bbd9249198
* Configurable issuer duration and renewBefore [1/3] This is part one of (probably) three parts manually moving the changes from commit 723015174a167d746323f506ab3575cfb243d8bd to the new master. This commit moves the basic functionality of configurable duration while skipping e2e tests and docs. It does not include new work. Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Configurable issuer duration and renewBefore [2/3] This commit moves over most of the e2e testing updates, some things are intentionally left out as they may be obsolete Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Configurable issuer duration and renewBefore [3/3] This commit moves the documentation changes, completely the migration of the original code to the latest master Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerunning all hack scripts with since the massive bazel update Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add missing boilerplate headers Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerun codegen hack Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerunning update-docs hack Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix failing unit tests Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix build errors in e2e tests Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerun update-deps Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Don't recreate the CA issuer, it already exists Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Need to create new issuers for the duration and renew time tests because those fields are set in the issuer, so make sure they are named uniquely Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add duration e2e tests for self-signed issuer Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add duration e2e tests for vault w/ custom mount path Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add validation to disallow acme certificates with duration and renewBefore set and update unit tests to verify Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update docs to mention duration/renew for self-signed issuer and fix potential parsing errors with rst formatting Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Self-signed issuer was missing duration validation Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix a bug causing certificates with a short enough renew-before w.r.t their duration to be renewed instantly and forever Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Print the exact time until renewal Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Move duration and renwal validation to the issuer validation Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update e2e tests to work with new validation Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add e2e test for the self-signed issuer Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Redo cert duration and renew before to appear as part of the CSR and not the issuer Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Updating tests to match new duration/renewbefore format Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update e2e tests to match new format Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update docs to reflect changing the field from issuers to certificates Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove event firing and replace with a TODO as of discussion on PR Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Run hack scripts Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove the sync unit test since without events there is no way to catch the warnings that it was testing Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Use IssuerOptions RenewBeforeExpiryDuration if certificates dont set a renewBefore value for immediate renewal checks Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Delete check on certificate data length in e2e test for certificate duration as there is no reason it should be there Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Update e2e tests since certificate creation will never generate an event Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerunning hack scripts after big rebase Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix a few problems that slipped through during the rebase Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix an e2e error that resulted from the rebase Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add unit test for the calculateTimeBeforeExpiry function Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Adding back in a bunch of missing error checks Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove unused function Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add missing boilerplate Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove unused constant Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Move log constants to function body Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerun hack scripts Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove mistakenly commited file Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove double-import of util package Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix bad function call in e2e vault issuer Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Change duration and renewBefore to be pointer fields as they are optional Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Remove wrong vault issuer test that got passed the rebase somehow Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Change e2e to use pointer format Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Move e2e cert tests out of issuer test file Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Move e2e self-signed issuer test to new location Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Make sure to check for nil in GenerateTemplate Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Add more empty checks to be safe Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Rerunning hacks after rebase Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix bad function call in new e2e test Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Try not setting duration and renewbefore on acme e2e tests Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Zero checks should really just be replaced by nil tests, zero should be caught as any other too-small value Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fixed a missing nil check that got away Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Change e2e duration test format to use pointer times to better simulate API calls Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix sync unit test to match e2e test format Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Fix vault e2e test Signed-off-by: Max Ehrlich <max.ehr@gmail.com> * Revert changes to Certificate sync function Signed-off-by: James Munnelly <james@munnelly.eu> * Remove selfsigned e2e issuer.go Signed-off-by: James Munnelly <james@munnelly.eu> * Don't use ACME issuer in duration example and tidy up line endings Signed-off-by: James Munnelly <james@munnelly.eu> * Allow renewBefore to be set on ACME certificates Signed-off-by: James Munnelly <james@munnelly.eu> * Update renewBefore ACME docs. Remove unused fields. Signed-off-by: James Munnelly <james@munnelly.eu> * Rename calculateTimeBeforeExpiry to calculateDurationUntilRenew Signed-off-by: James Munnelly <james@munnelly.eu>
118 lines
3.9 KiB
ReStructuredText
118 lines
3.9 KiB
ReStructuredText
============
|
|
Certificates
|
|
============
|
|
|
|
cert-manager has the concept of 'Certificates' that define a desired X.509
|
|
certificate. A Certificate is a namespaced resource that references an
|
|
Issuer or ClusterIssuer for information on how to obtain the certificate.
|
|
|
|
A simple Certificate could be defined as:
|
|
|
|
.. code-block:: yaml
|
|
:linenos:
|
|
:emphasize-lines: 17-20
|
|
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Certificate
|
|
metadata:
|
|
name: acme-crt
|
|
spec:
|
|
secretName: acme-crt-secret
|
|
dnsNames:
|
|
- foo.example.com
|
|
- bar.example.com
|
|
acme:
|
|
config:
|
|
- ingressClass: nginx
|
|
domains:
|
|
- foo.example.com
|
|
- bar.example.com
|
|
issuerRef:
|
|
name: letsencrypt-prod
|
|
# We can reference ClusterIssuers by changing the kind here.
|
|
# The default value is Issuer (i.e. a locally namespaced Issuer)
|
|
kind: Issuer
|
|
|
|
This Certificate will tell cert-manager to attempt to use the Issuer
|
|
named ``letsencrypt-prod`` to obtain a certificate key pair for the
|
|
``foo.example.com`` and ``bar.example.com`` domains. If successful, the
|
|
resulting key and certificate will be stored in a secret named
|
|
``acme-crt-secret`` with keys of ``tls.key`` and ``tls.crt`` respectively.
|
|
This secret will live in the same namespace as the ``Certificate`` resource.
|
|
|
|
The ``dnsNames`` field specifies a list of `Subject Alternative Names`_ to be
|
|
associated with the certificate. If the ``commonName`` field is omitted, the
|
|
first element in the list will be the common name.
|
|
|
|
The referenced Issuer must exist in the same namespace as the Certificate.
|
|
A Certificate can alternatively reference a ClusterIssuer which is
|
|
non-namespaced.
|
|
|
|
.. _`Subject Alternative Names`: https://en.wikipedia.org/wiki/Subject_Alternative_Name
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
:hidden:
|
|
|
|
certificates/issuer-specific-config/acme
|
|
|
|
***************************************
|
|
Certificate Duration and Renewal Window
|
|
***************************************
|
|
|
|
cert-manager Certificate resources also support custom validity durations and
|
|
renewal windows.
|
|
|
|
**Important**: The backend service implementation can choose to generate a
|
|
certificate with a different validity period than what is requested in the
|
|
issuer.
|
|
|
|
Although the duration and renewal periods are specified on the Certificate
|
|
resources, the corresponding Issuer or ClusterIssuer must support this.
|
|
|
|
The table below shows the support state of the different backend services used
|
|
by issuer types:
|
|
|
|
=========== ============================================================
|
|
Issuer Description
|
|
=========== ============================================================
|
|
ACME Only 'renewBefore' supported
|
|
CA Fully supported
|
|
Vault Fully supported (although the requested duration must be lower
|
|
than the configured Vault role's TTL)
|
|
Self Signed Fully supported
|
|
=========== ============================================================
|
|
|
|
The default duration for all certificates is 90 days and the default renewal
|
|
windows is 30 days. This means that certificates are considered valid for 3
|
|
months and renewal will be attempted within 1 month of expiration.
|
|
|
|
The *duration* and *renewBefore* parameters must be given in the golang `parseDuration string format <https://golang.org/pkg/time/#ParseDuration>`__.
|
|
|
|
Example Usage
|
|
=============
|
|
Here an example of an issuer specifying the duration and renewal window.
|
|
|
|
The certificate from the previous section is extended with a validity period of
|
|
24 hours and to begin trying to renew 12 hours before the certificate
|
|
expiration.
|
|
|
|
.. code-block:: yaml
|
|
:linenos:
|
|
:emphasize-lines: 7,8
|
|
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Certificate
|
|
metadata:
|
|
name: example
|
|
spec:
|
|
secretName: example-tls
|
|
duration: 24h
|
|
renewBefore: 12h
|
|
dnsNames:
|
|
- foo.example.com
|
|
- bar.example.com
|
|
issuerRef:
|
|
name: my-internal-ca
|
|
kind: Issuer
|