Merge pull request #503 from alexandrevilain/feat/add-support-for-ren…

…ewBefore

feat(mtls): add support for certificate renewBefore field

api/v1beta1/temporalcluster_types.go

@@ -674,6 +674,12 @@ type MTLSSpec struct {
 	// Useless if mTLS provider is not cert-manager.
 	// +optional
 	RefreshInterval *metav1.Duration `json:"refreshInterval"`
+	// RenewBefore is defines how long before the currently issued certificate's expiry
+	// cert-manager should renew the certificate. The default is 2/3 of the
+	// issued certificate's duration. Minimum accepted value is 5 minutes.
+	// Useless if mTLS provider is not cert-manager.
+	// +optional
+	RenewBefore *metav1.Duration `json:"renewBefore,omitempty"`
 }
 
 func (m *MTLSSpec) InternodeEnabled() bool {

api/v1beta1/temporalcluster_validate.go

@@ -0,0 +1,25 @@
+package v1beta1
+
+import (
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+func (m *MTLSSpec) Validate() (admission.Warnings, field.ErrorList) {
+	var warns admission.Warnings
+	var errs field.ErrorList
+
+	if m == nil || m.Provider != CertManagerMTLSProvider {
+		return nil, nil
+	}
+
+	if m.RenewBefore != nil {
+		if m.RenewBefore.Duration < 5*time.Minute {
+			errs = append(errs, field.Invalid(field.NewPath("spec.mTLS.renewBefore"), m.RenewBefore, "must be at least 5 minutes"))
+		}
+	}
+
+	return warns, errs
+}

config/crd/bases/temporal.io_temporalclusters.yaml

@@ -466,6 +466,9 @@ spec:
                     refreshInterval:
                       description: RefreshInterval defines interval between refreshes of certificates in the cluster components. Defaults to 1 hour. Useless if mTLS provider is not cert-manager.
                       type: string
+                    renewBefore:
+                      description: RenewBefore is defines how long before the currently issued certificate's expiry cert-manager should renew the certificate. The default is 2/3 of the issued certificate's duration. Minimum accepted value is 5 minutes. Useless if mTLS provider is not cert-manager.
+                      type: string
                   type: object
                 metrics:
                   description: Metrics allows configuration of scraping endpoints for stats. prometheus or m3.

docs/api/v1beta1.md

@@ -2199,6 +2199,23 @@ Defaults to 1 hour.
 Useless if mTLS provider is not cert-manager.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>renewBefore</code><br>
+<em>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
+Kubernetes meta/v1.Duration
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>RenewBefore is defines how long before the currently issued certificate&rsquo;s expiry
+cert-manager should renew the certificate. The default is <sup>2</sup>&frasl;<sub>3</sub> of the
+issued certificate&rsquo;s duration. Minimum accepted value is 5 minutes.
+Useless if mTLS provider is not cert-manager.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>

internal/resource/mtls/certmanager/generic_frontend_client_certificate_builder.go

@@ -61,9 +61,10 @@ func (b *GenericFrontendClientCertificateBuilder) Update(object client.Object) e
 	certificate.Labels = object.GetLabels()
 	certificate.Annotations = object.GetAnnotations()
 	certificate.Spec = certmanagerv1.CertificateSpec{
-		SecretName: b.instance.ChildResourceName(GetCertificateSecretName(b.name)),
-		CommonName: fmt.Sprintf("%s client certificate", b.name),
-		Duration:   b.instance.Spec.MTLS.CertificatesDuration.ClientCertificates,
+		SecretName:  b.instance.ChildResourceName(GetCertificateSecretName(b.name)),
+		CommonName:  fmt.Sprintf("%s client certificate", b.name),
+		Duration:    b.instance.Spec.MTLS.CertificatesDuration.ClientCertificates,
+		RenewBefore: b.instance.Spec.MTLS.RenewBefore,
 		PrivateKey: &certmanagerv1.CertificatePrivateKey{
 			RotationPolicy: certmanagerv1.RotationPolicyAlways,
 			Encoding:       certmanagerv1.PKCS8,

internal/resource/mtls/certmanager/generic_intermediate_ca_certificate_builder.go

@@ -56,11 +56,12 @@ func (b *GenericItermediateCACertificateBuilder) Update(object client.Object) er
 	certificate.Labels = object.GetLabels()
 	certificate.Annotations = object.GetAnnotations()
 	certificate.Spec = certmanagerv1.CertificateSpec{
-		IsCA:       true,
-		SecretName: b.instance.ChildResourceName(b.secretName),
-		CommonName: b.commonName,
-		Duration:   b.instance.Spec.MTLS.CertificatesDuration.IntermediateCAsCertificates,
-		PrivateKey: caCertificatePrivateKey,
+		IsCA:        true,
+		SecretName:  b.instance.ChildResourceName(b.secretName),
+		CommonName:  b.commonName,
+		Duration:    b.instance.Spec.MTLS.CertificatesDuration.IntermediateCAsCertificates,
+		RenewBefore: b.instance.Spec.MTLS.RenewBefore,
+		PrivateKey:  caCertificatePrivateKey,
 		DNSNames: []string{
 			b.instance.ServerName(),
 		},

internal/resource/mtls/certmanager/mtls_frontend_certificate_builder.go

@@ -62,9 +62,10 @@ func (b *MTLSFrontendCertificateBuilder) Update(object client.Object) error {
 	certificate.Labels = object.GetLabels()
 	certificate.Annotations = object.GetAnnotations()
 	certificate.Spec = certmanagerv1.CertificateSpec{
-		SecretName: b.instance.ChildResourceName(FrontendCertificate),
-		CommonName: "Frontend Certificate",
-		Duration:   b.instance.Spec.MTLS.CertificatesDuration.FrontendCertificate,
+		SecretName:  b.instance.ChildResourceName(FrontendCertificate),
+		CommonName:  "Frontend Certificate",
+		Duration:    b.instance.Spec.MTLS.CertificatesDuration.FrontendCertificate,
+		RenewBefore: b.instance.Spec.MTLS.RenewBefore,
 		PrivateKey: &certmanagerv1.CertificatePrivateKey{
 			RotationPolicy: certmanagerv1.RotationPolicyAlways,
 			Encoding:       certmanagerv1.PKCS8,

internal/resource/mtls/certmanager/mtls_internode_certificate_builder.go

@@ -62,9 +62,10 @@ func (b *MTLSInternodeCertificateBuilder) Update(object client.Object) error {
 	certificate.Labels = object.GetLabels()
 	certificate.Annotations = object.GetAnnotations()
 	certificate.Spec = certmanagerv1.CertificateSpec{
-		SecretName: b.instance.ChildResourceName(InternodeCertificate),
-		CommonName: "Internode Certificate",
-		Duration:   b.instance.Spec.MTLS.CertificatesDuration.InternodeCertificate,
+		SecretName:  b.instance.ChildResourceName(InternodeCertificate),
+		CommonName:  "Internode Certificate",
+		Duration:    b.instance.Spec.MTLS.CertificatesDuration.InternodeCertificate,
+		RenewBefore: b.instance.Spec.MTLS.RenewBefore,
 		PrivateKey: &certmanagerv1.CertificatePrivateKey{
 			RotationPolicy: certmanagerv1.RotationPolicyAlways,
 			Encoding:       certmanagerv1.PKCS8,

internal/resource/mtls/certmanager/mtls_root_ca_certificate_builder.go

@@ -62,11 +62,12 @@ func (b *MTLSRootCACertificateBuilder) Update(object client.Object) error {
 	certificate.Labels = object.GetLabels()
 	certificate.Annotations = object.GetAnnotations()
 	certificate.Spec = certmanagerv1.CertificateSpec{
-		IsCA:       true,
-		Duration:   b.instance.Spec.MTLS.CertificatesDuration.RootCACertificate,
-		SecretName: b.instance.ChildResourceName(rootCaCertificate),
-		CommonName: "Root CA certificate",
-		PrivateKey: caCertificatePrivateKey,
+		IsCA:        true,
+		Duration:    b.instance.Spec.MTLS.CertificatesDuration.RootCACertificate,
+		RenewBefore: b.instance.Spec.MTLS.RenewBefore,
+		SecretName:  b.instance.ChildResourceName(rootCaCertificate),
+		CommonName:  "Root CA certificate",
+		PrivateKey:  caCertificatePrivateKey,
 		DNSNames: []string{
 			b.instance.ServerName(),
 		},

webhooks/temporalcluster_webhook.go

@@ -111,6 +111,10 @@ func (w *TemporalClusterWebhook) validateCluster(cluster *v1beta1.TemporalCluste
 		)
 	}
 
+	mTLSWarnings, mTLSErrors := cluster.Spec.MTLS.Validate()
+	warns = append(warns, mTLSWarnings...)
+	errs = append(errs, mTLSErrors...)
+
 	// Validate that the cluster version is a supported one.
 	err := cluster.Spec.Version.Validate()
 	if err != nil {