From f121f39e4ce62e836e3eb33fdcc8fa14eed162c3 Mon Sep 17 00:00:00 2001 From: Joe Nathan Abellard Date: Fri, 28 Feb 2025 08:22:12 -0500 Subject: [PATCH 1/3] Add design doc Signed-off-by: Joe Nathan Abellard --- .../custom-leaf-cert-validity/README.md | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md diff --git a/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md b/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md new file mode 100644 index 000000000..c68cd9d10 --- /dev/null +++ b/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md 
@@ -0,0 +1,78 @@ +--- +title: Support to Configure Leaf Certificate Validity Period in Karmada Operator +authors: +- "@jabellard" +reviewers: +- "@RainbowMango" +approvers: +- "@RainbowMango" + +creation-date: 2025-02-28 + +--- + +# Support to Configure Leaf Certificate Validity Period in Karmada Operator + +## Summary + +This proposal aims to extend the Karmada operator with support for configuring the validity period of leaf certificates (e.g., API server certificate). By allowing users to specify the validity period in days, this feature provides flexibility to align with organizational security policies and certificate management practices. + +## Motivation + +In scenarios where security policies require frequent rotation of certificates, the ability to configure the validity period of leaf certificates is essential. This feature ensures that the Karmada control plane can adhere to these policies by allowing users to specify a custom validity period for leaf certificates. + +### Goals + +- Allow users to specify the validity period of leaf certificates in days. +- Ensure that the configuration option is optional and defaults to the current behavior if not specified. +- Enable operators to align Karmada control plane PKI with organizational security policies. + +### Non-Goals + +- Change the default behavior of the Karmada operator when no custom validity period is provided. + +## Proposal + +The proposal introduces a new optional field, `LeafCertValidity`, in the `CustomCertificate` struct, where users can specify the validity period of leaf certificates in days. + +### API Changes + +```go +// CustomCertificate holds the configuration for generating the certificate. +type CustomCertificate struct { + // Other, existing fields omitted for brevity + + // LeafCertValidity specifies the validity period of leaf certificates in days. + // If not specified, the default validity period of 1 year will be used. 
+ // +optional + LeafCertValidity *int `json:"leafCertValidity,omitempty"` +} +``` + +### User Stories + +#### Story 1 +As a cloud infrastructure architect, I want to configure the validity period of leaf certificates to comply with my organization's security policies. + + +### Risks and Mitigations + +1. *Incorrect Validity Period*: If the provided validity period is not a positive integer, the control plane setup may fail. + + - *Mitigation*: The operator will validate the provided validity period, ensuring it is a positive integer, and return detailed error messages if the configuration is incorrect. + +2. *Backward Compatibility*: Introducing a custom validity period feature might impact users who do not need or configure this option. + + - *Mitigation*: This feature is fully optional; if no validity period is provided, the operator will default to the current behavior of 1 year, maintaining backward compatibility. + +## Design Details + +The `LeafCertValidity` field in `CustomCertificate` will allow users to specify the validity period of leaf certificates in days. During the reconciliation process, the Karmada operator will: + +- Check if `CustomCertificate.LeafCertValidity` is set. +- If specified: + - Use the provided validity period to derive the `NotAfter` field of the leaf certificate. +- If not specified: + - Default to the current behavior of setting the `NotAfter` field to 1 year from the `NotBefore` field + +This feature requires minimal changes to the reconciliation process and does not impact existing installations that do not specify a custom validity period. \ No newline at end of file From 83fbe65bb386b32a287f6518b2cb0275bea96bf0 Mon Sep 17 00:00:00 2001 From: Joe Nathan Abellard Date: Fri, 28 Feb 2025 14:27:01 -0500 Subject: [PATCH 2/3] Add design doc Signed-off-by: Joe Nathan Abellard --- .../karmada-operator/custom-leaf-cert-validity/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md b/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md index c68cd9d10..c5f2c3e2b 100644 --- a/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md +++ b/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md @@ -38,11 +38,10 @@ The proposal introduces a new optional field, `LeafCertValidity`, in the `Custom ### API Changes ```go -// CustomCertificate holds the configuration for generating the certificate. type CustomCertificate struct { // Other, existing fields omitted for brevity - // LeafCertValidity specifies the validity period of leaf certificates in days. + // LeafCertValidity specifies the validity period of leaf certificates (e.g., API Server certificate) in days. // If not specified, the default validity period of 1 year will be used. // +optional LeafCertValidity *int `json:"leafCertValidity,omitempty"` From 5652025362bc858bb1b3459c5f491d6b0375a151 Mon Sep 17 00:00:00 2001 From: Joe Nathan Abellard Date: Thu, 6 Mar 2025 15:28:05 -0500 Subject: [PATCH 3/3] Address comments Signed-off-by: Joe Nathan Abellard --- .../custom-leaf-cert-validity/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md b/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md index c5f2c3e2b..16eca08f8 100644 --- a/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md +++ b/docs/proposals/karmada-operator/custom-leaf-cert-validity/README.md 
@@ -33,7 +33,7 @@ In scenarios where security policies require frequent rotation of certificates, ## Proposal -The proposal introduces a new optional field, `LeafCertValidity`, in the `CustomCertificate` struct, where users can specify the validity period of leaf certificates in days. +The proposal introduces a new optional field, `LeafCertValidityDays`, in the `CustomCertificate` struct, where users can specify the validity period of leaf certificates in days. ### API Changes @@ -41,10 +41,10 @@ The proposal introduces a new optional field, `LeafCertValidity`, in the `Custom type CustomCertificate struct { // Other, existing fields omitted for brevity - // LeafCertValidity specifies the validity period of leaf certificates (e.g., API Server certificate) in days. + // LeafCertValidityDays specifies the validity period of leaf certificates (e.g., API Server certificate) in days. // If not specified, the default validity period of 1 year will be used. // +optional - LeafCertValidity *int `json:"leafCertValidity,omitempty"` + LeafCertValidityDays *int `json:"leafCertValidityDays,omitempty"` } ``` @@ -66,9 +66,9 @@ As a cloud infrastructure architect, I want to configure the validity period of ## Design Details -The `LeafCertValidity` field in `CustomCertificate` will allow users to specify the validity period of leaf certificates in days. During the reconciliation process, the Karmada operator will: +The `LeafCertValidityDays` field in `CustomCertificate` will allow users to specify the validity period of leaf certificates in days. During the reconciliation process, the Karmada operator will: -- Check if `CustomCertificate.LeafCertValidity` is set. +- Check if `CustomCertificate.LeafCertValidityDays` is set. - If specified: - Use the provided validity period to derive the `NotAfter` field of the leaf certificate. - If not specified:
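Review bot: the "Design Details" section in the new README (patch 1/3) leaves two behaviours undefined that a PKI change needs spelled out: what happens to already-issued leaf certificates when `LeafCertValidity` is added or changed on an existing installation (the "Motivation" section promises support for "frequent rotation", but the reconciliation steps only describe how `NotAfter` is derived at issuance, not whether a changed value triggers re-issuance), and whether the requested period is capped so the leaf's `NotAfter` never exceeds the issuing CA's own `NotAfter`, since a leaf that outlives its CA stops validating the day the CA expires even though its own dates look fine. Suggest adding a short "Rotation" paragraph and a sentence on the CA bound under "Risks and Mitigations". Two small cleanups in the same hunk: the last bullet, `- Default to the current behavior of setting the `NotAfter` field to 1 year from the `NotBefore` field`, is missing its terminal period, and the file is committed without a trailing newline (`\ No newline at end of file`).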
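Review bot: patch 2/3 drops the type's godoc line `-// CustomCertificate holds the configuration for generating the certificate.` while only intending to extend the field comment; nothing in the commit message ("Add design doc") explains the removal, so either restore the doc comment above `type CustomCertificate struct {` or note in the message why it was dropped, since the snippet is presented as the proposed API and a bare exported type reads as an oversight.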
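Review bot: in the "API Changes" hunk of patch 3/3, the rename to `LeafCertValidityDays *int` puts the unit in the name (good), but the field still carries only `// +optional`, so the "positive integer" validation promised in "Risks and Mitigations" would live in reconcile logic and surface only as a failed control plane setup. Suggest adding a `// +kubebuilder:validation:Minimum=1` marker to the field so a zero or negative value is rejected at admission time, and stating in "Design Details" whether the reconciler also enforces the same bound for objects created before the CRD schema was updated.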