Support setting CA validity duration via unsupportedConfigOverrides #85
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
marun
force-pushed
the
ca-validity-duration
branch
from
0022f25
to
c9a9bae
Compare
|
Rebased and ready for review |
marun
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
marun
force-pushed
the
ca-validity-duration
branch
4 times, most recently
from
e009dae
to
747b4d3
Compare
| return caConfig, nil | ||
| } | ||
| // operator-go's cert generation only accepts an expiry in days. To | ||
| // ensure support for all validity durations, even those less than a |
There was a problem hiding this comment.
I don't see value in durations < 1 day, just stick to what library-go does and pass the duration in days directly to it. The API ValidityDuration: certificate validity in seconds does not sound very user friendly, either.
There was a problem hiding this comment.
Having a flexible initial expiry is required to support validating that cert expiry is handled correctly in the context of a periodic job that takes less than a day to execute (see the description of the proposed rotation job). Exploratory testing has a similar requirement. If qa or someone else wants to see what happens when a cert expires, I think it makes sense to allow the specification of the appropriate interval (likely in minutes or hours) rather than forcing them to wait a whole day or depend on clock manipulation.
So, there is a requirement. And if this repo is the only one that requires it, I'm not sure why that suggests the effort of updating library-go (especially for an unsupported api).
To your point, though, it is not great UX for a general-purpose option to set the CA expiry in at most hours (since that's the maximum granularity that Duration supports). I think that suggests changing the name to ValidityDurationForTesting and maybe limiting the scope of the option to the initial cert (or manual rotation, since that's the same code path). If we are required to support custom cert duration for production use in the future, we could add a separate option specified in days. WDYT?
| @@ -16,7 +16,7 @@ import ( | |||
| ) | |||
|
|
|||
| const ( | |||
| signingCertificateLifetimeInDays = 365 // 1 year | |||
| SigningCertificateLifetimeInDays = 365 // 1 year | |||
There was a problem hiding this comment.
If someone in the future changes this to var, I will eat them
|
/test e2e-aws-operator |
| // provided duration is greater than zero. If an error occurs or the duration is | ||
| // zero, the original CA is returned. | ||
| func maybeUpdateExpiry(caConfig *crypto.TLSCertificateConfig, duration time.Duration) (*crypto.TLSCertificateConfig, error) { | ||
| if duration.Nanoseconds() == 0 { |
There was a problem hiding this comment.
isn’t there duration.IsZero?
There was a problem hiding this comment.
Doh. Done.
Time.IsZero is a thing. Duration.IsZero is not.
| // reason indicates why a rotation of the signing CA should be forced. If the | ||
| // reason is not empty and has not been recorded as an annotation on the signing | ||
| // secret, the rotation of the signing CA will be triggered at most once. | ||
| // +optional | ||
| Reason string `json:"reason"` |
There was a problem hiding this comment.
So you do not share @stlaz's concerns regarding ValidityDuration being specified in at most hours?
There was a problem hiding this comment.
Probably >= 1h makes sense. So either document the minimum or switch to hours as integer.
There was a problem hiding this comment.
What would be the value in switching to an integer representing hours given that metav1.Duration supports providing a time in hours (e.g. 1h) and supporting a duration in minutes (e.g. 20m) is potentially useful for testing?
There was a problem hiding this comment.
See @liggitt's talk at contributor summit: metav1.Duration is considered a failure.
There was a problem hiding this comment.
I don't see the video up yet, but I'm assuming you're suggesting that metav1.Duration not be used? That reinforces my suggestion for ValidityDurationForTesting and denominating it in minutes. If ValidityDuration becomes a thing to set the CA expiry for production use, it would likely be in days.
There was a problem hiding this comment.
ValidityDurationForTesting is fine with me as well. Let's decide and move forward.
There was a problem hiding this comment.
I've update the name to ValidityDurationForTesting and left it as metav1.Duration, hopefully that makes sense for you.
pkg/operator/rotate.go
Outdated
| // Set a custom expiry if one was provided | ||
| signingCA.config, err = maybeUpdateExpiry(signingCA.config, serviceCAConfig.CAConfig.ValidityDuration) | ||
| if err != nil { | ||
| return "", fmt.Errorf("Error renewing ca for custom duration: %v", err) |
|
/approve |
openshift-ci-robot
added
the
approved
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
marun
force-pushed
the
ca-validity-duration
branch
from
747b4d3
to
98eae94
Compare
|
/hold cancel Updated a couple of error messages in latest push, nothing functional. |
openshift-ci-robot
removed
the
do-not-merge/hold
|
Sgtm overall (would switch to hours). |
marun
force-pushed
the
ca-validity-duration
branch
from
98eae94
to
3cd3ae3
Compare
|
/retest |
1 similar comment
|
/retest |
|
/lgtm |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
This is intended to support testing of rotation compatibility.
marun
force-pushed
the
ca-validity-duration
branch
from
3cd3ae3
to
0852211
Compare
|
Rebased |
|
/retest |
1 similar comment
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: marun, stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Setting the duration of CA validity allows setting a short duration to test operator compatibility with CA rotation.
This PR is required by the proposed periodic rotation compatibility job: openshift/release#5930