
chore: set cert renewal time to 15 days before expiration (#8567)

* chore: set cert renewal time to 15 days before expiration

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2023-12-06 15:37:01 +02:00 committed by GitHub
parent 411ba1a704
commit 955738ce20
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 3 deletions


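--- a/FILE_1_PATH_NOT_SHOWN
+++ b/FILE_1_PATH_NOT_SHOWN
@@ -67,6 +67,7 @@ func main() {
 webhookServerPort int
 maxQueuedEvents int
 interval time.Duration
+renewBefore time.Duration
 )
 flagset := flag.NewFlagSet("cleanup-controller", flag.ExitOnError)
 flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
@@ -77,6 +78,7 @@ func main() {
 flagset.DurationVar(&interval, "ttlReconciliationInterval", time.Minute, "Set this flag to set the interval after which the resource controller reconciliation should occur")
 flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
 flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
+flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration")
 // config
 appConfig := internal.NewConfiguration(
 internal.WithProfiling(),
@@ -166,6 +168,7 @@ func main() {
 tls.CertRenewalInterval,
 tls.CAValidityDuration,
 tls.TLSValidityDuration,
+renewBefore,
 serverIP,
 config.KyvernoServiceName(),
 config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),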
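Review bot: The `renewBefore` value registered on the DurationVar line is passed straight into NewCertRenewer in the last hunk with no range check, so a zero or negative duration silently drops the renewal margin, and a value at or above the validity duration passed just above it (`tls.TLSValidityDuration`) would presumably make every renewal pass regenerate the certificate. A check after flag parsing such as `if renewBefore <= 0 || renewBefore >= tls.TLSValidityDuration { /* exit with a configuration error */ }` would fail fast at startup; where the flags are parsed is outside these hunks, so the exact placement needs confirming. The identical flag and constructor call in the second file section below have the same gap. The usage string could also state the semantics and default, e.g. `"How long before a certificate's expiration its renewal is triggered (default 15 days)"`. main's body continues outside the hunks.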


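--- a/FILE_2_PATH_NOT_SHOWN
+++ b/FILE_2_PATH_NOT_SHOWN
@@ -219,6 +219,7 @@ func main() {
 webhookServerPort int
 backgroundServiceAccountName string
 maxAPICallResponseLength int64
+renewBefore time.Duration
 )
 flagset := flag.NewFlagSet("kyverno", flag.ExitOnError)
 flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
@@ -238,6 +239,7 @@ func main() {
 flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
 flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
 flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 10*1000*1000, "Configure the value of maximum allowed GET response size from API Calls")
+flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration")
 // config
 appConfig := internal.NewConfiguration(
 internal.WithProfiling(),
@@ -305,6 +307,7 @@ func main() {
 tls.CertRenewalInterval,
 tls.CAValidityDuration,
 tls.TLSValidityDuration,
+renewBefore,
 serverIP,
 config.KyvernoServiceName(),
 config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),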


@ -50,6 +50,7 @@ type certRenewer struct {
certRenewalInterval time.Duration certRenewalInterval time.Duration
caValidityDuration time.Duration caValidityDuration time.Duration
tlsValidityDuration time.Duration tlsValidityDuration time.Duration
renewBefore time.Duration
// server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster. // server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster.
server string server string
@ -65,7 +66,8 @@ func NewCertRenewer(
client client, client client,
certRenewalInterval, certRenewalInterval,
caValidityDuration, caValidityDuration,
tlsValidityDuration time.Duration, tlsValidityDuration,
renewBefore time.Duration,
server string, server string,
commonName string, commonName string,
dnsNames []string, dnsNames []string,
@ -78,6 +80,7 @@ func NewCertRenewer(
certRenewalInterval: certRenewalInterval, certRenewalInterval: certRenewalInterval,
caValidityDuration: caValidityDuration, caValidityDuration: caValidityDuration,
tlsValidityDuration: tlsValidityDuration, tlsValidityDuration: tlsValidityDuration,
renewBefore: renewBefore,
server: server, server: server,
commonName: commonName, commonName: commonName,
dnsNames: dnsNames, dnsNames: dnsNames,
@ -95,7 +98,7 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
} }
now := time.Now() now := time.Now()
certs = removeExpiredCertificates(now, certs...) certs = removeExpiredCertificates(now, certs...)
if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), certs...) { if !allCertificatesExpired(now.Add(c.renewBefore), certs...) {
return nil return nil
} }
if !isSecretManagedByKyverno(secret) { if !isSecretManagedByKyverno(secret) {
@ -139,7 +142,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
if cert != nil { if cert != nil {
valid, err := c.ValidateCert(ctx) valid, err := c.ValidateCert(ctx)
if err != nil || !valid { if err != nil || !valid {
} else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) { } else if !allCertificatesExpired(now.Add(c.renewBefore), cert) {
return nil return nil
} }
} }
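Review bot: The new `renewBefore` field in the certRenewer struct carries no comment while the neighbouring `server` field is documented; propose `// renewBefore is the lead time before a certificate's expiry at which RenewCA and RenewTLS regenerate it.` The same margin now guards both the CA check in RenewCA and the TLS check in RenewTLS even though the two certificates have separate validity durations stored right beside it (caValidityDuration, tlsValidityDuration); NewCertRenewer could reject a renewBefore that is not strictly between zero and the shorter of the two, since otherwise the `!allCertificatesExpired(now.Add(c.renewBefore), …)` early returns either lose their safety margin or never fire. The margin was previously derived from the renewal interval (`5*c.certRenewalInterval`), so the two settings are now independent and a renewBefore shorter than the interval at which renewal presumably runs could miss the window, which is worth stating in the field doc. NewCertRenewer, RenewCA and RenewTLS all begin or end outside these hunks.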