From 83ccdee9e2d7ed49b380e19e61d49632429638e6 Mon Sep 17 00:00:00 2001
From: Vadim Rutkovsky
Date: Mon, 5 Aug 2024 13:59:53 +0200
Subject: [PATCH] certrotationcontroller: use custom periods when ShortCertRotation is enabled

---
 .../certrotationcontroller.go | 109 +++++++++---------
 1 file changed, 56 insertions(+), 53 deletions(-)

diff --git a/pkg/operator/certrotationcontroller/certrotationcontroller.go b/pkg/operator/certrotationcontroller/certrotationcontroller.go
index c100e7b686..4e2e68d78b 100644
--- a/pkg/operator/certrotationcontroller/certrotationcontroller.go
+++ b/pkg/operator/certrotationcontroller/certrotationcontroller.go
@@ -26,9 +26,6 @@ import (
 "github.com/openshift/library-go/pkg/operator/v1helpers"
 )
-// defaultRotationDay is the default rotation base for all cert rotation operations.
-const defaultRotationDay = 24 * time.Hour
-
 type CertRotationController struct {
 certRotators []factory.Controller
@@ -119,14 +116,20 @@ func newCertRotationController(
 configInformer.Config().V1().Networks().Informer().AddEventHandler(ret.serviceHostnameEventHandler())
 configInformer.Config().V1().Infrastructures().Informer().AddEventHandler(ret.externalLoadBalancerHostnameEventHandler())
-rotationDay := defaultRotationDay
+monthPeriod := time.Hour * 24 * 30
+yearPeriod := monthPeriod * 12
+tenMonthPeriod := monthPeriod * 10
+foreverPeriod := 10 * yearPeriod
+
 featureGates, err := featureGateAccessor.CurrentFeatureGates()
 if err != nil {
 return nil, fmt.Errorf("unable to get FeatureGates: %w", err)
 }
 if featureGates.Enabled(features.FeatureShortCertRotation) {
-rotationDay = time.Minute
+monthPeriod = 45 * time.Minute
+yearPeriod = 90 * time.Minute
+tenMonthPeriod = 60 * time.Minute
 }
 certRotator := certrotation.NewCertRotationController(
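Review bot: In the gated branch `foreverPeriod` is never reassigned, so it keeps its ungated value of `10 * yearPeriod` (3600 days) while `yearPeriod` itself drops to 90 minutes; every signer configured as `Validity: foreverPeriod` with `Refresh: 8 * yearPeriod` (the hunks at -243, -297, -352, -407, -462 and -490) therefore ends up with a ~10-year validity and a 12-hour refresh when ShortCertRotation is on, and the `// Given that in this case rotation will be after 8y, // it means we effectively do not rotate.` comments on those signers no longer hold. If rapid rotation of those long-lived signers under the gate is intended, those comments should say so; if not, the derived value should be recomputed after the override, e.g. `foreverPeriod = 10 * yearPeriod` as the last line of the `if featureGates.Enabled(...)` block, which also preserves the documented 80% refresh ratio. Either way a short comment on the four `:=` lines stating which values the gate overrides would help the next reader. newCertRotationController continues past the end of this hunk.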
@@ -138,8 +141,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions openshift-apiserver'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -165,8 +168,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions openshift-apiserver'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ClientRotation{
 UserInfo: &user.DefaultInfo{Name: "system:openshift-aggregator"},
@@ -190,10 +193,10 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] Kubectl logs logs should be able to retrieve and filter logs [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 },
-Validity: 1 * 365 * defaultRotationDay, // this comes from the installer
+Validity: yearPeriod, // this comes from the installer
 // Refresh set to 80% of the validity.
 // This range is consistent with most other signers defined in this pkg.
-Refresh: 292 * defaultRotationDay,
+Refresh: tenMonthPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -219,8 +222,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] Kubectl logs logs should be able to retrieve and filter logs [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ClientRotation{
 UserInfo: &user.DefaultInfo{Name: "system:kube-apiserver", Groups: []string{"kube-master"}},
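Review bot: `Validity: yearPeriod` is 12 × 30 = 360 days, whereas the removed line and the retained `// this comes from the installer` comment refer to 365 days, so the ungated value silently changes and no longer matches what the comment claims to mirror; the -726 hunk has the same issue. `Refresh: tenMonthPeriod` is 300/360 ≈ 83% ungated and 60/90 ≈ 67% under ShortCertRotation, so the `// Refresh set to 80% of the validity.` comment above it is no longer accurate either (the old 292 days was 80% of 365). Either define `yearPeriod := 365 * 24 * time.Hour` with `tenMonthPeriod` derived as 80% of it, or update both comments to state the new figures and that they differ from the installer's. The enclosing function continues outside this hunk.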
@@ -243,12 +246,12 @@ func newCertRotationController(
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
 JiraComponent: "kube-apiserver",
 },
-Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
+Validity: foreverPeriod, // this comes from the installer
 // Refresh set to 80% of the validity.
 // This range is consistent with most other signers defined in this pkg.
 // Given that in this case rotation will be after 8y,
 // it means we effectively do not rotate.
-Refresh: 8 * 365 * defaultRotationDay,
+Refresh: 8 * yearPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -273,8 +276,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ServingRotation{
 Hostnames: func() []string { return []string{"localhost", "127.0.0.1"} },
@@ -297,12 +300,12 @@ func newCertRotationController(
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
 JiraComponent: "kube-apiserver",
 },
-Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
+Validity: foreverPeriod, // this comes from the installer
 // Refresh set to 80% of the validity.
 // This range is consistent with most other signers defined in this pkg.
 // Given that in this case rotation will be after 8y,
 // it means we effectively do not rotate.
-Refresh: 8 * 365 * defaultRotationDay,
+Refresh: 8 * yearPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -327,8 +330,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ServingRotation{
 Hostnames: ret.serviceNetwork.GetHostnames,
@@ -352,12 +355,12 @@ func newCertRotationController(
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
 JiraComponent: "kube-apiserver",
 },
-Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
+Validity: foreverPeriod, // this comes from the installer
 // Refresh set to 80% of the validity.
 // This range is consistent with most other signers defined in this pkg.
 // Given that in this case rotation will be after 8y,
 // it means we effectively do not rotate.
-Refresh: 8 * 365 * defaultRotationDay,
+Refresh: 8 * yearPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -382,8 +385,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ServingRotation{
 Hostnames: ret.externalLoadBalancer.GetHostnames,
@@ -407,12 +410,12 @@ func newCertRotationController(
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
 JiraComponent: "kube-apiserver",
 },
-Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
+Validity: foreverPeriod, // this comes from the installer
 // Refresh set to 80% of the validity.
 // This range is consistent with most other signers defined in this pkg.
 // Given that in this case rotation will be after 8y,
 // it means we effectively do not rotate.
-Refresh: 8 * 365 * defaultRotationDay,
+Refresh: 8 * yearPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -437,8 +440,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[bz-kube-apiserver] kube-apiserver should be accessible by clients using internal load balancer without iptables issues'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ServingRotation{
 Hostnames: ret.internalLoadBalancer.GetHostnames,
@@ -462,12 +465,12 @@ func newCertRotationController(
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
 JiraComponent: "kube-apiserver",
 },
-Validity: 10 * 365 * defaultRotationDay, // this comes from the installer
+Validity: foreverPeriod, // this comes from the installer
 // Refresh set to 80% of the validity.
 // This range is consistent with most other signers defined in this pkg.
 // Given that in this case rotation will be after 8y,
 // it means we effectively do not rotate.
-Refresh: 8 * 365 * defaultRotationDay,
+Refresh: 8 * yearPeriod,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
 Client: kubeClient.CoreV1(),
@@ -490,12 +493,12 @@ func newCertRotationController(
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
 JiraComponent: "kube-apiserver",
 },
-Validity: 10 * 365 * defaultRotationDay,
+Validity: foreverPeriod,
 // Refresh set to 80% of the validity.
 // This range is consistent with most other signers defined in this pkg.
 // Given that in this case rotation will be after 8y,
 // it means we effectively do not rotate.
-Refresh: 8 * 365 * defaultRotationDay,
+Refresh: 8 * yearPeriod,
 CertCreator: &certrotation.ServingRotation{
 Hostnames: func() []string { return []string{"localhost-recovery"} },
 },
@@ -518,8 +521,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 60 * defaultRotationDay,
-Refresh: 30 * defaultRotationDay,
+Validity: 2 * monthPeriod,
+Refresh: monthPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -545,8 +548,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-controller-manager'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ClientRotation{
 UserInfo: &user.DefaultInfo{Name: "system:kube-controller-manager"},
@@ -570,8 +573,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 60 * defaultRotationDay,
-Refresh: 30 * defaultRotationDay,
+Validity: 2 * monthPeriod,
+Refresh: monthPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
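Review bot: The 60-day signers in this hunk and in the -570, -622 and -674 hunks previously used `defaultRotationDay`, which the ShortCertRotation gate never touched, while only the 30-day certs used the gated `rotationDay`; rewriting them as `2 * monthPeriod` / `monthPeriod` brings these signers under the gate for the first time (90/45 minutes when enabled). The removed code looks like a deliberate exclusion, so if the widening is intended it deserves a mention in the commit message and a comment on the `Validity:` line such as `// also shortened under ShortCertRotation`; if not, keep them on a fixed duration. The enclosing function continues outside this hunk.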
@@ -597,8 +600,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-scheduler'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ClientRotation{
 UserInfo: &user.DefaultInfo{Name: "system:kube-scheduler"},
@@ -622,8 +625,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 60 * defaultRotationDay,
-Refresh: 30 * defaultRotationDay,
+Validity: 2 * monthPeriod,
+Refresh: monthPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -649,8 +652,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ClientRotation{
 UserInfo: &user.DefaultInfo{Name: "system:control-plane-node-admin", Groups: []string{"system:masters"}},
@@ -674,8 +677,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 60 * defaultRotationDay,
-Refresh: 30 * defaultRotationDay,
+Validity: 2 * monthPeriod,
+Refresh: monthPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -701,8 +704,8 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 30 * rotationDay,
-Refresh: 15 * rotationDay,
+Validity: monthPeriod,
+Refresh: monthPeriod / 2,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ClientRotation{
 UserInfo: &user.DefaultInfo{Name: "system:serviceaccount:openshift-kube-apiserver:check-endpoints"},
@@ -726,10 +729,10 @@ func newCertRotationController(
 JiraComponent: "kube-apiserver",
 AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
-Validity: 1 * 365 * defaultRotationDay,
+Validity: yearPeriod,
 // Refresh set to 80% of the validity.
 // This range is consistent with most other signers defined in this pkg.
-Refresh: 292 * defaultRotationDay,
+Refresh: tenMonthPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().Secrets().Lister(),
@@ -758,9 +761,9 @@ func newCertRotationController(
 // This needs to live longer then control plane certs so there is high chance that if a cluster breaks
 // because of expired certs these are still valid to use for collecting data using localhost-recovery
 // endpoint with long lived serving certs for localhost.
-Validity: 2 * 365 * defaultRotationDay,
+Validity: 2 * yearPeriod,
 // We rotate sooner so certs are always valid for 90 days (30 days more then kube-control-plane-signer)
-Refresh: 30 * defaultRotationDay,
+Refresh: monthPeriod,
 RefreshOnlyWhenExpired: refreshOnlyWhenExpired,
 CertCreator: &certrotation.ClientRotation{
 UserInfo: &user.DefaultInfo{