✨ Add CertificateValidityPeriod and CACertificateValidityPeriod to KubeadmConfig (#12335)

* Add CertificateValidityPeriod type to KubeadmConfig

* Add CACertificateValidityPeriod to Kubeadmconfig

* Use CACertificateValidityPeriod while generating certificates

* Address reveiw comments

Author: Karthik-K-N

api/bootstrap/kubeadm/v1beta1/conversion.go

@@ -80,6 +80,18 @@ func RestoreKubeadmConfigSpec(restored *bootstrapv1.KubeadmConfigSpec, dst *boot
 		}
 		dst.JoinConfiguration.Timeouts = restored.JoinConfiguration.Timeouts
 	}
+	if restored.ClusterConfiguration != nil &&
+		(restored.ClusterConfiguration.CertificateValidityPeriodDays != 0 || restored.ClusterConfiguration.CACertificateValidityPeriodDays != 0) {
+		if dst.ClusterConfiguration == nil {
+			dst.ClusterConfiguration = &bootstrapv1.ClusterConfiguration{}
+		}
+		if restored.ClusterConfiguration.CertificateValidityPeriodDays != 0 {
+			dst.ClusterConfiguration.CertificateValidityPeriodDays = restored.ClusterConfiguration.CertificateValidityPeriodDays
+		}
+		if restored.ClusterConfiguration.CACertificateValidityPeriodDays != 0 {
+			dst.ClusterConfiguration.CACertificateValidityPeriodDays = restored.ClusterConfiguration.CACertificateValidityPeriodDays
+		}
+	}
 }
 
 func RestoreBoolIntentKubeadmConfigSpec(src *KubeadmConfigSpec, dst *bootstrapv1.KubeadmConfigSpec, hasRestored bool, restored *bootstrapv1.KubeadmConfigSpec) error {
@@ -570,6 +582,10 @@ func Convert_v1beta1_Condition_To_v1_Condition(in *clusterv1beta1.Condition, out
 	return clusterv1beta1.Convert_v1beta1_Condition_To_v1_Condition(in, out, s)
 }
 
+func Convert_v1beta2_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in *bootstrapv1.ClusterConfiguration, out *ClusterConfiguration, s apimachineryconversion.Scope) error {
+	return autoConvert_v1beta2_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in, out, s)
+}
+
 func dropEmptyStringsKubeadmConfigSpec(dst *KubeadmConfigSpec) {
 	for i, u := range dst.Users {
 		dropEmptyString(&u.Gecos)

api/bootstrap/kubeadm/v1beta1/zz_generated.conversion.go

@@ -186,6 +186,22 @@ type ClusterConfiguration struct {
 	// featureGates enabled by the user.
 	// +optional
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
+
+	// certificateValidityPeriodDays specifies the validity period for non-CA certificates generated by kubeadm.
+	// If not specified, kubeadm will use a default of 365 days (1 year).
+	// This field is only supported with Kubernetes v1.31 or above.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=1095
+	CertificateValidityPeriodDays int32 `json:"certificateValidityPeriodDays,omitempty"`
+
+	// caCertificateValidityPeriodDays specifies the validity period for CA certificates generated by Cluster API.
+	// If not specified, Cluster API will use a default of 3650 days (10 years).
+	// This field cannot be modified.
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=36500
+	CACertificateValidityPeriodDays int32 `json:"caCertificateValidityPeriodDays,omitempty"`
 }
 
 // APIServer holds settings necessary for API server deployments in the cluster.

api/bootstrap/kubeadm/v1beta2/kubeadm_types.go

@@ -307,3 +307,7 @@ func (src *ClusterConfiguration) GetAdditionalData(data *upstream.AdditionalData
 		data.ControlPlaneComponentHealthCheckSeconds = clusterv1.ConvertToSeconds(src.APIServer.TimeoutForControlPlane)
 	}
 }
+
+func Convert_v1beta2_ClusterConfiguration_To_upstreamv1beta3_ClusterConfiguration(in *bootstrapv1.ClusterConfiguration, out *ClusterConfiguration, s apimachineryconversion.Scope) error {
+	return autoConvert_v1beta2_ClusterConfiguration_To_upstreamv1beta3_ClusterConfiguration(in, out, s)
+}

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml

@@ -86,6 +86,7 @@ func fuzzFuncs(_ runtimeserializer.CodecFactory) []interface{} {
 		hubNodeRegistrationOptionsFuzzer,
 		hubHostPathMountFuzzer,
 		hubBootstrapTokenDiscoveryFuzzer,
+		hubClusterConfigurationFuzzer,
 	}
 }
 
@@ -231,3 +232,10 @@ func hubBootstrapTokenDiscoveryFuzzer(obj *bootstrapv1.BootstrapTokenDiscovery,
 		obj.UnsafeSkipCAVerification = ptr.To(false)
 	}
 }
+
+func hubClusterConfigurationFuzzer(obj *bootstrapv1.ClusterConfiguration, c randfill.Continue) {
+	c.FillNoCustom(obj)
+
+	obj.CertificateValidityPeriodDays = 0
+	obj.CACertificateValidityPeriodDays = 0
+}

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml

@@ -17,7 +17,9 @@ limitations under the License.
 package upstreamv1beta4
 
 import (
+	"math"
 	"reflect"
+	"time"
 	"unsafe"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -67,9 +69,22 @@ func Convert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguratio
 	// Following fields do not exist in CABPK v1beta1 version:
 	// - Proxy (Not supported yet)
 	// - EncryptionAlgorithm (Not supported yet)
-	// - CertificateValidityPeriod (Not supported yet)
-	// - CACertificateValidityPeriod (Not supported yet)
-	return autoConvert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguration(in, out, s)
+	if err := autoConvert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguration(in, out, s); err != nil {
+		return err
+	}
+	out.CertificateValidityPeriodDays = convertToDays(in.CertificateValidityPeriod)
+	out.CACertificateValidityPeriodDays = convertToDays(in.CACertificateValidityPeriod)
+	return nil
+}
+
+// Convert_v1beta2_ClusterConfiguration_To_upstreamv1beta4_ClusterConfiguration is an autogenerated conversion function.
+func Convert_v1beta2_ClusterConfiguration_To_upstreamv1beta4_ClusterConfiguration(in *bootstrapv1.ClusterConfiguration, out *ClusterConfiguration, s apimachineryconversion.Scope) error {
+	if err := autoConvert_v1beta2_ClusterConfiguration_To_upstreamv1beta4_ClusterConfiguration(in, out, s); err != nil {
+		return err
+	}
+	out.CertificateValidityPeriod = convertFromDays(in.CertificateValidityPeriodDays)
+	out.CACertificateValidityPeriod = convertFromDays(in.CACertificateValidityPeriodDays)
+	return nil
 }
 
 func Convert_upstreamv1beta4_DNS_To_v1beta2_DNS(in *DNS, out *bootstrapv1.DNS, s apimachineryconversion.Scope) error {
@@ -311,3 +326,26 @@ func (src *ClusterConfiguration) GetAdditionalData(data *upstream.AdditionalData
 	// NOTE: for kubeadm v1beta4 types we are not reading ControlPlaneComponentHealthCheckSeconds into additional data
 	// because Cluster API types are aligned with kubeadm's v1beta4 API version.
 }
+
+// convertToDays takes *metav1.Duration and returns a *int32.
+// Durations longer than MaxInt32 are capped.
+// NOTE: this is a util function intended only for usage in API conversions.
+func convertToDays(in *metav1.Duration) int32 {
+	if in == nil {
+		return 0
+	}
+	days := math.Trunc(in.Hours() / 24)
+	if days > math.MaxInt32 {
+		return math.MaxInt32
+	}
+	return int32(days)
+}
+
+// convertFromDays takes *int32 and returns a *metav1.Duration.
+// NOTE: this is a util function intended only for usage in API conversions.
+func convertFromDays(in int32) *metav1.Duration {
+	if in == 0 {
+		return nil
+	}
+	return ptr.To(metav1.Duration{Duration: time.Duration(in) * time.Hour * 24})
+}

bootstrap/kubeadm/types/upstreamv1beta3/conversion.go

@@ -82,6 +82,7 @@ func fuzzFuncs(_ runtimeserializer.CodecFactory) []interface{} {
 		hubHostPathMountFuzzer,
 		hubBootstrapTokenDiscoveryFuzzer,
 		hubNodeRegistrationOptionsFuzzer,
+		hubClusterConfigurationFuzzer,
 	}
 }
 
@@ -100,8 +101,8 @@ func spokeClusterConfigurationFuzzer(obj *ClusterConfiguration, c randfill.Conti
 
 	obj.Proxy = Proxy{}
 	obj.EncryptionAlgorithm = ""
-	obj.CACertificateValidityPeriod = nil
-	obj.CertificateValidityPeriod = nil
+	obj.CertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31n(3*365)+1) * time.Hour * 24})
+	obj.CACertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31n(100*365)+1) * time.Hour * 24})
 
 	// Drop the following fields as they have been removed in v1beta2, so we don't have to preserve them.
 	obj.Networking.ServiceSubnet = ""
@@ -213,3 +214,10 @@ func hubNodeRegistrationOptionsFuzzer(obj *bootstrapv1.NodeRegistrationOptions,
 		obj.Taints = nil
 	}
 }
+
+func hubClusterConfigurationFuzzer(obj *bootstrapv1.ClusterConfiguration, c randfill.Continue) {
+	c.FillNoCustom(obj)
+
+	obj.CertificateValidityPeriodDays = c.Int31n(3*365 + 1)
+	obj.CACertificateValidityPeriodDays = c.Int31n(100*365 + 1)
+}