Merge pull request #884 from stuggi/OSPRH-6749

[tls] use cert duration/renewbefore from issuer annotation
openstack-k8s-operators · May 24, 2024 · 67f1c18 · 67f1c18
2 parents c8ed6e6 + 4a463f9
commit 67f1c18
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 32 deletions.
diff --git a/go.mod b/go.mod
@@ -28,7 +28,6 @@ require (
 	k8s.io/api v0.28.9
 	k8s.io/apimachinery v0.28.9
 	k8s.io/client-go v0.28.9
-	k8s.io/utils v0.0.0-20240423183400-0849a56e8f22
 	sigs.k8s.io/controller-runtime v0.16.5
 )
 
@@ -114,6 +113,7 @@ require (
 	k8s.io/component-base v0.28.9 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20240423183400-0849a56e8f22 // indirect
 	sigs.k8s.io/gateway-api v0.8.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect

diff --git a/pkg/deployment/cert.go b/pkg/deployment/cert.go
@@ -27,9 +27,7 @@ import (
 	"golang.org/x/exp/slices"
 
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
@@ -171,7 +169,7 @@ func EnsureTLSCerts(ctx context.Context, helper *helper.Helper,
 		}
 
 		certSecret, result, err = GetTLSNodeCert(ctx, helper, instance, certName,
-			issuer.Name, labels, baseName, hosts, ips, service.Spec.TLSCert.KeyUsages)
+			issuer, labels, baseName, hosts, ips, service.Spec.TLSCert.KeyUsages)
 
 		// handle cert request errors
 		if (err != nil) || (result != ctrl.Result{}) {
@@ -219,44 +217,59 @@ func EnsureTLSCerts(ctx context.Context, helper *helper.Helper,
 // GetTLSNodeCert creates or retrieves the cert for a node for a given service
 func GetTLSNodeCert(ctx context.Context, helper *helper.Helper,
 	instance *dataplanev1.OpenStackDataPlaneNodeSet,
-	certName string, issuer string,
+	certName string, issuer *certmgrv1.Issuer,
 	labels map[string]string,
 	commonName string,
 	hostnames []string, ips []string, usages []certmgrv1.KeyUsage,
 ) (*corev1.Secret, ctrl.Result, error) {
-	secretName := "cert-" + certName
-	certSecret, _, err := secret.GetSecret(ctx, helper, secretName, instance.Namespace)
-	var result ctrl.Result
+	// use cert duration and renewBefore from annotations set on issuer
+	// - if no duration annotation is set, use the default from certmanager lib-common module,
+	// - if no renewBefore annotation is set, the cert-manager default is used.
+	durationString := certmanager.CertDefaultDuration
+	if d, ok := issuer.Annotations[certmanager.CertDurationAnnotation]; ok && d != "" {
+		durationString = d
+	}
+	duration, err := time.ParseDuration(durationString)
 	if err != nil {
-		if !k8serrors.IsNotFound(err) {
-			err = fmt.Errorf("error retrieving secret %s - %w", secretName, err)
-			return nil, ctrl.Result{}, err
-		}
-
-		duration := ptr.To(time.Hour * 24 * 365)
-		request := certmanager.CertificateRequest{
-			CommonName:  &commonName,
-			IssuerName:  issuer,
-			CertName:    certName,
-			Duration:    duration,
-			Hostnames:   hostnames,
-			Ips:         ips,
-			Annotations: nil,
-			Labels:      labels,
-			Usages:      usages,
-			Subject: &certmgrv1.X509Subject{
-				// NOTE(owalsh): For libvirt/QEMU this should match issuer CN
-				Organizations: []string{issuer},
-			},
-		}
+		err = fmt.Errorf("error parsing duration annotation %s - %w", certmanager.CertDurationAnnotation, err)
+		return nil, ctrl.Result{}, err
+	}
 
-		certSecret, result, err = certmanager.EnsureCert(ctx, helper, request, instance)
+	var renewBefore *time.Duration
+	if r, ok := issuer.Annotations[certmanager.CertRenewBeforeAnnotation]; ok && r != "" {
+		rb, err := time.ParseDuration(r)
 		if err != nil {
+			err = fmt.Errorf("error parsing renewBefore annotation %s - %w", certmanager.CertRenewBeforeAnnotation, err)
 			return nil, ctrl.Result{}, err
-		} else if (result != ctrl.Result{}) {
-			return nil, result, nil
 		}
+
+		renewBefore = &rb
+	}
+
+	request := certmanager.CertificateRequest{
+		CommonName:  &commonName,
+		IssuerName:  issuer.Name,
+		CertName:    certName,
+		Duration:    &duration,
+		RenewBefore: renewBefore,
+		Hostnames:   hostnames,
+		Ips:         ips,
+		Annotations: nil,
+		Labels:      labels,
+		Usages:      usages,
+		Subject: &certmgrv1.X509Subject{
+			// NOTE(owalsh): For libvirt/QEMU this should match issuer CN
+			Organizations: []string{issuer.Name},
+		},
 	}
+
+	certSecret, result, err := certmanager.EnsureCert(ctx, helper, request, instance)
+	if err != nil {
+		return nil, ctrl.Result{}, err
+	} else if (result != ctrl.Result{}) {
+		return nil, result, nil
+	}
+
 	return certSecret, ctrl.Result{}, nil
 }