Address review comments

Author: Karthik-K-N

api/bootstrap/kubeadm/v1beta2/kubeadm_types.go

@@ -182,12 +182,12 @@ type ClusterConfiguration struct {
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
 
 	// certificateValidityPeriodDays specifies the validity period for a non-CA certificate generated by kubeadm.
-	// Default value: 3650 days (10 years) set by kubeadm.
+	// If not specified, kubeadm will use a default of 3650 days (10 years).
 	// +optional
 	CertificateValidityPeriodDays *int32 `json:"certificateValidityPeriodDays,omitempty"`
 
 	// caCertificateValidityPeriodDays specifies the validity period for a CA certificate generated by kubeadm.
-	// Default value: 3650 days (10 years) set by kubeadm.
+	// If not specified, kubeadm will use a default of 3650 days (10 years).
 	// +optional
 	CACertificateValidityPeriodDays *int32 `json:"caCertificateValidityPeriodDays,omitempty"`
 }

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigs.yaml

@@ -17,8 +17,11 @@ limitations under the License.
 package upstreamv1beta4
 
 import (
+	"math"
+	"time"
 	"unsafe"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	apimachineryconversion "k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/conversion"
@@ -68,8 +71,8 @@ func Convert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguratio
 	if err := autoConvert_upstreamv1beta4_ClusterConfiguration_To_v1beta2_ClusterConfiguration(in, out, s); err != nil {
 		return err
 	}
-	out.CertificateValidityPeriodDays = clusterv1.ConvertToDays(in.CertificateValidityPeriod)
-	out.CACertificateValidityPeriodDays = clusterv1.ConvertToSeconds(in.CACertificateValidityPeriod)
+	out.CertificateValidityPeriodDays = convertToDays(in.CertificateValidityPeriod)
+	out.CACertificateValidityPeriodDays = convertToDays(in.CACertificateValidityPeriod)
 	return nil
 }
 
@@ -78,8 +81,8 @@ func Convert_v1beta2_ClusterConfiguration_To_upstreamv1beta4_ClusterConfiguratio
 	if err := autoConvert_v1beta2_ClusterConfiguration_To_upstreamv1beta4_ClusterConfiguration(in, out, s); err != nil {
 		return err
 	}
-	out.CertificateValidityPeriod = clusterv1.ConvertFromDays(in.CertificateValidityPeriodDays)
-	out.CACertificateValidityPeriod = clusterv1.ConvertFromSeconds(in.CACertificateValidityPeriodDays)
+	out.CertificateValidityPeriod = convertFromDays(in.CertificateValidityPeriodDays)
+	out.CACertificateValidityPeriod = convertFromDays(in.CACertificateValidityPeriodDays)
 	return nil
 }
 
@@ -316,3 +319,26 @@ func (src *ClusterConfiguration) GetAdditionalData(data *upstream.AdditionalData
 	// NOTE: for kubeadm v1beta4 types we are not reading ControlPlaneComponentHealthCheckSeconds into additional data
 	// because Cluster API types are aligned with kubeadm's v1beta4 API version.
 }
+
+// convertToDays takes *metav1.Duration and returns a *int32.
+// Durations longer than MaxInt32 are capped.
+// NOTE: this is a util function intended only for usage in API conversions.
+func convertToDays(in *metav1.Duration) *int32 {
+	if in == nil {
+		return nil
+	}
+	days := math.Trunc(in.Hours() / 24)
+	if days > math.MaxInt32 {
+		return ptr.To[int32](math.MaxInt32)
+	}
+	return ptr.To(int32(days))
+}
+
+// convertFromDays takes *int32 and returns a *metav1.Duration.
+// NOTE: this is a util function intended only for usage in API conversions.
+func convertFromDays(in *int32) *metav1.Duration {
+	if in == nil {
+		return nil
+	}
+	return ptr.To(metav1.Duration{Duration: time.Duration(*in) * time.Hour * 24})
+}

bootstrap/kubeadm/config/crd/bases/bootstrap.cluster.x-k8s.io_kubeadmconfigtemplates.yaml

@@ -71,8 +71,8 @@ func NewCertificatesForInitialControlPlane(config *bootstrapv1.ClusterConfigurat
 		if config.CertificatesDir != "" {
 			certificatesDir = config.CertificatesDir
 		}
-		if config.CertificateValidityPeriodDays != nil {
-			validityPeriodDays = config.CertificateValidityPeriodDays
+		if config.CACertificateValidityPeriodDays != nil {
+			validityPeriodDays = config.CACertificateValidityPeriodDays
 		}
 	}
 

bootstrap/kubeadm/types/upstreamv1beta4/conversion.go

@@ -18,10 +18,13 @@ package secret_test
 
 import (
 	"testing"
+	"time"
 
 	. "github.com/onsi/gomega"
+	"k8s.io/utils/ptr"
 
 	bootstrapv1 "sigs.k8s.io/cluster-api/api/bootstrap/kubeadm/v1beta2"
+	"sigs.k8s.io/cluster-api/util/certs"
 	"sigs.k8s.io/cluster-api/util/secret"
 )
 
@@ -53,3 +56,41 @@ func TestNewControlPlaneJoinCertsAsFilesNotPanicsWhenEmpty(t *testing.T) {
 	certs := secret.NewControlPlaneJoinCerts(config)
 	g.Expect(certs.AsFiles()).To(BeEmpty())
 }
+
+func TestNewCertificatesForInitialControlPlane(t *testing.T) {
+	tests := []struct {
+		name                            string
+		expectedExpiry                  time.Time
+		caCertificateValidityPeriodDays *int32
+	}{
+		{
+			name:           "should return default expiry if caCertificateValidityPeriodDays not set",
+			expectedExpiry: time.Now().UTC().Add(time.Hour * 24 * 365 * 10), // 10 years.
+		},
+		{
+			name:                            "should return expiry if caCertificateValidityPeriodDays set",
+			expectedExpiry:                  time.Now().UTC().Add(time.Hour * 24 * 10), // 10 days.
+			caCertificateValidityPeriodDays: ptr.To[int32](10),
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			clusterCerts := secret.NewCertificatesForInitialControlPlane(&bootstrapv1.ClusterConfiguration{
+				CACertificateValidityPeriodDays: test.caCertificateValidityPeriodDays,
+			})
+			g.Expect(clusterCerts.Generate()).To(Succeed())
+			caCert := clusterCerts.GetByPurpose(secret.ClusterCA)
+
+			g.Expect(caCert.KeyPair).NotTo(BeNil())
+			g.Expect(caCert.KeyPair.Cert).NotTo(BeNil())
+
+			// Decode the cert
+			decodedCert, err := certs.DecodeCertPEM(caCert.KeyPair.Cert)
+			g.Expect(err).ToNot(HaveOccurred())
+
+			g.Expect(decodedCert.NotAfter).Should(BeTemporally("~", test.expectedExpiry, 1*time.Minute))
+		})
+	}
+}