Merge pull request #36 from munnerz/default-renewal-time

jetstack-bot · web-flow · commit eb8bb6dc003e · 2022-09-13T14:34:04.000+01:00
Default renewal time to halfway through certificates lifetime
diff --git a/manager/manager.go b/manager/manager.go
@@ -18,6 +18,8 @@ package manager
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"math"
@@ -402,6 +404,18 @@ func (m *Manager) issue(ctx context.Context, volumeID string) error {
 		return fmt.Errorf("waiting for request: %w", err)
 	}
 
+	// Default the renewal time to be 2/3rds through the certificate's duration.
+	// The implementation's writeKeypair function may override this value before
+	// writing to the storage layer.
+	block, _ := pem.Decode(req.Status.Certificate)
+	crt, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return fmt.Errorf("parsing issued certificate: %w", err)
+	}
+	duration := crt.NotAfter.Sub(crt.NotBefore)
+	renewalPoint := crt.NotBefore.Add(duration * (2 / 3))
+	meta.NextIssuanceTime = &renewalPoint
+
 	if err := m.writeKeypair(meta, key, req.Status.Certificate, req.Status.CA); err != nil {
 		return fmt.Errorf("writing keypair: %w", err)
 	}
diff --git a/test/integration/issuance_test.go b/test/integration/issuance_test.go
@@ -39,6 +39,27 @@ import (
 	testutil "github.com/cert-manager/csi-lib/test/util"
 )
 
+// Self signed certificate valid for 'example.com' (and probably expired by the time this is read).
+// This is used during test fixtures as the test driver attempts to parse the PEM certificate data,
+// so we can't just use any random bytes.
+var selfSignedExampleCertificate = []byte(`-----BEGIN CERTIFICATE-----
+MIICxjCCAa6gAwIBAgIRAI0W8ofWt2fD+J7Cha10KwwwDQYJKoZIhvcNAQELBQAw
+ADAeFw0yMjA5MTMwODI0MDBaFw0yMjEyMTIwODI0MDBaMAAwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDR2ktXXbuJPZhudwfbwiYuKjb7BfehfuRZtme4
+HNvIhf0ABavuK4uRlKAKXRt1SZWMzm6P7NpTSOHjlxoBluZKFsgQbtNYYC8cBOMr
+1TuU9UwAD6U4Lw+obWQppwaEYIifdSVWUqphRT2I6EJONEB9ZUr0gHMKJ2sjl163
+WseSDyjPHkEM3wmpHpdDfYjNQRZ9sKB4J4/R8maW1IPpzltbryNQMfVJCYA7SjvJ
+KZK5cyhabqNVeBhjBSp+UczQVrJ4ruam3i4LFUbu7DVJ/60C8knhFxGJZ5uaPbOd
+eStraFOp50S3JbSpymq2m8c02ZsunUYiWCXGoh/UqrfYViVVAgMBAAGjOzA5MA4G
+A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMBkGA1UdEQEB/wQPMA2CC2V4YW1w
+bGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCkAvvWIUgdpuukL8nqX3850FtHl8r9
+I9oCra4Tv7fxsggFMhIbrVUjzE0NCB/kTjr5j/KFid9TFtbBo7bvYRKI1Qx12y28
+CTvY1y5BqFN/lT917B+8lrWyvxsbtQ0Xhvj9JgbLhGQutR4J+ee1sKZTPqP/sSGl
+PfY1JD5zWYWXWweLAR9hTp62SL6KVfsTT77jw0foehEKxfJbZY2wkdUS5GFMB8/a
+KQ+2l7/qPU8XL8whXEsifoJJ+U66v3cfsH0PIhTV2JKhagljdTVf333JBD/z49qv
+vnEIALrtIClFU6D/mTU5wyHhN29llwfjUgJrmYWqoWTZSiwGS6YmZpry
+-----END CERTIFICATE-----`)
+
 func TestIssuesCertificate(t *testing.T) {
 	store := storage.NewMemoryFS()
 	clock := fakeclock.NewFakeClock(time.Now())
@@ -69,7 +90,7 @@ func TestIssuesCertificate(t *testing.T) {
 	defer stop()
 
 	stopCh := make(chan struct{})
-	go testutil.IssueOneRequest(t, opts.Client, "certificaterequest-namespace", stopCh, []byte("certificate bytes"), []byte("ca bytes"))
+	go testutil.IssueOneRequest(t, opts.Client, "certificaterequest-namespace", stopCh, selfSignedExampleCertificate, []byte("ca bytes"))
 	defer close(stopCh)
 
 	tmpDir, err := os.MkdirTemp("", "*")
@@ -98,7 +119,7 @@ func TestIssuesCertificate(t *testing.T) {
 	if !reflect.DeepEqual(files["ca"], []byte("ca bytes")) {
 		t.Errorf("unexpected CA data: %v", files["ca"])
 	}
-	if !reflect.DeepEqual(files["cert"], []byte("certificate bytes")) {
+	if !reflect.DeepEqual(files["cert"], selfSignedExampleCertificate) {
 		t.Errorf("unexpected certificate data: %v", files["cert"])
 	}
 }
@@ -150,7 +171,7 @@ func TestManager_CleansUpOldRequests(t *testing.T) {
 
 	// Set up a goroutine that automatically issues all CertificateRequests
 	stopCh := make(chan struct{})
-	go testutil.IssueAllRequests(t, opts.Client, "testns", stopCh, []byte("certificate bytes"), []byte("ca bytes"))
+	go testutil.IssueAllRequests(t, opts.Client, "testns", stopCh, selfSignedExampleCertificate, []byte("ca bytes"))
 	defer close(stopCh)
 
 	// Call NodePublishVolume
diff --git a/test/integration/ready_to_request_test.go b/test/integration/ready_to_request_test.go
@@ -81,7 +81,7 @@ func Test_CompletesIfNotReadyToRequest_ContinueOnNotReadyEnabled(t *testing.T) {
 
 	// Setup a routine to issue/sign the request IF it is created
 	stopCh := make(chan struct{})
-	go testutil.IssueAllRequests(t, opts.Client, "certificaterequest-namespace", stopCh, []byte("certificate bytes"), []byte("ca bytes"))
+	go testutil.IssueAllRequests(t, opts.Client, "certificaterequest-namespace", stopCh, selfSignedExampleCertificate, []byte("ca bytes"))
 	defer close(stopCh)
 
 	tmpDir, err := os.MkdirTemp("", "*")
@@ -116,7 +116,7 @@ func Test_CompletesIfNotReadyToRequest_ContinueOnNotReadyEnabled(t *testing.T) {
 		if !reflect.DeepEqual(files["ca"], []byte("ca bytes")) {
 			return false, fmt.Errorf("unexpected CA data: %v", files["ca"])
 		}
-		if !reflect.DeepEqual(files["cert"], []byte("certificate bytes")) {
+		if !reflect.DeepEqual(files["cert"], selfSignedExampleCertificate) {
 			return false, fmt.Errorf("unexpected certificate data: %v", files["cert"])
 		}
 		return true, nil
@@ -161,7 +161,7 @@ func TestFailsIfNotReadyToRequest_ContinueOnNotReadyDisabled(t *testing.T) {
 
 	// Setup a routine to issue/sign the request IF it is created
 	stopCh := make(chan struct{})
-	go testutil.IssueAllRequests(t, opts.Client, "certificaterequest-namespace", stopCh, []byte("certificate bytes"), []byte("ca bytes"))
+	go testutil.IssueAllRequests(t, opts.Client, "certificaterequest-namespace", stopCh, selfSignedExampleCertificate, []byte("ca bytes"))
 	defer close(stopCh)
 	tmpDir, err := os.MkdirTemp("", "*")
 	if err != nil {
