Raise default ExpirationDaysCheck to 90 and extend into cert factory

Most of our products actually renew at 90 days, so make that the default. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-20 12:50:19 -07:00 · 2022-07-20 12:50:19 -07:00 · 8ebd77f8a4
commit 8ebd77f8a4
parent fdf983a935
2 changed files with 20 additions and 18 deletions
--- a/factory/gen.go
+++ b/factory/gen.go
@ -33,11 +33,12 @@ var (
 )

 type TLS struct {
-	CACert       *x509.Certificate
-	CAKey        crypto.Signer
-	CN           string
-	Organization []string
-	FilterCN     func(...string) []string
+	CACert              *x509.Certificate
+	CAKey               crypto.Signer
+	CN                  string
+	Organization        []string
+	FilterCN            func(...string) []string
+	ExpirationDaysCheck int
 }

 func cns(secret *v1.Secret) (cns []string) {
@ -95,13 +96,13 @@ func (t *TLS) Merge(target, additional *v1.Secret) (*v1.Secret, bool, error) {

 	// if the additional secret already has all the CNs, use it in preference to the
 	// current one. This behavior is required to allow for renewal or regeneration.
-	if !NeedsUpdate(0, additional, mergedCNs...) && !IsExpired(additional) {
+	if !NeedsUpdate(0, additional, mergedCNs...) && !t.IsExpired(additional) {
 		return additional, true, nil
 	}

 	// if the target secret already has all the CNs, continue using it. The additional
 	// cert had only a subset of the current CNs, so nothing needs to be added.
-	if !NeedsUpdate(0, target, mergedCNs...) && !IsExpired(target) {
+	if !NeedsUpdate(0, target, mergedCNs...) && !t.IsExpired(target) {
 		return target, false, nil
 	}

@ -193,7 +194,7 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 	return secret, true, nil
 }

-func IsExpired(secret *v1.Secret) bool {
+func (t *TLS) IsExpired(secret *v1.Secret) bool {
 	certsPem := secret.Data[v1.TLSCertKey]
 	if len(certsPem) == 0 {
 		return false
@ -204,7 +205,8 @@ func IsExpired(secret *v1.Secret) bool {
 		return false
 	}

-	return time.Now().After(certificates[0].NotAfter)
+	expirationDays := time.Duration(t.ExpirationDaysCheck) * time.Hour * 24
+	return time.Now().Add(expirationDays).After(certificates[0].NotAfter)
 }

 func (t *TLS) Verify(secret *v1.Secret) error {
--- a/listener.go
+++ b/listener.go
@ -45,14 +45,18 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 	if config.TLSConfig == nil {
 		config.TLSConfig = &tls.Config{}
 	}
+	if config.ExpirationDaysCheck == 0 {
+		config.ExpirationDaysCheck = 90
+	}

 	dynamicListener := &listener{
 		factory: &factory.TLS{
-			CACert:       caCert,
-			CAKey:        caKey,
-			CN:           config.CN,
-			Organization: config.Organization,
-			FilterCN:     allowDefaultSANs(config.SANs, config.FilterCN),
+			CACert:              caCert,
+			CAKey:               caKey,
+			CN:                  config.CN,
+			Organization:        config.Organization,
+			FilterCN:            allowDefaultSANs(config.SANs, config.FilterCN),
+			ExpirationDaysCheck: config.ExpirationDaysCheck,
 		},
 		Listener:  l,
 		storage:   &nonNil{storage: storage},
@ -82,10 +86,6 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 		}
 	}

-	if config.ExpirationDaysCheck == 0 {
-		config.ExpirationDaysCheck = 30
-	}
-
 	tlsListener := tls.NewListener(dynamicListener.WrapExpiration(config.ExpirationDaysCheck), dynamicListener.tlsConfig)

 	return tlsListener, dynamicListener.cacheHandler(), nil