cert refresh: use the specified ttl and SAN

The requested expiry date and extra SANs are currently ignored when refreshing worker node certificates. There's a TODO and a hard-coded 10y expiry date. This commit ensures that the specified expiry date and Subject Alternative Name are properly passed and applied.
canonical · Oct 30, 2024 · 206c597 · 206c597
1 parent 2cd7f6b
commit 206c597
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 11 deletions.
diff --git a/src/k8s/pkg/k8sd/api/certificates_refresh.go b/src/k8s/pkg/k8sd/api/certificates_refresh.go
@@ -229,6 +229,13 @@ func refreshCertsRunWorker(s state.State, r *http.Request, snap snap.Snap) respo
 		return response.InternalError(fmt.Errorf("failed to load k8sd public key, error: %w", err))
 	}
 
+	hostnames := []string{snap.Hostname()}
+	ips := []net.IP{net.ParseIP(s.Address().Hostname())}
+
+	extraIPs, extraNames := utils.SplitIPAndDNSSANs(req.ExtraSANs)
+	hostnames = append(hostnames, extraNames...)
+	ips = append(ips, extraIPs...)
+
 	g, ctx := errgroup.WithContext(r.Context())
 
 	for _, csr := range []struct {
@@ -247,8 +254,8 @@ func refreshCertsRunWorker(s state.State, r *http.Request, snap snap.Snap) respo
 			commonName:   fmt.Sprintf("system:node:%s", snap.Hostname()),
 			organization: []string{"system:nodes"},
 			usages:       []certv1.KeyUsage{certv1.UsageDigitalSignature, certv1.UsageKeyEncipherment, certv1.UsageServerAuth},
-			hostnames:    []string{snap.Hostname()},
-			ips:          []net.IP{net.ParseIP(s.Address().Hostname())},
+			hostnames:    hostnames,
+			ips:          ips,
 			signerName:   "k8sd.io/kubelet-serving",
 			certificate:  &certificates.KubeletCert,
 			key:          &certificates.KubeletKey,
@@ -298,6 +305,8 @@ func refreshCertsRunWorker(s state.State, r *http.Request, snap snap.Snap) respo
 			}
 			signatureB64 := base64.StdEncoding.EncodeToString(signature)
 
+			expirationSeconds := int32(req.ExpirationSeconds)
+
 			if _, err = client.CertificatesV1().CertificateSigningRequests().Create(ctx, &certv1.CertificateSigningRequest{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: csr.name,
@@ -307,9 +316,10 @@ func refreshCertsRunWorker(s state.State, r *http.Request, snap snap.Snap) respo
 					},
 				},
 				Spec: certv1.CertificateSigningRequestSpec{
-					Request:    []byte(csrPEM),
-					Usages:     csr.usages,
-					SignerName: csr.signerName,
+					Request:           []byte(csrPEM),
+					ExpirationSeconds: &expirationSeconds,
+					Usages:            csr.usages,
+					SignerName:        csr.signerName,
 				},
 			}, metav1.CreateOptions{}); err != nil {
 				return fmt.Errorf("failed to create CSR for %s: %w", csr.name, err)

diff --git a/src/k8s/pkg/k8sd/controllers/csrsigning/reconcile.go b/src/k8s/pkg/k8sd/controllers/csrsigning/reconcile.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/canonical/k8s/pkg/utils"
 	pkiutil "github.com/canonical/k8s/pkg/utils/pki"
 	certv1 "k8s.io/api/certificates/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -96,6 +97,15 @@ func (r *csrSigningReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, err
 	}
 
+	notBefore := time.Now()
+	var notAfter time.Time
+
+	if obj.Spec.ExpirationSeconds != nil {
+		notAfter = utils.SecondsToExpirationDate(notBefore, int(*obj.Spec.ExpirationSeconds))
+	} else {
+		notAfter = time.Now().AddDate(10, 0, 0)
+	}
+
 	var crtPEM []byte
 	switch obj.Spec.SignerName {
 	case "k8sd.io/kubelet-serving":
@@ -114,8 +124,8 @@ func (r *csrSigningReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 				CommonName:   obj.Spec.Username,
 				Organization: obj.Spec.Groups,
 			},
-			NotBefore:             time.Now(),
-			NotAfter:              time.Now().AddDate(10, 0, 0), // TODO: expiration date from obj, or config
+			NotBefore:             notBefore,
+			NotAfter:              notAfter,
 			IPAddresses:           certRequest.IPAddresses,
 			DNSNames:              certRequest.DNSNames,
 			BasicConstraintsValid: true,
@@ -149,8 +159,8 @@ func (r *csrSigningReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 				CommonName:   obj.Spec.Username,
 				Organization: obj.Spec.Groups,
 			},
-			NotBefore:             time.Now(),
-			NotAfter:              time.Now().AddDate(10, 0, 0), // TODO: expiration date from obj, or config
+			NotBefore:             notBefore,
+			NotAfter:              notAfter,
 			BasicConstraintsValid: true,
 			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
@@ -181,8 +191,8 @@ func (r *csrSigningReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 			Subject: pkix.Name{
 				CommonName: "system:kube-proxy",
 			},
-			NotBefore:             time.Now(),
-			NotAfter:              time.Now().AddDate(10, 0, 0), // TODO: expiration date from obj, or config
+			NotBefore:             notBefore,
+			NotAfter:              notAfter,
 			BasicConstraintsValid: true,
 			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,