certrotationcontroller: use custom periods when ShortCertRotation is …
…enabled
vrutkovs committed Nov 8, 2024
1 parent 7b119b5 commit 83ccdee
Showing 1 changed file with 56 additions and 53 deletions.
109 changes: 56 additions & 53 deletions pkg/operator/certrotationcontroller/certrotationcontroller.go
Expand Up @@ -26,9 +26,6 @@ import (
"github.com/openshift/library-go/pkg/operator/v1helpers"
)

// defaultRotationDay is the default rotation base for all cert rotation operations.
const defaultRotationDay = 24 * time.Hour

type CertRotationController struct {
certRotators []factory.Controller

Expand Down Expand Up @@ -119,14 +116,20 @@ func newCertRotationController(
configInformer.Config().V1().Networks().Informer().AddEventHandler(ret.serviceHostnameEventHandler())
configInformer.Config().V1().Infrastructures().Informer().AddEventHandler(ret.externalLoadBalancerHostnameEventHandler())

rotationDay := defaultRotationDay
monthPeriod := time.Hour * 24 * 30
yearPeriod := monthPeriod * 12
tenMonthPeriod := monthPeriod * 10
foreverPeriod := 10 * yearPeriod

featureGates, err := featureGateAccessor.CurrentFeatureGates()
if err != nil {
return nil, fmt.Errorf("unable to get FeatureGates: %w", err)
}

if featureGates.Enabled(features.FeatureShortCertRotation) {
rotationDay = time.Minute
monthPeriod = 45 * time.Minute
yearPeriod = 90 * time.Minute
tenMonthPeriod = 60 * time.Minute
}

certRotator := certrotation.NewCertRotationController(
Expand All @@ -138,8 +141,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions openshift-apiserver'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -165,8 +168,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions openshift-apiserver'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ClientRotation{
UserInfo: &user.DefaultInfo{Name: "system:openshift-aggregator"},
Expand All @@ -190,10 +193,10 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] Kubectl logs logs should be able to retrieve and filter logs [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
},
Validity: 1 * 365 * defaultRotationDay, // this comes from the installer
Validity: yearPeriod, // this comes from the installer
// Refresh set to 80% of the validity.
// This range is consistent with most other signers defined in this pkg.
Refresh: 292 * defaultRotationDay,
Refresh: tenMonthPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -219,8 +222,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] Kubectl logs logs should be able to retrieve and filter logs [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ClientRotation{
UserInfo: &user.DefaultInfo{Name: "system:kube-apiserver", Groups: []string{"kube-master"}},
Expand All @@ -243,12 +246,12 @@ func newCertRotationController(
AdditionalAnnotations: certrotation.AdditionalAnnotations{
JiraComponent: "kube-apiserver",
},
Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
Validity: foreverPeriod, // this comes from the installer
// Refresh set to 80% of the validity.
// This range is consistent with most other signers defined in this pkg.
// Given that in this case rotation will be after 8y,
// it means we effectively do not rotate.
Refresh: 8 * 365 * defaultRotationDay,
Refresh: 8 * yearPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -273,8 +276,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ServingRotation{
Hostnames: func() []string { return []string{"localhost", "127.0.0.1"} },
Expand All @@ -297,12 +300,12 @@ func newCertRotationController(
AdditionalAnnotations: certrotation.AdditionalAnnotations{
JiraComponent: "kube-apiserver",
},
Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
Validity: foreverPeriod, // this comes from the installer
// Refresh set to 80% of the validity.
// This range is consistent with most other signers defined in this pkg.
// Given that in this case rotation will be after 8y,
// it means we effectively do not rotate.
Refresh: 8 * 365 * defaultRotationDay,
Refresh: 8 * yearPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -327,8 +330,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ServingRotation{
Hostnames: ret.serviceNetwork.GetHostnames,
Expand All @@ -352,12 +355,12 @@ func newCertRotationController(
AdditionalAnnotations: certrotation.AdditionalAnnotations{
JiraComponent: "kube-apiserver",
},
Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
Validity: foreverPeriod, // this comes from the installer
// Refresh set to 80% of the validity.
// This range is consistent with most other signers defined in this pkg.
// Given that in this case rotation will be after 8y,
// it means we effectively do not rotate.
Refresh: 8 * 365 * defaultRotationDay,
Refresh: 8 * yearPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -382,8 +385,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ServingRotation{
Hostnames: ret.externalLoadBalancer.GetHostnames,
Expand All @@ -407,12 +410,12 @@ func newCertRotationController(
AdditionalAnnotations: certrotation.AdditionalAnnotations{
JiraComponent: "kube-apiserver",
},
Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
Validity: foreverPeriod, // this comes from the installer
// Refresh set to 80% of the validity.
// This range is consistent with most other signers defined in this pkg.
// Given that in this case rotation will be after 8y,
// it means we effectively do not rotate.
Refresh: 8 * 365 * defaultRotationDay,
Refresh: 8 * yearPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -437,8 +440,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[bz-kube-apiserver] kube-apiserver should be accessible by clients using internal load balancer without iptables issues'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ServingRotation{
Hostnames: ret.internalLoadBalancer.GetHostnames,
Expand All @@ -462,12 +465,12 @@ func newCertRotationController(
AdditionalAnnotations: certrotation.AdditionalAnnotations{
JiraComponent: "kube-apiserver",
},
Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
Validity: foreverPeriod, // this comes from the installer
// Refresh set to 80% of the validity.
// This range is consistent with most other signers defined in this pkg.
// Given that in this case rotation will be after 8y,
// it means we effectively do not rotate.
Refresh: 8 * 365 * defaultRotationDay,
Refresh: 8 * yearPeriod,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Client: kubeClient.CoreV1(),
Expand All @@ -490,12 +493,12 @@ func newCertRotationController(
AdditionalAnnotations: certrotation.AdditionalAnnotations{
JiraComponent: "kube-apiserver",
},
Validity: 10 * 365 * defaultRotationDay,
Validity: foreverPeriod,
// Refresh set to 80% of the validity.
// This range is consistent with most other signers defined in this pkg.
// Given that in this case rotation will be after 8y,
// it means we effectively do not rotate.
Refresh: 8 * 365 * defaultRotationDay,
Refresh: 8 * yearPeriod,
CertCreator: &certrotation.ServingRotation{
Hostnames: func() []string { return []string{"localhost-recovery"} },
},
Expand All @@ -518,8 +521,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 60 * defaultRotationDay,
Refresh: 30 * defaultRotationDay,
Validity: 2 * monthPeriod,
Refresh: monthPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -545,8 +548,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-controller-manager'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ClientRotation{
UserInfo: &user.DefaultInfo{Name: "system:kube-controller-manager"},
Expand All @@ -570,8 +573,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 60 * defaultRotationDay,
Refresh: 30 * defaultRotationDay,
Validity: 2 * monthPeriod,
Refresh: monthPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -597,8 +600,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-scheduler'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ClientRotation{
UserInfo: &user.DefaultInfo{Name: "system:kube-scheduler"},
Expand All @@ -622,8 +625,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 60 * defaultRotationDay,
Refresh: 30 * defaultRotationDay,
Validity: 2 * monthPeriod,
Refresh: monthPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -649,8 +652,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ClientRotation{
UserInfo: &user.DefaultInfo{Name: "system:control-plane-node-admin", Groups: []string{"system:masters"}},
Expand All @@ -674,8 +677,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 60 * defaultRotationDay,
Refresh: 30 * defaultRotationDay,
Validity: 2 * monthPeriod,
Refresh: monthPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand All @@ -701,8 +704,8 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 30 * rotationDay,
Refresh: 15 * rotationDay,
Validity: monthPeriod,
Refresh: monthPeriod / 2,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ClientRotation{
UserInfo: &user.DefaultInfo{Name: "system:serviceaccount:openshift-kube-apiserver:check-endpoints"},
Expand All @@ -726,10 +729,10 @@ func newCertRotationController(
JiraComponent: "kube-apiserver",
AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
},
Validity: 1 * 365 * defaultRotationDay,
Validity: yearPeriod,
// Refresh set to 80% of the validity.
// This range is consistent with most other signers defined in this pkg.
Refresh: 292 * defaultRotationDay,
Refresh: tenMonthPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
Expand Down Expand Up @@ -758,9 +761,9 @@ func newCertRotationController(
// This needs to live longer then control plane certs so there is high chance that if a cluster breaks
// because of expired certs these are still valid to use for collecting data using localhost-recovery
// endpoint with long lived serving certs for localhost.
Validity: 2 * 365 * defaultRotationDay,
Validity: 2 * yearPeriod,
// We rotate sooner so certs are always valid for 90 days (30 days more then kube-control-plane-signer)
Refresh: 30 * defaultRotationDay,
Refresh: monthPeriod,
RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
CertCreator: &certrotation.ClientRotation{
UserInfo: &user.DefaultInfo{
Expand Down
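Review bot: `foreverPeriod := 10 * yearPeriod` is evaluated before the `FeatureShortCertRotation` override reassigns `yearPeriod`, so with the gate on the signer `Validity: foreverPeriod` stays at ten years while `Refresh: 8 * yearPeriod` drops to 12 hours, and the "rotation will be after 8y, it means we effectively do not rotate" comments on those signers no longer hold in that mode. That looks intended for a short-rotation gate, but it rests on statement order and nothing says so; I'd put above the override block `// foreverPeriod is deliberately computed before this override so signer validity stays at 10y; only refresh intervals shrink. In this mode yearPeriod is no longer 12*monthPeriod.` The same caveat applies to the "Refresh set to 80% of the validity" comments, which are true only for the default periods (60 of 90 minutes is 66%), and to the "always valid for 90 days" comment near the end of the section. newCertRotationController starts and ends outside the visible hunks.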
