[installer]: set all internal certs to 90 days duration

gitpod-io · Nov 26, 2021 · ff11b98 · ff11b98
1 parent 19b6154
commit ff11b98
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 21 deletions.
diff --git a/installer/pkg/common/constants.go b/installer/pkg/common/constants.go
@@ -4,6 +4,11 @@
 
 package common
 
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"time"
+)
+
 // This file exists to break cyclic-dependency errors
 
 const (
@@ -35,3 +40,7 @@ const (
 
 	AnnotationConfigChecksum = "gitpod.io/checksum_config"
 )
+
+var (
+	InternalCertDuration = &metav1.Duration{Duration: time.Hour * 24 * 90}
+)
diff --git a/installer/pkg/components/cluster/certmanager.go b/installer/pkg/components/cluster/certmanager.go
@@ -39,6 +39,7 @@ func certmanager(ctx *common.RenderContext) ([]runtime.Object, error) {
 			},
 			Spec: v1.CertificateSpec{
 				IsCA:       true,
+				Duration:   common.InternalCertDuration,
 				CommonName: caName,
 				SecretName: caName,
 				PrivateKey: &v1.CertificatePrivateKey{

diff --git a/installer/pkg/components/docker-registry/certificate.go b/installer/pkg/components/docker-registry/certificate.go
@@ -6,11 +6,9 @@ package dockerregistry
 
 import (
 	"fmt"
+	"github.com/gitpod-io/gitpod/installer/pkg/common"
 	certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
-	"time"
-
-	"github.com/gitpod-io/gitpod/installer/pkg/common"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/utils/pointer"
@@ -21,8 +19,6 @@ func certificate(ctx *common.RenderContext) ([]runtime.Object, error) {
 		return nil, nil
 	}
 
-	oneYear := &metav1.Duration{Duration: time.Hour * 24 * 365}
-
 	return []runtime.Object{&certmanagerv1.Certificate{
 		TypeMeta: common.TypeMetaCertificate,
 		ObjectMeta: metav1.ObjectMeta{
@@ -31,7 +27,7 @@ func certificate(ctx *common.RenderContext) ([]runtime.Object, error) {
 			Labels:    common.DefaultLabels(Component),
 		},
 		Spec: certmanagerv1.CertificateSpec{
-			Duration:   oneYear,
+			Duration:   common.InternalCertDuration,
 			SecretName: BuiltInRegistryCerts,
 			IssuerRef: cmmeta.ObjectReference{
 				Name:  common.CertManagerCAIssuer,

diff --git a/installer/pkg/components/registry-facade/certificate.go b/installer/pkg/components/registry-facade/certificate.go
@@ -6,8 +6,6 @@ package registryfacade
 
 import (
 	"fmt"
-	"time"
-
 	certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 
@@ -17,8 +15,6 @@ import (
 )
 
 func certificate(ctx *common.RenderContext) ([]runtime.Object, error) {
-	oneYear := &metav1.Duration{Duration: time.Hour * 24 * 365}
-
 	return []runtime.Object{&certmanagerv1.Certificate{
 		TypeMeta: common.TypeMetaCertificate,
 		ObjectMeta: metav1.ObjectMeta{
@@ -27,7 +23,7 @@ func certificate(ctx *common.RenderContext) ([]runtime.Object, error) {
 			Labels:    common.DefaultLabels(Component),
 		},
 		Spec: certmanagerv1.CertificateSpec{
-			Duration:   oneYear,
+			Duration:   common.InternalCertDuration,
 			SecretName: common.RegistryFacadeTLSCertSecret,
 			IssuerRef: cmmeta.ObjectReference{
 				Name:  common.CertManagerCAIssuer,

diff --git a/installer/pkg/components/ws-daemon/tlssecret.go b/installer/pkg/components/ws-daemon/tlssecret.go
@@ -10,14 +10,10 @@ import (
 	certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"time"
-
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
 func tlssecret(ctx *common.RenderContext) ([]runtime.Object, error) {
-	oneYear := &metav1.Duration{Duration: time.Hour * 24 * 365}
-
 	return []runtime.Object{
 		&certmanagerv1.Certificate{
 			TypeMeta: common.TypeMetaCertificate,
@@ -27,7 +23,7 @@ func tlssecret(ctx *common.RenderContext) ([]runtime.Object, error) {
 				Labels:    common.DefaultLabels(Component),
 			},
 			Spec: certmanagerv1.CertificateSpec{
-				Duration:   oneYear,
+				Duration:   common.InternalCertDuration,
 				SecretName: TLSSecretName,
 				DNSNames: []string{
 					fmt.Sprintf("gitpod.%s", ctx.Namespace),

diff --git a/installer/pkg/components/ws-manager/tlssecret.go b/installer/pkg/components/ws-manager/tlssecret.go
@@ -6,8 +6,6 @@ package wsmanager
 
 import (
 	"fmt"
-	"time"
-
 	"github.com/gitpod-io/gitpod/installer/pkg/common"
 
 	certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
@@ -32,7 +30,6 @@ func tlssecret(ctx *common.RenderContext) ([]runtime.Object, error) {
 		Component,
 	}
 
-	sixMonths := &metav1.Duration{Duration: time.Hour * 4380}
 	issuer := common.CertManagerCAIssuer
 
 	return []runtime.Object{
@@ -44,7 +41,7 @@ func tlssecret(ctx *common.RenderContext) ([]runtime.Object, error) {
 				Labels:    common.DefaultLabels(Component),
 			},
 			Spec: certmanagerv1.CertificateSpec{
-				Duration:   sixMonths,
+				Duration:   common.InternalCertDuration,
 				SecretName: TLSSecretNameSecret,
 				DNSNames:   serverAltNames,
 				IssuerRef: cmmeta.ObjectReference{
@@ -62,7 +59,7 @@ func tlssecret(ctx *common.RenderContext) ([]runtime.Object, error) {
 				Labels:    common.DefaultLabels(Component),
 			},
 			Spec: certmanagerv1.CertificateSpec{
-				Duration:   sixMonths,
+				Duration:   common.InternalCertDuration,
 				SecretName: TLSSecretNameClient,
 				DNSNames:   clientAltNames,
 				IssuerRef: cmmeta.ObjectReference{