refactor(charts/injector): cert expiration detection and automatic re…

…creation Related to #124 Add expiration check for self-signed certificates in `charts/dsv-injector/templates/webhook.yaml`. * Add a new variable `recreateSelfSignedCertThreshold` with a default of 90 days. * Add a check for the expiration of the existing cert in the next n days. * Update the logic to generate a new self-signed cert if the existing cert is expiring within `recreateSelfSignedCertThreshold` days. * Update the secret cert value mapping to use the `$tlsCert` value based on it meeting the expiration check requirement. Expose `webhookCertExpireDays` and `recreateSelfSignedCertThreshold` in `charts/dsv-injector/values.yaml`. * Expose `webhookCertExpireDays` with a default of 365 days. * Add `recreateSelfSignedCertThreshold` with a default of 90 days. --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/DelineaXPM/dsv-k8s/issues/124?shareId=XXXX-XXXX-XXXX-XXXX).
DelineaXPM · Aug 9, 2024 · ff33f7e · ff33f7e
1 parent 619291e
commit ff33f7e
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/charts/dsv-injector/templates/webhook.yaml b/charts/dsv-injector/templates/webhook.yaml
@@ -1,5 +1,13 @@
 {{- $tlsCert := genSelfSignedCert (include "dsv.dnsname" .) nil (list (include "dsv.dnsname" .) (include "dsv.name" .)) (default 365 .Values.webhookCertExpireDays | int) -}}
 {{- $tlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}
+{{- $recreateSelfSignedCertThreshold := default 90 .Values.recreateSelfSignedCertThreshold | int -}}
+{{- $needsRecreate := false -}}
+{{- if $tlsSecret }}
+  {{- $cert := $tlsSecret.data.cert | b64dec | fromYaml -}}
+  {{- if and $cert (lt (now | date "2006-01-02" | dateAdd (mul $recreateSelfSignedCertThreshold 24h)) ($cert | date "2006-01-02")) }}
+    {{- $needsRecreate = true -}}
+  {{- end -}}
+{{- end -}}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -19,7 +27,7 @@ webhooks:
     clientConfig:
 {{- if eq .Values.service.type "ExternalName" }}
       caBundle: {{ .Values.caBundle }}
-{{- else if $tlsSecret }}
+{{- else if and $tlsSecret (not $needsRecreate) }}
       caBundle: {{ $tlsSecret.data.cert }}
 {{- else }}
       caBundle: {{ $tlsCert.Cert | b64enc }}
@@ -38,7 +46,7 @@ kind: Secret
 metadata:
   name: {{ include "dsv.name" . }}-tls
 data:
-{{- if $tlsSecret }}
+{{- if and $tlsSecret (not $needsRecreate) }}
   cert.pem: {{ $tlsSecret.data.cert }}
   key.pem: {{ $tlsSecret.data.key }}
 {{- else }}

diff --git a/charts/dsv-injector/values.yaml b/charts/dsv-injector/values.yaml
@@ -120,3 +120,11 @@ configmap:
   # DSV_CREDENTIALS_JSON:
   # DSV_SERVER_ADDRESS:
   # DSV_DEBUG: 'true'  # Warning: if passing boolean, use quoted string to avoid issues
+
+# -- webhookCertExpireDays specifies the number of days before the webhook certificate expires
+# @default -- 365
+webhookCertExpireDays: 365
+
+# -- recreateSelfSignedCertThreshold specifies the number of days before the self-signed certificate expires
+# @default -- 90
+recreateSelfSignedCertThreshold: 90