
Commit 70763c5

certrotation: update reasons in getValidityFromAnnotations
1 parent db1a930 commit 70763c5


2 files changed

+11
-10
lines changed


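--- a/pkg/operator/certrotation/signer.go
+++ b/pkg/operator/certrotation/signer.go
@@ -158,9 +158,6 @@ func ensureOwnerReference(meta *metav1.ObjectMeta, owner *metav1.OwnerReference)
 func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, refreshOnlyWhenExpired bool) (bool, string) {
 annotations := secret.Annotations
 notBefore, notAfter, reason := getValidityFromAnnotations(annotations)
-if len(reason) > 0 {
-return true, reason
-}
 
 if time.Now().After(notAfter) {
 return true, "already expired"
@@ -170,6 +167,10 @@ func needNewSigningCertKeyPair(secret *corev1.Secret, refresh time.Duration, ref
 return false, ""
 }
 
+if len(reason) > 0 {
+return true, reason
+}
+
 validity := notAfter.Sub(notBefore)
 at80Percent := notAfter.Add(-validity / 5)
 if time.Now().After(at80Percent) {
@@ -191,15 +192,15 @@ func getValidityFromAnnotations(annotations map[string]string) (notBefore time.T
 }
 notAfter, err := time.Parse(time.RFC3339, notAfterString)
 if err != nil {
-return notBefore, notAfter, fmt.Sprintf("bad expiry: %q", notAfterString)
+return notBefore, notAfter, fmt.Sprintf("bad notAfter expiry: %q", notAfterString)
 }
 notBeforeString := annotations[CertificateNotBeforeAnnotation]
-if len(notAfterString) == 0 {
+if len(notBeforeString) == 0 {
 return notBefore, notAfter, "missing notBefore"
 }
 notBefore, err = time.Parse(time.RFC3339, notBeforeString)
 if err != nil {
-return notBefore, notAfter, fmt.Sprintf("bad expiry: %q", notBeforeString)
+return notBefore, notAfter, fmt.Sprintf("bad notBefore expiry: %q", notBeforeString)
 }
 
 return notBefore, notAfter, ""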
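Review bot: Moving the `reason` check below the early `return false, ""` just above it (presumably the refreshOnlyWhenExpired branch; its condition is outside the hunk) changes what happens when getValidityFromAnnotations reports a missing or malformed notBefore on a secret whose notAfter is still in the future: that path now keeps the secret with no reason instead of forcing rotation, so the broken annotation is never surfaced. A missing or unparsable notAfter is still caught, because the zero `notAfter` makes `time.Now().After(notAfter)` true, so the gap appears limited to the notBefore annotation. If tolerating that is intended, a comment above the added check would make the precedence explicit, e.g. `// Annotation problems force a refresh only after the expiry and refresh-only-when-expired decisions; a bad notBefore on an unexpired cert is tolerated in that mode.` The same reordering is made in target.go's needNewTargetCertKeyPairForTime (hunk at -217) and would want the same comment. Both enclosing functions continue outside their hunks.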

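--- a/pkg/operator/certrotation/target.go
+++ b/pkg/operator/certrotation/target.go
@@ -204,10 +204,6 @@ func needNewTargetCertKeyPair(secret *corev1.Secret, signer *crypto.CA, caBundle
 // So with a cert percentage of 75% and equally long CA and cert validities at the worst case we start at 85% of the cert to renew, trying again every minute.
 func needNewTargetCertKeyPairForTime(annotations map[string]string, signer *crypto.CA, refresh time.Duration, refreshOnlyWhenExpired bool) string {
 notBefore, notAfter, reason := getValidityFromAnnotations(annotations)
-if len(reason) > 0 {
-return reason
-}
-
 // Is cert expired?
 if time.Now().After(notAfter) {
 return "already expired"
@@ -217,6 +213,10 @@ func needNewTargetCertKeyPairForTime(annotations map[string]string, signer *cryp
 return ""
 }
 
+if len(reason) > 0 {
+return reason
+}
+
 // Are we at 80% of validity?
 validity := notAfter.Sub(notBefore)
 at80Percent := notAfter.Add(-validity / 5)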
