
chore: set cert renewal time to 15 days before expiration (#8567)

* chore: set cert renewal time to 15 days before expiration

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2023-12-06 15:37:01 +02:00 committed by GitHub
parent 411ba1a704
commit 955738ce20
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 3 deletions


@ -67,6 +67,7 @@ func main() {
webhookServerPort int
maxQueuedEvents int
interval time.Duration
renewBefore time.Duration
)
flagset := flag.NewFlagSet("cleanup-controller", flag.ExitOnError)
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
@ -77,6 +78,7 @@ func main() {
flagset.DurationVar(&interval, "ttlReconciliationInterval", time.Minute, "Set this flag to set the interval after which the resource controller reconciliation should occur")
flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration")
// config
appConfig := internal.NewConfiguration(
internal.WithProfiling(),
@ -166,6 +168,7 @@ func main() {
tls.CertRenewalInterval,
tls.CAValidityDuration,
tls.TLSValidityDuration,
renewBefore,
serverIP,
config.KyvernoServiceName(),
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
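Review bot: The new `renewBefore` flag is stored without any range check, so a zero or negative duration makes the `allCertificatesExpired(now.Add(c.renewBefore), ...)` comparison in the cert renewer fire only after the certificate has already lapsed, while a value at or above the CA/TLS validity duration would, as far as that comparison shows, flag a freshly issued certificate as due and rotate it on every reconcile. A guard after the flag set is parsed, such as `if renewBefore <= 0 || renewBefore >= tls.TLSValidityDuration { /* reject or fall back to the default */ }`, closes both ends; the exact upper bound depends on the validity constants, which are not visible in this hunk. The same applies to the identical flag added in the kyverno main below. The help string could also say what the value means: `"Duration before certificate expiration at which renewal is triggered (must be shorter than the certificate validity)"`. main continues outside the hunk.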


@ -219,6 +219,7 @@ func main() {
webhookServerPort int
backgroundServiceAccountName string
maxAPICallResponseLength int64
renewBefore time.Duration
)
flagset := flag.NewFlagSet("kyverno", flag.ExitOnError)
flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.")
@ -238,6 +239,7 @@ func main() {
flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 10*1000*1000, "Configure the value of maximum allowed GET response size from API Calls")
flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration")
// config
appConfig := internal.NewConfiguration(
internal.WithProfiling(),
@ -305,6 +307,7 @@ func main() {
tls.CertRenewalInterval,
tls.CAValidityDuration,
tls.TLSValidityDuration,
renewBefore,
serverIP,
config.KyvernoServiceName(),
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),


@ -50,6 +50,7 @@ type certRenewer struct {
certRenewalInterval time.Duration
caValidityDuration time.Duration
tlsValidityDuration time.Duration
renewBefore time.Duration
// server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster.
server string
@ -65,7 +66,8 @@ func NewCertRenewer(
client client,
certRenewalInterval,
caValidityDuration,
tlsValidityDuration time.Duration,
tlsValidityDuration,
renewBefore time.Duration,
server string,
commonName string,
dnsNames []string,
@ -78,6 +80,7 @@ func NewCertRenewer(
certRenewalInterval: certRenewalInterval,
caValidityDuration: caValidityDuration,
tlsValidityDuration: tlsValidityDuration,
renewBefore: renewBefore,
server: server,
commonName: commonName,
dnsNames: dnsNames,
@ -95,7 +98,7 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
}
now := time.Now()
certs = removeExpiredCertificates(now, certs...)
if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), certs...) {
if !allCertificatesExpired(now.Add(c.renewBefore), certs...) {
return nil
}
if !isSecretManagedByKyverno(secret) {
@ -139,7 +142,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
if cert != nil {
valid, err := c.ValidateCert(ctx)
if err != nil || !valid {
} else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) {
} else if !allCertificatesExpired(now.Add(c.renewBefore), cert) {
return nil
}
}
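Review bot: `NewCertRenewer` now takes five consecutive `time.Duration` parameters and stores `renewBefore` unchecked, so a caller that transposes `renewBefore` and `tlsValidityDuration` compiles cleanly and the renewer silently either never renews ahead of expiry or renews on every pass; a check in the constructor such as `if renewBefore <= 0 || renewBefore >= tlsValidityDuration { return nil, fmt.Errorf(...) }` (or a documented clamp, if the constructor cannot fail) would catch both. The replaced expression `5*c.certRenewalInterval` tied the lead time to `certRenewalInterval`, and if that field is the check cadence, as its name suggests, the new flag can now be set below it, letting a certificate expire between two checks; worth a lower bound of `renewBefore > certRenewalInterval` as well. The `renewBefore` struct field also has no comment while `server` does: `// renewBefore is how far ahead of a certificate's NotAfter the renewer replaces it; it must be shorter than the CA and TLS validity durations.` RenewTLS continues outside the hunk.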