feature request: Add custom renewal time for certificates

[transfaeries]

It'd be useful to give people more control over when certificates renew rather than a constant 30 days before expiry. Shorter times would be useful for testing, and in general people or companies could choose a different interval to match their own schedule.

At the moment the time to renewal is set as a constant in pkg/controller/certificates/sync.go

const renewBefore = time.Hour * 24 * 30

It subtracts this number from the expiry date and renews if the result is less than 0

durationUntilExpiry := cert.NotAfter.Sub(time.Now())
renewIn := durationUntilExpiry - renewBefore
if renewIn <= 0 {
	err := c.renew(ctx, i, crtCopy)
	...
 }

I propose that the user should be allowed to provide their own renewIn as an annotation on the ingress or a field in the certificate issue. In the form of a string "00d00h00m".

The tricky thing is, since as of now the code relies on a fixed timestamp on the certificate to count down the hours until renewal. A variable renewal time would have to be stored somewhere. Possibly as a field on the certificate resource.

Basically the program would take this string, convert it into a duration, subtract that duration from the expiry date, and store this as a renewBefore. So for instance if the user provides 15d00h00m. For a certificate that expires in 90 days renewBefore should be set to
90 days - 15 days = 75 days. So we'd store 75*time.Hour*24 + 0*time.Hour + 0*time.Minute or as a string 75d00h00m

So then every time the controller checks if it should renew instead of subtracting the constant time.Hour * 24 * 30 it would get the custom duration and subtract that.

I've started writing some of this code, but I'm having trouble figuring out a) how to read from an annotation and pass it onto pkg/controller/certificates/sync.go b) how to read and write from the certificate resource for pkg/controller/certificates/sync.go

I also wonder if other people might not have a better way to do this. This is just what I figured would be one way to do it that leaves most of the existing code untouched.

/kind feature

[munnerz]

#292 adds this feature, although it is set on a per-issuer basis (i.e. we add a renewBefore and duration field to the issuer, and all certificates issued by that issuer will have the specified renewBefore/duration)

[munnerz]

More info: https://github.com/jetstack/cert-manager/pull/292/files#diff-710fc1fd847b7804eea67a91b26b0d5bR82

[transfaeries]

wow, thanks for the mega quick reply. I'll look through that Pull Request and see if it has what I need.

[retest-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[munnerz]

/remove-lifecycle stale
/lifecycle frozen

[munnerz]

This has been completed in #893 😄