pkg/config: force api.servingCertificate.renewBeforeSeconds to be positive

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

pkg/config/config.go

@@ -64,6 +64,10 @@ func validateAPI(apiConfig *api.APIConfigSpec) error {
 		return constable.Error("durationSeconds cannot be smaller than renewBeforeSeconds")
 	}
 
+	if *apiConfig.ServingCertificateConfig.RenewBeforeSeconds <= 0 {
+		return constable.Error("renewBefore must be positive")
+	}
+
 	return nil
 }
 

pkg/config/config_test.go

@@ -63,6 +63,16 @@ func TestFromPath(t *testing.T) {
 			path:      "testdata/invalid-duration-renew-before.yaml",
 			wantError: "validate api: durationSeconds cannot be smaller than renewBeforeSeconds",
 		},
+		{
+			name:      "NegativeRenewBefore",
+			path:      "testdata/negative-renew-before.yaml",
+			wantError: "validate api: renewBefore must be positive",
+		},
+		{
+			name:      "ZeroRenewBefore",
+			path:      "testdata/zero-renew-before.yaml",
+			wantError: "validate api: renewBefore must be positive",
+		},
 	}
 	for _, test := range tests {
 		test := test

pkg/config/testdata/negative-renew-before.yaml

@@ -0,0 +1,8 @@
+---
+webhook:
+  url: https://tuna.com/fish?marlin
+  caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
+api:
+  servingCertificate:
+    durationSeconds: 2400
+    renewBeforeSeconds: -10

pkg/config/testdata/zero-renew-before.yaml

@@ -0,0 +1,8 @@
+---
+webhook:
+  url: https://tuna.com/fish?marlin
+  caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tLi4u
+api:
+  servingCertificate:
+    durationSeconds: 2400
+    renewBeforeSeconds: -10

test/integration/api_serving_certs_test.go

@@ -154,7 +154,7 @@ func TestAPIServingCertificateAutoCreationAndRotation(t *testing.T) {
 
 func createExpiredCertificate() ([]byte, error) {
 	return testutil.CreateCertificate(
-		time.Now().Add(-24*time.Hour),
+		time.Now().Add(-24*time.Hour), // notBefore
-		time.Now().Add(-time.Hour),
+		time.Now().Add(-time.Hour),    // notAfter
 	)
 }