From ff33f7e264cda2649203b3f4378db87a61d7a956 Mon Sep 17 00:00:00 2001
From: sheldonhull
Date: Fri, 9 Aug 2024 18:09:09 -0500
Subject: [PATCH] refactor(charts/injector): cert expiration detection and automatic recreation

Related to #124

Add expiration check for self-signed certificates in `charts/dsv-injector/templates/webhook.yaml`.

* Add a new variable `recreateSelfSignedCertThreshold` with a default of 90 days.
* Add a check for the expiration of the existing cert in the next n days.
* Update the logic to generate a new self-signed cert if the existing cert is expiring within `recreateSelfSignedCertThreshold` days.
* Update the secret cert value mapping to use the `$tlsCert` value based on it meeting the expiration check requirement.

Expose `webhookCertExpireDays` and `recreateSelfSignedCertThreshold` in `charts/dsv-injector/values.yaml`.

* Expose `webhookCertExpireDays` with a default of 365 days.
* Add `recreateSelfSignedCertThreshold` with a default of 90 days.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/DelineaXPM/dsv-k8s/issues/124?shareId=XXXX-XXXX-XXXX-XXXX).
---
 charts/dsv-injector/templates/webhook.yaml | 12 ++++++++++--
 charts/dsv-injector/values.yaml | 8 ++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/charts/dsv-injector/templates/webhook.yaml b/charts/dsv-injector/templates/webhook.yaml
index c81f080..1d0e30b 100644
--- a/charts/dsv-injector/templates/webhook.yaml
+++ b/charts/dsv-injector/templates/webhook.yaml
@@ -1,5 +1,13 @@
 {{- $tlsCert := genSelfSignedCert (include "dsv.dnsname" .) nil (list (include "dsv.dnsname" .) (include "dsv.name" .)) (default 365 .Values.webhookCertExpireDays | int) -}}
 {{- $tlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}
+{{- $recreateSelfSignedCertThreshold := default 90 .Values.recreateSelfSignedCertThreshold | int -}}
+{{- $needsRecreate := false -}}
+{{- if $tlsSecret }}
 {{- $cert := $tlsSecret.data.cert | b64dec | fromYaml -}}
 {{- if and $cert (lt (now | date "2006-01-02" | dateAdd (mul $recreateSelfSignedCertThreshold 24h)) ($cert | date "2006-01-02")) }}
 {{- $needsRecreate = true -}}
 {{- end -}}
+{{- end -}}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -19,7 +27,7 @@ webhooks:
 clientConfig:
 {{- if eq .Values.service.type "ExternalName" }}
 caBundle: {{ .Values.caBundle }}
-{{- else if $tlsSecret }}
+{{- else if and $tlsSecret (not $needsRecreate) }}
 caBundle: {{ $tlsSecret.data.cert }}
 {{- else }}
 caBundle: {{ $tlsCert.Cert | b64enc }}
@@ -38,7 +46,7 @@ kind: Secret
 metadata:
 name: {{ include "dsv.name" . }}-tls
 data:
-{{- if $tlsSecret }}
+{{- if and $tlsSecret (not $needsRecreate) }}
 cert.pem: {{ $tlsSecret.data.cert }}
 key.pem: {{ $tlsSecret.data.key }}
 {{- else }}
diff --git a/charts/dsv-injector/values.yaml b/charts/dsv-injector/values.yaml
index e1e9a5f..6c7af43 100644
--- a/charts/dsv-injector/values.yaml
+++ b/charts/dsv-injector/values.yaml
@@ -120,3 +120,11 @@ configmap:
 # DSV_CREDENTIALS_JSON:
 # DSV_SERVER_ADDRESS:
 # DSV_DEBUG: 'true' # Warning: if passing boolean, use quoted string to avoid issues
+
+# -- webhookCertExpireDays specifies the number of days before the webhook certificate expires
+# @default -- 365
+webhookCertExpireDays: 365
+
+# -- recreateSelfSignedCertThreshold specifies the number of days before the self-signed certificate expires
+# @default -- 90
+recreateSelfSignedCertThreshold: 90
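Review bot: The expiry check in the first webhook.yaml hunk cannot work as written: `$tlsSecret.data.cert | b64dec | fromYaml` turns PEM text into a map rather than a date, `dateAdd` is not a Sprig/Helm template function, and `24h` is not a valid Go template literal, so the chart will fail to render instead of detecting an expiring certificate. Even with working date functions the comparison `lt (now + threshold) (cert expiry)` is inverted — it sets `$needsRecreate` when the certificate is still valid beyond the threshold — and `date "2006-01-02"` discards the time of day. Sprig cannot parse X.509, so the expiry has to be recorded where the template can read it: write the NotAfter computed at generation time (`now | dateModify (printf "%dh" (mul (default 365 .Values.webhookCertExpireDays | int) 24))`) as an annotation on the Secret in the `metadata:` block of the third hunk, and compare it against `now | dateModify` as sketched below. A threshold that is not smaller than `webhookCertExpireDays` makes every render regenerate the certificate and key, so the check should also guard against that configuration.
```yaml
{{- $recreateSelfSignedCertThreshold := default 90 .Values.recreateSelfSignedCertThreshold | int -}}
{{- $needsRecreate := false -}}
{{- if $tlsSecret }}
  {{/* Sprig cannot parse X.509; read the NotAfter recorded as an annotation when the Secret was last generated. */}}
  {{- $annotations := default (dict) $tlsSecret.metadata.annotations -}}
  {{- $notAfterStr := index $annotations "PLACEHOLDER-ANNOTATION-KEY/cert-not-after" -}}
  {{- if $notAfterStr }}
    {{- $notAfter := toDate "2006-01-02T15:04:05Z07:00" $notAfterStr -}}
    {{- $cutoff := now | dateModify (printf "%dh" (mul $recreateSelfSignedCertThreshold 24)) -}}
    {{- if $notAfter.Before $cutoff }}
      {{- $needsRecreate = true -}}
    {{- end -}}
  {{- end -}}
{{- end -}}
{{/* … unchanged: document start and MutatingWebhookConfiguration … */}}
```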
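Review bot: In the values.yaml hunk the comment on `recreateSelfSignedCertThreshold` repeats the wording used for `webhookCertExpireDays` ("number of days before the self-signed certificate expires"), so a reader cannot tell the two values apart even though the template uses the first as a regeneration window rather than a lifetime. Suggest `# -- recreateSelfSignedCertThreshold: regenerate the self-signed certificate when the existing one expires within this many days; must be smaller than webhookCertExpireDays, otherwise every upgrade rotates the certificate and key`. It would also help to state on `webhookCertExpireDays` that it only applies to the chart-generated self-signed certificate and not to a user-supplied `caBundle`.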