-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add renewBeforePercentage alternative to renewBefore #6987
base: master
Are you sure you want to change the base?
Conversation
Hi @cbroglie. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I can do a pass to update the relevant docs as well if things look reasonable functionality wise. I considered introducing a |
/ok-to-test |
@cbroglie the tests are failing, could you take a look? |
Yep, will do. I was only running |
4c19cad
to
2ada16e
Compare
6264b5b
to
686e461
Compare
Thank you @cbroglie for this well-written feature! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: inteon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey, really appreciate you raising this - it's a great addition and it makes a tonne of sense.
We discussed this today (2024-05-14) and we love the idea but we're scared of the breaking change to our Go API. I've added a comment with a suggested change which wouldn't be breaking; what do you think?
686e461
to
b4c2e2d
Compare
b4c2e2d
to
65cfbdf
Compare
@SgtCoDFish @inteon Just checking in, is there anything else you'd like to see here? |
The changes look good to me, i'll mention it during the cert-manager standup tomorrow and we can look at getting this merged /lgtm |
// | ||
// Cannot be set if the `renewBefore` field is set. | ||
// +optional | ||
RenewBeforePercentage *int |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should discuss whether this should be a string or int value. Let's do that in tomorrow's stand-up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First of all: sorry if you saw a review from me I then deleted!
We've discussed this in standup and the number one concern is that this cannot be an int
; see this doc for justification.
All public integer fields MUST use the Go int32 or Go int64 types, not int (which is ambiguously sized, depending on target platform). Internal types may use int.
So the last change we need here is to change int
in these API types to int32
to match that guide. We've made this mistake already in our resources and we don't want to add any new fields with the plain int
type.
Could you make that change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We've discussed this in standup and the number one concern is that this cannot be an int; see this doc for justification.
Makes sense - updated to use int32
!
Since the actual duration is unknown until a cert has been issued, providing an absolute duration for renewBefore can result in accidental renewal loops. The new renewBeforePercentage field computes the effective renewBefore using the actual duration, allowing users to better express intent while maintaining backwards compatibility. Fixes cert-manager#4423, resolves cert-manager#5821 Signed-off-by: Christopher Broglie <[email protected]>
65cfbdf
to
e98dd3e
Compare
New changes are detected. LGTM label has been removed. |
@@ -167,9 +167,24 @@ type CertificateSpec struct { | |||
// If unset, this defaults to 1/3 of the issued certificate's lifetime. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that this comment should be moved to RenewBeforePercentage
. It now makes more sense to say that RenewBeforePercentage
defaults to 33%.
// renewal time. If an issuer returns a certificate with a different lifetime than | ||
// the one requested, cert-manager will use the lifetime of the issued certificate. | ||
// | ||
// Cannot be set if the `renewBefore` field is set. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add something about minimum and maximum values here?
Since the actual duration is unknown until a cert has been issued,
providing an absolute duration for renewBefore can result in accidental
renewal loops. The new renewBeforePercentage field computes the
effective renewBefore using the actual duration, allowing users to
better express intent while maintaining backwards compatibility.
Fixes #4423, resolves #5821
Pull Request Motivation
#4423 (comment)
Kind
/kind feature
Release Note