feat: Add duration and renewBefore configuration for TLS certificates#942

Merged: Skarlso merged 1 commit into open-component-model:main from Melonbun233:feat/certificate-renewal-config on Jun 10, 2026

Conversation

@Melonbun233 (Contributor) commented Jun 9, 2026

Summary

  • Add configurable duration and renewBefore fields to both the root CA and leaf Certificate resources in the Helm chart
  • Set sensible defaults: root CA (90d duration, renew 30d before expiry), leaf (30d duration, renew 12d before expiry)
  • Ensures leaf certificates cannot outlive the root CA after renewal timing drift

Motivation

Without explicit duration/renewBefore, certificates rely on cert-manager defaults. This can lead to a scenario where the leaf certificate's validity extends beyond the root CA's expiry — at which point the leaf is considered invalid regardless of its own NotAfter date, causing TLS failures.

The defaults follow a proven pattern:

  • Leaf expiry = root CA's renewal window (90 - 60 = 30 days)
  • Leaf renewBefore = 40% safety margin on the renewal window (40% × 30 = 12 days)

Changes

  • deploy/values.yaml: Added duration and renewBefore under tlsCert.bootstrap (root CA) and tlsCert (leaf)
  • deploy/templates/cert.yaml: Render the new values into both Certificate specs

Test plan

  • helm template with tlsCert.generateTlsCert=true renders both certificates with correct duration/renewBefore values

Closes open-component-model/ocm#1998
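The timing invariant the description relies on (a leaf issued at any moment before the root CA's renewal trigger must expire no later than the CA itself, which reduces to leaf duration ≤ CA renewBefore) can be checked mechanically. The following Go program is an added example, not code from this PR, from ocm-controller or from cert-manager; the `CertTiming` type and the function names are assumptions. It parses the two fields with Go's `time.ParseDuration`, which is how cert-manager reads `duration` and `renewBefore`, so the day values from the description are written in hours (90 days = 2160h); the 40% margin threshold is the ratio the description chose, passed in as a parameter.

```go
package main

import (
	"fmt"
	"time"
)

// CertTiming holds the two cert-manager Certificate fields the PR makes
// configurable. The type is hypothetical and exists only for this example.
type CertTiming struct {
	Duration    time.Duration // spec.duration
	RenewBefore time.Duration // spec.renewBefore
}

// ParseTiming parses the two values the way cert-manager does, with Go's
// duration syntax: "90d" is rejected, 90 days must be written "2160h".
func ParseTiming(duration, renewBefore string) (CertTiming, error) {
	d, err := time.ParseDuration(duration)
	if err != nil {
		return CertTiming{}, fmt.Errorf("duration: %w", err)
	}
	r, err := time.ParseDuration(renewBefore)
	if err != nil {
		return CertTiming{}, fmt.Errorf("renewBefore: %w", err)
	}
	if r <= 0 || r >= d {
		return CertTiming{}, fmt.Errorf("renewBefore %s must lie strictly between 0 and duration %s", r, d)
	}
	return CertTiming{Duration: d, RenewBefore: r}, nil
}

// Margin returns renewBefore as a fraction of duration (0.4 for the PR's leaf defaults).
func (c CertTiming) Margin() float64 {
	return float64(c.RenewBefore) / float64(c.Duration)
}

// CheckChain reports why a root CA / leaf pairing can break TLS.
//
// The worst case for a leaf is issuance an instant before the CA's renewal
// trigger, i.e. at CA age ca.Duration - ca.RenewBefore. That leaf expires
// leaf.Duration later, which must not be after the CA's own expiry, so
// leaf.Duration must not exceed ca.RenewBefore (the CA's renewal window).
// minMargin is the renewBefore/duration ratio the leaf must keep (0.4 in the
// PR's defaults) so that a few failed renewal attempts still leave time.
func CheckChain(ca, leaf CertTiming, minMargin float64) []string {
	var problems []string
	overrun := (ca.Duration - ca.RenewBefore + leaf.Duration) - ca.Duration
	if overrun > 0 {
		problems = append(problems, fmt.Sprintf(
			"leaf duration %s exceeds the CA renewal window %s: a leaf issued just before CA renewal outlives the CA by %s",
			leaf.Duration, ca.RenewBefore, overrun))
	}
	if m := leaf.Margin(); m < minMargin {
		problems = append(problems, fmt.Sprintf(
			"leaf renewBefore %s is only %.0f%% of its duration %s; wanted at least %.0f%%",
			leaf.RenewBefore, m*100, leaf.Duration, minMargin*100))
	}
	return problems
}

// PRDefaults returns the defaults the PR description gives (root CA 90d/30d,
// leaf 30d/12d) in the hour form cert-manager accepts.
func PRDefaults() (ca, leaf CertTiming, err error) {
	ca, err = ParseTiming("2160h", "720h") // root CA: 90 days, renew 30 days before expiry
	if err != nil {
		return
	}
	leaf, err = ParseTiming("720h", "288h") // leaf: 30 days, renew 12 days before expiry
	return
}

func main() {
	ca, leaf, err := PRDefaults()
	if err != nil {
		panic(err)
	}
	fmt.Printf("PR defaults, problems: %v\n", CheckChain(ca, leaf, 0.4))

	// Constructed misconfiguration: a 60-day leaf under the same 90-day CA.
	longLeaf, _ := ParseTiming("1440h", "600h")
	for _, p := range CheckChain(ca, longLeaf, 0.4) {
		fmt.Println("problem:", p)
	}

	// The "90d" shorthand used in prose is not valid cert-manager input.
	if _, err := ParseTiming("90d", "30d"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Run it against the values you actually render with `helm template`; the overrun case is the one the description warns about, and the rejected `90d` case is the form to watch for when translating the description's day figures into `values.yaml`.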

@Melonbun233 Melonbun233 requested a review from a team as a code owner June 9, 2026 19:56

Without explicit duration/renewBefore fields, certificates rely on
cert-manager defaults which can lead to leaf certificates outliving
the root CA after renewal timing drift, causing TLS failures.

Add configurable duration and renewBefore values for both the root CA
and leaf certificates with sensible defaults:
- Root CA: 90 days duration, renew 30 days before expiry
- Leaf: 30 days duration, renew 12 days before expiry

This ensures the leaf certificate is always renewed well before the
root CA expires, with a 40% safety margin on the renewal window.

Ref: open-component-model/ocm#1998
Signed-off-by: Melonbun233 <zeng_zh@foxmail.com>
@Melonbun233 Melonbun233 force-pushed the feat/certificate-renewal-config branch from e666f81 to f054f2f on June 9, 2026 20:14

@dee0 left a comment

lgtm

@Skarlso Skarlso merged commit d8e43ca into open-component-model:main Jun 10, 2026
9 checks passed
@Melonbun233 (Contributor, Author) commented

Hi @Skarlso,
Could you please help release a new version of OCM controller, as the certificates have expired in production and we would need this new version to set the correct rotation for them?
Thanks a lot.

@Skarlso (Contributor) commented Jun 10, 2026

Yes, I will.



Linked issue (closed by this PR): feat: Add duration and renewBefore configuration for TLS certificates in ocm-controller