ATHENS-9030 cert-manager integration to rotate cert by config (#89)

Author: balamanova

deploy/example/example-app.yaml

@@ -76,3 +76,5 @@ spec:
             volumeAttributes:
               csi.cert-manager.athenz.io/pod-subdomain: "my-subdomain"
               csi.cert-manager.athenz.io/pod-hostname: "my-hostname"
+              csi.cert-manager.athenz.io/refresh-interval: "1h"
+

internal/csi/driver/driver.go

@@ -45,12 +45,14 @@ import (
 )
 
 const (
-	cloudMetaEndpoint = "http://169.254.169.254:80"
-	attrPodSubdomain  = "csi.cert-manager.athenz.io/pod-subdomain"
-	attrPodHostname   = "csi.cert-manager.athenz.io/pod-hostname"
-	attrPodService    = "csi.cert-manager.athenz.io/pod-service"
-	attrNSForDomain   = "csi.cert-manager.athenz.io/use-namespace-for-domain"
-	clusterZone       = "cluster.local"
+	cloudMetaEndpoint      = "http://169.254.169.254:80"
+	attrPodSubdomain       = "csi.cert-manager.athenz.io/pod-subdomain"
+	attrPodHostname        = "csi.cert-manager.athenz.io/pod-hostname"
+	attrPodService         = "csi.cert-manager.athenz.io/pod-service"
+	attrNSForDomain        = "csi.cert-manager.athenz.io/use-namespace-for-domain"
+	attrRefreshInterval    = "csi.cert-manager.athenz.io/refresh-interval"
+	clusterZone            = "cluster.local"
+	defaultRefreshInterval = 24 * time.Hour
 )
 
 // Options holds the Options needed for the CSI driver.
@@ -462,9 +464,26 @@ func (d *Driver) writeKeypair(meta metadata.Metadata, key crypto.PrivateKey, cha
 
 	// Calculate the next issuance time before we write any data to file,
 	// so if the write fails, we are not left in a bad state.
-	nextIssuanceTime, err := calculateNextIssuanceTime(chain)
-	if err != nil {
-		return fmt.Errorf("failed to calculate next issuance time: %w", err)
+	var nextIssuanceTime time.Time
+
+	// Check if a custom refresh interval is specified in the volume context
+	refreshIntervalStr := meta.VolumeContext[attrRefreshInterval]
+	if refreshIntervalStr != "" {
+		// Use the custom refresh interval from volume context
+		refreshInterval, err := parseRefreshInterval(refreshIntervalStr, defaultRefreshInterval)
+		if err != nil {
+			return fmt.Errorf("failed to parse refresh interval: %w", err)
+		}
+		nextIssuanceTime = calculateNextIssuanceTimeWithRefreshInterval(refreshInterval)
+		d.log.Info("using custom refresh interval", "refreshInterval", refreshInterval.String(), "nextIssuanceTime", nextIssuanceTime.Format(time.RFC3339))
+	} else {
+		// Fall back to certificate-based calculation (2/3 of validity period)
+		var err error
+		nextIssuanceTime, err = calculateNextIssuanceTime(chain)
+		if err != nil {
+			return fmt.Errorf("failed to calculate next issuance time: %w", err)
+		}
+		d.log.Info("using certificate-based refresh interval", "nextIssuanceTime", nextIssuanceTime.Format(time.RFC3339))
 	}
 
 	data := map[string][]byte{

internal/csi/driver/driver_test.go

@@ -22,13 +22,15 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"testing"
+	"time"
 
 	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	utilpki "github.com/cert-manager/cert-manager/pkg/util/pki"
 	"github.com/cert-manager/csi-lib/metadata"
 	"github.com/cert-manager/csi-lib/storage"
 	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
 	"github.com/stretchr/testify/require"
+	"k8s.io/klog/v2/klogr"
 
 	"github.com/AthenZ/csi-driver-athenz/internal/csi/rootca"
 )
@@ -68,6 +70,7 @@ func Test_writeKeyPair(t *testing.T) {
 
 	store := storage.NewMemoryFS()
 	d := &Driver{
+		log:          klogr.New(),
 		certFileName: "crt.pem",
 		keyFileName:  "key.pem",
 		caFileName:   "ca.pem",
@@ -297,3 +300,141 @@ func Test_generateRequestWithNamespaceDomainFalse(t *testing.T) {
 	expectedSpiffeID := "spiffe://athenz.io/ns/sandbox/sa/athenz.example"
 	require.Equal(t, expectedSpiffeID, certBundle.Annotations["csi.cert-manager.athenz.io/identity"])
 }
+
+func Test_writeKeyPairWithCustomRefreshInterval(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(func() {
+		cancel()
+	})
+
+	capk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	caTmpl, err := utilpki.CertificateTemplateFromCertificate(&cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "my-ca"}})
+	require.NoError(t, err)
+
+	caPEM, ca, err := utilpki.SignCertificate(caTmpl, caTmpl, capk.Public(), capk)
+	require.NoError(t, err)
+
+	leafpk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	leafTmpl, err := utilpki.CertificateTemplateFromCertificate(
+		&cmapi.Certificate{
+			Spec: cmapi.CertificateSpec{URIs: []string{"spiffe://athenz.io/ns/sandbox/sa/default"}},
+		},
+	)
+	require.NoError(t, err)
+
+	leafPEM, _, err := utilpki.SignCertificate(leafTmpl, ca, leafpk.Public(), capk)
+	require.NoError(t, err)
+
+	ch := make(chan []byte)
+	rootCAs := rootca.NewMemory(ctx, ch)
+	ch <- caPEM
+
+	store := storage.NewMemoryFS()
+	d := &Driver{
+		log:          klogr.New(),
+		certFileName: "crt.pem",
+		keyFileName:  "key.pem",
+		caFileName:   "ca.pem",
+		rootCAs:      rootCAs,
+		store:        store,
+	}
+
+	// Test with custom refresh interval of 12 hours
+	volumeContext := map[string]string{
+		"csi.cert-manager.athenz.io/refresh-interval": "12h",
+	}
+	meta := metadata.Metadata{VolumeID: "vol-id-refresh", VolumeContext: volumeContext}
+
+	_, err = store.RegisterMetadata(meta)
+	require.NoError(t, err)
+
+	beforeWrite := time.Now()
+	err = d.writeKeypair(meta, leafpk, leafPEM, nil)
+	require.NoError(t, err)
+	afterWrite := time.Now()
+
+	files, err := store.ReadFiles("vol-id-refresh")
+	require.NoError(t, err)
+
+	_, err = x509svid.Parse(files["crt.pem"], files["key.pem"])
+	require.NoError(t, err)
+
+	// Verify the next issuance time is approximately 12 hours from now
+	updatedMeta, err := store.ReadMetadata("vol-id-refresh")
+	require.NoError(t, err)
+	require.NotNil(t, updatedMeta.NextIssuanceTime)
+
+	expectedMin := beforeWrite.Add(12 * time.Hour)
+	expectedMax := afterWrite.Add(12 * time.Hour)
+	require.True(t, updatedMeta.NextIssuanceTime.After(expectedMin) || updatedMeta.NextIssuanceTime.Equal(expectedMin),
+		"NextIssuanceTime should be >= now + 12h")
+	require.True(t, updatedMeta.NextIssuanceTime.Before(expectedMax) || updatedMeta.NextIssuanceTime.Equal(expectedMax),
+		"NextIssuanceTime should be <= now + 12h")
+}
+
+func Test_writeKeyPairWithDefaultRefreshInterval(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	t.Cleanup(func() {
+		cancel()
+	})
+
+	capk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	caTmpl, err := utilpki.CertificateTemplateFromCertificate(&cmapi.Certificate{Spec: cmapi.CertificateSpec{CommonName: "my-ca"}})
+	require.NoError(t, err)
+
+	caPEM, ca, err := utilpki.SignCertificate(caTmpl, caTmpl, capk.Public(), capk)
+	require.NoError(t, err)
+
+	leafpk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+
+	leafTmpl, err := utilpki.CertificateTemplateFromCertificate(
+		&cmapi.Certificate{
+			Spec: cmapi.CertificateSpec{URIs: []string{"spiffe://athenz.io/ns/sandbox/sa/default"}},
+		},
+	)
+	require.NoError(t, err)
+
+	leafPEM, _, err := utilpki.SignCertificate(leafTmpl, ca, leafpk.Public(), capk)
+	require.NoError(t, err)
+
+	ch := make(chan []byte)
+	rootCAs := rootca.NewMemory(ctx, ch)
+	ch <- caPEM
+
+	store := storage.NewMemoryFS()
+	d := &Driver{
+		log:          klogr.New(),
+		certFileName: "crt.pem",
+		keyFileName:  "key.pem",
+		caFileName:   "ca.pem",
+		rootCAs:      rootCAs,
+		store:        store,
+	}
+
+	// Test without custom refresh interval (should use certificate-based calculation)
+	meta := metadata.Metadata{VolumeID: "vol-id-default"}
+
+	_, err = store.RegisterMetadata(meta)
+	require.NoError(t, err)
+
+	err = d.writeKeypair(meta, leafpk, leafPEM, nil)
+	require.NoError(t, err)
+
+	files, err := store.ReadFiles("vol-id-default")
+	require.NoError(t, err)
+
+	_, err = x509svid.Parse(files["crt.pem"], files["key.pem"])
+	require.NoError(t, err)
+
+	// Verify the next issuance time was set (based on certificate validity)
+	updatedMeta, err := store.ReadMetadata("vol-id-default")
+	require.NoError(t, err)
+	require.NotNil(t, updatedMeta.NextIssuanceTime)
+}

internal/csi/driver/util.go

@@ -126,3 +126,31 @@ func getDomainFromNamespaceAnnotations(annotations map[string]string) string {
 	}
 	return ""
 }
+
+// parseRefreshInterval parses a refresh interval string in hours (e.g., "24h", "12h", "1h")
+// and returns the duration. If the string is empty, it returns the default refresh interval.
+// If the string is invalid or less than 1 hour, it returns an error.
+func parseRefreshInterval(intervalStr string, defaultInterval time.Duration) (time.Duration, error) {
+	if intervalStr == "" {
+		return defaultInterval, nil
+	}
+
+	// Parse the hours value (e.g., "24h" -> 24 hours)
+	duration, err := time.ParseDuration(intervalStr)
+	if err != nil {
+		return 0, fmt.Errorf("invalid refresh interval %q: %w", intervalStr, err)
+	}
+
+	// Ensure the refresh interval is at least 1 hour
+	if duration < time.Hour {
+		return 0, fmt.Errorf("refresh interval %q must be at least 1 hour", intervalStr)
+	}
+
+	return duration, nil
+}
+
+// calculateNextIssuanceTimeWithRefreshInterval returns the time when the certificate
+// should be renewed based on the specified refresh interval from the current time.
+func calculateNextIssuanceTimeWithRefreshInterval(refreshInterval time.Duration) time.Time {
+	return time.Now().Add(refreshInterval)
+}

internal/csi/driver/util_test.go

@@ -18,6 +18,7 @@ package driver
 
 import (
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -185,3 +186,92 @@ func Test_appendUri(t *testing.T) {
 		})
 	}
 }
+
+func Test_parseRefreshInterval(t *testing.T) {
+	defaultInterval := 24 * time.Hour
+
+	tests := []struct {
+		name            string
+		intervalStr     string
+		defaultInterval time.Duration
+		expected        time.Duration
+		expectError     bool
+	}{
+		{
+			name:            "valid 1h interval (minimum)",
+			intervalStr:     "1h",
+			defaultInterval: defaultInterval,
+			expected:        1 * time.Hour,
+			expectError:     false,
+		},
+		{
+			name:            "valid 72h interval",
+			intervalStr:     "72h",
+			defaultInterval: defaultInterval,
+			expected:        72 * time.Hour,
+			expectError:     false,
+		},
+		{
+			name:            "empty interval returns default",
+			intervalStr:     "",
+			defaultInterval: defaultInterval,
+			expected:        defaultInterval,
+			expectError:     false,
+		},
+		{
+			name:            "invalid string returns error",
+			intervalStr:     "interval",
+			defaultInterval: defaultInterval,
+			expectError:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, err := parseRefreshInterval(tt.intervalStr, tt.defaultInterval)
+			if tt.expectError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.expected, result)
+			}
+		})
+	}
+}
+
+func Test_calculateNextIssuanceTimeWithRefreshInterval(t *testing.T) {
+	tests := []struct {
+		name            string
+		refreshInterval time.Duration
+	}{
+		{
+			name:            "24h refresh interval",
+			refreshInterval: 24 * time.Hour,
+		},
+		{
+			name:            "1h refresh interval",
+			refreshInterval: 1 * time.Hour,
+		},
+		{
+			name:            "12h refresh interval",
+			refreshInterval: 12 * time.Hour,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			before := time.Now()
+			result := calculateNextIssuanceTimeWithRefreshInterval(tt.refreshInterval)
+			after := time.Now()
+
+			// The result should be approximately now + refreshInterval
+			expectedMin := before.Add(tt.refreshInterval)
+			expectedMax := after.Add(tt.refreshInterval)
+
+			assert.True(t, result.After(expectedMin) || result.Equal(expectedMin),
+				"result %v should be >= %v", result, expectedMin)
+			assert.True(t, result.Before(expectedMax) || result.Equal(expectedMax),
+				"result %v should be <= %v", result, expectedMax)
+		})
+	}
+}

test/e2e/suite/import.go

@@ -21,4 +21,5 @@ import (
 	_ "github.com/AthenZ/csi-driver-athenz/test/e2e/suite/carotation"
 	_ "github.com/AthenZ/csi-driver-athenz/test/e2e/suite/fsgroup"
 	_ "github.com/AthenZ/csi-driver-athenz/test/e2e/suite/namespacedomain"
+	_ "github.com/AthenZ/csi-driver-athenz/test/e2e/suite/refreshinterval"
 )