Merge pull request #6193 from jabellard/leaf-cert-validatity-imp

karmada-bot · web-flow · commit 6dfe381395c7 · 2025-03-13T16:48:34.000+08:00
Add Support to Configure Leaf Certificate Validity Period in Karmada Operator
diff --git a/charts/karmada-operator/crds/operator.karmada.io_karmadas.yaml b/charts/karmada-operator/crds/operator.karmada.io_karmadas.yaml
@@ -5197,6 +5197,13 @@ spec:
                           referenced.
                         type: string
                     type: object
+                  leafCertValidityDays:
+                    description: |-
+                      LeafCertValidityDays specifies the validity period of leaf certificates (e.g., API Server certificate) in days.
+                      If not specified, the default validity period of 1 year will be used.
+                    format: int32
+                    minimum: 1
+                    type: integer
                 type: object
               featureGates:
                 additionalProperties:
diff --git a/operator/config/crds/operator.karmada.io_karmadas.yaml b/operator/config/crds/operator.karmada.io_karmadas.yaml
@@ -5197,6 +5197,13 @@ spec:
                           referenced.
                         type: string
                     type: object
+                  leafCertValidityDays:
+                    description: |-
+                      LeafCertValidityDays specifies the validity period of leaf certificates (e.g., API Server certificate) in days.
+                      If not specified, the default validity period of 1 year will be used.
+                    format: int32
+                    minimum: 1
+                    type: integer
                 type: object
               featureGates:
                 additionalProperties:
diff --git a/operator/pkg/apis/operator/v1alpha1/type.go b/operator/pkg/apis/operator/v1alpha1/type.go
@@ -133,6 +133,12 @@ type CustomCertificate struct {
 	// all components that access the APIServer as clients.
 	// +optional
 	APIServerCACert *LocalSecretReference `json:"apiServerCACert,omitempty"`
+
+	// LeafCertValidityDays specifies the validity period of leaf certificates (e.g., API Server certificate) in days.
+	// If not specified, the default validity period of 1 year will be used.
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	LeafCertValidityDays *int32 `json:"leafCertValidityDays,omitempty"`
 }
 
 // ImageRegistry represents an image registry as well as the
diff --git a/operator/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go b/operator/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go
diff --git a/operator/pkg/tasks/init/cert.go b/operator/pkg/tasks/init/cert.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientset "k8s.io/client-go/kubernetes"
@@ -200,5 +201,11 @@ func mutateCertConfig(data InitData, cc *certs.CertConfig) error {
 		}
 	}
 
+	if data.CustomCertificate().LeafCertValidityDays != nil {
+		certValidityDuration := time.Hour * 24 * time.Duration(*data.CustomCertificate().LeafCertValidityDays)
+		notAfter := time.Now().Add(certValidityDuration).UTC()
+		cc.NotAfter = &notAfter
+	}
+
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ import (`
`20`	`20`	`"context"`
`21`	`21`	`"errors"`
`22`	`22`	`"fmt"`
	`23`	`+ "time"`
`23`	`24`
`24`	`25`	`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
`25`	`26`	`clientset "k8s.io/client-go/kubernetes"`
`@@ -200,5 +201,11 @@ func mutateCertConfig(data InitData, cc *certs.CertConfig) error {`
`200`	`201`	`}`
`201`	`202`	`}`
`202`	`203`
	`204`	`+ if data.CustomCertificate().LeafCertValidityDays != nil {`
	`205`	`+ certValidityDuration := time.Hour * 24 * time.Duration(*data.CustomCertificate().LeafCertValidityDays)`
	`206`	`+ notAfter := time.Now().Add(certValidityDuration).UTC()`
	`207`	`+ cc.NotAfter = &notAfter`
	`208`	`+ }`
	`209`	`+`
`203`	`210`	`return nil`
`204`	`211`	`}`