Set not-before/not-after annotations for secrets created from CSRs

Vadim Rutkovsky · Vadim Rutkovsky · commit ff84afa1d0dd · 2024-11-22T13:01:09.000+01:00
diff --git a/pkg/operator/csr/cert_controller.go b/pkg/operator/csr/cert_controller.go
@@ -3,6 +3,7 @@ package csr
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
 	"math/rand"
@@ -166,7 +167,7 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
 
 	// reconcile pending csr if exists
 	if len(c.csrName) > 0 {
-		newSecretConfig, err := c.syncCSR(secret)
+		newSecretConfig, leaf, err := c.syncCSR(secret)
 		if err != nil {
 			c.reset()
 			return err
@@ -179,6 +180,12 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
 			newSecretConfig[k] = v
 		}
 		secret.Data = newSecretConfig
+
+		// Update not-before/not-after annotations
+		c.AdditionalAnnotations.NotBefore = leaf.NotBefore.Format(time.RFC3339)
+		c.AdditionalAnnotations.NotAfter = leaf.NotAfter.Format(time.RFC3339)
+		_ = c.AdditionalAnnotations.EnsureTLSMetadataUpdate(&secret.ObjectMeta)
+
 		// save the changes into secret
 		if err := c.saveSecret(secret); err != nil {
 			return err
@@ -231,10 +238,10 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
 	return nil
 }
 
-func (c *clientCertificateController) syncCSR(secret *corev1.Secret) (map[string][]byte, error) {
+func (c *clientCertificateController) syncCSR(secret *corev1.Secret) (map[string][]byte, *x509.Certificate, error) {
 	// skip if there is no ongoing csr
 	if len(c.csrName) == 0 {
-		return nil, fmt.Errorf("no ongoing csr")
+		return nil, nil, fmt.Errorf("no ongoing csr")
 	}
 
 	// skip if csr no longer exists
@@ -244,38 +251,44 @@ func (c *clientCertificateController) syncCSR(secret *corev1.Secret) (map[string
 		// fallback to fetching csr from hub apiserver in case it is not cached by informer yet
 		csr, err = c.hubCSRClient.Get(context.Background(), c.csrName, metav1.GetOptions{})
 		if errors.IsNotFound(err) {
-			return nil, fmt.Errorf("unable to get csr %q. It might have already been deleted.", c.csrName)
+			return nil, nil, fmt.Errorf("unable to get csr %q. It might have already been deleted.", c.csrName)
 		}
 	case err != nil:
-		return nil, err
+		return nil, nil, err
 	}
 
 	// skip if csr is not approved yet
 	if !isCSRApproved(csr) {
-		return nil, nil
+		return nil, nil, nil
 	}
 
 	// skip if csr has no certificate in its status yet
 	if len(csr.Status.Certificate) == 0 {
-		return nil, nil
+		return nil, nil, nil
 	}
 
 	klog.V(4).Infof("Sync csr %v", c.csrName)
 	// check if cert in csr status matches with the corresponding private key
 	if c.keyData == nil {
-		return nil, fmt.Errorf("No private key found for certificate in csr: %s", c.csrName)
+		return nil, nil, fmt.Errorf("No private key found for certificate in csr: %s", c.csrName)
 	}
 	_, err = tls.X509KeyPair(csr.Status.Certificate, c.keyData)
 	if err != nil {
-		return nil, fmt.Errorf("Private key does not match with the certificate in csr: %s", c.csrName)
+		return nil, nil, fmt.Errorf("Private key does not match with the certificate in csr: %s", c.csrName)
+	}
+	parsed, err := x509.ParseCertificate(csr.Status.Certificate)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse the certificate in csr %s: %v", c.csrName, err)
+	}
+	if parsed == nil {
+		return nil, nil, fmt.Errorf("Empty leaf certificate in csr: %s", c.csrName)
 	}
 
 	data := map[string][]byte{
 		TLSCertFile: csr.Status.Certificate,
 		TLSKeyFile:  c.keyData,
 	}
-
-	return data, nil
+	return data, parsed, nil
 }
 
 func (c *clientCertificateController) createCSR(ctx context.Context) (string, error) {
