Add --client-cert-expiration-seconds (#443)

Signed-off-by: ohkinozomu <[email protected]>
open-cluster-management-io · Jun 30, 2024 · 316961c · 316961c
1 parent 56e1fc8
commit 316961c
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 18 deletions.
diff --git a/pkg/cmd/join/cmd.go b/pkg/cmd/join/cmd.go
@@ -76,5 +76,6 @@ func NewCmd(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, stream
 	cmd.Flags().StringToStringVar(&o.resourceRequests, "resource-requests", nil, "the resource requests of all the containers managed by the klusterlet and the klusterlet operator, for example: cpu=500m,memory=500Mi")
 	cmd.Flags().BoolVar(&o.createNameSpace, "create-namespace", true, "If true, create the operator namespace(open-cluster-management) and the agent namespace(open-cluster-management-agent for Default mode, <klusterlet-name> for Hosted mode), otherwise use existing one")
 	cmd.Flags().BoolVar(&o.enableSyncLabels, "enable-sync-labels", false, "If true, sync the labels from klusterlet to all agent resources.")
+	cmd.Flags().Int32Var(&o.clientCertExpirationSeconds, "client-cert-expiration-seconds", 31536000, "clientCertExpirationSeconds represents the seconds of a client certificate to expire.")
 	return cmd
 }
diff --git a/pkg/cmd/join/exec.go b/pkg/cmd/join/exec.go
@@ -29,7 +29,6 @@ import (
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/klog/v2"
 	"k8s.io/kubectl/pkg/cmd/util"
-	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 	clusterclient "open-cluster-management.io/api/client/cluster/clientset/versioned"
 	operatorclient "open-cluster-management.io/api/client/operator/clientset/versioned"
 	clusterv1 "open-cluster-management.io/api/cluster/v1"
@@ -143,7 +142,8 @@ func (o *Options) complete(cmd *cobra.Command, args []string) (err error) {
 	o.values.ResourceRequirement = *resourceRequirement
 
 	o.values.ManagedKubeconfig = o.managedKubeconfigFile
-	o.values.RegistrationFeatures = genericclioptionsclusteradm.ConvertToFeatureGateAPI(genericclioptionsclusteradm.SpokeMutableFeatureGate, ocmfeature.DefaultSpokeRegistrationFeatureGates)
+	o.values.RegistrationConfiguration.RegistrationFeatures = genericclioptionsclusteradm.ConvertToFeatureGateAPI(genericclioptionsclusteradm.SpokeMutableFeatureGate, ocmfeature.DefaultSpokeRegistrationFeatureGates)
+	o.values.RegistrationConfiguration.ClientCertExpirationSeconds = o.clientCertExpirationSeconds
 	o.values.WorkFeatures = genericclioptionsclusteradm.ConvertToFeatureGateAPI(genericclioptionsclusteradm.SpokeMutableFeatureGate, ocmfeature.DefaultSpokeWorkFeatureGates)
 
 	// set mode based on mode and singleton
@@ -317,7 +317,7 @@ func (o *Options) run() error {
 		if err != nil {
 			return err
 		}
-		f = cmdutil.NewFactory(getter)
+		f = util.NewFactory(getter)
 	}
 
 	_, apiExtensionsClient, _, err := helpers.GetClients(f)

diff --git a/pkg/cmd/join/options.go b/pkg/cmd/join/options.go
@@ -85,6 +85,8 @@ type Options struct {
 
 	// enableSyncLabels is to enable the feature which can sync the labels from klusterlet to all agent resources.
 	enableSyncLabels bool
+
+	clientCertExpirationSeconds int32
 }
 
 func newOptions(clusteradmFlags *genericclioptionsclusteradm.ClusteradmFlags, streams genericclioptions.IOStreams) *Options {

diff --git a/pkg/cmd/join/scenario/join/klusterlets.cr.yaml b/pkg/cmd/join/scenario/join/klusterlets.cr.yaml
@@ -21,13 +21,16 @@ spec:
     resourceRequirements:
       {{ .ResourceRequirement.ResourceRequirements | indent 6 }}
     {{- end }}
-  {{if .RegistrationFeatures}}
+  {{with .RegistrationConfiguration}}
   registrationConfiguration:
+    {{if .RegistrationFeatures}}
     featureGates:
     {{range .RegistrationFeatures }}
     - feature: {{ .Feature }}
       mode: {{ .Mode }}
     {{end}}
+    {{end}}
+    clientCertExpirationSeconds: {{ .ClientCertExpirationSeconds }}
   {{end}}
   {{if .WorkFeatures}}
   workConfiguration:

diff --git a/pkg/cmd/join/scenario/resources.go b/pkg/cmd/join/scenario/resources.go
@@ -33,8 +33,13 @@ type Values struct {
 	// managed kubeconfig
 	ManagedKubeconfig string
 
-	// Features is the slice of feature for registration
-	RegistrationFeatures []operatorv1.FeatureGate
+	RegistrationConfiguration struct {
+		// Features is the slice of feature for registration
+		RegistrationFeatures []operatorv1.FeatureGate
+
+		// clientCertExpirationSeconds is the expiration time for the client certificate
+		ClientCertExpirationSeconds int32
+	}
 
 	// Features is the slice of feature for work
 	WorkFeatures []operatorv1.FeatureGate

diff --git a/pkg/cmd/upgrade/klusterlet/exec.go b/pkg/cmd/upgrade/klusterlet/exec.go
@@ -22,7 +22,7 @@ const (
 	klusterletName = "klusterlet"
 )
 
-func (o *Options) complete(cmd *cobra.Command, args []string) (err error) {
+func (o *Options) complete(_ *cobra.Command, _ []string) (err error) {
 	err = o.ClusteradmFlags.ValidateManagedCluster()
 	if err != nil {
 		return err
@@ -69,7 +69,8 @@ func (o *Options) complete(cmd *cobra.Command, args []string) (err error) {
 
 	// reconstruct values from the klusterlet CR.
 	if k.Spec.RegistrationConfiguration != nil {
-		o.values.RegistrationFeatures = k.Spec.RegistrationConfiguration.FeatureGates
+		o.values.RegistrationConfiguration.RegistrationFeatures = k.Spec.RegistrationConfiguration.FeatureGates
+		o.values.RegistrationConfiguration.ClientCertExpirationSeconds = k.Spec.RegistrationConfiguration.ClientCertExpirationSeconds
 	}
 	if k.Spec.WorkConfiguration != nil {
 		o.values.WorkFeatures = k.Spec.WorkConfiguration.FeatureGates

diff --git a/test/e2e/clusteradm/joinhubscenario_skip_approve_test.go b/test/e2e/clusteradm/joinhubscenario_skip_approve_test.go
@@ -73,17 +73,18 @@ var _ = ginkgo.Describe("test clusteradm with manual bootstrap token", func() {
 			}, 30, 1).Should(gomega.BeNil())
 
 			ginkgo.By("managedcluster1 join hub")
-			err = e2e.Clusteradm().Join(
-				"--context", e2e.Cluster().ManagedCluster1().Context(),
-				"--hub-token", token,
-				"--hub-apiserver", e2e.CommandResult().Host(),
-				"--force-internal-endpoint-lookup",
-				"--cluster-name", e2e.Cluster().ManagedCluster1().Name(),
-				"--bundle-version=latest",
-				"--wait",
-			)
+			gomega.Eventually(func() error {
+				return e2e.Clusteradm().Join(
+					"--context", e2e.Cluster().ManagedCluster1().Context(),
+					"--hub-token", token,
+					"--hub-apiserver", e2e.CommandResult().Host(),
+					"--force-internal-endpoint-lookup",
+					"--cluster-name", e2e.Cluster().ManagedCluster1().Name(),
+					"--bundle-version=latest",
+					"--wait",
+				)
+			}, 2*time.Minute, 10*time.Second).Should(gomega.BeNil(), "managedcluster1 join error")
 
-			gomega.Expect(err).NotTo(gomega.HaveOccurred(), "managedcluster1 join error")
 			ginkgo.By("hub accept managedcluster1")
 			err = e2e.Clusteradm().Accept(
 				"--clusters", e2e.Cluster().ManagedCluster1().Name(),