Rotate cert conf refresh fix (#90)

Signed-off-by: abalamanova <assem.balamanova@yahooinc.com>
Co-authored-by: abalamanova <assem.balamanova@yahooinc.com>

Author: balamanova

deploy/example/example-app.yaml

@@ -76,5 +76,3 @@ spec:
             volumeAttributes:
               csi.cert-manager.athenz.io/pod-subdomain: "my-subdomain"
               csi.cert-manager.athenz.io/pod-hostname: "my-hostname"
-              csi.cert-manager.athenz.io/refresh-interval: "1h"
-

internal/csi/driver/driver.go

@@ -464,27 +464,14 @@ func (d *Driver) writeKeypair(meta metadata.Metadata, key crypto.PrivateKey, cha
 
 	// Calculate the next issuance time before we write any data to file,
 	// so if the write fails, we are not left in a bad state.
-	var nextIssuanceTime time.Time
-
-	// Check if a custom refresh interval is specified in the volume context
+	// Parse refresh interval from volume context, defaults to 24h if not specified or invalid
 	refreshIntervalStr := meta.VolumeContext[attrRefreshInterval]
-	if refreshIntervalStr != "" {
-		// Use the custom refresh interval from volume context
-		refreshInterval, err := parseRefreshInterval(refreshIntervalStr, defaultRefreshInterval)
-		if err != nil {
-			return fmt.Errorf("failed to parse refresh interval: %w", err)
-		}
-		nextIssuanceTime = calculateNextIssuanceTimeWithRefreshInterval(refreshInterval)
-		d.log.Info("using custom refresh interval", "refreshInterval", refreshInterval.String(), "nextIssuanceTime", nextIssuanceTime.Format(time.RFC3339))
-	} else {
-		// Fall back to certificate-based calculation (2/3 of validity period)
-		var err error
-		nextIssuanceTime, err = calculateNextIssuanceTime(chain)
-		if err != nil {
-			return fmt.Errorf("failed to calculate next issuance time: %w", err)
-		}
-		d.log.Info("using certificate-based refresh interval", "nextIssuanceTime", nextIssuanceTime.Format(time.RFC3339))
+	refreshInterval, err := parseRefreshInterval(refreshIntervalStr, defaultRefreshInterval)
+	if err != nil {
+		d.log.Error(err, "invalid refresh interval, using default", "default", defaultRefreshInterval.String())
 	}
+	nextIssuanceTime := calculateNextIssuanceTimeWithRefreshInterval(refreshInterval)
+	d.log.Info("using refresh interval", "refreshInterval", refreshInterval.String(), "nextIssuanceTime", nextIssuanceTime.Format(time.RFC3339))
 
 	data := map[string][]byte{
 		d.certFileName: chain,

internal/csi/driver/util.go

@@ -57,24 +57,6 @@ func signRequest(_ metadata.Metadata, key crypto.PrivateKey, request *x509.Certi
 	}), nil
 }
 
-// calculateNextIssuanceTime returns the time when the certificate should be
-// renewed. This will be 2/3rds the duration of the leaf certificate's validity period.
-func calculateNextIssuanceTime(chain []byte) (time.Time, error) {
-	block, _ := pem.Decode(chain)
-
-	crt, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return time.Time{}, fmt.Errorf("parsing issued certificate: %w", err)
-	}
-
-	// Renew once a certificate is 2/3rds of the way through its actual lifetime.
-	actualDuration := crt.NotAfter.Sub(crt.NotBefore)
-
-	renewBeforeNotAfter := actualDuration / 3
-
-	return crt.NotAfter.Add(-renewBeforeNotAfter), nil
-}
-
 // extract domain and service from the service account name
 // e.g. athenz.prod.api -> domain: athenz.prod, service: api
 func extractDomainService(saName string) (string, string) {
@@ -127,23 +109,24 @@ func getDomainFromNamespaceAnnotations(annotations map[string]string) string {
 	return ""
 }
 
-// parseRefreshInterval parses a refresh interval string in hours (e.g., "24h", "12h", "1h")
-// and returns the duration. If the string is empty, it returns the default refresh interval.
-// If the string is invalid or less than 1 hour, it returns an error.
+// parseRefreshInterval parses a refresh interval string (e.g., "60m", "120m", "1h", "2h")
+// and returns the duration. If the string is empty, it returns the default refresh interval with nil error.
+// If invalid, it returns the default interval with an error describing the issue.
+// Minimum allowed interval is 60 minutes.
 func parseRefreshInterval(intervalStr string, defaultInterval time.Duration) (time.Duration, error) {
 	if intervalStr == "" {
-		return defaultInterval, nil
+		return defaultInterval, fmt.Errorf("no refresh interval specified, using default %s", defaultInterval.String())
 	}
 
-	// Parse the hours value (e.g., "24h" -> 24 hours)
+	// Parse the duration value (e.g., "60m" -> 60 minutes, "1h" -> 1 hour)
 	duration, err := time.ParseDuration(intervalStr)
 	if err != nil {
-		return 0, fmt.Errorf("invalid refresh interval %q: %w", intervalStr, err)
+		return defaultInterval, fmt.Errorf("failed to parse refresh interval %q: %w", intervalStr, err)
 	}
 
-	// Ensure the refresh interval is at least 1 hour
-	if duration < time.Hour {
-		return 0, fmt.Errorf("refresh interval %q must be at least 1 hour", intervalStr)
+	// Ensure the refresh interval is at least 60 minutes
+	if duration < 60*time.Minute {
+		return defaultInterval, fmt.Errorf("refresh interval %q is less than minimum 60 minutes", intervalStr)
 	}
 
 	return duration, nil

internal/csi/driver/util_test.go

@@ -198,32 +198,54 @@ func Test_parseRefreshInterval(t *testing.T) {
 		expectError     bool
 	}{
 		{
-			name:            "valid 1h interval (minimum)",
-			intervalStr:     "1h",
+			name:            "valid 60m interval (minimum)",
+			intervalStr:     "60m",
 			defaultInterval: defaultInterval,
-			expected:        1 * time.Hour,
+			expected:        60 * time.Minute,
+			expectError:     false,
+		},
+		{
+			name:            "valid 120m interval",
+			intervalStr:     "120m",
+			defaultInterval: defaultInterval,
+			expected:        120 * time.Minute,
 			expectError:     false,
 		},
 		{
-			name:            "valid 72h interval",
-			intervalStr:     "72h",
+			name:            "valid 1440m interval (24h)",
+			intervalStr:     "1440m",
 			defaultInterval: defaultInterval,
-			expected:        72 * time.Hour,
+			expected:        1440 * time.Minute,
 			expectError:     false,
 		},
 		{
-			name:            "empty interval returns default",
+			name:            "empty interval returns default with info message",
 			intervalStr:     "",
 			defaultInterval: defaultInterval,
 			expected:        defaultInterval,
-			expectError:     false,
+			expectError:     true,
 		},
 		{
-			name:            "invalid string returns error",
-			intervalStr:     "interval",
+			name:            "invalid string returns default with error",
+			intervalStr:     "invalid",
 			defaultInterval: defaultInterval,
+			expected:        defaultInterval,
 			expectError:     true,
 		},
+		{
+			name:            "interval less than 60m returns default with error",
+			intervalStr:     "30m",
+			defaultInterval: defaultInterval,
+			expected:        defaultInterval,
+			expectError:     true,
+		},
+		{
+			name:            "valid 1h interval (hours format also accepted)",
+			intervalStr:     "1h",
+			defaultInterval: defaultInterval,
+			expected:        1 * time.Hour,
+			expectError:     false,
+		},
 	}
 
 	for _, tt := range tests {
@@ -233,8 +255,8 @@ func Test_parseRefreshInterval(t *testing.T) {
 				assert.Error(t, err)
 			} else {
 				assert.NoError(t, err)
-				assert.Equal(t, tt.expected, result)
 			}
+			assert.Equal(t, tt.expected, result)
 		})
 	}
 }

test/e2e/suite/refreshinterval/refreshinterval.go

@@ -19,6 +19,7 @@ package refreshinterval
 import (
 	"bytes"
 	"os/exec"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -32,6 +33,8 @@ import (
 	. "github.com/onsi/gomega"
 )
 
+const csiDriverNamespace = "cert-manager"
+
 var _ = framework.CasesDescribe("RefreshInterval", func() {
 	f := framework.NewDefaultFramework("RefreshInterval")
 
@@ -136,6 +139,129 @@ var _ = framework.CasesDescribe("RefreshInterval", func() {
 		Expect(cmd.Run()).To(Succeed())
 		Expect(buf.Len()).To(BeNumerically(">", 0), "expected certificate file to not be empty")
 
+		By("Verifying CSI driver logs show 1h refresh interval")
+		logBuf := new(bytes.Buffer)
+		logCmd := exec.Command(f.Config().KubectlBinPath, "logs", "-n"+csiDriverNamespace, "-l", "app=csi-driver-athenz", "-c", "csi-driver-athenz", "--tail=100")
+		logCmd.Stdout = logBuf
+		logCmd.Stderr = GinkgoWriter
+		Expect(logCmd.Run()).To(Succeed())
+		Expect(strings.Contains(logBuf.String(), "refreshInterval\"=\"1h0m0s\"")).To(BeTrue(), "expected logs to show 1h refresh interval")
+
+		By("Cleaning up resources")
+		Expect(f.Client().Delete(f.Context(), &pod)).NotTo(HaveOccurred())
+		Expect(f.Client().Delete(f.Context(), &rolebinding)).NotTo(HaveOccurred())
+		Expect(f.Client().Delete(f.Context(), &role)).NotTo(HaveOccurred())
+		Expect(f.Client().Delete(f.Context(), &serviceAccount)).NotTo(HaveOccurred())
+	})
+
+	It("should issue certificate with default refresh interval (24h)", func() {
+		By("Creating service account, role, and rolebinding")
+
+		serviceAccount := corev1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "athenz.default-refresh-test",
+				Namespace: f.Namespace.Name,
+			},
+		}
+		Expect(f.Client().Create(f.Context(), &serviceAccount)).NotTo(HaveOccurred())
+
+		role := rbacv1.Role{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "default-refresh-test",
+				Namespace: f.Namespace.Name,
+			},
+			Rules: []rbacv1.PolicyRule{{
+				Verbs:     []string{"create"},
+				APIGroups: []string{"cert-manager.io"},
+				Resources: []string{"certificaterequests"},
+			}},
+		}
+		Expect(f.Client().Create(f.Context(), &role)).NotTo(HaveOccurred())
+
+		rolebinding := rbacv1.RoleBinding{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "default-refresh-test",
+				Namespace: f.Namespace.Name,
+			},
+			RoleRef: rbacv1.RoleRef{
+				APIGroup: "rbac.authorization.k8s.io",
+				Kind:     "Role",
+				Name:     role.Name,
+			},
+			Subjects: []rbacv1.Subject{{
+				Kind:      "ServiceAccount",
+				Name:      serviceAccount.Name,
+				Namespace: f.Namespace.Name,
+			}},
+		}
+		Expect(f.Client().Create(f.Context(), &rolebinding)).NotTo(HaveOccurred())
+
+		By("Creating pod without refresh-interval (should use default 24h)")
+		pod := corev1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "default-refresh-interval-test",
+				Namespace: f.Namespace.Name,
+			},
+			Spec: corev1.PodSpec{
+				Volumes: []corev1.Volume{{
+					Name: "csi-driver-athenz",
+					VolumeSource: corev1.VolumeSource{
+						CSI: &corev1.CSIVolumeSource{
+							Driver:   "csi.cert-manager.athenz.io",
+							ReadOnly: pointer.Bool(true),
+							// No refresh-interval specified - should use default 24h
+							VolumeAttributes: map[string]string{},
+						},
+					},
+				}},
+				ServiceAccountName: "athenz.default-refresh-test",
+				Containers: []corev1.Container{
+					{
+						Name:    "my-container",
+						Image:   "busybox",
+						Command: []string{"sleep", "10000"},
+						VolumeMounts: []corev1.VolumeMount{
+							{
+								Name:      "csi-driver-athenz",
+								MountPath: "/var/run/secrets/athenz.io",
+							},
+						},
+					},
+				},
+			},
+		}
+		Expect(f.Client().Create(f.Context(), &pod)).NotTo(HaveOccurred())
+
+		By("Waiting for pod to become ready")
+		Eventually(func() bool {
+			var p corev1.Pod
+			Expect(f.Client().Get(f.Context(), client.ObjectKey{Namespace: f.Namespace.Name, Name: pod.Name}, &p)).NotTo(HaveOccurred())
+
+			for _, c := range p.Status.Conditions {
+				if c.Type == corev1.PodReady {
+					return c.Status == corev1.ConditionTrue
+				}
+			}
+
+			return false
+		}, "60s", "1s").Should(BeTrue(), "expected pod to become ready in time")
+
+		By("Verifying certificate was issued")
+		buf := new(bytes.Buffer)
+		cmd := exec.Command(f.Config().KubectlBinPath, "exec", "-n"+f.Namespace.Name, pod.Name, "-cmy-container", "--", "cat", "/var/run/secrets/athenz.io/tls.crt")
+		cmd.Stdout = buf
+		cmd.Stderr = GinkgoWriter
+		Expect(cmd.Run()).To(Succeed())
+		Expect(buf.Len()).To(BeNumerically(">", 0), "expected certificate file to not be empty")
+
+		By("Verifying CSI driver logs show 24h refresh interval (default)")
+		logBuf := new(bytes.Buffer)
+		logCmd := exec.Command(f.Config().KubectlBinPath, "logs", "-n"+csiDriverNamespace, "-l", "app=csi-driver-athenz", "-c", "csi-driver-athenz", "--tail=100")
+		logCmd.Stdout = logBuf
+		logCmd.Stderr = GinkgoWriter
+		Expect(logCmd.Run()).To(Succeed())
+		Expect(strings.Contains(logBuf.String(), "refreshInterval\"=\"24h0m0s\"")).To(BeTrue(), "expected logs to show 24h refresh interval (default)")
+
 		By("Cleaning up resources")
 		Expect(f.Client().Delete(f.Context(), &pod)).NotTo(HaveOccurred())
 		Expect(f.Client().Delete(f.Context(), &rolebinding)).NotTo(HaveOccurred())