chore: set cert renewal time to 15 days before expiration (#8567)
* chore: set cert renewal time to 15 days before expiration Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
411ba1a704
commit
955738ce20
3 changed files with 12 additions and 3 deletions
@ -67,6 +67,7 @@ func main() {
|
||||||
webhookServerPort int
|
webhookServerPort int
|
||||||
maxQueuedEvents int
|
maxQueuedEvents int
|
||||||
interval time.Duration
|
interval time.Duration
|
||||||
|
renewBefore time.Duration
|
||||||
)
|
)
|
||||||
flagset := flag.NewFlagSet("cleanup-controller", flag.ExitOnError)
|
flagset := flag.NewFlagSet("cleanup-controller", flag.ExitOnError)
|
||||||
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
|
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
|
||||||
|
@ -77,6 +78,7 @@ func main() {
|
||||||
flagset.DurationVar(&interval, "ttlReconciliationInterval", time.Minute, "Set this flag to set the interval after which the resource controller reconciliation should occur")
|
flagset.DurationVar(&interval, "ttlReconciliationInterval", time.Minute, "Set this flag to set the interval after which the resource controller reconciliation should occur")
|
||||||
flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
|
flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
|
||||||
flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
|
flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
|
||||||
|
flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration")
|
||||||
// config
|
// config
|
||||||
appConfig := internal.NewConfiguration(
|
appConfig := internal.NewConfiguration(
|
||||||
internal.WithProfiling(),
|
internal.WithProfiling(),
|
||||||
|
@ -166,6 +168,7 @@ func main() {
|
||||||
tls.CertRenewalInterval,
|
tls.CertRenewalInterval,
|
||||||
tls.CAValidityDuration,
|
tls.CAValidityDuration,
|
||||||
tls.TLSValidityDuration,
|
tls.TLSValidityDuration,
|
||||||
|
renewBefore,
|
||||||
serverIP,
|
serverIP,
|
||||||
config.KyvernoServiceName(),
|
config.KyvernoServiceName(),
|
||||||
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||||
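Review bot: The new renewBefore flag registered by `flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, ...)` is handed straight to NewCertRenewer with no sanity check against the other timing values passed alongside it (tls.CertRenewalInterval, tls.CAValidityDuration, tls.TLSValidityDuration), unless that happens somewhere outside these hunks. A zero or negative value presumably means `allCertificatesExpired(now.Add(c.renewBefore), ...)` only trips after the certificate has already expired, and a value at or above the certificate validity presumably makes every renewal check re-issue the certificate; the old expression `5*c.certRenewalInterval` kept the window tied to the check period by construction, and the flag loses that coupling. Consider rejecting values outside (tls.CertRenewalInterval, tls.TLSValidityDuration) right after flag parsing, and tightening the help text to `"Time before certificate expiration at which renewal is triggered (must exceed the renewal check interval and be shorter than the certificate validity)"`. The same unchecked flag is added in the second file's `@ -238,6 +239,7 @@ func main()` hunk. main starts and ends outside these hunks.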
@ -219,6 +219,7 @@ func main() {
|
||||||
webhookServerPort int
|
webhookServerPort int
|
||||||
backgroundServiceAccountName string
|
backgroundServiceAccountName string
|
||||||
maxAPICallResponseLength int64
|
maxAPICallResponseLength int64
|
||||||
|
renewBefore time.Duration
|
||||||
)
|
)
|
||||||
flagset := flag.NewFlagSet("kyverno", flag.ExitOnError)
|
flagset := flag.NewFlagSet("kyverno", flag.ExitOnError)
|
||||||
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
|
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
|
||||||
|
@ -238,6 +239,7 @@ func main() {
|
||||||
flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
|
flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
|
||||||
flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
|
flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
|
||||||
flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 10*1000*1000, "Configure the value of maximum allowed GET response size from API Calls")
|
flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 10*1000*1000, "Configure the value of maximum allowed GET response size from API Calls")
|
||||||
|
flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration")
|
||||||
// config
|
// config
|
||||||
appConfig := internal.NewConfiguration(
|
appConfig := internal.NewConfiguration(
|
||||||
internal.WithProfiling(),
|
internal.WithProfiling(),
|
||||||
|
@ -305,6 +307,7 @@ func main() {
|
||||||
tls.CertRenewalInterval,
|
tls.CertRenewalInterval,
|
||||||
tls.CAValidityDuration,
|
tls.CAValidityDuration,
|
||||||
tls.TLSValidityDuration,
|
tls.TLSValidityDuration,
|
||||||
|
renewBefore,
|
||||||
serverIP,
|
serverIP,
|
||||||
config.KyvernoServiceName(),
|
config.KyvernoServiceName(),
|
||||||
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||||
@ -50,6 +50,7 @@ type certRenewer struct {
|
||||||
certRenewalInterval time.Duration
|
certRenewalInterval time.Duration
|
||||||
caValidityDuration time.Duration
|
caValidityDuration time.Duration
|
||||||
tlsValidityDuration time.Duration
|
tlsValidityDuration time.Duration
|
||||||
|
renewBefore time.Duration
|
||||||
|
|
||||||
// server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster.
|
// server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster.
|
||||||
server string
|
server string
|
||||||
|
@ -65,7 +66,8 @@ func NewCertRenewer(
|
||||||
client client,
|
client client,
|
||||||
certRenewalInterval,
|
certRenewalInterval,
|
||||||
caValidityDuration,
|
caValidityDuration,
|
||||||
tlsValidityDuration time.Duration,
|
tlsValidityDuration,
|
||||||
|
renewBefore time.Duration,
|
||||||
server string,
|
server string,
|
||||||
commonName string,
|
commonName string,
|
||||||
dnsNames []string,
|
dnsNames []string,
|
||||||
|
@ -78,6 +80,7 @@ func NewCertRenewer(
|
||||||
certRenewalInterval: certRenewalInterval,
|
certRenewalInterval: certRenewalInterval,
|
||||||
caValidityDuration: caValidityDuration,
|
caValidityDuration: caValidityDuration,
|
||||||
tlsValidityDuration: tlsValidityDuration,
|
tlsValidityDuration: tlsValidityDuration,
|
||||||
|
renewBefore: renewBefore,
|
||||||
server: server,
|
server: server,
|
||||||
commonName: commonName,
|
commonName: commonName,
|
||||||
dnsNames: dnsNames,
|
dnsNames: dnsNames,
|
||||||
|
@ -95,7 +98,7 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
|
||||||
}
|
}
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
certs = removeExpiredCertificates(now, certs...)
|
certs = removeExpiredCertificates(now, certs...)
|
||||||
if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), certs...) {
|
if !allCertificatesExpired(now.Add(c.renewBefore), certs...) {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
if !isSecretManagedByKyverno(secret) {
|
if !isSecretManagedByKyverno(secret) {
|
||||||
|
@ -139,7 +142,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
|
||||||
if cert != nil {
|
if cert != nil {
|
||||||
valid, err := c.ValidateCert(ctx)
|
valid, err := c.ValidateCert(ctx)
|
||||||
if err != nil || !valid {
|
if err != nil || !valid {
|
||||||
} else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) {
|
} else if !allCertificatesExpired(now.Add(c.renewBefore), cert) {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
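Review bot: The new renewBefore field in certRenewer has no comment, unlike the neighbouring server field, and its meaning (a duration before expiry, consumed as `now.Add(c.renewBefore)` in RenewCA and RenewTLS) is not obvious from the name; add `// renewBefore is how long before a certificate's expiry RenewCA and RenewTLS treat it as due for renewal.` above the field. NewCertRenewer stores the value as-is in the struct literal, so a zero or negative value is presumably only noticed once a certificate has already lapsed, and one at or above caValidityDuration or tlsValidityDuration would presumably re-issue on every check; the hunks do not show whether NewCertRenewer can return an error, so either guard at the caller or state the required range (greater than certRenewalInterval, less than both validity durations) in the constructor's doc comment. The struct, NewCertRenewer, RenewCA and RenewTLS all start and end outside their hunks.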