refactor(charts/injector): improve self-signed certificate expiration…

… detection and recreation logic

charts/dsv-injector/templates/NOTES.txt

@@ -23,4 +23,18 @@
 ⚙️ ConfigMap created: {{ include "dsv.fullname" . }}-configmap
 {{ else }}
 ➖ no configmap detected, defaults used for logging level and any other configmap values
-{{ end }}
+{{ end }}
+
+
+{{- $tlsSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "dsv.name" .)) -}}
+{{- $recreateSelfSignedCertThreshold := default 90 .Values.recreateSelfSignedCertThreshold | int -}}
+{{- $needsRecreate := false -}}
+{{- if $tlsSecret }}
+  {{- $cert := $tlsSecret.data.cert | b64dec | fromYaml -}}
+  {{- if and $cert (lt (now | date "2006-01-02") (dateModify (now | date "2006-01-02") (printf "+%dh" (mul $recreateSelfSignedCertThreshold 24)))) }}
+    {{- $needsRecreate = true -}}
+    ❗❗❗ Cert expiration shows expiring within threshold: [$recreateSelfSignedCertThreshold] days, so will be recreated.
+  {{- else -}}
+    ✔️ Cert shows expiration greater than threshold of [$recreateSelfSignedCertThreshold].
+  {{- end -}}
+{{- end -}}

charts/dsv-injector/templates/webhook.yaml

@@ -4,7 +4,7 @@
 {{- $needsRecreate := false -}}
 {{- if $tlsSecret }}
   {{- $cert := $tlsSecret.data.cert | b64dec | fromYaml -}}
-  {{- if and $cert (lt (now | date "2006-01-02" | dateAdd (mul $recreateSelfSignedCertThreshold 24h)) ($cert | date "2006-01-02")) }}
+  {{- if and $cert (lt (now | date "2006-01-02") (dateModify (now | date "2006-01-02") (printf "+%dh" (mul $recreateSelfSignedCertThreshold 24)))) }}
     {{- $needsRecreate = true -}}
   {{- end -}}
 {{- end -}}

cmd/injector/main.go

@@ -2,7 +2,9 @@ package main
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"net/http"
@@ -96,12 +98,37 @@ func Run(args []string) error { //nolint:funlen,cyclop // ok for Run
 	if cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile); err == nil {
 		tlsConfig = &tls.Config{Certificates: []tls.Certificate{cert}}
 		log.Info().Str("cert", cfg.CertFile).Str("key", cfg.KeyFile).Msg("LoadX509KeyPair")
+
+		// Parse the certificate to get the expiration date
+		certData, err := os.ReadFile(cfg.CertFile)
+		if err != nil {
+			log.Error().Err(err).Msg("unable to read certificate file")
+			return fmt.Errorf("unable to read certificate file: %w", err)
+		}
+		block, _ := pem.Decode(certData)
+		if block == nil {
+			log.Error().Msg("failed to parse certificate PEM")
+			return fmt.Errorf("failed to parse certificate PEM")
+		}
+		parsedCert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			log.Error().Err(err).Msg("failed to parse certificate")
+			return fmt.Errorf("failed to parse certificate: %w", err)
+		}
+
+		// Calculate the number of days until the certificate expires
+		daysUntilExpiry := int(time.Until(parsedCert.NotAfter).Hours() / 24)
+
+		log.Info().
+			Str("cert", cfg.CertFile).
+			Str("key", cfg.KeyFile).
+			Int("days_until_expiry", daysUntilExpiry).
+			Msg("LoadX509KeyPair")
 	} else {
 		log.Error().Err(err).Msgf("unable to load keypair for TLS: %s", err)
 		return fmt.Errorf("unable to load keypair for TLS: %w", err)
 	}
 	log.Info().Msgf("success loading keypair for TLS: [public: '%s', private: '%s']", cfg.CertFile, cfg.KeyFile)
-
 	server := http.Server{
 		Addr:              cfg.ServerAddress,
 		TLSConfig:         tlsConfig, // optional

go.mod

@@ -2,8 +2,6 @@ module github.com/DelineaXPM/dsv-k8s/v2
 
 go 1.21
 
-toolchain go1.21.6
-
 require (
 	github.com/DelineaXPM/dsv-sdk-go/v2 v2.1.0
 	github.com/bitfield/script v0.22.0