From 829d0f3c9804c9b56d2e6ad4bd6d137b90c7c8c8 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 8 Aug 2024 17:36:56 +0800 Subject: [PATCH 1/5] customize the cert's lifetime Signed-off-by: gang.liu --- .../v1alpha1/contourdeployment.go | 7 +++ examples/contour/01-crds.yaml | 7 +++ examples/render/contour-deployment.yaml | 7 +++ .../render/contour-gateway-provisioner.yaml | 7 +++ examples/render/contour-gateway.yaml | 7 +++ examples/render/contour.yaml | 7 +++ internal/provisioner/controller/gateway.go | 5 +++ .../provisioner/controller/gateway_test.go | 43 +++++++++++++++++++ internal/provisioner/model/model.go | 5 +++ internal/provisioner/objects/secret/secret.go | 2 +- .../docs/main/config/api-reference.html | 14 ++++++ 11 files changed, 110 insertions(+), 1 deletion(-) diff --git a/apis/projectcontour/v1alpha1/contourdeployment.go b/apis/projectcontour/v1alpha1/contourdeployment.go index b430c2c1ff1..2da9eae7ddd 100644 --- a/apis/projectcontour/v1alpha1/contourdeployment.go +++ b/apis/projectcontour/v1alpha1/contourdeployment.go @@ -140,6 +140,13 @@ type ContourSettings struct { // +kubebuilder:validation:MinItems=1 // +kubebuilder:validation:MaxItems=42 DisabledFeatures []contour_v1.Feature `json:"disabledFeatures,omitempty"` + + // CertLifetime is the number of days for which certificates will be valid. + // defaults to 365. + // + // +kubebuilder:validation:Minimum=0 + // +optional + CertLifetime uint32 `json:"certLifetime,omitempty" yaml:"certLifetime,omitempty"` } // DeploymentSettings contains settings for Deployment resources. diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index 0beece5bc51..f7b9cebc12b 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml 
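Review bot: The new `CertLifetime` field carries `+kubebuilder:validation:Minimum=0` and no upper bound, so the API admits 0 (which elsewhere in this patch the reconciler treats as "keep the 365-day default", via `if contourParams.CertLifetime > 0`) and also arbitrarily long values such as 36500 days, and the doc comment explains neither. Because these certificates protect the Contour-to-Envoy xDS channel, a very long lifetime quietly removes the rotation the default provides; a `+kubebuilder:validation:Maximum` is worth considering, and the zero case should be spelled out. Suggested doc comment: `// CertLifetime is the number of days for which the generated xDS certificates are valid. 0 or unset means the default of 365 days; long lifetimes weaken certificate rotation.` The enclosing `ContourSettings` struct begins before this hunk.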
@@ -1416,6 +1416,13 @@ spec: and associated resources, including things like replica count for the Deployment, and node placement constraints for the pods. properties: + certLifetime: + description: |- + CertLifetime is the number of days for which certificates will be valid. + defaults to 365. + format: int32 + minimum: 0 + type: integer deployment: description: Deployment describes the settings for running contour as a `Deployment`. diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 1e085adae27..ba96f2e30e5 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -1636,6 +1636,13 @@ spec: and associated resources, including things like replica count for the Deployment, and node placement constraints for the pods. properties: + certLifetime: + description: |- + CertLifetime is the number of days for which certificates will be valid. + defaults to 365. + format: int32 + minimum: 0 + type: integer deployment: description: Deployment describes the settings for running contour as a `Deployment`. diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index b3633a2e0cd..cdb1fe65f3f 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml @@ -1427,6 +1427,13 @@ spec: and associated resources, including things like replica count for the Deployment, and node placement constraints for the pods. properties: + certLifetime: + description: |- + CertLifetime is the number of days for which certificates will be valid. + defaults to 365. + format: int32 + minimum: 0 + type: integer deployment: description: Deployment describes the settings for running contour as a `Deployment`. diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index 0db31e989d5..d36cd03c2bc 100644 --- a/examples/render/contour-gateway.yaml 
+++ b/examples/render/contour-gateway.yaml @@ -1452,6 +1452,13 @@ spec: and associated resources, including things like replica count for the Deployment, and node placement constraints for the pods. properties: + certLifetime: + description: |- + CertLifetime is the number of days for which certificates will be valid. + defaults to 365. + format: int32 + minimum: 0 + type: integer deployment: description: Deployment describes the settings for running contour as a `Deployment`. diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index d78bac68c7b..23372c5ba44 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml @@ -1636,6 +1636,13 @@ spec: and associated resources, including things like replica count for the Deployment, and node placement constraints for the pods. properties: + certLifetime: + description: |- + CertLifetime is the number of days for which certificates will be valid. + defaults to 365. + format: int32 + minimum: 0 + type: integer deployment: description: Deployment describes the settings for running contour as a `Deployment`. diff --git a/internal/provisioner/controller/gateway.go b/internal/provisioner/controller/gateway.go index b1daaf114d1..ac36c173dd0 100644 --- a/internal/provisioner/controller/gateway.go +++ b/internal/provisioner/controller/gateway.go @@ -262,6 +262,11 @@ func (r *gatewayReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct for k, v := range contourParams.PodAnnotations { contourModel.Spec.ContourPodAnnotations[k] = v } + + if contourParams.CertLifetime > 0 { + contourModel.Spec.CertLifetime = contourParams.CertLifetime + } + } if gatewayClassParams.Spec.Envoy != nil { diff --git a/internal/provisioner/controller/gateway_test.go b/internal/provisioner/controller/gateway_test.go index 908ab1094c8..677269d0b52 100644 --- a/internal/provisioner/controller/gateway_test.go +++ b/internal/provisioner/controller/gateway_test.go 
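Review bot: The `> 0` guard is the only place that gives the API's zero value its "use the default" meaning, yet nothing at this site says so; a reader sees `CertLifetime: 365` in `model.Default()` and has to work out that this branch is what leaves it in place. A one-line comment makes the contract explicit: `// A zero/unset CertLifetime keeps the model default (365 days).` The added blank line immediately before the closing brace is also unnecessary. `Reconcile` starts and ends outside this hunk.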
@@ -15,7 +15,10 @@ package controller import ( "context" + "crypto/x509" + "encoding/pem" "testing" + "time" "github.com/go-logr/logr" "github.com/stretchr/testify/assert" @@ -1396,6 +1399,32 @@ func TestGatewayReconcile(t *testing.T) { } }, }, + "The generated certificates' lifetime is specified": { + gatewayClass: reconcilableGatewayClassWithParams("gatewayclass-1", controller), + gatewayClassParams: &contour_v1alpha1.ContourDeployment{ + ObjectMeta: meta_v1.ObjectMeta{ + Namespace: "projectcontour", + Name: "gatewayclass-1-params", + }, + Spec: contour_v1alpha1.ContourDeploymentSpec{ + Contour: &contour_v1alpha1.ContourSettings{ + CertLifetime: 123, + }, + }, + }, + gateway: makeGateway(), + assertions: func(t *testing.T, r *gatewayReconciler, _ *gatewayapi_v1.Gateway, _ error) { + s := &core_v1.Secret{ + ObjectMeta: meta_v1.ObjectMeta{ + Namespace: "gateway-1", + Name: "contourcert-gateway-1", + }, + } + + require.NoError(t, r.client.Get(context.Background(), keyFor(s), s)) + verifyCert(t, s.Data["ca.crt"], 123) + }, + }, } for name, tc := range tests { @@ -1451,3 +1480,17 @@ func assertEnvoyServiceLoadBalancerIP(t *testing.T, gateway *gatewayapi_v1.Gatew // Verify expected Spec.LoadBalancerIP. assert.Equal(t, want, envoyService.Spec.LoadBalancerIP) } + +func verifyCert(t *testing.T, certPEM []byte, day int) { + block, _ := pem.Decode(certPEM) + if block == nil { + require.FailNow(t, "decode certificate from PEM form is failed") + } + + cert, err := x509.ParseCertificate(block.Bytes) + require.NoError(t, err, "parse certificate is failed") + + if cert.NotAfter.After(time.Now().AddDate(0, 0, day)) { + require.FailNow(t, "certificate is not valid") + } +} diff --git a/internal/provisioner/model/model.go b/internal/provisioner/model/model.go index ea713299bff..28ec1af5f7d 100644 --- a/internal/provisioner/model/model.go +++ b/internal/provisioner/model/model.go 
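Review bot: `verifyCert` only checks that `NotAfter` is not later than now plus `day` days, so a certificate issued for one day, or one whose lifetime ignored the setting entirely as long as it came out shorter, would pass; the test does not actually prove that 123 days was applied. Asserting the validity span pins the value instead, e.g. `assert.InDelta(t, float64(day*24), cert.NotAfter.Sub(cert.NotBefore).Hours(), 24)`, with the delta allowing for any back-dating of `NotBefore` the generator may do (not visible here). The new test case also inspects only `ca.crt`; if the leaf certificate in the same secret (presumably `tls.crt`) is generated with the same lifetime, checking it as well would cover the Contour/Envoy case the changelog describes.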
@@ -79,6 +79,7 @@ func Default(namespace, name string) *Contour { ResourceAnnotations: map[string]string{}, EnvoyPodAnnotations: map[string]string{}, ContourPodAnnotations: map[string]string{}, + CertLifetime: 365, }, } } @@ -257,6 +258,10 @@ type ContourSpec struct { // DisabledFeatures defines an array of resources that will be ignored by // contour reconciler. DisabledFeatures []contour_v1.Feature + + // CertLifetime is the number of days for which certificates will be valid. + // default to 365 + CertLifetime uint32 } func NamespacesToStrings(ns []contour_v1.Namespace) []string { diff --git a/internal/provisioner/objects/secret/secret.go b/internal/provisioner/objects/secret/secret.go index ef248a908ba..5a458417506 100644 --- a/internal/provisioner/objects/secret/secret.go +++ b/internal/provisioner/objects/secret/secret.go @@ -44,7 +44,7 @@ func EnsureXDSSecrets(ctx context.Context, cli client.Client, contour *model.Con certs, err := certs.GenerateCerts( &certs.Configuration{ - Lifetime: 365, + Lifetime: uint(contour.Spec.CertLifetime), Namespace: contour.Namespace, }, ) diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index 57bc87795fd..dad2186f9cf 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -6408,6 +6408,20 @@
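Review bot: `Lifetime: uint(contour.Spec.CertLifetime)` now depends on every caller having populated `Spec.CertLifetime`; a `model.Contour` constructed without `model.Default()` passes a lifetime of 0, and what `certs.GenerateCerts` does with 0 is not visible here (it could yield an already-expired certificate or an error). A defensive fallback at the call site preserves the previous behaviour for such callers: `lifetime := uint(contour.Spec.CertLifetime); if lifetime == 0 { lifetime = 365 }`, ideally with the literal replaced by a named constant shared with `model.Default()` rather than repeating 365 in two places. `EnsureXDSSecrets` starts before this hunk and continues after it.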

ContourSettings contour reconciler.

+ + +certLifetime +
+ +uint32 + + + +(Optional) +

CertLifetime is the number of days for which certificates will be valid. +defaults to 365.

+ +

CustomTag From ab53343b05a7291a5a4378551f03178dd17ead97 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 8 Aug 2024 18:25:29 +0800 Subject: [PATCH 2/5] add changelog Signed-off-by: gang.liu --- changelogs/unreleased/6604-izturn-minor.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 changelogs/unreleased/6604-izturn-minor.md diff --git a/changelogs/unreleased/6604-izturn-minor.md b/changelogs/unreleased/6604-izturn-minor.md new file mode 100644 index 00000000000..152fb070292 --- /dev/null +++ b/changelogs/unreleased/6604-izturn-minor.md @@ -0,0 +1,4 @@ + +## Customize the certificate's lifetime + +customize the number of days for which certificates will be valid. defaults to 365. \ No newline at end of file From 1f6b1ea580b5bb07ced1ddb978dd8e227606e3df Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Thu, 8 Aug 2024 18:32:18 +0800 Subject: [PATCH 3/5] make lint happy Signed-off-by: gang.liu --- internal/provisioner/controller/gateway_test.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/internal/provisioner/controller/gateway_test.go b/internal/provisioner/controller/gateway_test.go index 677269d0b52..f22e4170b14 100644 --- a/internal/provisioner/controller/gateway_test.go +++ b/internal/provisioner/controller/gateway_test.go 
@@ -1484,13 +1484,19 @@ func assertEnvoyServiceLoadBalancerIP(t *testing.T, gateway *gatewayapi_v1.Gatew func verifyCert(t *testing.T, certPEM []byte, day int) { block, _ := pem.Decode(certPEM) if block == nil { - require.FailNow(t, "decode certificate from PEM form is failed") + require.FailNow(t, "decode the certificate from PEM form is failed") + return + } + + if block.Bytes == nil { + require.FailNow(t, "the certificate is empty") + return } cert, err := x509.ParseCertificate(block.Bytes) - require.NoError(t, err, "parse certificate is failed") + require.NoError(t, err, "parse the certificate is failed") if cert.NotAfter.After(time.Now().AddDate(0, 0, day)) { - require.FailNow(t, "certificate is not valid") + require.FailNow(t, "the certificate is not valid") } } From 6a8d0ea8a74ed01686b1eb15e7a5d3cf062c99a8 Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Tue, 20 Aug 2024 18:03:07 +0800 Subject: [PATCH 4/5] little refactor Signed-off-by: gang.liu --- apis/projectcontour/v1alpha1/contourdeployment.go | 2 +- changelogs/unreleased/6604-izturn-minor.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apis/projectcontour/v1alpha1/contourdeployment.go b/apis/projectcontour/v1alpha1/contourdeployment.go index 2da9eae7ddd..e88bb4a4840 100644 --- a/apis/projectcontour/v1alpha1/contourdeployment.go +++ b/apis/projectcontour/v1alpha1/contourdeployment.go @@ -146,7 +146,7 @@ type ContourSettings struct { // // +kubebuilder:validation:Minimum=0 // +optional - CertLifetime uint32 `json:"certLifetime,omitempty" yaml:"certLifetime,omitempty"` + CertLifetime uint32 `json:"certLifetime,omitempty"` } // DeploymentSettings contains settings for Deployment resources. diff --git a/changelogs/unreleased/6604-izturn-minor.md b/changelogs/unreleased/6604-izturn-minor.md index 152fb070292..a084bd5d620 100644 --- a/changelogs/unreleased/6604-izturn-minor.md +++ b/changelogs/unreleased/6604-izturn-minor.md 
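Review bot: The added `block.Bytes == nil` check is redundant: `x509.ParseCertificate` already returns an error for empty input, and `require.NoError` on the next line reports it. The `return` statements after `require.FailNow` are unreachable at runtime (`FailNow` ends the test goroutine) and appear to exist only to satisfy the nil-analysis linter, as the commit title suggests; a short comment such as `// unreachable; keeps the nilness linter satisfied` would save the next reader the same investigation. Separately, the final assertion still only bounds `NotAfter` from above, so a shorter-than-configured lifetime would still pass.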
@@ -1,4 +1,4 @@ ## Customize the certificate's lifetime -customize the number of days for which certificates will be valid. defaults to 365. \ No newline at end of file +By setting `ContourDeployment.Spec.certLifetime`, you can customize the validity period of certificates generated by the `provisioner`. The default value is 365 days. \ No newline at end of file From 1766f9fe8106c472cd830d63da8c26527037fcde Mon Sep 17 00:00:00 2001 From: "gang.liu" Date: Tue, 27 Aug 2024 17:29:31 +0800 Subject: [PATCH 5/5] little refactor Signed-off-by: gang.liu --- apis/projectcontour/v1alpha1/contourdeployment.go | 2 +- changelogs/unreleased/6604-izturn-minor.md | 5 ++--- examples/contour/01-crds.yaml | 2 +- examples/render/contour-deployment.yaml | 2 +- examples/render/contour-gateway-provisioner.yaml | 2 +- examples/render/contour-gateway.yaml | 2 +- examples/render/contour.yaml | 2 +- site/content/docs/main/config/api-reference.html | 2 +- 8 files changed, 9 insertions(+), 10 deletions(-) diff --git a/apis/projectcontour/v1alpha1/contourdeployment.go b/apis/projectcontour/v1alpha1/contourdeployment.go index e88bb4a4840..99de114e76f 100644 --- a/apis/projectcontour/v1alpha1/contourdeployment.go +++ b/apis/projectcontour/v1alpha1/contourdeployment.go @@ -141,7 +141,7 @@ type ContourSettings struct { // +kubebuilder:validation:MaxItems=42 DisabledFeatures []contour_v1.Feature `json:"disabledFeatures,omitempty"` - // CertLifetime is the number of days for which certificates will be valid. + // CertLifetime is the number of days for which certificates for Contour and Envoy will be valid. // defaults to 365. // // +kubebuilder:validation:Minimum=0 diff --git a/changelogs/unreleased/6604-izturn-minor.md b/changelogs/unreleased/6604-izturn-minor.md index a084bd5d620..65fa4f5af34 100644 --- a/changelogs/unreleased/6604-izturn-minor.md +++ b/changelogs/unreleased/6604-izturn-minor.md 
@@ -1,4 +1,3 @@ +## Customize the xDS certificate's lifetime -## Customize the certificate's lifetime - -By setting `ContourDeployment.Spec.certLifetime`, you can customize the validity period of certificates generated by the `provisioner`. The default value is 365 days. \ No newline at end of file +You can modify the lifetime of certificates used for TLS communication between Contour and Envoy by setting `ContourDeployment.Spec.certLifetime`. This field allows you to specify the validity period of the certificates generated by the Contour Gateway Provisioner. By default, the certificates are valid for 365 days. \ No newline at end of file diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml index f7b9cebc12b..45d1e368b89 100644 --- a/examples/contour/01-crds.yaml +++ b/examples/contour/01-crds.yaml @@ -1418,7 +1418,7 @@ spec: properties: certLifetime: description: |- - CertLifetime is the number of days for which certificates will be valid. + CertLifetime is the number of days for which certificates for Contour and Envoy will be valid. defaults to 365. format: int32 minimum: 0 diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index ba96f2e30e5..ef5a7bacb87 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml @@ -1638,7 +1638,7 @@ spec: properties: certLifetime: description: |- - CertLifetime is the number of days for which certificates will be valid. + CertLifetime is the number of days for which certificates for Contour and Envoy will be valid. defaults to 365. format: int32 minimum: 0 diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index cdb1fe65f3f..21212c320c5 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -1429,7 +1429,7 @@ spec: properties: certLifetime: description: |- - CertLifetime is the number of days for which certificates will be valid. + CertLifetime is the number of days for which certificates for Contour and Envoy will be valid. defaults to 365. format: int32 minimum: 0 diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index d36cd03c2bc..7cbbbec232e 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml @@ -1454,7 +1454,7 @@ spec: properties: certLifetime: description: |- - CertLifetime is the number of days for which certificates will be valid. + CertLifetime is the number of days for which certificates for Contour and Envoy will be valid. defaults to 365. format: int32 minimum: 0 diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 23372c5ba44..53928fd45df 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml @@ -1638,7 +1638,7 @@ spec: properties: certLifetime: description: |- - CertLifetime is the number of days for which certificates will be valid. + CertLifetime is the number of days for which certificates for Contour and Envoy will be valid. defaults to 365. format: int32 minimum: 0 diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html index dad2186f9cf..45df686ab10 100644 --- a/site/content/docs/main/config/api-reference.html +++ b/site/content/docs/main/config/api-reference.html @@ -6418,7 +6418,7 @@

ContourSettings (Optional) -

CertLifetime is the number of days for which certificates will be valid. +

CertLifetime is the number of days for which certificates for Contour and Envoy will be valid. defaults to 365.