Address reveiw comments

Author: Karthik-K-N

controlplane/kubeadm/internal/controllers/upgrade.go

@@ -70,7 +70,8 @@ func (r *KubeadmControlPlaneReconciler) upgradeControlPlane(
 			workloadCluster.UpdateFeatureGatesInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec, parsedVersion),
 			workloadCluster.UpdateAPIServerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.APIServer),
 			workloadCluster.UpdateControllerManagerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.ControllerManager),
-			workloadCluster.UpdateSchedulerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Scheduler))
+			workloadCluster.UpdateSchedulerInKubeadmConfigMap(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Scheduler),
+			workloadCluster.UpdateCertificateValidityPeriodDays(controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays))
 
 		// Etcd local and external are mutually exclusive and they cannot be switched, once set.
 		if controlPlane.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.Etcd.Local != nil {

controlplane/kubeadm/internal/webhooks/kubeadm_control_plane.go

@@ -152,7 +152,10 @@ const (
 	timeouts             = "timeouts"
 )
 
-const minimumCertificatesExpiryDays = 7
+const (
+	minimumCertificatesExpiryDays   = 7
+	defaultCACertificatesExpiryDays = 3650
+)
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
 func (webhook *KubeadmControlPlane) ValidateUpdate(_ context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
@@ -329,6 +332,27 @@ func validateKubeadmControlPlaneSpec(s controlplanev1.KubeadmControlPlaneSpec, p
 		if s.KubeadmConfigSpec.ClusterConfiguration.Etcd.External != nil {
 			externalEtcd = true
 		}
+		path := field.NewPath("spec", "kubeadmConfigSpec", "clusterConfiguration")
+		if s.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays > s.KubeadmConfigSpec.ClusterConfiguration.CACertificateValidityPeriodDays {
+			allErrs = append(
+				allErrs,
+				field.Invalid(
+					path.Child("certificateValidityPeriodDays"),
+					s.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays,
+					fmt.Sprintf("must be less than or equal to caCertificateValidityPeriodDays %v", s.KubeadmConfigSpec.ClusterConfiguration.CACertificateValidityPeriodDays),
+				),
+			)
+		}
+		if s.KubeadmConfigSpec.ClusterConfiguration.CACertificateValidityPeriodDays == 0 && s.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays > defaultCACertificatesExpiryDays {
+			allErrs = append(
+				allErrs,
+				field.Invalid(
+					path.Child("certificateValidityPeriodDays"),
+					s.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays,
+					fmt.Sprintf("must be less than or equal to default value of caCertificateValidityPeriodDays %v", defaultCACertificatesExpiryDays),
+				),
+			)
+		}
 	}
 
 	if !externalEtcd {
@@ -381,16 +405,17 @@ func validateKubeadmControlPlaneSpec(s controlplanev1.KubeadmControlPlaneSpec, p
 		allErrs = append(allErrs, field.Invalid(pathPrefix.Child("version"), s.Version, "must be a valid semantic version"))
 	}
 
-	allErrs = append(allErrs, validateRolloutBefore(s.RolloutBefore, pathPrefix.Child("rolloutBefore"))...)
+	allErrs = append(allErrs, validateRolloutBefore(s.RolloutBefore, s.KubeadmConfigSpec.ClusterConfiguration, pathPrefix.Child("rolloutBefore"))...)
 	allErrs = append(allErrs, validateRolloutStrategy(s.RolloutStrategy, s.Replicas, pathPrefix.Child("rolloutStrategy"))...)
 
 	if s.MachineNamingStrategy != nil {
 		allErrs = append(allErrs, validateNamingStrategy(s.MachineNamingStrategy, pathPrefix.Child("machineNamingStrategy"))...)
 	}
+
 	return allErrs
 }
 
-func validateRolloutBefore(rolloutBefore *controlplanev1.RolloutBefore, pathPrefix *field.Path) field.ErrorList {
+func validateRolloutBefore(rolloutBefore *controlplanev1.RolloutBefore, clusterConfiguration *bootstrapv1.ClusterConfiguration, pathPrefix *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	if rolloutBefore == nil {
@@ -401,6 +426,16 @@ func validateRolloutBefore(rolloutBefore *controlplanev1.RolloutBefore, pathPref
 		if *rolloutBefore.CertificatesExpiryDays < minimumCertificatesExpiryDays {
 			allErrs = append(allErrs, field.Invalid(pathPrefix.Child("certificatesExpiryDays"), *rolloutBefore.CertificatesExpiryDays, fmt.Sprintf("must be greater than or equal to %v", minimumCertificatesExpiryDays)))
 		}
+
+		if clusterConfiguration == nil {
+			return allErrs
+		}
+
+		if clusterConfiguration.CertificateValidityPeriodDays != 0 {
+			if *rolloutBefore.CertificatesExpiryDays < clusterConfiguration.CertificateValidityPeriodDays {
+				allErrs = append(allErrs, field.Invalid(pathPrefix.Child("certificatesExpiryDays"), *rolloutBefore.CertificatesExpiryDays, fmt.Sprintf("must be greater than or equal to certificateValidityPeriodDays %v", clusterConfiguration.CertificateValidityPeriodDays)))
+			}
+		}
 	}
 
 	return allErrs

controlplane/kubeadm/internal/webhooks/kubeadm_control_plane_test.go

@@ -337,8 +337,8 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 							ImageTag:        "1.6.5",
 						},
 					},
-					CertificateValidityPeriodDays:   365,
-					CACertificateValidityPeriodDays: 365,
+					CertificateValidityPeriodDays:   6,
+					CACertificateValidityPeriodDays: 6,
 				},
 				JoinConfiguration: &bootstrapv1.JoinConfiguration{
 					NodeRegistration: bootstrapv1.NodeRegistrationOptions{
@@ -743,13 +743,23 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 	unsetTimeouts.Spec.KubeadmConfigSpec.JoinConfiguration.Timeouts = nil
 
 	certificateValidityPeriod := before.DeepCopy()
-	certificateValidityPeriod.Spec.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays = 23456
+	certificateValidityPeriod.Spec.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays = 5
 
 	invalidUpdateCACertificateValidityPeriodDays := before.DeepCopy()
 	invalidUpdateCACertificateValidityPeriodDays.Spec.KubeadmConfigSpec.ClusterConfiguration = &bootstrapv1.ClusterConfiguration{
-		CACertificateValidityPeriodDays: 23456,
+		CACertificateValidityPeriodDays: 4,
 	}
 
+	invalidRolloutBeforeCertificatesExpiryDays := before.DeepCopy()
+	invalidRolloutBeforeCertificatesExpiryDays.Spec.RolloutBefore.CertificatesExpiryDays = ptr.To[int32](2)
+
+	invalidCertificateValidityPeriodDays := before.DeepCopy()
+	invalidCertificateValidityPeriodDays.Spec.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays = 300
+
+	invalidCertificateValidityPeriod := before.DeepCopy()
+	invalidCertificateValidityPeriod.Spec.KubeadmConfigSpec.ClusterConfiguration.CACertificateValidityPeriodDays = 0
+	invalidCertificateValidityPeriod.Spec.KubeadmConfigSpec.ClusterConfiguration.CertificateValidityPeriodDays = 3651
+
 	tests := []struct {
 		name                  string
 		enableIgnitionFeature bool
@@ -1119,6 +1129,24 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 			before:    before,
 			kcp:       invalidUpdateCACertificateValidityPeriodDays,
 		},
+		{
+			name:      "should return error when rolloutBefore CertificatesExpiryDays less than cluster CertificateValidityPeriodDays",
+			expectErr: true,
+			before:    before,
+			kcp:       invalidRolloutBeforeCertificatesExpiryDays,
+		},
+		{
+			name:      "should return error when CertificateValidityPeriodDays greater than CACertificateValidityPeriodDays",
+			expectErr: true,
+			before:    before,
+			kcp:       invalidCertificateValidityPeriodDays,
+		},
+		{
+			name:      "should return error when CertificateValidityPeriodDays greater than CACertificateValidityPeriodDays",
+			expectErr: true,
+			before:    before,
+			kcp:       invalidCertificateValidityPeriod,
+		},
 	}
 
 	for _, tt := range tests {

controlplane/kubeadm/internal/webhooks/kubeadmcontrolplanetemplate.go

@@ -139,7 +139,7 @@ func (webhook *KubeadmControlPlaneTemplate) ValidateDelete(_ context.Context, _
 func validateKubeadmControlPlaneTemplateResourceSpec(s controlplanev1.KubeadmControlPlaneTemplateResourceSpec, pathPrefix *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
-	allErrs = append(allErrs, validateRolloutBefore(s.RolloutBefore, pathPrefix.Child("rolloutBefore"))...)
+	allErrs = append(allErrs, validateRolloutBefore(s.RolloutBefore, s.KubeadmConfigSpec.ClusterConfiguration, pathPrefix.Child("rolloutBefore"))...)
 	allErrs = append(allErrs, validateRolloutStrategy(s.RolloutStrategy, nil, pathPrefix.Child("rolloutStrategy"))...)
 	if s.MachineNamingStrategy != nil {
 		allErrs = append(allErrs, validateNamingStrategy(s.MachineNamingStrategy, pathPrefix.Child("machineNamingStrategy"))...)

controlplane/kubeadm/internal/workload_cluster.go

@@ -94,6 +94,7 @@ type WorkloadCluster interface {
 	UpdateAPIServerInKubeadmConfigMap(apiServer bootstrapv1.APIServer) func(*bootstrapv1.ClusterConfiguration)
 	UpdateControllerManagerInKubeadmConfigMap(controllerManager bootstrapv1.ControllerManager) func(*bootstrapv1.ClusterConfiguration)
 	UpdateSchedulerInKubeadmConfigMap(scheduler bootstrapv1.Scheduler) func(*bootstrapv1.ClusterConfiguration)
+	UpdateCertificateValidityPeriodDays(certificateValidityPeriodDays int32) func(*bootstrapv1.ClusterConfiguration)
 	UpdateKubeProxyImageInfo(ctx context.Context, kcp *controlplanev1.KubeadmControlPlane) error
 	UpdateCoreDNS(ctx context.Context, kcp *controlplanev1.KubeadmControlPlane) error
 	RemoveEtcdMemberForMachine(ctx context.Context, machine *clusterv1.Machine) error
@@ -219,6 +220,13 @@ func (w *Workload) UpdateSchedulerInKubeadmConfigMap(scheduler bootstrapv1.Sched
 	}
 }
 
+// UpdateCertificateValidityPeriodDays updates CertificateValidityPeriodDays in kubeadm config map.
+func (w *Workload) UpdateCertificateValidityPeriodDays(certificateValidityPeriodDays int32) func(*bootstrapv1.ClusterConfiguration) {
+	return func(c *bootstrapv1.ClusterConfiguration) {
+		c.CertificateValidityPeriodDays = certificateValidityPeriodDays
+	}
+}
+
 // UpdateClusterConfiguration gets the ClusterConfiguration kubeadm-config ConfigMap, converts it to the
 // Cluster API representation, and then applies a mutation func; if changes are detected, the
 // data are converted back into the Kubeadm API version in use for the target Kubernetes version and the

controlplane/kubeadm/internal/workload_cluster_test.go

@@ -1025,6 +1025,65 @@ func TestUpdateFeatureGatesInKubeadmConfigMap(t *testing.T) {
 	}
 }
 
+func TestUpdateCertificateValidityPeriodDaysInKubeadmConfigMap(t *testing.T) {
+	tests := []struct {
+		name                     string
+		clusterConfigurationData string
+		certificateValidityDays  int32
+		wantClusterConfiguration string
+	}{
+		{
+			name:                    "it should set the certificateValidityDays in config",
+			certificateValidityDays: int32(5),
+			clusterConfigurationData: utilyaml.Raw(`
+				apiVersion: kubeadm.k8s.io/v1beta3
+				kind: ClusterConfiguration
+				`),
+			wantClusterConfiguration: utilyaml.Raw(`
+				apiServer: {}
+				apiVersion: kubeadm.k8s.io/v1beta4
+				certificateValidityPeriod: 120h0m0s
+				controllerManager: {}
+				dns: {}
+				etcd: {}
+				kind: ClusterConfiguration
+				kubernetesVersion: v1.33.1
+				networking: {}
+				proxy: {}
+				scheduler: {}
+				`),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			fakeClient := fake.NewClientBuilder().WithObjects(&corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      kubeadmConfigKey,
+					Namespace: metav1.NamespaceSystem,
+				},
+				Data: map[string]string{
+					clusterConfigurationKey: tt.clusterConfigurationData,
+				},
+			}).Build()
+
+			w := &Workload{
+				Client: fakeClient,
+			}
+			err := w.UpdateClusterConfiguration(ctx, semver.MustParse("1.33.1"), w.UpdateCertificateValidityPeriodDays(tt.certificateValidityDays))
+			g.Expect(err).ToNot(HaveOccurred())
+
+			var actualConfig corev1.ConfigMap
+			g.Expect(w.Client.Get(
+				ctx,
+				client.ObjectKey{Name: kubeadmConfigKey, Namespace: metav1.NamespaceSystem},
+				&actualConfig,
+			)).To(Succeed())
+			g.Expect(actualConfig.Data[clusterConfigurationKey]).Should(Equal(tt.wantClusterConfiguration), cmp.Diff(tt.wantClusterConfiguration, actualConfig.Data[clusterConfigurationKey]))
+		})
+	}
+}
+
 func TestDefaultFeatureGates(t *testing.T) {
 	tests := []struct {
 		name                  string