From fa0bc9998e4bbf1abd637c2cd898fd0acf2a9f4e Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Wed, 8 Aug 2018 12:32:56 +0100
Subject: [PATCH] Add RenewBeforeDuration option to controller context
---
 cmd/controller/app/controller.go | 1 +
 cmd/controller/app/options/options.go | 7 +++++++
 pkg/controller/certificates/sync.go | 22 ++--------------------
 pkg/controller/context.go | 7 +++++++
 pkg/controller/helper.go | 15 +++++++++++++++
 5 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/cmd/controller/app/controller.go b/cmd/controller/app/controller.go
index 99c2ee68b..2984c8de0 100644
--- a/cmd/controller/app/controller.go
+++ b/cmd/controller/app/controller.go
@@ -135,6 +135,7 @@ func buildControllerContext(opts *options.ControllerOptions) (*controller.Contex
 ClusterIssuerAmbientCredentials: opts.ClusterIssuerAmbientCredentials,
 IssuerAmbientCredentials: opts.IssuerAmbientCredentials,
 ClusterResourceNamespace: opts.ClusterResourceNamespace,
+ RenewBeforeExpiryDuration: opts.RenewBeforeExpiryDuration,
 },
 IngressShimOptions: controller.IngressShimOptions{
 DefaultIssuerName: opts.DefaultIssuerName,
diff --git a/cmd/controller/app/options/options.go b/cmd/controller/app/options/options.go
index 547795cfa..ff514ea29 100644
--- a/cmd/controller/app/options/options.go
+++ b/cmd/controller/app/options/options.go
@@ -31,6 +31,7 @@ type ControllerOptions struct {
 ClusterIssuerAmbientCredentials bool
 IssuerAmbientCredentials bool
+ RenewBeforeExpiryDuration time.Duration
 // Default issuer/certificates details consumed by ingress-shim
 DefaultIssuerName string
@@ -54,6 +55,7 @@ const (
 defaultClusterIssuerAmbientCredentials = true
 defaultIssuerAmbientCredentials = false
+ defaultRenewBeforeExpiryDuration = time.Hour * 24 * 30
 defaultTLSACMEIssuerName = ""
 defaultTLSACMEIssuerKind = "Issuer"
@@ -84,6 +86,7 @@ func NewControllerOptions() *ControllerOptions {
 EnabledControllers: defaultEnabledControllers,
 ClusterIssuerAmbientCredentials: defaultClusterIssuerAmbientCredentials,
 IssuerAmbientCredentials: defaultIssuerAmbientCredentials,
+ RenewBeforeExpiryDuration: defaultRenewBeforeExpiryDuration,
 DefaultIssuerName: defaultTLSACMEIssuerName,
 DefaultIssuerKind: defaultTLSACMEIssuerKind,
 DefaultACMEIssuerChallengeType: defaultACMEIssuerChallengeType,
@@ -133,6 +136,10 @@ func (s *ControllerOptions) AddFlags(fs *pflag.FlagSet) {
 "Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. "+
 "When this flag is enabled, the following sources for credentials are also used: "+
 "AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata.")
+ fs.DurationVar(&s.RenewBeforeExpiryDuration, "renew-before-expiry-duration", defaultRenewBeforeExpiryDuration, ""+
+ "The default 'renew before expiry' time for Certificates. "+
+ "Once a certificate is within this duration until expiry, a new Certificate "+
+ "will be attempted to be issued.")
 fs.StringVar(&s.DefaultIssuerName, "default-issuer-name", defaultTLSACMEIssuerName, ""+
 "Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource.")
diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go
index d9970ffa8..1eb7b8b18 100644
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@@ -2,7 +2,6 @@ package certificates
 import (
 "context"
- "crypto/x509"
 "fmt"
 "reflect"
 "strings"
@@ -24,8 +23,6 @@ import (
 "github.com/jetstack/cert-manager/pkg/util/pki"
 )
-const renewBefore = time.Hour * 24 * 30
-
 const (
 errorIssuerNotFound = "IssuerNotFound"
 errorIssuerNotReady = "IssuerNotReady"
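Review bot: The new `--renew-before-expiry-duration` flag registered in AddFlags is accepted without any range check, so a negative value or a value longer than a certificate's validity is used as-is; with a value longer than the lifetime of the certificates being issued, CertificateNeedsRenew is already true for a freshly issued certificate, and every sync would request another issuance, which is a renewal loop against the issuer (and its rate limits). I'd reject negative values wherever ControllerOptions are validated (not part of this hunk), e.g. `if s.RenewBeforeExpiryDuration < 0 { return fmt.Errorf("renew-before-expiry-duration must not be negative") }`, and state in the help text that the value must be shorter than the validity period of the certificates it applies to. Separately, `will be attempted to be issued` in the help string reads awkwardly; `a new certificate will be requested` says the same thing. AddFlags continues outside the hunk.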
@@ -147,13 +144,8 @@ func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (err e
 return c.issue(ctx, i, crtCopy)
 }
- // calculate the amount of time until expiry
- durationUntilExpiry := cert.NotAfter.Sub(time.Now())
- // calculate how long until we should start attempting to renew the
- // certificate
- renewIn := durationUntilExpiry - renewBefore
 // if we should being attempting to renew now, then trigger a renewal
- if renewIn <= 0 {
+ if c.Context.IssuerOptions.CertificateNeedsRenew(cert) {
 return c.renew(ctx, i, crtCopy)
 }
@@ -175,16 +167,6 @@ func (c *Controller) getGenericIssuer(crt *v1alpha1.Certificate) (v1alpha1.Gener
 }
 }
-func needsRenew(cert *x509.Certificate) bool {
- durationUntilExpiry := cert.NotAfter.Sub(time.Now())
- renewIn := durationUntilExpiry - renewBefore
- // step three: check if referenced secret is valid (after start & before expiry)
- if renewIn <= 0 {
- return true
- }
- return false
-}
-
 func (c *Controller) scheduleRenewal(crt *v1alpha1.Certificate) {
 key, err := keyFunc(crt)
@@ -201,7 +183,7 @@ func (c *Controller) scheduleRenewal(crt *v1alpha1.Certificate) {
 }
 durationUntilExpiry := cert.NotAfter.Sub(time.Now())
- renewIn := durationUntilExpiry - renewBefore
+ renewIn := durationUntilExpiry - c.Context.IssuerOptions.RenewBeforeExpiryDuration
 c.scheduledWorkQueue.Add(key, renewIn)
diff --git a/pkg/controller/context.go b/pkg/controller/context.go
index 12898ce65..c2b7148f7 100644
--- a/pkg/controller/context.go
+++ b/pkg/controller/context.go
@@ -1,6 +1,8 @@ package controller
 import (
+ "time"
+
 kubeinformers "k8s.io/client-go/informers"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/tools/record"
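Review bot: scheduleRenewal (the `@@ -201` hunk) still hand-computes `durationUntilExpiry - c.Context.IssuerOptions.RenewBeforeExpiryDuration` while Sync (the `@@ -147` hunk) now delegates the same decision to CertificateNeedsRenew, so the renewal window is encoded in two places that each call time.Now() on their own and can drift apart if one is changed later. One helper on IssuerOptions returning the time remaining until renewal, e.g. `func (o IssuerOptions) RenewalDelay(cert *x509.Certificate) time.Duration { return time.Until(cert.NotAfter) - o.RenewBeforeExpiryDuration }`, would let Sync test `RenewalDelay(cert) <= 0` and scheduleRenewal hand the same value to the work queue. The comment kept as context in Sync, `// if we should being attempting to renew now`, should read `begin`. Both Sync and scheduleRenewal start and end outside their hunks.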
@@ -50,6 +52,11 @@ type IssuerOptions struct {
 // IssuerAmbientCredentials controls whether an issuer should pick up ambient
 // credentials, such as those from metadata services, to construct clients.
 IssuerAmbientCredentials bool
+
+ // RenewBeforeExpiryDuration is the default 'renew before expiry' time for Certificates.
+ // Once a certificate is within this duration until expiry, a new Certificate
+ // will be attempted to be issued.
+ RenewBeforeExpiryDuration time.Duration
 }
 type ACMEOptions struct {
diff --git a/pkg/controller/helper.go b/pkg/controller/helper.go
index 2ccbf4bc0..e97256fb6 100644
--- a/pkg/controller/helper.go
+++ b/pkg/controller/helper.go
@@ -1,7 +1,9 @@ package controller
 import (
+ "crypto/x509"
 "fmt"
+ "time"
 cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
 cmlisters "github.com/jetstack/cert-manager/pkg/client/listers/certmanager/v1alpha1"
@@ -65,3 +67,16 @@ func (o IssuerOptions) CanUseAmbientCredentials(iss cmapi.GenericIssuer) bool {
 }
 return false
 }
+
+func (o IssuerOptions) CertificateNeedsRenew(cert *x509.Certificate) bool {
+ // calculate the amount of time until expiry
+ durationUntilExpiry := cert.NotAfter.Sub(time.Now())
+ // calculate how long until we should start attempting to renew the
+ // certificate
+ renewIn := durationUntilExpiry - o.RenewBeforeExpiryDuration
+ // if we should being attempting to renew now, then trigger a renewal
+ if renewIn <= 0 {
+ return true
+ }
+ return false
+}
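Review bot: CertificateNeedsRenew in the `@@ -65` hunk is an exported method with no doc comment, and its body collapses to a single expression: `return time.Until(cert.NotAfter) <= o.RenewBeforeExpiryDuration` (staticcheck flags both the `cert.NotAfter.Sub(time.Now())` form and the `if cond { return true }; return false` shape). I'd put `// CertificateNeedsRenew reports whether cert is within RenewBeforeExpiryDuration of its NotAfter, i.e. whether a renewal should be attempted now.` above it. The method dereferences cert unconditionally, so a nil certificate panics the controller; the one caller in this diff passes a parsed certificate, but since this is now a general helper on IssuerOptions a nil guard is worth considering — hedged, as other call sites are not visible here. The copied comment `// if we should being attempting to renew now` should read `begin`, and the field comment in the context.go `@@ -50` hunk, `will be attempted to be issued`, reads better as `a new certificate will be requested`.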