Fix default certificate validity

vesoft-inc · Jun 11, 2024 · ca222ec · ca222ec
1 parent a9d3251
commit ca222ec
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/charts/nebula-operator/templates/controller-manager-deployment.yaml b/charts/nebula-operator/templates/controller-manager-deployment.yaml
@@ -45,7 +45,7 @@ spec:
             - --webhook-server-name={{ template "admission-webhook.name" . }}-validating
             - --webhook-names={{ template "controller-manager-admission-webhook.name" . }}-service,{{ template "autoscaler-admission-webhook.name" . }}-service
             - --certificate-dir=/tmp/k8s-webhook-server/serving-certs
-            - --certificate-validity=5
+            - --certificate-validity=1
             - --secret-namespace={{ template "nebula-operator.namespace" . }}
             - --secret-name={{ template "admission-webhook.name" . }}-secret
             - --kube-domain={{ default "cluster.local" .Values.kubernetesClusterDomain }}

diff --git a/cmd/certificate-generator/app/certificate-generator.go b/cmd/certificate-generator/app/certificate-generator.go
@@ -135,12 +135,12 @@ func Run(ctx context.Context, opts *options.Options) error {
 }
 
 func rotateCertificate(clientset *kubernetes.Clientset, opts *options.Options) error {
-	//opts.CertValidity = opts.CertValidity * 24 * 60
+	opts.CertValidity = opts.CertValidity * 24 * 60
 
 	klog.Infof("Starting cert rotation cron job for webhook [%v/%v]", opts.WebhookNamespace, opts.WebhookServerName)
 	c := cron.New()
 	// rotate cert 1 hour before expiration date
-	c.AddFunc(fmt.Sprintf("@every %vm", opts.CertValidity-1), func() {
+	c.AddFunc(fmt.Sprintf("@every %vm", opts.CertValidity-60), func() {
 		err := doCertRotation(clientset, opts)
 		if err != nil {
 			klog.Errorf("Error rotating certificate for webhook [%v/%v]: %v", opts.WebhookNamespace, opts.WebhookServerName, err)