Configurable issuer duration and renewBefore

[vdesjardins]

What this PR does / why we need it:
This pull request makes possible to configure the certificate validity duration and the renewal before duration per issuer.
Which issue this PR fixes:
#437
Special notes for your reviewer:
Split from Vault issuer pull request #292

Release note:

Configurable certificate duration and renewal duration using fields Issuer.spec.duration and 
Issuer.spec.renewBefore respectively.
The CA Issuer default duration is now 90 days instead of 365 days to make all issuers more consistent when configured without explicit duration.

[munnerz]

/ok-to-test

…

On Sat, 28 Apr 2018 at 05:46, jetstack-bot ***@***.***> wrote: [APPROVALNOTIFIER] This PR is *NOT APPROVED* This pull-request has been approved by: To fully approve this pull request, please assign additional approvers. We suggest the following additional approver: *kragniz* Assign the PR to them by writing /assign @kragniz in a comment when ready. The full list of commands accepted by this bot can be found here <https://go.k8s.io/bot-commands>. The pull request process is described here <https://git.k8s.io/community/contributors/guide/owners.md#the-code-review-process> Needs approval from an approver in each of these files: - *OWNERS <https://github.com/jetstack/cert-manager/blob/master/OWNERS>* Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#520 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAMbP-ob4cwRGtV_tFIw2Nn9UB0cyiWmks5ts_Q5gaJpZM4TrPmN> .

[munnerz]

This sounds like a hard error to me - perhaps rephrase to explain that we've instead changed the renewal date?

I'd also make this a non-warning (i.e. EventTypeNormal), as some users will take a warning to be an error and starting opening issues 😬

[munnerz]

Needn't be an ACME specific error. ErrDurationInvalid should suffice, and can be reused across issuers.

[munnerz]

Remove this var - it doesn't really add any context for the user. They are already aware that it is an ACME certificate. We can instead just set the conditions message to err.Error()

[munnerz]

Can get rid of s and just return err here instead.

[munnerz]

Can get rid of both of these vars

[munnerz]

Same comment as ACME issuer

[MadVikingGod]

Hi, this is a feature that I am interested in using. Is there anything that I can do to help shepherd this along it's path?

[vdesjardins]

I just pushed an update to the pull request with fixes for the code review and support for the Vault issuer.

The main remaining issue that I can think of right now is what we should do with the ACMEv2 issuer. The ACMEv2 issuer receives a validation error from Let's Encrypt (Boulder) when a custom notBefore and notAfter is specified in the order request. The reason is that the Boulder server do not implement that particular feature of the spec.

Since Boulder (and Pebble) are the only servers implementing the ACMEv2 protocol that I'm aware of maybe we could do one of these:

• Remove support for custom duration instead of generating an error. We could generate an status condition to let the user know that we do not support custom duration for this issuer.
• Recover from the error and update the certificate status with a warning/info about the fact that the issuer does not support custom duration.

[MadVikingGod]

It's an optional field in the acme spec. I would just put it in as a warning that it's not supported by the ACME server.

[munnerz]

/cc @vdesjardins

[jetstack-bot]

@munnerz: GitHub didn't allow me to request PR reviews from the following users: vdesjardins.

Note that only jetstack members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @vdesjardins

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vdesjardins]

/retest

[jetstack-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: wallrj

Assign the PR to them by writing /assign @wallrj in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jetstack-bot]

@vdesjardins: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
cert-manager-e2e-v1-9	516be06	link	/test e2e v1.9

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[munnerz]

I think we need some way to mark a certification configuration as invalid in order to prevent re-processing of a Certificate in this case, instead of re-attempting to create ourselves.

This will require us somehow hashing the 'input values' (i.e. the Duration field right now) and recording on the Certificate resource that the particular configuration is invalid. When a re-sync happens (i.e. when the resource changes), we will have to compare that hash to the hash of the new resource in order to determine if a user has updated their configuration, in which case we retry CreateOrder with the new configuration.

I think there are a number of places where this could be useful, at least for ACME. Perhaps for other Issuers (or other parts of the ACME issuer) in future too. It's sort of 'runtime validation' against the actual Issuer, and not just validating the resources are valid 😄

[vdesjardins]

Yes I agree. Perhaps we can store it in a label like the hash computed by the deployment resource? In the pod resource this field is called pod-template-hash.

[munnerz]

#761 will allow us to skip processing Certificate resources with particular fields set if they reference ACME issuers.

This should allow us to just blanket not support setting these fields with all ACME issuers. We can then explore at a later time an implementation that's more complex without making a breaking change 😄

[munnerz]

#761 has now merged, so we should be able to add in this check now 😄

@vdesjardins are you still in a position to rebase and get this PR up to date? There's been a few changes that may effect your implementation slightly!

[vdesjardins]

I should have some time hopefully to start looking at it the coming days!

[jetstack-bot]

@vdesjardins: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[munnerz]

Closing this in favour of #893 😄