
Handle cert renewal correctly #4040

Merged
jetstack-bot merged 2 commits into cert-manager:master from irbekrm:3897_fix_cert_renewal
May 21, 2021

Conversation

irbekrm (Contributor) commented May 20, 2021

See #3897 for context.

This PR changes a cert's renewBefore period to be calculated as min(renewBefore, cert duration / 3), where renewBefore is either cert.spec.renewBefore or 30d.

It fixes a bug where, when a cert's duration is very slightly longer than the renewBefore period, we enter a renewal loop.
This has so far hit a number of Vault issuer users.

The bug:

See the below section of cert status:

  nextPrivateKeySecretName: example-com-l2g4c
  notAfter: "2021-06-06T09:06:50Z"
  notBefore: "2021-05-07T09:06:20Z"
  renewalTime: "2021-05-07T09:06:50Z"
  revision: 185

See these functions where we calculate renewal time.

This cert has defaultRenewBefore=30d and actualDuration=30d30s, which means that we return 30d as the renewBefore time here.
We then calculate the renewal time here.
In this case the renewal time will be cert.spec.NotAfter - 30d, resulting in a renewal time 30s from now, and we start renewing every 30s (when I tested this, every cert issued by Vault had a duration with the extra 30s).

This particular case would have also been solved by rounding up the cert duration, but it still seems like min(renewBefore, cert duration / 3) is a more sane formula.

Fixes cert renewal bug for Vault certificates with duration close to renewBefore period. Thanks to @andreas-p for raising the issue.

This PR is based on #4031, but also refactors the renewal functionality so that these kinds of bugs can be more easily spotted in future. I have added two test cases for these error cases and tested with an actual Vault instance.
Fixes #3897
Signed-off-by: irbekrm irbekrm@gmail.com
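The two formulas compared in the description, worked through on the certificate status quoted above, as an added example in Go. This is not code from cert-manager or from the PR author: the pre-fix branch (renewBeforeBuggy) is a reconstruction of the behaviour the description reports, and the names compute, renewBeforeFixed, Schedule and the one-hour threshold passed to loops are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// DefaultRenewBefore is cert-manager's default renewBefore of 30 days.
const DefaultRenewBefore = 30 * 24 * time.Hour

// Schedule is what either formula produces for one issued certificate.
type Schedule struct {
	RenewBefore time.Duration // how long before notAfter renewal is triggered
	RenewalTime time.Time     // notAfter - RenewBefore
	SinceIssue  time.Duration // RenewalTime - notBefore: how long the cert is actually used
}

// renewBeforeBuggy models the pre-fix behaviour described in the PR: the
// configured renewBefore (or the 30d default) is used unchanged whenever it
// fits inside the certificate lifetime. Reconstruction for illustration only,
// not the project's original code; the duration/3 fallback for a renewBefore
// longer than the lifetime is an assumption and is never reached in the
// 30d vs 30d30s case.
func renewBeforeBuggy(duration, renewBefore time.Duration) time.Duration {
	if renewBefore >= duration {
		return duration / 3
	}
	return renewBefore
}

// renewBeforeFixed is the formula the PR adopts: min(renewBefore, duration/3).
func renewBeforeFixed(duration, renewBefore time.Duration) time.Duration {
	if third := duration / 3; third < renewBefore {
		return third
	}
	return renewBefore
}

// compute derives the renewal schedule from the issued certificate's validity
// window and the optional spec.renewBefore (nil selects the 30d default).
func compute(notBefore, notAfter time.Time, specRenewBefore *time.Duration, fixed bool) Schedule {
	renewBefore := DefaultRenewBefore
	if specRenewBefore != nil {
		renewBefore = *specRenewBefore
	}
	duration := notAfter.Sub(notBefore)
	if fixed {
		renewBefore = renewBeforeFixed(duration, renewBefore)
	} else {
		renewBefore = renewBeforeBuggy(duration, renewBefore)
	}
	rt := notAfter.Add(-renewBefore)
	return Schedule{RenewBefore: renewBefore, RenewalTime: rt, SinceIssue: rt.Sub(notBefore)}
}

// loops reports whether the schedule re-issues almost immediately, i.e. the
// certificate would be in use for less than minUsable before renewal starts.
func (s Schedule) loops(minUsable time.Duration) bool {
	return s.SinceIssue < minUsable
}

func mustTime(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

func main() {
	// Validity window copied from the certificate status quoted in the PR:
	// notAfter is 30d30s after notBefore, i.e. 30s longer than the 30d default.
	notBefore := mustTime("2021-05-07T09:06:20Z")
	notAfter := mustTime("2021-06-06T09:06:50Z")
	for _, fixed := range []bool{false, true} {
		s := compute(notBefore, notAfter, nil, fixed)
		fmt.Printf("fixed=%-5v renewBefore=%v renewalTime=%s usable=%v loops=%v\n",
			fixed, s.RenewBefore, s.RenewalTime.Format(time.RFC3339), s.SinceIssue, s.loops(time.Hour))
	}
}
```

With the quoted validity window the pre-fix formula yields renewalTime 2021-05-07T09:06:50Z, exactly the value in the quoted status and only 30s after notBefore, so the certificate is renewed continuously. The min(renewBefore, duration/3) formula caps renewBefore at 10d10s and moves renewal to 2021-05-27T09:06:40Z, two thirds of the way through the lifetime; an explicit spec.renewBefore shorter than duration/3 is still honoured.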

…on correctly

Signed-off-by: irbekrm <irbekrm@gmail.com>
@jetstack-bot jetstack-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels May 20, 2021
jetstack-bot (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irbekrm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
@jetstack-bot jetstack-bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 20, 2021
irbekrm (Contributor, Author) commented May 20, 2021

/kind bug

@jetstack-bot jetstack-bot added kind/bug Categorizes issue or PR as related to a bug. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels May 20, 2021
@irbekrm irbekrm added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label May 20, 2021
@irbekrm irbekrm requested a review from wallrj May 20, 2021 21:00
@james-w james-w added this to the v1.4 milestone May 21, 2021
Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm irbekrm force-pushed the 3897_fix_cert_renewal branch from 052642d to 6aad750 May 21, 2021 09:51
james-w (Contributor) commented May 21, 2021

/lgtm

Thanks! This fixes the bug and also makes the code and tests clearer.


Labels

approved, dco-signoff: yes, kind/bug, lgtm, priority/important-soon, release-note, size/L

Development

Successfully merging this pull request may close these issues:
Unfortunate cert renew handling of 30d < TTL < 90d

3 participants