Configurable issuer duration and renewBefore Take 2

[Queuecumber]

This is me commandeering #520 because it is clearly not being worked on

Plan right now is to skip 516be06 in favor of validation which disallows duration for ACME issuers.

What this PR does / why we need it:

This pull request makes possible to configure the certificate validity duration and the renewal before duration per issuer.

Which issue this PR fixes

#437

Special notes for your reviewer:

TODO

1. Salvage code from 7230151
2. Make the existing unit and e2e tests work
3. Use duration config in self-signed issuer
4. General code quality updates
5. Validate that duration is not set for ACME certs (w/ unit test)
6. Test everything in a real cluster
7. Validate durations in validation and not issuer setup

Release note:

Configurable certificate duration and renewal duration using fields Certificate.spec.duration and 
Certificate.spec.renewBefore respectively.
The CA Issuer and Self-Signed Isuuer default duration is now 90 days instead of 365 days to make all issuers more consistent when configured without explicit duration.

[Queuecumber]

/hold

This is just to get the ball roling and get some early feedback, e2e tests had a lot of changes since the original commit and need to be reworked. Docs are not updated yet and validation still needs to be written.

[Queuecumber]

A lot of things to do with constants seemed to move since the original commit, so I stuck this here, Is there a better place for it?

[munnerz]

From what I can tell, this var isn't actually used? Unless GitHub is collapsing things in the diff for me! 😄

[Queuecumber]

Yup you're right, this is a holdover from when we were triggering events for stuff (I think) so I'll remove it

[Queuecumber]

I kind of hate this line, and I don't understand it's purpose in the original commit. I know that it is used in the test (next file down), but there must be a better way to handle it.

[munnerz]

/ok-to-test

[Queuecumber]

@munnerz Can you tell me what version of dep the CI server uses? I dont think the new Bazel system prints it out like the old hack script used to and for a while now I get the following error when I run bazel run hack://update-deps

(81/93) Wrote github.com/hashicorp/errwrap@master: hash of vendored tree didn't match digest in Gopkg.lock
grouped write of manifest, lock and vendor: failed to export bitbucket.org/ww/goautoneg: 
        (1) hg is not installed: 
        (2) hg is not installed: 
        (3) hg is not installed: 
        (4) failed to list versions for https://bitbucket.org/ww/goautoneg: fatal: repository 'https://bitbucket.org/ww/goautoneg/' not found
: exit status 128
        (5) failed to list versions for ssh://git@bitbucket.org/ww/goautoneg: not a git repository.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
: exit status 128
        (6) failed to list versions for git://bitbucket.org/ww/goautoneg: fatal: unable to connect to bitbucket.org:
bitbucket.org[0: 18.205.93.2]: errno=Connection timed out
bitbucket.org[1: 18.205.93.0]: errno=Connection timed out
bitbucket.org[2: 18.205.93.1]: errno=Connection timed out

: exit status 128
        (7) failed to list versions for http://bitbucket.org/ww/goautoneg: fatal: repository 'http://bitbucket.org/ww/goautoneg/' not found
: exit status 128

[Queuecumber]

OK well nvm it looks like it really did just need the hg binary to complete I dont know why thats surprising to me

[munnerz]

OK well nvm it looks like it really did just need the hg binary to complete I dont know why thats surprising to me

This is down to that one bitbucket dependency afaict. We've had this issue for a while, and it's really annoying! 😬

Glad you got it resolved. FWIW, I think you need to run:

bazel run //hack:update-bazel
bazel run //hack:update-codegen

😄

[munnerz]

I also DM'd you on slack just now - feel free to reach out directly if you run into more issues. The new Bazel build system is still early on and there could be a few rough edges!

[Queuecumber]

Is this the best place for these constants to go?

[munnerz]

👍 I think so - this ultimately does become part of our public API, and given we are still alpha, it does not preclude a breaking change if needs be 😄

[Queuecumber]

@munnerz Couple of things that I was thinking about that I'd like your opinion on

1. Currently duration and renewBefore are properties of the issuers. Should there also be properties on the certificates that override these? Or do we treat the different issuers as QoS levels, so if you want a longer duration cert then ask for one from the issuer that gives longer durations?

2. Should there be an option to not renew a certificate? For example (real example that I am working on today), I have someone who needs access to our site for a month, so I want to issue him a certificate for one month but not renew it. I could just delete the cert resource and/or not send him the renewed certificate, but maybe there should be options for this?

I think both of these are probably future work in the space of defaulting policies and certificate delivery that you had mentioned in previous discussions.

[Queuecumber]

/hold cancel

This passed a few tests I ran in a real cluster this morning, issued certs correctly have expirations set, etc. and I was able to issue such a client cert to someone who needs short term access to my cluster. So I think this is at your mercy @munnerz

[Queuecumber]

@munnerz Ok well, it seems to pass e2e tests now, but I'm not exactly happy with the solution which was to just not set the duration and renewBefore fields on ACME tests. I still have no idea why it was failing though, and only for HTTP01. DNS01 tests worked fine, and both HTTP01 and DNS01 worked on my live cluster, so its a bit of a mystery. Your call how we proceed.

[Queuecumber]

/hold

cleaning up some of the e2e tests

[Queuecumber]

/hold cancel

I think it's done now

[munnerz]

I added a few commits on top to clean up a few things, to save you having to go through more rounds of review and back-and-forth!

1. I cleaned up the Certificate controller Sync function, fixing up a rebase issue
2. Allowed ACME certificates to specify renewBefore
3. Updated the docs examples
4. Renamed calculateTimeBeforeExpiry

I also removed some dead/irrelevant code that I think has been brought forward from rebases.

Thanks for being so persistent with this, I know it's been a pain!

/lgtm
/approve

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: munnerz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [munnerz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Queuecumber]

Truly a momentous occasion

That's pretty much all I've got for the foreseeable future, good luck with the project

Btw how long until this is available in an image?