autocert: Renew when 80% of the time until expiration is elapsed (#1332)

Currently, the auto generated MinIO certificate is auto renewed before 48 hours of the expiration date. Since the operator does not set an expiry date, some certicates are short lived, therefore the operator will try to renew the certificate all the time. The solution is to renew only when 80% of the time until the certificate expiration date has elapsed. Co-authored-by: Anis Elleuch <[email protected]>
minio · Nov 2, 2022 · f45529d · f45529d
1 parent 0299cc8
commit f45529d
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/pkg/controller/cluster/minio.go b/pkg/controller/cluster/minio.go
@@ -293,7 +293,7 @@ func (c *Controller) checkMinIOCertificatesStatus(ctx context.Context, tenant *m
 }
 
 // certNeedsRenewal - returns true if the TLS certificate from given secret has expired or is
-// about to expire within the next two days.
+// about to expire shortly.
 func (c *Controller) certNeedsRenewal(tlsSecret *corev1.Secret) (bool, error) {
 	var certPublicKey []byte
 	var certPrivateKey []byte
@@ -330,7 +330,10 @@ func (c *Controller) certNeedsRenewal(tlsSecret *corev1.Secret) (bool, error) {
 		}
 	}
 
-	if leaf.NotAfter.Before(time.Now().Add(time.Hour * 48)) {
+	// Renew the certificate when 80% of the time between the creation and expiration date
+	// has elapsed so this can work with short lived certifcates as well.
+	timeElapsedBeforeRenewal := time.Duration(float64(leaf.NotAfter.Sub(leaf.NotBefore)) * 0.8)
+	if leaf.NotBefore.Add(timeElapsedBeforeRenewal).Before(time.Now()) {
 		klog.V(2).Infof("TLS Certificate expiry on %s", leaf.NotAfter.String())
 		return true, nil
 	}