diff --git a/cmd/cleanup-controller/main.go b/cmd/cleanup-controller/main.go index d8bf556b60..1d2ad55774 100644 --- a/cmd/cleanup-controller/main.go +++ b/cmd/cleanup-controller/main.go @@ -67,6 +67,7 @@ func main() { webhookServerPort int maxQueuedEvents int interval time.Duration + renewBefore time.Duration ) flagset := flag.NewFlagSet("cleanup-controller", flag.ExitOnError) flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.") @@ -77,6 +78,7 @@ func main() { flagset.DurationVar(&interval, "ttlReconciliationInterval", time.Minute, "Set this flag to set the interval after which the resource controller reconciliation should occur") flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.") flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.") + flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration") // config appConfig := internal.NewConfiguration( internal.WithProfiling(), @@ -166,6 +168,7 @@ func main() { tls.CertRenewalInterval, tls.CAValidityDuration, tls.TLSValidityDuration, + renewBefore, serverIP, config.KyvernoServiceName(), config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()), diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index d588a68eea..6deb36eb6e 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -219,6 +219,7 @@ func main() { webhookServerPort int backgroundServiceAccountName string maxAPICallResponseLength int64 + renewBefore time.Duration ) flagset := flag.NewFlagSet("kyverno", flag.ExitOnError) flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.") @@ -238,6 +239,7 @@ func main() { flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.") flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.") flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 10*1000*1000, "Configure the value of maximum allowed GET response size from API Calls") + flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration") // config appConfig := internal.NewConfiguration( internal.WithProfiling(), @@ -305,6 +307,7 @@ func main() { tls.CertRenewalInterval, tls.CAValidityDuration, tls.TLSValidityDuration, + renewBefore, serverIP, config.KyvernoServiceName(), config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()), diff --git a/pkg/tls/renewer.go b/pkg/tls/renewer.go index 6be070335a..db4ca1c923 100644 --- a/pkg/tls/renewer.go +++ b/pkg/tls/renewer.go @@ -50,6 +50,7 @@ type certRenewer struct { certRenewalInterval time.Duration caValidityDuration time.Duration tlsValidityDuration time.Duration + renewBefore time.Duration // server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster. server string @@ -65,7 +66,8 @@ func NewCertRenewer( client client, certRenewalInterval, caValidityDuration, - tlsValidityDuration time.Duration, + tlsValidityDuration, + renewBefore time.Duration, server string, commonName string, dnsNames []string, @@ -78,6 +80,7 @@ func NewCertRenewer( certRenewalInterval: certRenewalInterval, caValidityDuration: caValidityDuration, tlsValidityDuration: tlsValidityDuration, + renewBefore: renewBefore, server: server, commonName: commonName, dnsNames: dnsNames, @@ -95,7 +98,7 @@ func (c *certRenewer) RenewCA(ctx context.Context) error { } now := time.Now() certs = removeExpiredCertificates(now, certs...) - if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), certs...) { + if !allCertificatesExpired(now.Add(c.renewBefore), certs...) { return nil } if !isSecretManagedByKyverno(secret) { @@ -139,7 +142,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error { if cert != nil { valid, err := c.ValidateCert(ctx) if err != nil || !valid { - } else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) { + } else if !allCertificatesExpired(now.Add(c.renewBefore), cert) { return nil } }