Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add renewBeforePercentage alternative to renewBefore #6987

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: Add renewBeforePercentage alternative to renewBefore #6987

wants to merge 1 commit into from

Conversation

cbroglie
Copy link

@cbroglie cbroglie commented May 4, 2024
edited

Since the actual duration is unknown until a cert has been issued,
providing an absolute duration for renewBefore can result in accidental
renewal loops. The new renewBeforePercentage field computes the
effective renewBefore using the actual duration, allowing users to
better express intent while maintaining backwards compatibility.

Fixes #4423, resolves #5821

Pull Request Motivation

#4423 (comment)

Kind

/kind feature

Release Note

Add renewBeforePercentage alternative to renewBefore

@cert-manager-prow cert-manager-prow bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 4, 2024
@cert-manager-prow
Copy link
Contributor

Hi @cbroglie. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cert-manager-prow cert-manager-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/api Indicates a PR directly modifies the 'pkg/apis' directory area/testing Issues relating to testing labels May 4, 2024
@cbroglie
Copy link
Author

cbroglie commented May 4, 2024
edited

I can do a pass to update the relevant docs as well if things look reasonable functionality wise.

I considered introducing a DurationOrPercent type, similar to IntOrString. But with all of the logic localized to RenewalTime there was only a single place to update, and unlike IntOrString, both duration and percentages are serialized as strings.

@inteon
Copy link
Member

inteon commented May 5, 2024

Upstream union API type: https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apimachinery/pkg/util/intstr/intstr.go

inteon
inteon reviewed May 5, 2024
View reviewed changes
pkg/util/pki/renewaltime.go Outdated Show resolved Hide resolved
inteon
inteon reviewed May 5, 2024
View reviewed changes
pkg/util/pki/renewaltime.go Outdated Show resolved Hide resolved
@inteon
Copy link
Member

inteon commented May 6, 2024

/ok-to-test

@cert-manager-prow cert-manager-prow bot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 6, 2024
@inteon
Copy link
Member

inteon commented May 6, 2024

@cbroglie the tests are failing, could you take a look?

@cbroglie
Copy link
Author

cbroglie commented May 7, 2024

@cbroglie the tests are failing, could you take a look?

Yep, will do. I was only running make test locally; looks like I need to make some fixes to the integration/e2e tests.

@cbroglie cbroglie force-pushed the renew-before-pct branch 3 times, most recently from 4c19cad to 2ada16e Compare May 7, 2024 08:30
@inteon inteon added this to the 1.15 milestone May 8, 2024
@cbroglie cbroglie force-pushed the renew-before-pct branch 2 times, most recently from 6264b5b to 686e461 Compare May 14, 2024 05:55
@cert-manager-prow cert-manager-prow bot added the area/deploy Indicates a PR modifies deployment configuration label May 14, 2024
@inteon
Copy link
Member

inteon commented May 14, 2024

Thank you @cbroglie for this well-written feature!
/approve
/lgtm
/hold for a bit, in case another reviewer wants to add additional comments.

@cert-manager-prow cert-manager-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 14, 2024
@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2024
@cert-manager-prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2024
SgtCoDFish
SgtCoDFish requested changes May 14, 2024
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey, really appreciate you raising this - it's a great addition and it makes a tonne of sense.

We discussed this today (2024-05-14) and we love the idea but we're scared of the breaking change to our Go API. I've added a comment with a suggested change which wouldn't be breaking; what do you think?

internal/apis/certmanager/types_certificate.go Outdated Show resolved Hide resolved
internal/apis/certmanager/validation/certificate.go Outdated Show resolved Hide resolved
@inteon inteon modified the milestones: 1.15, 1.16 May 14, 2024
@SgtCoDFish SgtCoDFish added kind/feature Categorizes issue or PR as related to a new feature. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels May 15, 2024
@cert-manager-prow cert-manager-prow bot removed the lgtm Indicates that a PR is ready to be merged. label May 25, 2024
@cert-manager-prow
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@cbroglie cbroglie changed the title feat: Allow renewBefore to be a percentage feat: Add renewBeforePercentage alternative to renewBefore May 25, 2024
@cbroglie
Add renewBeforePercentage alternative to renewBefore
65cfbdf 
Since the actual duration is unknown until a cert has been issued,
providing an absolute duration for renewBefore can result in accidental
renewal loops. The new renewBeforePercentage field computes the
effective renewBefore using the actual duration, allowing users to
better express intent while maintaining backwards compatibility.

Fixes cert-manager#4423, resolves cert-manager#5821

Signed-off-by: Christopher Broglie <cbroglie@cloudflare.com>
@cbroglie cbroglie requested a review from SgtCoDFish May 25, 2024 04:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ThatsMrTalbot ThatsMrTalbot ThatsMrTalbot left review comments

@inteon inteon inteon left review comments

@SgtCoDFish SgtCoDFish Awaiting requested review from SgtCoDFish

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/feature Categorizes issue or PR as related to a new feature. ok-to-test release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
1.16
Development

Successfully merging this pull request may close these issues.

Cert renewal loop Allow renewBefore to be a percentage
4 participants
@cbroglie @inteon @SgtCoDFish @ThatsMrTalbot