[tls] Add annotations for duration and renewBefore to issuers

To help what should be the duration and/or renewBefore for a cert being issued, we add annotations to the issuer. - if no duration annotation is set, use the default from certmanager lib-common module, - if no renewBefore annotation is set, the cert-manager default is used
stuggi · May 15, 2024 · ccd5970 · ccd5970
1 parent 192504e
commit ccd5970
Show file tree

Hide file tree

Showing 5 changed files with 163 additions and 7 deletions.
diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -922,3 +922,21 @@ func (instance OpenStackControlPlane) GetLibvirtIssuer() string {
 
 	return LibvirtCaName
 }
+
+// GetDurationHours - returns the duration in hours
+func (c CertConfig) GetDurationHours() string {
+	if c.Duration != nil {
+		return c.Duration.Duration.String()
+	}
+
+	return ""
+}
+
+// GetRenewBeforeHours - returns the renewBefore in hours
+func (c CertConfig) GetRenewBeforeHours() string {
+	if c.RenewBefore != nil {
+		return c.RenewBefore.Duration.String()
+	}
+
+	return ""
+}
diff --git a/go.mod b/go.mod
@@ -128,3 +128,5 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202304141430
 
 // custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.6.0_patches_tag)
 replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20240313124519-961a0ee8bf7f //allow-merging
+
+replace github.com/openstack-k8s-operators/lib-common/modules/certmanager => github.com/stuggi/lib-common/modules/certmanager v0.0.0-20240514084540-b9c336d65790
diff --git a/go.sum b/go.sum
@@ -116,8 +116,6 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240430114001-a
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240430114001-aa12ec2b2ba4/go.mod h1:aKCIsV3tadtnhr5iGca7/k+KnSI5ORFUt0aEAPFYQi0=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240429164853-7e1e3b111ee9 h1:aS7xUxC/uOXfw0T4ARTu0G1qb6eJ0WnB2JRv9donPOE=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240429164853-7e1e3b111ee9/go.mod h1:Y/ge/l24phVaJb9S8mYRjtnDkohFkX/KEOUXLArcyvQ=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240429052447-09a614506ca6 h1:z57GyTly+w61GhbwqFEOnrLwzA7be4ZRBGTki2O13HM=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240429052447-09a614506ca6/go.mod h1:ORxH/VVsk24ExdxecUiAWhLtV17xIv6lO89LLmSvKPE=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240429052447-09a614506ca6 h1:WLsG3Ko+phW5xZJjncypLWGASoLqKrt05qN9Zxsad6g=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240429052447-09a614506ca6/go.mod h1:lYhFzul37AR/6gAhTAA1KKWbOlzB3F/7014lejn883c=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240429052447-09a614506ca6 h1:/mhzQQ9FF70z00zZD7dpgOoNXvEu9q68oob3oAiJW08=
@@ -179,6 +177,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stuggi/lib-common/modules/certmanager v0.0.0-20240514084540-b9c336d65790 h1:7f1w6UVJGGgWhSPNJ8l7Bm4tyA531lWe7URAl4BL4o4=
+github.com/stuggi/lib-common/modules/certmanager v0.0.0-20240514084540-b9c336d65790/go.mod h1:ORxH/VVsk24ExdxecUiAWhLtV17xIv6lO89LLmSvKPE=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

diff --git a/pkg/openstack/ca.go b/pkg/openstack/ca.go
@@ -98,6 +98,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	instance.Status.TLS.CAList = []corev1.TLSCAStatus{}
 	// create CA for ingress and public podLevel termination
 	issuerLabels := map[string]string{certmanager.RootCAIssuerPublicLabel: ""}
+	issuerAnnotations := getIssuerAnnotations(&instance.Spec.TLS.Ingress.Cert)
 	if !instance.Spec.TLS.Ingress.Ca.IsCustomIssuer() {
 		ctrlResult, err = ensureRootCA(
 			ctx,
@@ -106,6 +107,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 			issuerReq,
 			tls.DefaultCAPrefix+string(service.EndpointPublic),
 			issuerLabels,
+			issuerAnnotations,
 			bundle,
 			caOnlyBundle,
 			instance.Spec.TLS.Ingress.Ca,
@@ -119,7 +121,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 		customIssuer := *instance.Spec.TLS.Ingress.Ca.CustomIssuer
 
 		// add CA labelselector to issuer
-		caCertSecretName, err := addIssuerLabel(ctx, helper, customIssuer, instance.Namespace, issuerLabels)
+		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace, issuerLabels, issuerAnnotations)
 		if err != nil {
 			instance.Status.Conditions.Set(condition.FalseCondition(
 				corev1.OpenStackControlPlaneCAReadyCondition,
@@ -162,6 +164,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 
 	// create CA for internal podLevel termination
 	issuerLabels = map[string]string{certmanager.RootCAIssuerInternalLabel: ""}
+	issuerAnnotations = getIssuerAnnotations(&instance.Spec.TLS.PodLevel.Internal.Cert)
 	if !instance.Spec.TLS.PodLevel.Internal.Ca.IsCustomIssuer() {
 		ctrlResult, err = ensureRootCA(
 			ctx,
@@ -170,6 +173,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 			issuerReq,
 			tls.DefaultCAPrefix+string(service.EndpointInternal),
 			issuerLabels,
+			issuerAnnotations,
 			bundle,
 			caOnlyBundle,
 			instance.Spec.TLS.PodLevel.Internal.Ca,
@@ -182,7 +186,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	} else {
 		customIssuer := *instance.Spec.TLS.PodLevel.Internal.Ca.CustomIssuer
 		// add CA labelselector to issuer
-		caCertSecretName, err := addIssuerLabel(ctx, helper, customIssuer, instance.Namespace, issuerLabels)
+		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace, issuerLabels, issuerAnnotations)
 		if err != nil {
 			instance.Status.Conditions.Set(condition.FalseCondition(
 				corev1.OpenStackControlPlaneCAReadyCondition,
@@ -226,6 +230,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 
 	// create CA for libvirt
 	issuerLabels = map[string]string{certmanager.RootCAIssuerLibvirtLabel: ""}
+	issuerAnnotations = getIssuerAnnotations(&instance.Spec.TLS.PodLevel.Libvirt.Cert)
 	if !instance.Spec.TLS.PodLevel.Libvirt.Ca.IsCustomIssuer() {
 		ctrlResult, err = ensureRootCA(
 			ctx,
@@ -234,6 +239,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 			issuerReq,
 			corev1.LibvirtCaName,
 			issuerLabels,
+			issuerAnnotations,
 			bundle,
 			caOnlyBundle,
 			instance.Spec.TLS.PodLevel.Libvirt.Ca,
@@ -246,7 +252,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	} else {
 		customIssuer := *instance.Spec.TLS.PodLevel.Libvirt.Ca.CustomIssuer
 		// add CA labelselector to issuer
-		caCertSecretName, err := addIssuerLabel(ctx, helper, customIssuer, instance.Namespace, issuerLabels)
+		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace, issuerLabels, issuerAnnotations)
 		if err != nil {
 			instance.Status.Conditions.Set(condition.FalseCondition(
 				corev1.OpenStackControlPlaneCAReadyCondition,
@@ -289,6 +295,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 
 	// create CA for ovn
 	issuerLabels = map[string]string{certmanager.RootCAIssuerOvnDBLabel: ""}
+	issuerAnnotations = getIssuerAnnotations(&instance.Spec.TLS.PodLevel.Ovn.Cert)
 	if !instance.Spec.TLS.PodLevel.Ovn.Ca.IsCustomIssuer() {
 		ctrlResult, err = ensureRootCA(
 			ctx,
@@ -297,6 +304,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 			issuerReq,
 			corev1.OvnDbCaName,
 			issuerLabels,
+			issuerAnnotations,
 			bundle,
 			caOnlyBundle,
 			instance.Spec.TLS.PodLevel.Ovn.Ca,
@@ -309,7 +317,7 @@ func ReconcileCAs(ctx context.Context, instance *corev1.OpenStackControlPlane, h
 	} else {
 		customIssuer := *instance.Spec.TLS.PodLevel.Ovn.Ca.CustomIssuer
 		// add CA labelselector to issuer
-		caCertSecretName, err := addIssuerLabel(ctx, helper, customIssuer, instance.Namespace, issuerLabels)
+		caCertSecretName, err := addIssuerLabelAnnotation(ctx, helper, customIssuer, instance.Namespace, issuerLabels, issuerAnnotations)
 		if err != nil {
 			instance.Status.Conditions.Set(condition.FalseCondition(
 				corev1.OpenStackControlPlaneCAReadyCondition,
@@ -448,6 +456,7 @@ func ensureRootCA(
 	issuerReq *certmgrv1.Issuer,
 	caName string,
 	labels map[string]string,
+	annotations map[string]string,
 	bundle *caBundle,
 	caOnlyBundle *caBundle,
 	caCfg corev1.CACertConfig,
@@ -462,6 +471,7 @@ func ensureRootCA(
 		issuerReq,
 		caName,
 		labels,
+		annotations,
 		caCfg,
 	)
 	if err != nil {
@@ -518,6 +528,7 @@ func createRootCACertAndIssuer(
 	selfsignedIssuerReq *certmgrv1.Issuer,
 	caName string,
 	labels map[string]string,
+	annotations map[string]string,
 	caCfg corev1.CACertConfig,
 ) ([]byte, ctrl.Result, error) {
 	// create RootCA Certificate used to sign certificates
@@ -570,6 +581,7 @@ func createRootCACertAndIssuer(
 		caCertReq.Name,
 		instance.GetNamespace(),
 		labels,
+		annotations,
 		caCertReq.Name,
 	)
 
@@ -740,12 +752,13 @@ func (cab *caBundle) getBundlePEM() string {
 	return bundleData
 }
 
-func addIssuerLabel(
+func addIssuerLabelAnnotation(
 	ctx context.Context,
 	helper *helper.Helper,
 	name string,
 	namespace string,
 	labels map[string]string,
+	annotations map[string]string,
 ) (string, error) {
 	var caCertSecretName string
 	// get  issuer
@@ -764,6 +777,8 @@ func addIssuerLabel(
 	beforeIssuer := issuer.DeepCopyObject().(client.Object)
 	// merge labels
 	issuer.Labels = util.MergeMaps(issuer.Labels, labels)
+	// merge annotations
+	issuer.Annotations = util.MergeMaps(issuer.Annotations, annotations)
 
 	// patch issuer
 	patch := client.MergeFrom(beforeIssuer)
@@ -791,3 +806,19 @@ func addIssuerLabel(
 
 	return caCertSecretName, nil
 }
+
+func getIssuerAnnotations(certConfig *corev1.CertConfig) map[string]string {
+	annotations := map[string]string{}
+	certDuration := certConfig.GetDurationHours()
+	if certDuration == "" {
+		certDuration = certmanager.CertDefaultDuration
+	}
+	annotations[certmanager.CertDurationAnnotation] = certDuration
+
+	certRenewBefore := certConfig.GetRenewBeforeHours()
+	if certRenewBefore != "" {
+		annotations[certmanager.CertRenewBeforeAnnotation] = certRenewBefore
+	}
+
+	return annotations
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -128,3 +128,5 @@ replace github.com/openshift/api => github.com/openshift/api v0.0.0-202304141430

		// custom RabbitmqClusterSpecCore for OpenStackControlplane (v2.6.0_patches_tag)
		replace github.com/rabbitmq/cluster-operator/v2 => github.com/openstack-k8s-operators/rabbitmq-cluster-operator/v2 v2.6.1-0.20240313124519-961a0ee8bf7f //allow-merging

		replace github.com/openstack-k8s-operators/lib-common/modules/certmanager => github.com/stuggi/lib-common/modules/certmanager v0.0.0-20240514084540-b9c336d65790