Use cert duration from issuer's annotation

slawqo · slawqo · commit 31029e4915be · 2026-05-08T15:02:22.000+02:00
This is test patch. To combine with previous ones if all will work fine.

Signed-off-by: Slawek Kaplonski &lt;skaplons@redhat.com&gt;
diff --git a/internal/controller/ovncontroller_controller.go b/internal/controller/ovncontroller_controller.go
@@ -884,6 +884,32 @@ func (r *OVNControllerReconciler) reconcileNormal(ctx context.Context, instance
 			return ctrl.Result{}, podErr
 		}
 
+		issuer := &certmgrv1.Issuer{}
+		if err := helper.GetClient().Get(ctx, types.NamespacedName{
+			Name:      instance.Spec.OvnIssuerName,
+			Namespace: instance.Namespace,
+		}, issuer); err != nil {
+			return ctrl.Result{}, fmt.Errorf("error getting issuer %s/%s - %w", instance.Spec.OvnIssuerName, instance.Namespace, err)
+		}
+
+		durationString := certmanager.CertDefaultDuration
+		if d, ok := issuer.Annotations[certmanager.CertDurationAnnotation]; ok && d != "" {
+			durationString = d
+		}
+		duration, err := time.ParseDuration(durationString)
+		if err != nil {
+			return ctrl.Result{}, fmt.Errorf("error parsing certificate duration %s - %w", durationString, err)
+		}
+
+		var renewBefore *time.Duration
+		if r, ok := issuer.Annotations[certmanager.CertRenewBeforeAnnotation]; ok && r != "" {
+			rb, err := time.ParseDuration(r)
+			if err != nil {
+				return ctrl.Result{}, fmt.Errorf("error parsing certificate renewBefore %s - %w", r, err)
+			}
+			renewBefore = &rb
+		}
+
 		for _, pod := range ovnPods.Items {
 			nodeName := pod.Spec.NodeName
 			if nodeName == "" {
@@ -894,11 +920,13 @@ func (r *OVNControllerReconciler) reconcileNormal(ctx context.Context, instance
 			nodeSystemIDs[nodeName] = systemID
 
 			_, certResult, certErr := certmanager.EnsureCert(ctx, helper, certmanager.CertificateRequest{
-				IssuerName: instance.Spec.OvnIssuerName,
-				CertName:   certName,
-				CommonName: &systemID,
-				Labels:     ovnServiceLabels,
-				Usages:     []certmgrv1.KeyUsage{certmgrv1.UsageClientAuth, certmgrv1.UsageDigitalSignature},
+				IssuerName:  instance.Spec.OvnIssuerName,
+				CertName:    certName,
+				CommonName:  &systemID,
+				Labels:      ovnServiceLabels,
+				Usages:      []certmgrv1.KeyUsage{certmgrv1.UsageClientAuth, certmgrv1.UsageDigitalSignature},
+				Duration:    &duration,
+				RenewBefore: renewBefore,
 			}, instance)
 			if certErr != nil {
 				return certResult, certErr
