Skip to content

✨ Add CertificateValidityPeriod and CACertificateValidityPeriod to KubeadmConfig #12335

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

✨ Add CertificateValidityPeriod and CACertificateValidityPeriod to KubeadmConfig #12335

wants to merge 4 commits into from
+273 −84

Conversation

Karthik-K-N
Copy link
Contributor

@Karthik-K-N Karthik-K-N commented Jun 9, 2025
edited
Loading

What this PR does / why we need it:

Adds CertificateValidityPeriod and CACertificateValidityPeriod to KubeadmConfig

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #12289

/area provider/bootstrap-kubeadm

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign justinsb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 9, 2025
@k8s-ci-robot k8s-ci-robot added do-not-merge/needs-area PR is missing an area label size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 9, 2025
Karthik-K-N
Karthik-K-N commented Jun 9, 2025
View reviewed changes
@Karthik-K-N
Copy link
Contributor Author

/hold

Added CertificateValidityPeriod to KubeadmConfig if the changes (especially conversions) are in right direction will do the similar changes for CACertificateValidityPeriod as well.

@sbueringer Please let me know your opinion. Thanks.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 9, 2025
Karthik-K-N
Karthik-K-N commented Jun 9, 2025
View reviewed changes
api/bootstrap/kubeadm/v1beta2/kubeadm_types.go Outdated
@@ -207,6 +207,11 @@ type ClusterConfiguration struct {
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=63
ClusterName string `json:"clusterName,omitempty"`

// CertificateValidityPeriod specifies the validity period for a non-CA certificate generated by kubeadm.
// Default value: 8760h (365 days * 24 hours = 1 year)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just copied the Default value from kubeadm, Should we add a logic to add default value or is it implicitly taken care by kubeadm and remove it from here?

Copy link
Member

@sbueringer sbueringer Jun 12, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question. I definitely want to document the default value here and I don't want to default directly on the API via OpenAPI defaulting or mutating webhook. So that we still know what the user set (if they set it)

I think maybe we just let kubeadm default it, but no strong opinion

@fabriziopandini WDYT?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Talked to Fabrizio, I'll suggest the full godoc comments after the next review

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 10, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 11, 2025
@sbueringer sbueringer mentioned this pull request Jun 11, 2025
Merged
@Karthik-K-N
Copy link
Contributor Author

Added both the fields, Need to make changes to honor those fields while generating CA.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 11, 2025
@sbueringer
Copy link
Member

@Karthik-K-N Sorry can you rebase again? I think now we got all PRs merged for now. I'll look into the PR afterwards

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 12, 2025
@Karthik-K-N
Copy link
Contributor Author

@Karthik-K-N Sorry can you rebase again? I think now we got all PRs merged for now. I'll look into the PR afterwards

No issues, Thanks, I just rebased the PR, I have added both the fields with their conversions, I will just try to work on how to use these fields while generating certificate

@Karthik-K-N
Copy link
Contributor Author

/hold cancel

Ready for initial review, UT is pending

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 12, 2025
@sbueringer sbueringer added area/provider/control-plane-kubeadm Issues or PRs related to KCP area/provider/bootstrap-kubeadm Issues or PRs related to CAPBK labels Jun 12, 2025
@k8s-ci-robot k8s-ci-robot removed do-not-merge/needs-area PR is missing an area label labels Jun 12, 2025
@sbueringer
Copy link
Member

/test pull-cluster-api-verify-main
/test pull-cluster-api-e2e-main

Karthik-K-N
Karthik-K-N commented Jun 12, 2025
View reviewed changes
sbueringer
sbueringer reviewed Jun 12, 2025
View reviewed changes
Copy link
Member

@sbueringer sbueringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for working on this

bootstrap/kubeadm/types/upstreamv1beta4/conversion_test.go Outdated
obj.CertificateValidityPeriod = nil

if obj.CertificateValidityPeriod != nil {
obj.CertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31()) * time.Second})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be changed to time.Days when we change the fields on the v1beta2 api to *Days

Please check if max of c.Int31() * time.Days is already more than max of Duration. Then we don't have to do anything here.

We only had to add this for other cases because it was possible to have a Duration which was to high to be converted to Seconds int32

Karthik-K-N
Karthik-K-N commented Jun 13, 2025
View reviewed changes
bootstrap/kubeadm/types/upstreamv1beta4/conversion_test.go
obj.CertificateValidityPeriod = nil

if obj.CertificateValidityPeriod != nil {
obj.CertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31()%24) * time.Hour * 24})
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since there is no built in methods in time package to use time.Days(), I was facing round trip errors while converting hours to Days back and forth due to round off of minute field.
So added this way to always get whole hours rather than in minutes.

Please suggest if there are any better ways to handle this.

@Karthik-K-N
Copy link
Contributor Author

Address all the review comments, The PR is ready for next review. Thanks.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 13, 2025
@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbueringer sbueringer sbueringer left review comments

@enxebre enxebre Awaiting requested review from enxebre

@richardcase richardcase Awaiting requested review from richardcase

Assignees
No one assigned
Labels
area/provider/bootstrap-kubeadm Issues or PRs related to CAPBK area/provider/control-plane-kubeadm Issues or PRs related to KCP cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow users to set CertificateValidityPeriod
3 participants
@Karthik-K-N @k8s-ci-robot @sbueringer