Promote CertificateSigningRequest's Spec.ExpirationSeconds field to GA

Remove the comment "As of v1.22, this field is beta and is controlled via the CSRDuration feature gate" from the expirationSeconds field's godoc. Mark the "CSRDuration" feature gate as GA in 1.24, lock its value to "true", and remove the various logic which handled when the gate was "false". Update conformance test to check that the CertificateSigningRequest's Spec.ExpirationSeconds field is stored, but do not check if the field is honored since this functionality is optional.
2025-09-22 02:18:51 +00:00 · 2022-03-17 15:11:37 -07:00
parent 56062f7f4f
commit e29ac0f8be
18 changed files with 31 additions and 133 deletions
--- a/pkg/controller/certificates/signer/signer.go
+++ b/pkg/controller/certificates/signer/signer.go
@@ -30,14 +30,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	certificatesinformers "k8s.io/client-go/informers/certificates/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/util/certificate/csr"
 	capihelper "k8s.io/kubernetes/pkg/apis/certificates"
 	"k8s.io/kubernetes/pkg/controller/certificates"
 	"k8s.io/kubernetes/pkg/controller/certificates/authority"
-	"k8s.io/kubernetes/pkg/features"
 )

 type CSRSigningController struct {
@@ -207,10 +205,6 @@ func (s *signer) sign(x509cr *x509.CertificateRequest, usages []capi.KeyUsage, e
 }

 func (s *signer) duration(expirationSeconds *int32) time.Duration {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.CSRDuration) {
-		return s.certTTL
-	}
-
 	if expirationSeconds == nil {
 		return s.certTTL
 	}
--- a/pkg/controller/certificates/signer/signer_test.go
+++ b/pkg/controller/certificates/signer/signer_test.go
@@ -31,15 +31,12 @@ import (

 	capi "k8s.io/api/certificates/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/kubernetes/fake"
 	testclient "k8s.io/client-go/testing"
 	"k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/certificate/csr"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	capihelper "k8s.io/kubernetes/pkg/apis/certificates/v1"
 	"k8s.io/kubernetes/pkg/controller/certificates"
-	"k8s.io/kubernetes/pkg/features"
 	testingclock "k8s.io/utils/clock/testing"
 )

@@ -360,83 +357,63 @@ func Test_signer_duration(t *testing.T) {
 		name              string
 		certTTL           time.Duration
 		expirationSeconds *int32
-		wantGateEnabled   time.Duration
-		wantGateDisabled  time.Duration
+		want              time.Duration
 	}{
 		{
 			name:              "can request shorter duration than TTL",
 			certTTL:           time.Hour,
 			expirationSeconds: csr.DurationToExpirationSeconds(30 * time.Minute),
-			wantGateEnabled:   30 * time.Minute,
-			wantGateDisabled:  time.Hour,
+			want:              30 * time.Minute,
 		},
 		{
 			name:              "cannot request longer duration than TTL",
 			certTTL:           time.Hour,
 			expirationSeconds: csr.DurationToExpirationSeconds(3 * time.Hour),
-			wantGateEnabled:   time.Hour,
-			wantGateDisabled:  time.Hour,
+			want:              time.Hour,
 		},
 		{
 			name:              "cannot request negative duration",
 			certTTL:           time.Hour,
 			expirationSeconds: csr.DurationToExpirationSeconds(-time.Minute),
-			wantGateEnabled:   10 * time.Minute,
-			wantGateDisabled:  time.Hour,
+			want:              10 * time.Minute,
 		},
 		{
 			name:              "cannot request duration less than 10 mins",
 			certTTL:           time.Hour,
 			expirationSeconds: csr.DurationToExpirationSeconds(10*time.Minute - time.Second),
-			wantGateEnabled:   10 * time.Minute,
-			wantGateDisabled:  time.Hour,
+			want:              10 * time.Minute,
 		},
 		{
 			name:              "can request duration of exactly 10 mins",
 			certTTL:           time.Hour,
 			expirationSeconds: csr.DurationToExpirationSeconds(10 * time.Minute),
-			wantGateEnabled:   10 * time.Minute,
-			wantGateDisabled:  time.Hour,
+			want:              10 * time.Minute,
 		},
 		{
 			name:              "can request duration equal to the default",
 			certTTL:           time.Hour,
 			expirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
-			wantGateEnabled:   time.Hour,
-			wantGateDisabled:  time.Hour,
+			want:              time.Hour,
 		},
 		{
 			name:              "can choose not to request a duration to get the default",
 			certTTL:           time.Hour,
 			expirationSeconds: nil,
-			wantGateEnabled:   time.Hour,
-			wantGateDisabled:  time.Hour,
+			want:              time.Hour,
 		},
 	}
 	for _, tt := range tests {
 		tt := tt

-		f := func(t *testing.T, want time.Duration) {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
 			s := &signer{
 				certTTL: tt.certTTL,
 			}
-			if got := s.duration(tt.expirationSeconds); got != want {
-				t.Errorf("duration() = %v, want %v", got, want)
+			if got := s.duration(tt.expirationSeconds); got != tt.want {
+				t.Errorf("duration() = %v, want %v", got, tt.want)
 			}
-		}
-
-		// regular tests
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel() // these are safe to run in parallel but not the feature gate disabled tests
-
-			f(t, tt.wantGateEnabled)
 		})
-
-		// same tests with the feature gate disabled
-		t.Run("feature gate disabled - "+tt.name, func(t *testing.T) {
-			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSRDuration, false)()
-			f(t, tt.wantGateDisabled)
-		})
-
 	}
 }