Merge pull request cert-manager#1075 from gparvin/adding-not-after-to…

…-certificate-status changes to add a NotAfter field to the cert status
lrsmith · Nov 16, 2018 · 9975ff4 · 9975ff4
2 parents 9a64cfa + acc0fa8
commit 9975ff4
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 0 deletions.
diff --git a/docs/generated/reference/output/reference/api-docs/index.html b/docs/generated/reference/output/reference/api-docs/index.html
@@ -154,6 +154,10 @@ <h3 id="certificatestatus-v1alpha1">CertificateStatus v1alpha1</h3>
 <td><code>lastFailureTime</code><br /> <em><a href="#time-v1">Time</a></em></td>
 <td></td>
 </tr>
+<tr>
+<td><code>notAfter</code><br /> <em><a href="#time-v1">Time</a></em></td>
+<td>The expiration time of the certificate stored in the secret named by this resource in spec.secretName.</td>
+</tr>
 </tbody>
 </table>
 <hr>

diff --git a/pkg/apis/certmanager/v1alpha1/types_certificate.go b/pkg/apis/certmanager/v1alpha1/types_certificate.go
@@ -109,6 +109,10 @@ type ACMECertificateConfig struct {
 type CertificateStatus struct {
 	Conditions      []CertificateCondition `json:"conditions,omitempty"`
 	LastFailureTime *metav1.Time           `json:"lastFailureTime,omitempty"`
+
+	// The expiration time of the certificate stored in the secret named
+	// by this resource in spec.secretName.
+	NotAfter *metav1.Time `json:"notAfter,omitempty"`
 }
 
 // CertificateCondition contains condition information for an Certificate.

diff --git a/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go
@@ -533,6 +533,15 @@ func (in *CertificateStatus) DeepCopyInto(out *CertificateStatus) {
 			(*in).DeepCopyInto(*out)
 		}
 	}
+	if in.NotAfter != nil {
+		in, out := &in.NotAfter, &out.NotAfter
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	return
 }
 

diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go
@@ -160,6 +160,9 @@ func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (reque
 		return false, err
 	}
 
+	metaNotAfter := metav1.NewTime(cert.NotAfter)
+	crtCopy.Status.NotAfter = &metaNotAfter
+
 	// begin checking if the TLS certificate is valid/needs a re-issue or renew
 
 	// check if the private key is the corresponding pair to the certificate

diff --git a/test/util/util.go b/test/util/util.go
@@ -283,6 +283,15 @@ func WaitCertificateIssuedValid(certClient clientset.CertificateInterface, secre
 				return false, nil
 			}
 
+			if certificate.Status.NotAfter == nil {
+				glog.Infof("No certificate expiration found for Certificate %q", name)
+				return false, nil
+			}
+			if !cert.NotAfter.Equal(certificate.Status.NotAfter.Time) {
+				glog.Info("Expected certificate expire date to be %v, but got %v", certificate.Status.NotAfter, cert.NotAfter)
+				return false, nil
+			}
+
 			label, ok := secret.Labels[v1alpha1.CertificateNameKey]
 			if !ok {
 				return false, fmt.Errorf("Expected secret to have certificate-name label, but had none")