autocert: Renew when 80% of the time until expiration is elapsed (#1332)

Currently, the auto generated MinIO certificate is auto renewed before
48 hours of the expiration date. Since the operator does not set an
expiry date, some certicates are short lived, therefore the operator
will try to renew the certificate all the time.

The solution is to renew only when 80% of the time until the certificate
expiration date has elapsed.

Co-authored-by: Anis Elleuch <[email protected]>

Author: vadmeste

pkg/controller/cluster/minio.go

@@ -293,7 +293,7 @@ func (c *Controller) checkMinIOCertificatesStatus(ctx context.Context, tenant *m
 }
 
 // certNeedsRenewal - returns true if the TLS certificate from given secret has expired or is
-// about to expire within the next two days.
+// about to expire shortly.
 func (c *Controller) certNeedsRenewal(tlsSecret *corev1.Secret) (bool, error) {
 	var certPublicKey []byte
 	var certPrivateKey []byte
@@ -330,7 +330,10 @@ func (c *Controller) certNeedsRenewal(tlsSecret *corev1.Secret) (bool, error) {
 		}
 	}
 
-	if leaf.NotAfter.Before(time.Now().Add(time.Hour * 48)) {
+	// Renew the certificate when 80% of the time between the creation and expiration date
+	// has elapsed so this can work with short lived certifcates as well.
+	timeElapsedBeforeRenewal := time.Duration(float64(leaf.NotAfter.Sub(leaf.NotBefore)) * 0.8)
+	if leaf.NotBefore.Add(timeElapsedBeforeRenewal).Before(time.Now()) {
 		klog.V(2).Infof("TLS Certificate expiry on %s", leaf.NotAfter.String())
 		return true, nil
 	}