatesv1.CertificateFailed, c.fieldManager)
+ return err
+
+ }
+
 // check ready condition
 if !apiutil.IssuerHasCondition(issuerObj, cmapi.IssuerCondition{
 Type: cmapi.IssuerConditionReady,
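Review bot: The `if err != nil { return err }` after `pki.DurationFromCertificateSigningRequest(csr)` returns a bare error to the controller, so if that helper fails on an unparseable `experimental.cert-manager.io/request-duration` value (which is user-supplied on the CSR object, and a permanent, not transient, fault) the CSR is silently requeued and retried indefinitely, with no event and no condition telling the requester what is wrong — unlike the too-short case handled a few lines below. I would treat a parse failure the same way the hunk treats a too-short duration: warning event, Failed condition with a distinct reason, status update; presumably the helper's error message already names the annotation, so passing it through is enough. Two smaller points in the same block: `_, err := util.UpdateOrApplyStatus(...)` shadows the outer `err` (harmless because it is returned immediately, but `=` would avoid a lint finding), and the blank line before the closing `}` is stray. The enclosing `Sync` method starts and ends outside the hunk.
```go
duration, err := pki.DurationFromCertificateSigningRequest(csr)
if err != nil {
	// A malformed annotation value cannot be fixed by retrying; surface
	// it to the requester and fail the CSR instead of requeueing forever.
	message := fmt.Sprintf("Failed to parse requested duration: %s", err)
	c.recorder.Event(csr, corev1.EventTypeWarning, "ErrorParsingDuration", message)
	util.CertificateSigningRequestSetFailed(csr, "ErrorParsingDuration", message)
	_, err = util.UpdateOrApplyStatus(ctx, c.certClient, csr, certificatesv1.CertificateFailed, c.fieldManager)
	return err
}
// … unchanged: minimum-duration check and the ready-condition check …
```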