Added parameters notBefore and notAfter to the certificate requests s…

…end to the NCM. They are calculated based on the Duration parameter defined in cert-manager.io/v1 Certificate object kind (notBefore is set to the current time when cert is being enrolled).
nokia · Jan 7, 2025 · 3f49ece · 3f49ece
1 parent 6b233c2
commit 3f49ece
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 5 deletions.
diff --git a/pkg/ncmapi/client.go b/pkg/ncmapi/client.go
@@ -25,7 +25,7 @@ import (
 type ExternalClient interface {
 	GetCAs() (*CAsResponse, error)
 	GetCA(path string) (*CAResponse, error)
-	SendCSR(pem []byte, CA *CAResponse, profileID string) (*CSRResponse, error)
+	SendCSR(pem []byte, CA *CAResponse,duration *metav1.Duration, profileID string) (*CSRResponse, error)
 	CheckCSRStatus(path string) (*CSRStatusResponse, error)
 	DownloadCertificate(path string) (*CertificateDownloadResponse, error)
 	DownloadCertificateInPEM(path string) ([]byte, error)

diff --git a/pkg/ncmapi/ncmapi.go b/pkg/ncmapi/ncmapi.go
@@ -403,15 +403,24 @@ func (c *Client) GetCA(path string) (*CAResponse, error) {
 	return &ca, nil
 }
 
-func (c *Client) SendCSR(pem []byte, CA *CAResponse, profileID string) (*CSRResponse, error) {
+func (c *Client) SendCSR(pem []byte, CA *CAResponse, duration *metav1.Duration, profileID string) (*CSRResponse, error) {
 	filePath, err := ncmutil.WritePEMToTempFile(pem)
 	c.log.V(2).Info("Wrote certificate to temp PEM file", "path", filePath)
 	if err != nil {
 		return nil, &ClientError{Reason: "cannot write PEM to file", ErrorMessage: err}
 	}
 
+	certDuration := cmapi.DefaultCertificateDuration
+	if duration != nil {
+		certDuration = duration.Duration
+	}
+	notBefore := time.Now()
+	notAfter := notBefore.Add(certDuration)
+
 	params := map[string]string{
-		"ca": CA.Href,
+		"ca":        CA.Href,
+		"notBefore": notBefore.Format(time.RFC3339),
+		"notAfter":  notAfter.Format(time.RFC3339),	
 	}
 
 	if profileID != "" {

diff --git a/pkg/provisioner/ncm.go b/pkg/provisioner/ncm.go
@@ -143,7 +143,7 @@ func (p *Provisioner) Sign(cr *cmapi.CertificateRequest) ([]byte, []byte, string
 		return p.handleAlreadySentCSR(cr.Namespace, cr.Annotations[cmapi.CertificateNameKey], certChain, wantedCA)
 	}
 
-	csrResp, err := p.NCMClient.SendCSR(cr.Spec.Request, signingCA, p.NCMConfig.ProfileID)
+	csrResp, err := p.NCMClient.SendCSR(cr.Spec.Request, signingCA, cr.Spec.Duration, p.NCMConfig.ProfileID)
 	if err != nil {
 		return nil, nil, "", fmt.Errorf("failed to send CSR, err: %w", err)
 	}

diff --git a/test/unit/gen/ncmapi.go b/test/unit/gen/ncmapi.go
@@ -202,7 +202,7 @@ func (fc *FakeClient) GetCA(path string) (*ncmapi.CAResponse, error) {
 	return fc.GetCAFn(path)
 }
 
-func (fc *FakeClient) SendCSR([]byte, *ncmapi.CAResponse, string) (*ncmapi.CSRResponse, error) {
+func (fc *FakeClient) SendCSR([]byte, *ncmapi.CAResponse, *metav1.Duration, string) (*ncmapi.CSRResponse, error) {
 	return fc.SendCSRFn()
 }