Merge pull request #6193 from jabellard/leaf-cert-validatity-imp

Add Support to Configure Leaf Certificate Validity Period in Karmada Operator
2025-03-13 16:48:34 +08:00 · 2025-03-13 16:48:34 +08:00 · 6dfe381395
parent 63ad83dfdd b192c9c0d3
commit 6dfe381395
5 changed files with 32 additions and 0 deletions
--- a/charts/karmada-operator/crds/operator.karmada.io_karmadas.yaml
+++ b/charts/karmada-operator/crds/operator.karmada.io_karmadas.yaml
@ -5197,6 +5197,13 @@ spec:
                          referenced.
                        type: string
                    type: object
+                  leafCertValidityDays:
+                    description: |-
+                      LeafCertValidityDays specifies the validity period of leaf certificates (e.g., API Server certificate) in days.
+                      If not specified, the default validity period of 1 year will be used.
+                    format: int32
+                    minimum: 1
+                    type: integer
                type: object
              featureGates:
                additionalProperties:
--- a/operator/config/crds/operator.karmada.io_karmadas.yaml
+++ b/operator/config/crds/operator.karmada.io_karmadas.yaml
@ -5197,6 +5197,13 @@ spec:
                          referenced.
                        type: string
                    type: object
+                  leafCertValidityDays:
+                    description: |-
+                      LeafCertValidityDays specifies the validity period of leaf certificates (e.g., API Server certificate) in days.
+                      If not specified, the default validity period of 1 year will be used.
+                    format: int32
+                    minimum: 1
+                    type: integer
                type: object
              featureGates:
                additionalProperties:
--- a/operator/pkg/apis/operator/v1alpha1/type.go
+++ b/operator/pkg/apis/operator/v1alpha1/type.go
@ -133,6 +133,12 @@ type CustomCertificate struct {
 	// all components that access the APIServer as clients.
 	// +optional
 	APIServerCACert *LocalSecretReference `json:"apiServerCACert,omitempty"`
+
+	// LeafCertValidityDays specifies the validity period of leaf certificates (e.g., API Server certificate) in days.
+	// If not specified, the default validity period of 1 year will be used.
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	LeafCertValidityDays *int32 `json:"leafCertValidityDays,omitempty"`
 }

 // ImageRegistry represents an image registry as well as the
--- a/operator/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go
+++ b/operator/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go
@ -114,6 +114,11 @@ func (in *CustomCertificate) DeepCopyInto(out *CustomCertificate) {
 		*out = new(LocalSecretReference)
 		**out = **in
 	}
+	if in.LeafCertValidityDays != nil {
+		in, out := &in.LeafCertValidityDays, &out.LeafCertValidityDays
+		*out = new(int32)
+		**out = **in
+	}
 	return
 }

--- a/operator/pkg/tasks/init/cert.go
+++ b/operator/pkg/tasks/init/cert.go
@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"time"

 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientset "k8s.io/client-go/kubernetes"
@ -200,5 +201,11 @@ func mutateCertConfig(data InitData, cc *certs.CertConfig) error {
 		}
 	}

+	if data.CustomCertificate().LeafCertValidityDays != nil {
+		certValidityDuration := time.Hour * 24 * time.Duration(*data.CustomCertificate().LeafCertValidityDays)
+		notAfter := time.Now().Add(certValidityDuration).UTC()
+		cc.NotAfter = &notAfter
+	}
+
 	return nil
 }