✨ Add CertificateValidityPeriod and CACertificateValidityPeriod to KubeadmConfig

[Karthik-K-N]

What this PR does / why we need it:

Adds CertificateValidityPeriod and CACertificateValidityPeriod to KubeadmConfig

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #12289

/area provider/bootstrap-kubeadm

[Karthik-K-N]

/hold

Added CertificateValidityPeriod to KubeadmConfig if the changes (especially conversions) are in right direction will do the similar changes for CACertificateValidityPeriod as well.

@sbueringer Please let me know your opinion. Thanks.

[Karthik-K-N]

Added both the fields, Need to make changes to honor those fields while generating CA.

[sbueringer]

@Karthik-K-N Sorry can you rebase again? I think now we got all PRs merged for now. I'll look into the PR afterwards

[Karthik-K-N]

@Karthik-K-N Sorry can you rebase again? I think now we got all PRs merged for now. I'll look into the PR afterwards

No issues, Thanks, I just rebased the PR, I have added both the fields with their conversions, I will just try to work on how to use these fields while generating certificate

[Karthik-K-N]

/hold cancel

Ready for initial review, UT is pending

[sbueringer]

/test pull-cluster-api-verify-main
/test pull-cluster-api-e2e-main

[sbueringer]

Thank you for working on this

[sbueringer]

This can be changed to time.Days when we change the fields on the v1beta2 api to *Days

Please check if max of c.Int31() * time.Days is already more than max of Duration. Then we don't have to do anything here.

We only had to add this for other cases because it was possible to have a Duration which was to high to be converted to Seconds int32

[Karthik-K-N]

Since there is no built in methods in time package to use time.Days(), I was facing round trip errors while converting hours to Days back and forth due to round off of minute field.
So added this way to always get whole hours rather than in minutes.

Please suggest if there are any better ways to handle this.

[JoelSpeed]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: e5fdec0cee28873da6d595d3c1e08f0db9640aba

[sbueringer]

Will try to take another look soon (I currently assume worst case next week)

[sbueringer]

@Karthik-K-N Can you rebase the PR please? :) I'll review directly afterwards

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from joelspeed. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Karthik-K-N]

@Karthik-K-N Can you rebase the PR please? :) I'll review directly afterwards

Done. Thanks

[sbueringer]

/test pull-cluster-api-e2e-main

[sbueringer]

Thank you very much!

[sbueringer]

Suggested change

	// If not specified, kubeadm will use a default of 3650 days (10 years).
	// If not specified, kubeadm will use a default of 365 days (1 year).

[sbueringer]

Suggested change

	// +kubebuilder:validation:Maximum=10950
	// +kubebuilder:validation:Maximum=1095

APIserver won't survive more than 3 years + 1 day => See kubernetes/kubernetes#130047 (comment)

[sbueringer]

Suggested change

	// caCertificateValidityPeriodDays specifies the validity period for a CA certificate generated by kubeadm.
	// caCertificateValidityPeriodDays specifies the validity period for CA certificates generated by kubeadm.

[sbueringer]

Suggested change

	// certificateValidityPeriodDays specifies the validity period for a non-CA certificate generated by kubeadm.
	// certificateValidityPeriodDays specifies the validity period for non-CA certificates generated by kubeadm.

[sbueringer]

Suggested change

	// +kubebuilder:validation:Maximum=10950
	// +kubebuilder:validation:Maximum=36500

Let's use 100 years instead of 30 years. Rotating CA certificates is very painful today.

[sbueringer]

Suggested change

	// +optional
	// This field is only supported with Kubernetes v1.31 or above.
	// +optional

(This only applies to this field, as the other field is implemented by CAPI controllers)

[sbueringer]

I assume this avoids an overflow in metav1.Duration. Can we use this instead?

	obj.CertificateValidityPeriodDays = c.Int31n(3 * 365 + 1)
	obj.CACertificateValidityPeriodDays = c.Int31n(100 * 365 + 1)

This limits the days to our supported min/max range

[sbueringer]

Similar here. Should we use this?

	obj.CertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31n(3*365)+1) * time.Hour * 24})
	obj.CACertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31n(100*365)+1) * time.Hour * 24})

Currently we only use 1-24 days

[sbueringer]

Let's also set this and CACertificateValidityPeriodDays in before please

[sbueringer]

Suggested change

	// If not specified, kubeadm will use a default of 3650 days (10 years).
	// If not specified, Cluster API will use a default of 3650 days (10 years).
	// This field cannot be modified.

(It is us in this case, not kubeadm)

[sbueringer]

We need additional validation (+ corresponding test coverage)

validateRolloutBefore:

• If rolloutBefore.CertificatesExpiryDays is set we have to ensure certificateValidityPeriodDays > rolloutBefore.CertificatesExpiryDays.
• Otherwise control plane Machines are continuously rolled out because the cert expires too soon
• Example: CertificatesExpiryDays is 14 and certificateValidityPeriodDays is 10 => certs will only be valid for 10 days, rolloutBefore triggers because certs are valid <= 14 days

validateKubeadmControlPlaneSpec

• CertificateValidityPeriodDays <= CACertificateValidityPeriodDays
  • if CACertificateValidityPeriodDays is not set (==0) CertificateValidityPeriodDays <= the default value for CACertificateValidityPeriodDays

[sbueringer]

[had to put the comment somewhere]

I tested changes to certificateValidityPeriodDays, unfortunately it doesn't work as expected

A change to certificateValidityPeriodDays triggers a rollout but new Machines are not using the new value of certificateValidityPeriodDays.

I think we have to update the kubeadm-config ConfigMap in the wl cluster so kubeadm picks up the change.

We should add a new mutator somewhere around here:

cluster-api/controlplane/kubeadm/internal/controllers/upgrade.go

Line 69 in 686d66b

workloadCluster.UpdateImageRepositoryInKubeadmConfigMap(imageRepository),

This can be implemented similar to UpdateImageRepositoryInKubeadmConfigMap (please also add test coverage). I think we can simply set whatever is set on controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays.

Let me know if you have any questions :)

[k8s-ci-robot]

@Karthik-K-N: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cluster-api-e2e-main	9582a44	link	true	/test pull-cluster-api-e2e-main

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[sbueringer]

Re: https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/kubernetes-sigs_cluster-api/12335/pull-cluster-api-e2e-main/1942878337315639296

e2e tests are fine, the one failure is currently expected

[Karthik-K-N]

Addressed all the review comments, Please take a look. Please let me know if I need to add any more test cases. thanks