fix(auto-cert-renewal): adds 0 as valid value for daysBeforeExpiry (#1218)

atulv7 · dkoshkin · web-flow · commit 2abeb0d7bfbe · 2025-07-18T14:47:42.000-07:00
**What problem does this PR solve?**: As of now to disable CAPI based automated certificate renewal we have to set `autoRenewCertificates` to `nil` which results in SSA patch [issue](kubernetes/kubernetes#117447). To avoid this added 0 as a valid value for `autoRenewCertificates.daysBeforeExpiry` denoting the feat is disabled. **Which issue(s) this PR fixes**: Fixes [NCN-108329](https://jira.nutanix.com/browse/NCN-108329) **How Has This Been Tested?**:  - Tested using the dev workflow along with the konvoy [changes](mesosphere/konvoy2#3959) --------- Co-authored-by: Dimitri Koshkin <dimitri.koshkin@nutanix.com>
diff --git a/api/v1alpha1/controlplane_types.go b/api/v1alpha1/controlplane_types.go
@@ -13,9 +13,10 @@ type GenericControlPlaneSpec struct {
 type AutoRenewCertificatesSpec struct {
 	// DaysBeforeExpiry indicates a rollout needs to be performed if the
 	// certificates of the control plane will expire within the specified days.
+	// Set to 0 to disable automated certificate renewal.
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Minimum=7
-	DaysBeforeExpiry int32 `json:"daysBeforeExpiry,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self == 0 || self >= 7",message="Value must be 0 or at least 7"
+	DaysBeforeExpiry int32 `json:"daysBeforeExpiry"`
 }
 
 // DockerControlPlaneSpec defines the desired state of the control plane for a Docker cluster.
diff --git a/api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml
@@ -339,9 +339,12 @@ spec:
                           description: |-
                             DaysBeforeExpiry indicates a rollout needs to be performed if the
                             certificates of the control plane will expire within the specified days.
+                            Set to 0 to disable automated certificate renewal.
                           format: int32
-                          minimum: 7
                           type: integer
+                          x-kubernetes-validations:
+                            - message: Value must be 0 or at least 7
+                              rule: self == 0 || self >= 7
                       required:
                         - daysBeforeExpiry
                       type: object
diff --git a/api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml
@@ -304,9 +304,12 @@ spec:
                           description: |-
                             DaysBeforeExpiry indicates a rollout needs to be performed if the
                             certificates of the control plane will expire within the specified days.
+                            Set to 0 to disable automated certificate renewal.
                           format: int32
-                          minimum: 7
                           type: integer
+                          x-kubernetes-validations:
+                            - message: Value must be 0 or at least 7
+                              rule: self == 0 || self >= 7
                       required:
                         - daysBeforeExpiry
                       type: object
diff --git a/api/v1alpha1/crds/caren.nutanix.com_dockerworkernodeconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_dockerworkernodeconfigs.yaml
@@ -52,9 +52,12 @@ spec:
                     description: |-
                       DaysBeforeExpiry indicates a rollout needs to be performed if the
                       certificates of the control plane will expire within the specified days.
+                      Set to 0 to disable automated certificate renewal.
                     format: int32
-                    minimum: 7
                     type: integer
+                    x-kubernetes-validations:
+                    - message: Value must be 0 or at least 7
+                      rule: self == 0 || self >= 7
                 required:
                 - daysBeforeExpiry
                 type: object
diff --git a/api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml b/api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml
@@ -304,9 +304,12 @@ spec:
                           description: |-
                             DaysBeforeExpiry indicates a rollout needs to be performed if the
                             certificates of the control plane will expire within the specified days.
+                            Set to 0 to disable automated certificate renewal.
                           format: int32
-                          minimum: 7
                           type: integer
+                          x-kubernetes-validations:
+                            - message: Value must be 0 or at least 7
+                              rule: self == 0 || self >= 7
                       required:
                         - daysBeforeExpiry
                       type: object
diff --git a/common/pkg/testutils/capitest/variables.go b/common/pkg/testutils/capitest/variables.go
@@ -26,12 +26,30 @@ type VariableTestDef struct {
 	ExpectError bool
 }
 
-func ValidateDiscoverVariables[T mutation.DiscoverVariables](
+func ValidateDiscoverVariables[V mutation.DiscoverVariables](
 	t *testing.T,
 	variableName string,
 	variableSchema *clusterv1.VariableSchema,
 	variableRequired bool,
-	handlerCreator func() T,
+	handlerCreator func() V,
+	variableTestDefs ...VariableTestDef,
+) {
+	ValidateDiscoverVariablesAs[V, any](
+		t,
+		variableName,
+		variableSchema,
+		variableRequired,
+		handlerCreator,
+		variableTestDefs...,
+	)
+}
+
+func ValidateDiscoverVariablesAs[V mutation.DiscoverVariables, T any](
+	t *testing.T,
+	variableName string,
+	variableSchema *clusterv1.VariableSchema,
+	variableRequired bool,
+	handlerCreator func() V,
 	variableTestDefs ...VariableTestDef,
 ) {
 	t.Helper()
@@ -72,7 +90,7 @@ func ValidateDiscoverVariables[T mutation.DiscoverVariables](
 			case tt.OldVals != nil:
 				encodedOldVals, err := json.Marshal(tt.OldVals)
 				g.Expect(err).NotTo(gomega.HaveOccurred())
-				validateErr = openapi.ValidateClusterVariableUpdate(
+				validateErr = openapi.ValidateClusterVariableUpdate[T](
 					&clusterv1.ClusterVariable{
 						Name:  variableName,
 						Value: apiextensionsv1.JSON{Raw: encodedVals},
@@ -85,7 +103,7 @@ func ValidateDiscoverVariables[T mutation.DiscoverVariables](
 					field.NewPath(variableName),
 				).ToAggregate()
 			default:
-				validateErr = openapi.ValidateClusterVariable(
+				validateErr = openapi.ValidateClusterVariable[T](
 					&clusterv1.ClusterVariable{
 						Name:  variableName,
 						Value: apiextensionsv1.JSON{Raw: encodedVals},
diff --git a/common/pkg/testutils/openapi/cel.go b/common/pkg/testutils/openapi/cel.go
@@ -0,0 +1,111 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package openapi
+
+import (
+	"context"
+	"reflect"
+	"strings"
+
+	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
+	"k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// validateCELRecursively recursively validates CEL rules across all schema.Properties.
+// validator.Validate() does not traverse nested structs, so we need to do it manually.
+// It walks each field of the struct, checking if it has a CEL validation rule,
+// and if so, it validates the field using the CEL validator.
+func validateCELRecursively(
+	ctx context.Context,
+	validator *cel.Validator,
+	path *field.Path,
+	schema *structuralschema.Structural,
+	newVal reflect.Value,
+	oldVal reflect.Value,
+	budget int64,
+) field.ErrorList {
+	var errs field.ErrorList
+
+	// Prepare values for top-level Validate call
+	newIface := reflectValueToInterface(newVal)
+	oldIface := reflectValueToInterface(oldVal)
+
+	selfErrs, _ := validator.Validate(ctx, path, schema, newIface, oldIface, budget)
+	errs = append(errs, selfErrs...)
+
+	// Dereference pointers
+	if newVal.Kind() == reflect.Pointer && !newVal.IsNil() {
+		newVal = newVal.Elem()
+	}
+	if oldVal.Kind() == reflect.Pointer && !oldVal.IsNil() {
+		oldVal = oldVal.Elem()
+	}
+
+	// Recurse only if newVal is struct
+	if newVal.Kind() != reflect.Struct {
+		return errs
+	}
+
+	typ := newVal.Type()
+	for i := 0; i < newVal.NumField(); i++ {
+		fieldType := typ.Field(i)
+		newFieldVal := newVal.Field(i)
+
+		if fieldType.PkgPath != "" {
+			continue // unexported
+		}
+
+		// Get old value safely
+		var oldFieldVal reflect.Value
+		if oldVal.IsValid() && oldVal.Kind() == reflect.Struct {
+			oldFieldVal = oldVal.FieldByName(fieldType.Name)
+		}
+
+		// Handle embedded fields
+		if fieldType.Anonymous && newFieldVal.Kind() == reflect.Struct {
+			errs = append(errs,
+				validateCELRecursively(ctx, validator, path, schema, newFieldVal, oldFieldVal, budget)...)
+			continue
+		}
+
+		jsonName := jsonFieldName(fieldType)
+		if jsonName == "" {
+			continue
+		}
+
+		subSchema, okSchema := schema.Properties[jsonName]
+		subValidator, okValidator := validator.Properties[jsonName]
+		if !okSchema || !okValidator {
+			continue
+		}
+
+		subPath := path.Child(jsonName)
+		errs = append(errs,
+			validateCELRecursively(ctx, &subValidator, subPath, &subSchema, newFieldVal, oldFieldVal, budget)...)
+	}
+
+	return errs
+}
+
+func reflectValueToInterface(v reflect.Value) interface{} {
+	if !v.IsValid() {
+		return nil
+	}
+	if v.Kind() == reflect.Pointer && v.IsNil() {
+		return nil
+	}
+	return v.Interface()
+}
+
+func jsonFieldName(field reflect.StructField) string {
+	tag := field.Tag.Get("json")
+	if tag == "-" {
+		return ""
+	}
+	if tag == "" {
+		return field.Name
+	}
+	return strings.Split(tag, ",")[0]
+}
diff --git a/common/pkg/testutils/openapi/validate.go b/common/pkg/testutils/openapi/validate.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"reflect"
 	"strings"
 
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
@@ -24,7 +25,7 @@ import (
 // See: https://github.com/kubernetes-sigs/cluster-api/blob/v1.5.1/internal/topology/variables/cluster_variable_validation.go#L118
 //
 //nolint:lll // Adding for URL above, does not work when adding to end of line in a comment block.
-func ValidateClusterVariable(
+func ValidateClusterVariable[T any](
 	value *clusterv1.ClusterVariable,
 	definition *clusterv1.ClusterClassVariable,
 	fldPath *field.Path,
@@ -34,7 +35,7 @@ func ValidateClusterVariable(
 		return field.ErrorList{err}
 	}
 
-	variableValue, err := unmarshalAndDefaultVariableValue(fldPath, value, structuralSchema)
+	variableValue, err := unmarshalAndDefaultVariableValue[T](fldPath, value, structuralSchema)
 	if err != nil {
 		return field.ErrorList{err}
 	}
@@ -45,26 +46,27 @@ func ValidateClusterVariable(
 		return err
 	}
 
+	var oldVariableValue T
 	// Validate variable against the schema using CEL.
-	if err := validateCEL(fldPath, variableValue, nil, structuralSchema); err != nil {
+	if err := validateCEL[T](fldPath, variableValue, oldVariableValue, structuralSchema); err != nil {
 		return err
 	}
 
 	return validateUnknownFields(fldPath, value, variableValue, apiExtensionsSchema)
 }
 
-func unmarshalAndDefaultVariableValue(
+func unmarshalAndDefaultVariableValue[T any](
 	fldPath *field.Path,
 	value *clusterv1.ClusterVariable,
 	s *structuralschema.Structural,
-) (any, *field.Error) {
+) (T, *field.Error) {
 	// Parse JSON value.
-	var variableValue any
+	var variableValue T
 	// Only try to unmarshal the clusterVariable if it is not nil, otherwise the variableValue is nil.
 	// Note: A clusterVariable with a nil value is the result of setting the variable value to "null" via YAML.
 	if value.Value.Raw != nil {
 		if err := json.Unmarshal(value.Value.Raw, &variableValue); err != nil {
-			return nil, field.Invalid(
+			return variableValue, field.Invalid(
 				fldPath.Child("value"), string(value.Value.Raw),
 				fmt.Sprintf("variable %q could not be parsed: %v", value.Name, err),
 			)
@@ -122,9 +124,9 @@ func validatorAndSchemas(
 	return validator, apiExtensionsSchema, s, nil
 }
 
-func validateCEL(
+func validateCEL[T any](
 	fldPath *field.Path,
-	variableValue, oldVariableValue any,
+	variableValue, oldVariableValue T,
 	structuralSchema *structuralschema.Structural,
 ) field.ErrorList {
 	// Note: k/k CR validation also uses celconfig.PerCallLimit when creating the validator for a custom resource.
@@ -138,12 +140,13 @@ func validateCEL(
 
 	// Note: k/k CRD validation also uses celconfig.RuntimeCELCostBudget for the Validate call.
 	// The current RuntimeCELCostBudget gives roughly 1 second for the validation of a variable value.
-	if validationErrors, _ := celValidator.Validate(
+	if validationErrors := validateCELRecursively(
 		context.Background(),
+		celValidator,
 		fldPath.Child("value"),
 		structuralSchema,
-		variableValue,
-		oldVariableValue,
+		reflect.ValueOf(variableValue),
+		reflect.ValueOf(oldVariableValue),
 		celconfig.RuntimeCELCostBudget,
 	); len(validationErrors) > 0 {
 		var allErrs field.ErrorList
@@ -215,8 +218,8 @@ func validateUnknownFields(
 	return nil
 }
 
-// ValidateClusterVariable validates an update to a clusterVariable.
-func ValidateClusterVariableUpdate(
+// ValidateClusterVariableUpdate validates an update to a clusterVariable.
+func ValidateClusterVariableUpdate[T any](
 	value, oldValue *clusterv1.ClusterVariable,
 	definition *clusterv1.ClusterClassVariable,
 	fldPath *field.Path,
@@ -226,12 +229,12 @@ func ValidateClusterVariableUpdate(
 		return field.ErrorList{err}
 	}
 
-	variableValue, err := unmarshalAndDefaultVariableValue(fldPath, value, structuralSchema)
+	variableValue, err := unmarshalAndDefaultVariableValue[T](fldPath, value, structuralSchema)
 	if err != nil {
 		return field.ErrorList{err}
 	}
 
-	oldVariableValue, err := unmarshalAndDefaultVariableValue(fldPath, oldValue, structuralSchema)
+	oldVariableValue, err := unmarshalAndDefaultVariableValue[T](fldPath, oldValue, structuralSchema)
 	if err != nil {
 		return field.ErrorList{err}
 	}
@@ -243,7 +246,7 @@ func ValidateClusterVariableUpdate(
 	}
 
 	// Validate variable against the schema using CEL.
-	if err := validateCEL(fldPath, variableValue, oldVariableValue, structuralSchema); err != nil {
+	if err := validateCEL[T](fldPath, variableValue, oldVariableValue, structuralSchema); err != nil {
 		return err
 	}
 
diff --git a/pkg/handlers/generic/mutation/autorenewcerts/inject.go b/pkg/handlers/generic/mutation/autorenewcerts/inject.go
@@ -70,10 +70,9 @@ func (h *autoRenewCerts) Mutate(
 	if err != nil {
 		if variables.IsNotFoundError(err) {
 			log.V(5).Info("Control Plane auto renew certs variable not defined")
-			return nil
+		} else {
+			return err
 		}
-
-		return err
 	}
 
 	log = log.WithValues(
@@ -92,10 +91,18 @@ func (h *autoRenewCerts) Mutate(
 		selectors.ControlPlane(),
 		log,
 		func(obj *controlplanev1.KubeadmControlPlaneTemplate) error {
-			log.WithValues(
+			log = log.WithValues(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", client.ObjectKeyFromObject(obj),
-			).Info(fmt.Sprintf(
+			)
+
+			if autoRenewCertsVar.DaysBeforeExpiry == 0 {
+				log.Info("removing auto renew certs config from control plane kubeadm config spec")
+				obj.Spec.Template.Spec.RolloutBefore = nil
+				return nil
+			}
+
+			log.Info(fmt.Sprintf(
 				"adding auto renew certs config for %d days before expiry to control plane kubeadm config spec",
 				autoRenewCertsVar.DaysBeforeExpiry,
 			))
diff --git a/pkg/handlers/generic/mutation/autorenewcerts/inject_test.go b/pkg/handlers/generic/mutation/autorenewcerts/inject_test.go
diff --git a/pkg/handlers/generic/mutation/autorenewcerts/variables_test.go b/pkg/handlers/generic/mutation/autorenewcerts/variables_test.go
