From 955738ce20534615f3eb2f3b7e07aaca01049d67 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Wed, 6 Dec 2023 15:37:01 +0200
Subject: [PATCH] chore: set cert renewal time to 15 days before expiration (#8567)
* chore: set cert renewal time to 15 days before expiration
Signed-off-by: Mariam Fahmy
* fix
Signed-off-by: Mariam Fahmy
---------
Signed-off-by: Mariam Fahmy
---
 cmd/cleanup-controller/main.go | 3 +++
 cmd/kyverno/main.go | 3 +++
 pkg/tls/renewer.go | 9 ++++++---
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/cmd/cleanup-controller/main.go b/cmd/cleanup-controller/main.go
index d8bf556b60..1d2ad55774 100644
--- a/cmd/cleanup-controller/main.go
+++ b/cmd/cleanup-controller/main.go
@@ -67,6 +67,7 @@ func main() {
 webhookServerPort int
 maxQueuedEvents int
 interval time.Duration
+ renewBefore time.Duration
 )
 flagset := flag.NewFlagSet("cleanup-controller", flag.ExitOnError)
 flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
@@ -77,6 +78,7 @@ func main() {
 flagset.DurationVar(&interval, "ttlReconciliationInterval", time.Minute, "Set this flag to set the interval after which the resource controller reconciliation should occur")
 flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
 flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
+ flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration")
 // config
 appConfig := internal.NewConfiguration(
 internal.WithProfiling(),
@@ -166,6 +168,7 @@ func main() {
 tls.CertRenewalInterval,
 tls.CAValidityDuration,
 tls.TLSValidityDuration,
+ renewBefore,
 serverIP,
 config.KyvernoServiceName(),
 config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index d588a68eea..6deb36eb6e 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
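Review bot: The `renewBefore` value registered in the second hunk (`@@ -77,6 +78,7`) is handed to tls.NewCertRenewer in the third hunk with no range check, and the matching hunks in cmd/kyverno/main.go have the same gap. A zero or negative duration makes `now.Add(c.renewBefore)` fall at or before now, so the renewer would act only once the certificates have already expired, while a value at or above the validity durations would make every pass treat a freshly issued certificate as due again; as these are the admission webhook's certificates, either misconfiguration ends in failed or unanswered webhook calls. Since NewCertRenewer returns no error, the flag is the natural place to fail fast after parsing, e.g. `if renewBefore <= 0 || renewBefore >= tls.TLSValidityDuration || renewBefore >= tls.CAValidityDuration { /* report the bad value and exit */ }`, using the same exit path the rest of `main` uses for invalid flags. The default `15*24*time.Hour` is also duplicated verbatim in both binaries; a named constant next to `tls.CertRenewalInterval` would keep the two from drifting. `func main` continues outside the hunk.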
@@ -219,6 +219,7 @@ func main() {
 webhookServerPort int
 backgroundServiceAccountName string
 maxAPICallResponseLength int64
+ renewBefore time.Duration
 )
 flagset := flag.NewFlagSet("kyverno", flag.ExitOnError)
 flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
@@ -238,6 +239,7 @@ func main() {
 flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
 flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
 flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 10*1000*1000, "Configure the value of maximum allowed GET response size from API Calls")
+ flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration")
 // config
 appConfig := internal.NewConfiguration(
 internal.WithProfiling(),
@@ -305,6 +307,7 @@ func main() {
 tls.CertRenewalInterval,
 tls.CAValidityDuration,
 tls.TLSValidityDuration,
+ renewBefore,
 serverIP,
 config.KyvernoServiceName(),
 config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
diff --git a/pkg/tls/renewer.go b/pkg/tls/renewer.go
index 6be070335a..db4ca1c923 100644
--- a/pkg/tls/renewer.go
+++ b/pkg/tls/renewer.go
@@ -50,6 +50,7 @@ type certRenewer struct {
 certRenewalInterval time.Duration
 caValidityDuration time.Duration
 tlsValidityDuration time.Duration
+ renewBefore time.Duration
 // server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster.
 server string
@@ -65,7 +66,8 @@ func NewCertRenewer(
 client client,
 certRenewalInterval,
 caValidityDuration,
- tlsValidityDuration time.Duration,
+ tlsValidityDuration,
+ renewBefore time.Duration,
 server string,
 commonName string,
 dnsNames []string,
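Review bot: The new `renewBefore` field in the certRenewer struct hunk (`@@ -50,6 +50,7`) has no comment, although the neighbouring `server` field documents its meaning and the name alone does not say that it replaced the old window of five renewal intervals or that it applies to both the CA and the TLS pair. A one-line field comment would settle that for the next reader: `// renewBefore is how far ahead of expiry RenewCA and RenewTLS reissue their certificates; it replaces the earlier 5*certRenewalInterval window.` The struct definition continues outside the hunk, so the remaining fields were not reviewed.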
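Review bot: The NewCertRenewer signature hunk (`@@ -65,7 +66,8`) now takes four consecutive `time.Duration` parameters (`certRenewalInterval`, `caValidityDuration`, `tlsValidityDuration`, `renewBefore`), and both callers in the cmd hunks pass them positionally, so an accidental swap of `renewBefore` with a validity duration compiles silently and would only surface as a renewal that never fires or fires every pass. This is a style concern rather than a defect in the lines shown, but a reviewer would at least want the doc comment on NewCertRenewer (outside the hunk) to list the parameters in order, and at best a small options struct or a functional option for the renewal window so the meaning is carried by the call site. The parameter list continues outside the hunk.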
@@ -78,6 +80,7 @@ func NewCertRenewer(
 certRenewalInterval: certRenewalInterval,
 caValidityDuration: caValidityDuration,
 tlsValidityDuration: tlsValidityDuration,
+ renewBefore: renewBefore,
 server: server,
 commonName: commonName,
 dnsNames: dnsNames,
@@ -95,7 +98,7 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
 }
 now := time.Now()
 certs = removeExpiredCertificates(now, certs...)
- if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), certs...) {
+ if !allCertificatesExpired(now.Add(c.renewBefore), certs...) {
 return nil
 }
 if !isSecretManagedByKyverno(secret) {
@@ -139,7 +142,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
 if cert != nil {
 valid, err := c.ValidateCert(ctx)
 if err != nil || !valid {
- } else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) {
+ } else if !allCertificatesExpired(now.Add(c.renewBefore), cert) {
 return nil
 }
 }
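Review bot: The renewal threshold in the RenewCA hunk (`@@ -95,7 +98,7`), and likewise in the RenewTLS hunk below it, is now `now.Add(c.renewBefore)` with no relation to `c.certRenewalInterval`; the old expression `5*c.certRenewalInterval` guaranteed several checks fell inside the renewal window regardless of how the interval was configured. If the renewer is driven on that interval, as the removed line suggests, a `renewBefore` shorter than `certRenewalInterval` can let a certificate run out between two checks, which for a webhook CA means the API server stops trusting the server until the next pass. It would be worth enforcing the lower bound where the value enters, e.g. in NewCertRenewer `if renewBefore < certRenewalInterval { renewBefore = certRenewalInterval }` with a comment explaining the clamp, or at least stating the requirement in the field and flag documentation. Both RenewCA and RenewTLS begin before their hunks, so the rest of each method was not reviewed.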