diff --git a/pkg/config/config.go b/pkg/config/config.go
index 061e7d3d..8e08cd7b 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -64,6 +64,10 @@ func validateAPI(apiConfig *api.APIConfigSpec) error {
 return constable.Error("durationSeconds cannot be smaller than renewBeforeSeconds")
 }
+ if *apiConfig.ServingCertificateConfig.RenewBeforeSeconds <= 0 {
+ return constable.Error("renewBefore must be positive")
+ }
+
 return nil
 }
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index f790d0dd..e22a1255 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -63,6 +63,16 @@ func TestFromPath(t *testing.T) {
 path: "testdata/invalid-duration-renew-before.yaml",
 wantError: "validate api: durationSeconds cannot be smaller than renewBeforeSeconds",
 },
+ {
+ name: "NegativeRenewBefore",
+ path: "testdata/negative-renew-before.yaml",
+ wantError: "validate api: renewBefore must be positive",
+ },
+ {
+ name: "ZeroRenewBefore",
+ path: "testdata/zero-renew-before.yaml",
+ wantError: "validate api: renewBefore must be positive",
+ },
 }
 for _, test := range tests {
 test := test
diff --git a/pkg/config/testdata/negative-renew-before.yaml b/pkg/config/testdata/negative-renew-before.yaml
new file mode 100644
index 00000000..97481414
--- /dev/null
+++ b/pkg/config/testdata/negative-renew-before.yaml
@@ -0,0 +1,8 @@
+---
+webhook:
+ url: https://tuna.com/fish?marlin
+ caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
+api:
+ servingCertificate:
+ durationSeconds: 2400
+ renewBeforeSeconds: -10
diff --git a/pkg/config/testdata/zero-renew-before.yaml b/pkg/config/testdata/zero-renew-before.yaml
new file mode 100644
index 00000000..97481414
--- /dev/null
+++ b/pkg/config/testdata/zero-renew-before.yaml
@@ -0,0 +1,8 @@
+---
+webhook:
+ url: https://tuna.com/fish?marlin
+ caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
+api:
+ servingCertificate:
+ durationSeconds: 2400
+ renewBeforeSeconds: -10
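Review bot: The message on the new check names the field `renewBefore`, while the YAML key and the message on the preceding check both say `renewBeforeSeconds`, so an operator searching their config for the name in the error will not find it. Suggest `return constable.Error("renewBeforeSeconds must be positive")`, with the two `wantError` strings added in config_test.go updated to match. The check also dereferences `RenewBeforeSeconds` unconditionally; the preceding comparison appears to do the same, so a nil value is presumably defaulted or rejected before validateAPI runs, but that happens outside the hunk and is worth confirming. validateAPI starts outside the hunk.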
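Review bot: The `ZeroRenewBefore` case does not exercise zero: the fixture it loads, `testdata/zero-renew-before.yaml` (added later in this diff with the same blob id 97481414 as the negative fixture), sets `renewBeforeSeconds: -10`, so both new cases would still pass if the check in config.go were loosened to `< 0`. Change the last line of `pkg/config/testdata/zero-renew-before.yaml` to `renewBeforeSeconds: 0`. Zero is the exact boundary the `<= 0` comparison is meant to catch, so this is the case that protects it.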
diff --git a/test/integration/api_serving_certs_test.go b/test/integration/api_serving_certs_test.go
index 8e0b2af1..ec1ca3e2 100644
--- a/test/integration/api_serving_certs_test.go
+++ b/test/integration/api_serving_certs_test.go
@@ -154,7 +154,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 func createExpiredCertificate() ([]byte, error) {
 return testutil.CreateCertificate(
- time.Now().Add(-24*time.Hour),
- time.Now().Add(-time.Hour),
+ time.Now().Add(-24*time.Hour), // notBefore
+ time.Now().Add(-time.Hour), // notAfter
 )
 }