stackabletech · nightkr · Feb 1, 2024 · Jan 30, 2024 · Jan 30, 2024 · Jan 31, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,11 +14,13 @@ All notable changes to this project will be documented in this file.
 - Use new annotation builder ([#341]).
 - `autoTLS` certificate authorities will now be rotated regularly ([#350]).
   - [BREAKING] This changes the format of the CA secrets. Old secrets will be migrated automatically, but manual intervention will be required to downgrade back to 23.11.x.
+- `autoTLS` certificate authority lifetimes are now configurable ([#357]).
 
 [#333]: https://github.com/stackabletech/secret-operator/pull/333
 [#341]: https://github.com/stackabletech/secret-operator/pull/341
 [#350]: https://github.com/stackabletech/secret-operator/pull/350
 [#352]: https://github.com/stackabletech/secret-operator/pull/352
+[#357]: https://github.com/stackabletech/secret-operator/pull/357
 
 
 ## [23.11.0] - 2023-11-24

diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml
@@ -47,6 +47,13 @@ spec:
                               default: false
                               description: Whether the certificate authority should be managed by Secret Operator, including being generated if it does not already exist.
                               type: boolean
+                            caLifetime:
+                              default: 730d
+                              description: |-
+                                The lifetime of each generated certificate authority.
+
+                                Ignored if `autoGenerate: false`. Should always be more than double `maxCertificateLifetime`.
+                              type: string
                             secret:
                               description: Reference (name and namespace) to a Kubernetes Secret object where the CA certificate and key is stored in the keys `ca.crt` and `ca.key` respectively.
                               properties:

diff --git a/rust/operator-binary/src/backend/dynamic.rs b/rust/operator-binary/src/backend/dynamic.rs
@@ -101,17 +101,12 @@ pub async fn from_class(
             })
         }
         crd::SecretClassBackend::AutoTls(crd::AutoTlsBackend {
-            ca:
-                crd::AutoTlsCa {
-                    secret,
-                    auto_generate,
-                },
+            ca,
             max_certificate_lifetime,
         }) => from(
             super::TlsGenerate::get_or_create_k8s_certificate(
                 client,
-                &secret,
-                auto_generate,
+                &ca,
                 max_certificate_lifetime,
             )
             .await?,

diff --git a/rust/operator-binary/src/backend/tls/mod.rs b/rust/operator-binary/src/backend/tls/mod.rs
@@ -24,10 +24,10 @@ use stackable_operator::{
     k8s_openapi::chrono::{self, FixedOffset, TimeZone},
     time::Duration,
 };
-use stackable_secret_operator_crd_utils::SecretReference;
 use time::OffsetDateTime;
 
 use crate::{
+    crd,
     format::{well_known, SecretData, WellKnownSecretData},
     utils::iterator_try_concat_bytes,
 };
@@ -130,18 +130,21 @@ impl TlsGenerate {
     /// an independent self-signed CA.
     pub async fn get_or_create_k8s_certificate(
         client: &stackable_operator::client::Client,
-        secret_ref: &SecretReference,
-        auto_generate: bool,
+        crd::AutoTlsCa {
+            secret: ca_secret,
+            auto_generate: auto_generate_ca,
+            ca_lifetime,
+        }: &crd::AutoTlsCa,
         max_cert_lifetime: Duration,
     ) -> Result<Self> {
         Ok(Self {
             ca_manager: ca::Manager::load_or_create(
                 client,
-                secret_ref,
+                ca_secret,
                 &ca::Config {
-                    manage_ca: auto_generate,
-                    ca_lifetime: Duration::from_days_unchecked(2 * 365),
-                    rotate_if_ca_expires_before: Some(Duration::from_days_unchecked(365)),
+                    manage_ca: *auto_generate_ca,
+                    ca_lifetime: *ca_lifetime,
+                    rotate_if_ca_expires_before: Some(*ca_lifetime / 2),
                 },
             )
             .await

diff --git a/rust/operator-binary/src/crd.rs b/rust/operator-binary/src/crd.rs
@@ -82,12 +82,14 @@ pub struct AutoTlsBackend {
     /// In case consumers request a longer lifetime than allowed by this setting,
     /// the lifetime will be the minimum of both, so this setting takes precedence.
     /// The default value is 15 days.
-    #[serde(default = "default_max_certificate_lifetime")]
+    #[serde(default = "AutoTlsBackend::default_max_certificate_lifetime")]
     pub max_certificate_lifetime: Duration,
 }
 
-fn default_max_certificate_lifetime() -> Duration {
-    DEFAULT_MAX_CERT_LIFETIME
+impl AutoTlsBackend {
+    fn default_max_certificate_lifetime() -> Duration {
+        DEFAULT_MAX_CERT_LIFETIME
+    }
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]
@@ -102,6 +104,18 @@ pub struct AutoTlsCa {
     // TODO: Consider renaming to `manage` for v1alpha2
     #[serde(default)]
     pub auto_generate: bool,
+
+    /// The lifetime of each generated certificate authority.
+    ///
+    /// Ignored if `autoGenerate: false`. Should always be more than double `maxCertificateLifetime`.
+    #[serde(default = "AutoTlsCa::default_ca_lifetime")]
+    pub ca_lifetime: Duration,
+}
+
+impl AutoTlsCa {
+    fn default_ca_lifetime() -> Duration {
+        Duration::from_days_unchecked(365 * 2)
+    }
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug, PartialEq, JsonSchema)]