Certificate signing request expiration seconds (#2559)

* Add expirationSeconds to CertificateSigningRequest

* add changelog-entry

* changelog

---------

Co-authored-by: Moritz Reinhardt <[email protected]>

Author: BBBmau

.changelog/2559.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+`resource/kubernetes_certificate_signing_request_v1`: Add argument `spec.expiration_seconds`
+```

docs/resources/certificate_signing_request_v1.md

@@ -97,6 +97,18 @@ Custom signerNames can also be specified. The signer defines:
 
 Optional:
 
+- `expiration_seconds` (Integer) expirationSeconds is the requested duration of validity of the issued certificate.
+
+The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and and notAfter fields in the issued certificate to determine the actual duration. The v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field as long as the requested duration is not greater than the maximum duration they will honor per the --cluster-signing-duration CLI flag to the Kubernetes controller manager.
+
+Certificate signers may not honor this field for various reasons:
+
+1. Old signer that is unaware of the field (such as the in-tree implementations prior to v1.22)
+2. Signer whose configured maximum is shorter than the requested duration
+3. Signer whose configured minimum is longer than the requested duration
+
+The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
+
 - `usages` (Set of String) usages specifies a set of key usages requested in the issued certificate.
 
 Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth".

kubernetes/resource_kubernetes_certificate_signing_request_v1.go

@@ -57,6 +57,12 @@ func resourceKubernetesCertificateSigningRequestV1() *schema.Resource {
 				MaxItems:    1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
+						"expiration_seconds": {
+							Type:        schema.TypeInt,
+							Description: apiDocSpec["expirationSeconds"],
+							Optional:    true,
+							ForceNew:    true,
+						},
 						"request": {
 							Type:        schema.TypeString,
 							Description: apiDocSpec["request"],

kubernetes/resource_kubernetes_certificate_signing_request_v1_test.go

@@ -39,6 +39,7 @@ func TestAccKubernetesCertificateSigningRequestV1_basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet(resourceName, "certificate"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.signer_name", signerName),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.usages.0", usages[0]),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.expiration_seconds", "604800"),
 				),
 			},
 		},
@@ -150,7 +151,8 @@ func testAccKubernetesCertificateSigningRequestV1Config_basic(name, signerName s
   }
   auto_approve = %t
   spec {
-    request     = <<EOT
+    expiration_seconds = 604800 # 1 week
+    request            = <<EOT
 -----BEGIN CERTIFICATE REQUEST-----
 MIHSMIGBAgEAMCoxGDAWBgNVBAoTD2V4YW1wbGUgY2x1c3RlcjEOMAwGA1UEAxMF
 YWRtaW4wTjAQBgcqhkjOPQIBBgUrgQQAIQM6AASSG8S2+hQvfMq5ucngPCzK0m0C
@@ -159,8 +161,8 @@ BAMCA0AAMD0CHQDErNLjX86BVfOsYh/A4zmjmGknZpc2u6/coTHqAhxcR41hEU1I
 DpNPvh30e0Js8/DYn2YUfu/pQU19
 -----END CERTIFICATE REQUEST-----
 EOT
-    signer_name = %q
-    usages      = %q
+    signer_name        = %q
+    usages             = %q
   }
 }
 `, name, autoApprove, signerName, usages)

kubernetes/structures_certificate_signing_request_v1.go

@@ -7,6 +7,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
 	certificates "k8s.io/api/certificates/v1"
+	"k8s.io/utils/ptr"
 )
 
 func expandCertificateSigningRequestV1Spec(csr []interface{}) *certificates.CertificateSigningRequestSpec {
@@ -15,6 +16,9 @@ func expandCertificateSigningRequestV1Spec(csr []interface{}) *certificates.Cert
 		return obj
 	}
 	in := csr[0].(map[string]interface{})
+	if v, ok := in["expiration_seconds"].(int); ok && v >= 600 {
+		obj.ExpirationSeconds = ptr.To(int32(v))
+	}
 	obj.Request = []byte(in["request"].(string))
 	if v, ok := in["usages"].(*schema.Set); ok && v.Len() > 0 {
 		obj.Usages = expandCertificateSigningRequestV1Usages(v.List())