Comments (7)
+1 this is an important feature we also want.
from cert-manager.
Feel free to create a PR to add this feature.
from cert-manager.
What is the best way to do this? I can think of two possible solution -
-
Adding them as optional fields in Certificate and CertificateRequest apis -
We can add two optional fields, such asNotBefore
andNotAfter
along withDuration
field and add some validation to make sure either Duration orNotAfter
is set. IfNotAfter
field is set andNotBefore
is empty, we can continue to usetime.Now()
in that case as well. -
Providing these through Annotations
We can use annotations in both Certificate and CertificateRequest apis, to provide this information.
from cert-manager.
@inteon - do you have any suggestion on previous comment?
from cert-manager.
I think a new field would be preferable if we want this feature to be widely supported. The logic itself will have to be implemented by each issuer individually, if we only add support to a very limited set of issuers, an annotation might be preferable. Altering the CertificateRequest API is not a decision to be taken without much thought. So, creating a design document first might be desirable.
from cert-manager.
@inteon Can you explain what do you mean by "logic itself will have to be implemented by each issuer individually"? The was I was thinking is to add these as an optional fields to both Certificate and CertificateRequest API and when we create a x509.CertificateRequest here, we can modify this func as follows -
func CertificateTemplateOverrideDuration(duration time.Duration, notBefore, notAfter *metav1.Time) CertificateTemplateValidatorMutator {
return func(req *x509.CertificateRequest, cert *x509.Certificate) error {
if notBefore == nil {
cert.NotBefore = time.Now()
} else {
cert.NotBefore = notBefore.Time
}
if notAfter == nil {
cert.NotAfter = cert.NotBefore.Add(duration)
} else {
cert.NotAfter = notAfter.Time
}
return nil
}
}
from cert-manager.
The example CertificateTemplateOverrideDuration
function would work. "logic itself will have to be implemented by each issuer individually" refers to the fact that cert-manager has 5 in-tree issuers and a lot of out-of-tree issuers (see https://cert-manager.io/docs/configuration/issuers/). Each issuer will have to be updated to support this new field in the CertificateRequest API. That is not a small task. For that reason, I would advise to create a design document.
from cert-manager.
Related Issues (20)
- Cert Manager 503 Error for Domain
- Improvement of OpenSSF Scorecard Score
- "propagation check failed" err="wrong status code '404', expected '200'" HOT 1
- Stale/Stuck Challenges should be deleted after a given timeout HOT 3
- Challenges with not permitted zones in the domain are considered as processing HOT 1
- stale certificates present in metrics after certificate update
- Unhelpful log warning message: Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
- Helm chart conditions for CRDs are commented out
- Allow configuring Secret type
- Error after updating to latest version in webhook
- tls.crt doesn't contain the root but on the other side the trust manager recommends to trust only the root HOT 1
- Rename finalizer to conform to k8s requirements HOT 7
- `error finalizing order` message is light on details
- Proposal: define shortName for ClusterIssuer CRD
- Helm chart broken for helm v3.16.0 HOT 2
- Installation on k3s causes the ec2 t2.micro instance to hang
- Allow adding new fields such as unhealthyPodEvictionPolicy to the PDB
- Certificate Status: Issuing certificate as Secret does not exist
- Missing UID in webhook challenge request
- cert manager pods showing unknown flag HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cert-manager.