kubernetes-sigs · Karthik-K-N · Jun 12, 2025 · Jun 11, 2025 · Jun 12, 2025 · Jun 12, 2025
diff --git a/api/bootstrap/kubeadm/v1beta1/conversion.go b/api/bootstrap/kubeadm/v1beta1/conversion.go
@@ -63,6 +63,18 @@ func RestoreKubeadmConfigSpec(restored *bootstrapv1.KubeadmConfigSpec, dst *boot
 		}
 		dst.JoinConfiguration.Timeouts = restored.JoinConfiguration.Timeouts
 	}
+	if restored.ClusterConfiguration != nil &&
+		(restored.ClusterConfiguration.CertificateValidityPeriodDays != nil || restored.ClusterConfiguration.CACertificateValidityPeriodDays != nil) {
+		if dst.ClusterConfiguration == nil {
+			dst.ClusterConfiguration = &bootstrapv1.ClusterConfiguration{}
+		}
+		if restored.ClusterConfiguration.CertificateValidityPeriodDays != nil {
+			dst.ClusterConfiguration.CertificateValidityPeriodDays = restored.ClusterConfiguration.CertificateValidityPeriodDays
+		}
+		if restored.ClusterConfiguration.CACertificateValidityPeriodDays != nil {
+			dst.ClusterConfiguration.CACertificateValidityPeriodDays = restored.ClusterConfiguration.CACertificateValidityPeriodDays
+		}
+	}
 }
 
 func (src *KubeadmConfigSpec) ConvertTo(dst *bootstrapv1.KubeadmConfigSpec) {
@@ -329,3 +341,7 @@ func Convert_v1_Condition_To_v1beta1_Condition(in *metav1.Condition, out *cluste
 func Convert_v1beta1_Condition_To_v1_Condition(in *clusterv1beta1.Condition, out *metav1.Condition, s apimachineryconversion.Scope) error {
 	return clusterv1beta1.Convert_v1beta1_Condition_To_v1_Condition(in, out, s)
 }
+
+func Convert_v1beta2_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in *bootstrapv1.ClusterConfiguration, out *ClusterConfiguration, s apimachineryconversion.Scope) error {
+	return autoConvert_v1beta2_ClusterConfiguration_To_v1beta1_ClusterConfiguration(in, out, s)
+}
diff --git a/api/bootstrap/kubeadm/v1beta1/zz_generated.conversion.go b/api/bootstrap/kubeadm/v1beta1/zz_generated.conversion.go
diff --git a/api/bootstrap/kubeadm/v1beta2/kubeadm_types.go b/api/bootstrap/kubeadm/v1beta2/kubeadm_types.go
@@ -172,6 +172,16 @@ type ClusterConfiguration struct {
 	// featureGates enabled by the user.
 	// +optional
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
+
+	// certificateValidityPeriodDays specifies the validity period for a non-CA certificate generated by kubeadm.
+	// Default value: 3650 days (10 years) set by kubeadm.
+	// +optional
+	CertificateValidityPeriodDays *int32 `json:"certificateValidityPeriodDays,omitempty"`
+
+	// caCertificateValidityPeriodDays specifies the validity period for a CA certificate generated by kubeadm.
+	// Default value: 3650 days (10 years) set by kubeadm.
+	// +optional
+	CACertificateValidityPeriodDays *int32 `json:"caCertificateValidityPeriodDays,omitempty"`
 }
 
 // ControlPlaneComponent holds settings common to control plane component of the cluster.

diff --git a/api/bootstrap/kubeadm/v1beta2/zz_generated.deepcopy.go b/api/bootstrap/kubeadm/v1beta2/zz_generated.deepcopy.go
diff --git a/api/controlplane/kubeadm/v1beta1/conversion_test.go b/api/controlplane/kubeadm/v1beta1/conversion_test.go
@@ -104,6 +104,10 @@ func hubKubeadmConfigSpec(in *bootstrapv1.KubeadmConfigSpec, c randfill.Continue
 		}
 		in.JoinConfiguration.Timeouts.ControlPlaneComponentHealthCheckSeconds = initControlPlaneComponentHealthCheckSeconds
 	}
+	if in.ClusterConfiguration != nil {
+		in.ClusterConfiguration.CertificateValidityPeriodDays = nil
+		in.ClusterConfiguration.CACertificateValidityPeriodDays = nil
+	}
 }
 
 func hubBootstrapTokenString(in *bootstrapv1.BootstrapTokenString, _ randfill.Continue) {

diff --git a/api/core/v1beta2/conversion.go b/api/core/v1beta2/conversion.go
@@ -55,3 +55,26 @@ func ConvertFromSeconds(in *int32) *metav1.Duration {
 	}
 	return ptr.To(metav1.Duration{Duration: time.Duration(*in) * time.Second})
 }
+
+// ConvertToDays takes *metav1.Duration and returns a *int32.
+// Durations longer than MaxInt32 are capped.
+// NOTE: this is a util function intended only for usage in API conversions.
+func ConvertToDays(in *metav1.Duration) *int32 {
+	if in == nil {
+		return nil
+	}
+	hours := math.Trunc(in.Hours())
+	if hours > math.MaxInt32 {
+		return ptr.To[int32](math.MaxInt32)
+	}
+	return ptr.To(int32(hours / 24))
+}
+
+// ConvertFromDays takes *int32 and returns a *metav1.Duration.
+// NOTE: this is a util function intended only for usage in API conversions.
+func ConvertFromDays(in *int32) *metav1.Duration {
+	if in == nil {
+		return nil
+	}
+	return ptr.To(metav1.Duration{Duration: time.Duration(*in) * time.Hour * 24})
+}
diff --git a/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml b/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml
diff --git a/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml b/bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml
diff --git a/bootstrap/kubeadm/types/upstreamv1beta3/conversion.go b/bootstrap/kubeadm/types/upstreamv1beta3/conversion.go
@@ -241,3 +241,7 @@ func (src *ClusterConfiguration) GetAdditionalData(data *upstream.AdditionalData
 		data.ControlPlaneComponentHealthCheckSeconds = clusterv1.ConvertToSeconds(src.APIServer.TimeoutForControlPlane)
 	}
 }
+
+func Convert_v1beta2_ClusterConfiguration_To_upstreamv1beta3_ClusterConfiguration(in *bootstrapv1.ClusterConfiguration, out *ClusterConfiguration, s apimachineryconversion.Scope) error {
+	return autoConvert_v1beta2_ClusterConfiguration_To_upstreamv1beta3_ClusterConfiguration(in, out, s)
+}
diff --git a/bootstrap/kubeadm/types/upstreamv1beta3/conversion_test.go b/bootstrap/kubeadm/types/upstreamv1beta3/conversion_test.go
@@ -80,6 +80,7 @@ func fuzzFuncs(_ runtimeserializer.CodecFactory) []interface{} {
 		hubControlPlaneComponentFuzzer,
 		hubLocalEtcdFuzzer,
 		hubNodeRegistrationOptionsFuzzer,
+		hubClusterConfigurationFuzzer,
 	}
 }
 
@@ -195,3 +196,10 @@ func spokeBootstrapToken(in *BootstrapToken, c randfill.Continue) {
 		in.TTL = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31()) * time.Second})
 	}
 }
+
+func hubClusterConfigurationFuzzer(obj *bootstrapv1.ClusterConfiguration, c randfill.Continue) {
+	c.FillNoCustom(obj)
+
+	obj.CertificateValidityPeriodDays = nil
+	obj.CACertificateValidityPeriodDays = nil
+}
diff --git a/bootstrap/kubeadm/types/upstreamv1beta3/zz_generated.conversion.go b/bootstrap/kubeadm/types/upstreamv1beta3/zz_generated.conversion.go
diff --git a/bootstrap/kubeadm/types/upstreamv1beta4/conversion.go b/bootstrap/kubeadm/types/upstreamv1beta4/conversion.go
@@ -62,9 +62,22 @@ func Convert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguratio
 	// Following fields do not exist in CABPK v1beta1 version:
 	// - Proxy (Not supported yet)
 	// - EncryptionAlgorithm (Not supported yet)
-	// - CertificateValidityPeriod (Not supported yet)
-	// - CACertificateValidityPeriod (Not supported yet)
-	return autoConvert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguration(in, out, s)
+	if err := autoConvert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguration(in, out, s); err != nil {
+		return err
+	}
+	out.CertificateValidityPeriodDays = clusterv1.ConvertToDays(in.CertificateValidityPeriod)
+	out.CACertificateValidityPeriodDays = clusterv1.ConvertToSeconds(in.CACertificateValidityPeriod)
+	return nil
+}
+
+// Convert_v1beta2_ClusterConfiguration_To_upstreamv1beta4_ClusterConfiguration is an autogenerated conversion function.
+func Convert_v1beta2_ClusterConfiguration_To_upstreamv1beta4_ClusterConfiguration(in *bootstrapv1.ClusterConfiguration, out *ClusterConfiguration, s apimachineryconversion.Scope) error {
+	if err := autoConvert_v1beta2_ClusterConfiguration_To_upstreamv1beta4_ClusterConfiguration(in, out, s); err != nil {
+		return err
+	}
+	out.CertificateValidityPeriod = clusterv1.ConvertFromDays(in.CertificateValidityPeriodDays)
+	out.CACertificateValidityPeriod = clusterv1.ConvertFromSeconds(in.CACertificateValidityPeriodDays)
+	return nil
 }
 
 func Convert_upstreamv1beta4_DNS_To_v1beta2_DNS(in *DNS, out *bootstrapv1.DNS, s apimachineryconversion.Scope) error {

diff --git a/bootstrap/kubeadm/types/upstreamv1beta4/conversion_test.go b/bootstrap/kubeadm/types/upstreamv1beta4/conversion_test.go
@@ -77,6 +77,7 @@ func fuzzFuncs(_ runtimeserializer.CodecFactory) []interface{} {
 		spokeJoinControlPlaneFuzzer,
 		spokeTimeoutsFuzzer,
 		hubJoinConfigurationFuzzer,
+		hubClusterConfigurationFuzzer,
 	}
 }
 
@@ -95,8 +96,13 @@ func spokeClusterConfigurationFuzzer(obj *ClusterConfiguration, c randfill.Conti
 
 	obj.Proxy = Proxy{}
 	obj.EncryptionAlgorithm = ""
-	obj.CACertificateValidityPeriod = nil
-	obj.CertificateValidityPeriod = nil
+
+	if obj.CertificateValidityPeriod != nil {
+		obj.CertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31()%24) * time.Hour * 24})
+	}
+	if obj.CACertificateValidityPeriod != nil {
+		obj.CACertificateValidityPeriod = ptr.To[metav1.Duration](metav1.Duration{Duration: time.Duration(c.Int31()%24) * time.Hour * 24})
+	}
 
 	// Drop the following fields as they have been removed in v1beta2, so we don't have to preserve them.
 	obj.Networking.ServiceSubnet = ""
@@ -179,6 +185,18 @@ func hubJoinConfigurationFuzzer(obj *bootstrapv1.JoinConfiguration, c randfill.C
 	}
 }
 
+func hubClusterConfigurationFuzzer(obj *bootstrapv1.ClusterConfiguration, c randfill.Continue) {
+	c.FillNoCustom(obj)
+
+	if obj.CertificateValidityPeriodDays != nil {
+		obj.CertificateValidityPeriodDays = ptr.To[int32](*obj.CertificateValidityPeriodDays % 24)
+	}
+
+	if obj.CACertificateValidityPeriodDays != nil {
+		obj.CACertificateValidityPeriodDays = ptr.To[int32](*obj.CACertificateValidityPeriodDays % 24)
+	}
+}
+
 func spokeBootstrapToken(in *BootstrapToken, c randfill.Continue) {
 	c.FillNoCustom(in)
 

diff --git a/bootstrap/kubeadm/types/upstreamv1beta4/zz_generated.conversion.go b/bootstrap/kubeadm/types/upstreamv1beta4/zz_generated.conversion.go