

certgen: parameterize gRPC certificate lifetime
Introduced a new `--certificate-lifetime` flag to set the
validity duration of the gRPC certificates used for the TLS connection between
Contour and Envoy.

This fixes #2023.
This fixes #2017.

Signed-off-by: Tero Saarni <[email protected]>
tsaarni authored and jpeach committed Jan 8, 2020
1 parent 41f47ab commit c1574ae
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion cmd/contour/certgen.go
Expand Up @@ -36,6 +36,8 @@ func registerCertGen(app *kingpin.Application) (*kingpin.CmdClause, *certgenConf
certgenApp.Flag("kubeconfig", "path to kubeconfig (if not in running inside a cluster)").Default(filepath.Join(os.Getenv("HOME"), ".kube", "config")).StringVar(&certgenConfig.KubeConfig)
certgenApp.Flag("namespace", "Kubernetes namespace, used for Kube objects").Default("projectcontour").Envar("CONTOUR_NAMESPACE").StringVar(&certgenConfig.Namespace)
certgenApp.Arg("outputdir", "Directory to output any files to").Default("certs").StringVar(&certgenConfig.OutputDir)
// NOTE: --certificate-lifetime can be used to accept Duration string once certificate rotation is supported.
certgenApp.Flag("certificate-lifetime", "Generated certificate lifetime (in days)").Default("365").UintVar(&certgenConfig.Lifetime)

return certgenApp, &certgenConfig
}
Expand Down Expand Up @@ -63,13 +65,16 @@ type certgenConfig struct {

// OutputPEM means that the certs generated will be output as PEM files in the current directory.
OutputPEM bool

// Lifetime is the number of days for which certificates will be valid.
Lifetime uint
}

// GenerateCerts performs the actual cert generation steps and then returns the certs for the output function.
func GenerateCerts(certConfig *certgenConfig) (map[string][]byte, error) {

now := time.Now()
expiry := now.Add(24 * 365 * time.Hour)
expiry := now.Add(24 * time.Duration(certConfig.Lifetime) * time.Hour)
caCertPEM, caKeyPEM, err := certgen.NewCA("Project Contour", expiry)
if err != nil {
return nil, err
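Review bot: The new `Lifetime` value reaches `time.Duration(certConfig.Lifetime)` on the expiry line without any range check, so `--certificate-lifetime=0` yields a CA and leaf certificates whose NotAfter equals their issuance time, and a value above 106751 days overflows `time.Duration` (int64 nanoseconds) into a negative span, producing NotAfter earlier than NotBefore. Rejecting those inputs before `certgen.NewCA` is called is cheap: `if certConfig.Lifetime == 0 || certConfig.Lifetime > 106751 { return nil, fmt.Errorf("certificate lifetime must be between 1 and 106751 days, got %d", certConfig.Lifetime) }` (use `errors.New` with a fixed message if this file does not import `fmt`). The bound is worth a short comment, e.g. `// 106751 days is the largest value 24*h*Lifetime can hold in a time.Duration.`, since the constant is not self-explanatory. The flag help in the first hunk could also state the accepted range so operators see it in `--help`. `GenerateCerts` continues past the end of the hunk.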

