Feature/add annotation for renewBefore path on ingress / gateway

[titanlien]

How to categorize this PR?

/kind enhancement

What this PR does / why we need it:
Partially fix the renew window, we can increase renewBefore from 30days to 60 days.

Which issue(s) this PR fixes:
Related to #475

Special notes for your reviewer:
We can use annotation on ingress / gateway resource to define the renewBefore on certificates

Release note:

• category: feature
• target_group: operator

[gardener-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign martinweindel for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[CLAassistant]

All committers have signed the CLA.

[gardener-prow]

Welcome @titanlien!

It looks like this is your first PR to gardener/cert-management 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if gardener/cert-management has its own contribution guidelines.

Thank you, and welcome to Gardener. 😃

[gardener-prow]

Hi @titanlien. Thanks for your PR.

I'm waiting for a gardener member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[MartinWeindel]

/ok-to-test

[titanlien]

/test pull-cert-management-e2e-kind

[MartinWeindel]

@titanlien
Thanks for your contribution. Please give us some time to review your PR next week when @marc1404 is available again.

/hold

[marc1404]

Thank you for your contribution, @titanlien! 🙏

I left a few suggestions below. One general feedback: I appreciate that you split up changes into multiple commits. However, the second commit's message says it's about adding test code, while it also adjusts documentation and examples and adds logic to the certman2 code. It would've been nice to separate this more clearly (although it's totally manageable for the size of this changeset).

[titanlien]

/ok-to-test

[titanlien]

/ok-to-test

[marc1404]

Thanks for restructuring the commit history! 🙏

[marc1404]

/unhold
/cla

[gardener-prow]

Successfully reached out to cla-assistant.io to initialize recheck of PR #662

[titanlien]

/ok-to-test

[titanlien]

/ok-to-test

[marc1404]

@titanlien fyi: the ok-to-test label only has to be set once by the maintainers, it's not removed when you push changes afterwards :)

[marc1404]

Hopefully the last feedback round 🤞
Please see my comment here.

ℹ️ One small note: For reviewers, it's convenient if you keep comments unresolved. That way reviewers can easily come back and compare open comments to further changes being made :)

[marc1404]

I don't see this value being used anywhere else, it appears to be unused

[marc1404]

nit: I don't see the local variable renewBefore being used anywhere else. What about inlining it?

Suggested change

	renewBefore := annotations[AnnotRenewBefore]
	certInput.FollowCNAME = followCNAME
	certInput.IssuerName = issuer
	certInput.PreferredChain = preferredChain
	certInput.PrivateKeyAlgorithm = algorithm
	certInput.PrivateKeySize = keySize
	certInput.PrivateKeyEncoding = encoding
	certInput.RenewBefore = renewBefore
	certInput.FollowCNAME = followCNAME
	certInput.IssuerName = issuer
	certInput.PreferredChain = preferredChain
	certInput.PrivateKeyAlgorithm = algorithm
	certInput.PrivateKeySize = keySize
	certInput.PrivateKeyEncoding = encoding
	certInput.RenewBefore = annotations[AnnotRenewBefore]

[marc1404]

This wasn't visible before I approved the workflow runs: There are currently two code branches in this repository. Everything in pkg/certman2 is a rewrite of the project using controller-runtime. Everything outside is the legacy codebase. We've added .import-restrictions files to catch unintentional cross-imports between these branches.

This change violates the import restriction:

ERROR: "github.com/gardener/cert-management/pkg/controller/source" -> "github.com/gardener/cert-management/pkg/certman2/controller/source/common" is forbidden by cert-management/pkg/controller/.import-restrictions
make: *** [check-imports] Error 1

Shared utilities should be moved to pkg/shared

[marc1404]

Please add unit tests for this function

[marc1404]

I'm not too happy with the returned string for the warning message; let's return a proper Go error instead. The callers can then decide what to do with the error value (discard and fallback to default value or log when a logger is available)

Suggested change

	func ParseRenewBefore(renewBeforeStr string) (*metav1.Duration, string) {
	func ParseRenewBefore(renewBeforeStr string) (*metav1.Duration, error) {

[marc1404]

I suggest not storing the raw annotation value in the CertInput struct; instead, parse it directly and handle it as a Duration. This would be aligned with how it was done in the legacy code branch

Suggested change

	RenewBefore string
	RenewBefore *metav1.Duration

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:

• After 30d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 14d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as active with /lifecycle active
• Mark this PR as fresh with /remove-lifecycle stale
• Mark this PR as rotten with /lifecycle rotten
• Close this PR with /close

/lifecycle stale