diff --git a/applyconfigurations/certificates/v1/certificatesigningrequestspec.go b/applyconfigurations/certificates/v1/certificatesigningrequestspec.go index 7c4d2c98..81ca214a 100644 --- a/applyconfigurations/certificates/v1/certificatesigningrequestspec.go +++ b/applyconfigurations/certificates/v1/certificatesigningrequestspec.go @@ -25,13 +25,14 @@ import ( // CertificateSigningRequestSpecApplyConfiguration represents an declarative configuration of the CertificateSigningRequestSpec type for use // with apply. type CertificateSigningRequestSpecApplyConfiguration struct { - Request []byte `json:"request,omitempty"` - SignerName *string `json:"signerName,omitempty"` - Usages []v1.KeyUsage `json:"usages,omitempty"` - Username *string `json:"username,omitempty"` - UID *string `json:"uid,omitempty"` - Groups []string `json:"groups,omitempty"` - Extra map[string]v1.ExtraValue `json:"extra,omitempty"` + Request []byte `json:"request,omitempty"` + SignerName *string `json:"signerName,omitempty"` + ExpirationSeconds *int32 `json:"expirationSeconds,omitempty"` + Usages []v1.KeyUsage `json:"usages,omitempty"` + Username *string `json:"username,omitempty"` + UID *string `json:"uid,omitempty"` + Groups []string `json:"groups,omitempty"` + Extra map[string]v1.ExtraValue `json:"extra,omitempty"` } // CertificateSigningRequestSpecApplyConfiguration constructs an declarative configuration of the CertificateSigningRequestSpec type for use with @@ -58,6 +59,14 @@ func (b *CertificateSigningRequestSpecApplyConfiguration) WithSignerName(value s return b } +// WithExpirationSeconds sets the ExpirationSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ExpirationSeconds field is set to the value of the last call. +func (b *CertificateSigningRequestSpecApplyConfiguration) WithExpirationSeconds(value int32) *CertificateSigningRequestSpecApplyConfiguration { + b.ExpirationSeconds = &value + return b +} + // WithUsages adds the given value to the Usages field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Usages field. diff --git a/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go b/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go index 73ea58e5..9554b1f4 100644 --- a/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go +++ b/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go @@ -25,13 +25,14 @@ import ( // CertificateSigningRequestSpecApplyConfiguration represents an declarative configuration of the CertificateSigningRequestSpec type for use // with apply. type CertificateSigningRequestSpecApplyConfiguration struct { - Request []byte `json:"request,omitempty"` - SignerName *string `json:"signerName,omitempty"` - Usages []v1beta1.KeyUsage `json:"usages,omitempty"` - Username *string `json:"username,omitempty"` - UID *string `json:"uid,omitempty"` - Groups []string `json:"groups,omitempty"` - Extra map[string]v1beta1.ExtraValue `json:"extra,omitempty"` + Request []byte `json:"request,omitempty"` + SignerName *string `json:"signerName,omitempty"` + ExpirationSeconds *int32 `json:"expirationSeconds,omitempty"` + Usages []v1beta1.KeyUsage `json:"usages,omitempty"` + Username *string `json:"username,omitempty"` + UID *string `json:"uid,omitempty"` + Groups []string `json:"groups,omitempty"` + Extra map[string]v1beta1.ExtraValue `json:"extra,omitempty"` } // CertificateSigningRequestSpecApplyConfiguration constructs an declarative configuration of the CertificateSigningRequestSpec type for use with @@ -58,6 +59,14 @@ func (b *CertificateSigningRequestSpecApplyConfiguration) WithSignerName(value s return b } +// WithExpirationSeconds sets the ExpirationSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ExpirationSeconds field is set to the value of the last call. +func (b *CertificateSigningRequestSpecApplyConfiguration) WithExpirationSeconds(value int32) *CertificateSigningRequestSpecApplyConfiguration { + b.ExpirationSeconds = &value + return b +} + // WithUsages adds the given value to the Usages field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Usages field. diff --git a/applyconfigurations/internal/internal.go b/applyconfigurations/internal/internal.go index acd9061e..10914dd8 100644 --- a/applyconfigurations/internal/internal.go +++ b/applyconfigurations/internal/internal.go @@ -2843,6 +2843,9 @@ var schemaYAML = typed.YAMLObject(`types: - name: io.k8s.api.certificates.v1.CertificateSigningRequestSpec map: fields: + - name: expirationSeconds + type: + scalar: numeric - name: extra type: map: @@ -2939,6 +2942,9 @@ var schemaYAML = typed.YAMLObject(`types: - name: io.k8s.api.certificates.v1beta1.CertificateSigningRequestSpec map: fields: + - name: expirationSeconds + type: + scalar: numeric - name: extra type: map: diff --git a/go.mod b/go.mod index 71faf5f0..a0a427d8 100644 --- a/go.mod +++ b/go.mod @@ -30,7 +30,7 @@ require ( golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba google.golang.org/protobuf v1.26.0 - k8s.io/api v0.0.0-20210701054328-f75dde501d56 + k8s.io/api v0.0.0-20210702094336-49e8721f8489 k8s.io/apimachinery v0.0.0-20210701054147-830375057167 k8s.io/klog/v2 v2.9.0 k8s.io/utils v0.0.0-20210521133846-da695404a2bc @@ -39,6 +39,6 @@ require ( ) replace ( - k8s.io/api => k8s.io/api v0.0.0-20210701054328-f75dde501d56 + k8s.io/api => k8s.io/api v0.0.0-20210702094336-49e8721f8489 k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20210701054147-830375057167 ) diff --git a/go.sum b/go.sum index 1d542a9f..85cd4096 100644 --- a/go.sum +++ b/go.sum @@ -444,8 +444,8 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.0.0-20210701054328-f75dde501d56 h1:D7+RjL9qHD5SvrWwSnT0NugysPfJAopsJphgGxpp+kU= -k8s.io/api v0.0.0-20210701054328-f75dde501d56/go.mod h1:zoURDvOPW5UMFZr2YUU/sStjYnWSPt+x+MM4R94ATgQ= +k8s.io/api v0.0.0-20210702094336-49e8721f8489 h1:R+giJyPdlHfUvmzHBQ6tm2tlmxcZ2NWgkGSxLbQZ/ZM= +k8s.io/api v0.0.0-20210702094336-49e8721f8489/go.mod h1:zoURDvOPW5UMFZr2YUU/sStjYnWSPt+x+MM4R94ATgQ= k8s.io/apimachinery v0.0.0-20210701054147-830375057167 h1:fob/j8+uMBIVvyo+9bG7GvjFSj0LX3RNuSXW+RcUrwo= k8s.io/apimachinery v0.0.0-20210701054147-830375057167/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= diff --git a/util/certificate/certificate_manager.go b/util/certificate/certificate_manager.go index 26a01a1d..dee21cf3 100644 --- a/util/certificate/certificate_manager.go +++ b/util/certificate/certificate_manager.go @@ -88,6 +88,11 @@ type Config struct { // SignerName is the name of the certificate signer that should sign certificates // generated by the manager. SignerName string + // RequestedCertificateLifetime is the requested lifetime length for certificates generated by the manager. + // Optional. + // This will set the spec.expirationSeconds field on the CSR. Controlling the lifetime of + // the issued certificate is not guaranteed as the signer may choose to ignore the request. + RequestedCertificateLifetime *time.Duration // Usages is the types of usages that certificates generated by the manager // can be used for. Usages []certificates.KeyUsage @@ -184,10 +189,11 @@ type manager struct { lastRequestCancel context.CancelFunc lastRequest *x509.CertificateRequest - dynamicTemplate bool - signerName string - usages []certificates.KeyUsage - forceRotation bool + dynamicTemplate bool + signerName string + requestedCertificateLifetime *time.Duration + usages []certificates.KeyUsage + forceRotation bool certStore Store @@ -230,18 +236,19 @@ func NewManager(config *Config) (Manager, error) { } m := manager{ - stopCh: make(chan struct{}), - clientsetFn: config.ClientsetFn, - getTemplate: getTemplate, - dynamicTemplate: config.GetTemplate != nil, - signerName: config.SignerName, - usages: config.Usages, - certStore: config.CertificateStore, - cert: cert, - forceRotation: forceRotation, - certificateRotation: config.CertificateRotation, - certificateRenewFailure: config.CertificateRenewFailure, - now: time.Now, + stopCh: make(chan struct{}), + clientsetFn: config.ClientsetFn, + getTemplate: getTemplate, + dynamicTemplate: config.GetTemplate != nil, + signerName: config.SignerName, + requestedCertificateLifetime: config.RequestedCertificateLifetime, + usages: config.Usages, + certStore: config.CertificateStore, + cert: cert, + forceRotation: forceRotation, + certificateRotation: config.CertificateRotation, + certificateRenewFailure: config.CertificateRenewFailure, + now: time.Now, } name := config.Name @@ -459,7 +466,7 @@ func (m *manager) rotateCerts() (bool, error) { // Call the Certificate Signing Request API to get a certificate for the // new private key. - reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.usages, privateKey) + reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.requestedCertificateLifetime, m.usages, privateKey) if err != nil { utilruntime.HandleError(fmt.Errorf("%s: Failed while requesting a signed certificate from the control plane: %v", m.name, err)) if m.certificateRenewFailure != nil { diff --git a/util/certificate/csr/csr.go b/util/certificate/csr/csr.go index ec117663..0017007a 100644 --- a/util/certificate/csr/csr.go +++ b/util/certificate/csr/csr.go @@ -25,8 +25,6 @@ import ( "reflect" "time" - "k8s.io/klog/v2" - certificatesv1 "k8s.io/api/certificates/v1" certificatesv1beta1 "k8s.io/api/certificates/v1beta1" "k8s.io/apimachinery/pkg/api/errors" @@ -41,12 +39,16 @@ import ( "k8s.io/client-go/tools/cache" watchtools "k8s.io/client-go/tools/watch" certutil "k8s.io/client-go/util/cert" + "k8s.io/klog/v2" + "k8s.io/utils/pointer" ) // RequestCertificate will either use an existing (if this process has run // before but not to completion) or create a certificate signing request using the -// PEM encoded CSR and send it to API server. -func RequestCertificate(client clientset.Interface, csrData []byte, name string, signerName string, usages []certificatesv1.KeyUsage, privateKey interface{}) (reqName string, reqUID types.UID, err error) { +// PEM encoded CSR and send it to API server. An optional requestedDuration may be passed +// to set the spec.expirationSeconds field on the CSR to control the lifetime of the issued +// certificate. This is not guaranteed as the signer may choose to ignore the request. +func RequestCertificate(client clientset.Interface, csrData []byte, name, signerName string, requestedDuration *time.Duration, usages []certificatesv1.KeyUsage, privateKey interface{}) (reqName string, reqUID types.UID, err error) { csr := &certificatesv1.CertificateSigningRequest{ // Username, UID, Groups will be injected by API server. TypeMeta: metav1.TypeMeta{Kind: "CertificateSigningRequest"}, @@ -62,6 +64,9 @@ func RequestCertificate(client clientset.Interface, csrData []byte, name string, if len(csr.Name) == 0 { csr.GenerateName = "csr-" } + if requestedDuration != nil { + csr.Spec.ExpirationSeconds = DurationToExpirationSeconds(*requestedDuration) + } reqName, reqUID, err = create(client, csr) switch { @@ -85,6 +90,14 @@ func RequestCertificate(client clientset.Interface, csrData []byte, name string, } } +func DurationToExpirationSeconds(duration time.Duration) *int32 { + return pointer.Int32(int32(duration / time.Second)) +} + +func ExpirationSecondsToDuration(expirationSeconds int32) time.Duration { + return time.Duration(expirationSeconds) * time.Second +} + func get(client clientset.Interface, name string) (*certificatesv1.CertificateSigningRequest, error) { v1req, v1err := client.CertificatesV1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{}) if v1err == nil || !apierrors.IsNotFound(v1err) {