Certificate validity period configurable

Signed-off-by: zhzhuang-zju <m17799853869@163.com>
zhzhuang-zju · Aug 23, 2024 · 32b2657 · 32b2657
1 parent bcf68fa
commit 32b2657
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/hack/deploy-karmada.sh b/hack/deploy-karmada.sh
@@ -32,6 +32,7 @@ ROOT_CA_FILE=${CERT_DIR}/ca.crt
 ROOT_CA_KEY=${CERT_DIR}/ca.key
 CFSSL_VERSION="v1.6.5"
 LOAD_BALANCER=${LOAD_BALANCER:-false} # whether create a 'LoadBalancer' type service for karmada apiserver
+CERTIFIACATE_EXPIRY=${CERTIFIACATE_EXPIRY:-"43800H"}
 source "${REPO_ROOT}"/hack/util.sh
 
 function usage() {
@@ -148,9 +149,9 @@ interpreter_webhook_example_service_external_ip_address=${interpreter_webhook_ex
 util::cmd_must_exist "openssl"
 util::cmd_must_exist_cfssl ${CFSSL_VERSION}
 # create CA signers
-util::create_signing_certkey "" "${CERT_DIR}" ca karmada '"client auth","server auth"'
-util::create_signing_certkey "" "${CERT_DIR}" front-proxy-ca front-proxy-ca '"client auth","server auth"'
-util::create_signing_certkey "" "${CERT_DIR}" etcd-ca etcd-ca '"client auth","server auth"'
+util::create_signing_certkey "" "${CERT_DIR}" ca karmada '"client auth","server auth"' "${CERTIFIACATE_EXPIRY}"
+util::create_signing_certkey "" "${CERT_DIR}" front-proxy-ca front-proxy-ca '"client auth","server auth"' "${CERTIFIACATE_EXPIRY}"
+util::create_signing_certkey "" "${CERT_DIR}" etcd-ca etcd-ca '"client auth","server auth"' "${CERTIFIACATE_EXPIRY}"
 # signs a certificate
 util::create_certkey "" "${CERT_DIR}" "ca" karmada system:admin "system:masters" kubernetes.default.svc "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1" "${interpreter_webhook_example_service_external_ip_address}"
 util::create_certkey "" "${CERT_DIR}" "ca" apiserver karmada-apiserver "" "*.etcd.karmada-system.svc.cluster.local" "*.karmada-system.svc.cluster.local" "*.karmada-system.svc" "localhost" "127.0.0.1" $(util::get_apiserver_ip_from_kubeconfig "${HOST_CLUSTER_NAME}")

diff --git a/hack/util.sh b/hack/util.sh
@@ -209,12 +209,13 @@ function util::create_signing_certkey {
     local id=$3
     local cn=$4
     local purpose=$5
+    local expiry=$6
     OPENSSL_BIN=$(command -v openssl)
     # Create ca
     ${sudo} /usr/bin/env bash -e <<EOF
     rm -f "${dest_dir}/${id}.crt" "${dest_dir}/${id}.key"
     ${OPENSSL_BIN} req -x509 -sha256 -new -nodes -days 3650 -newkey rsa:3072 -keyout "${dest_dir}/${id}.key" -out "${dest_dir}/${id}.crt" -subj "/CN=${cn}/"
-    echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment",${purpose}]}}}' > "${dest_dir}/${id}-config.json"
+    echo '{"signing":{"default":{"expiry":"${expiry}","usages":["signing","key encipherment",${purpose}]}}}' > "${dest_dir}/${id}-config.json"
 EOF
 }