Use the provisioner controller in Nebula renewals

authority/provisioner/nebula.go

@@ -260,10 +260,7 @@ func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOpti
 
 // AuthorizeRenew returns an error if the renewal is disabled.
 func (p *Nebula) AuthorizeRenew(ctx context.Context, crt *x509.Certificate) error {
-	if p.ctl.Claimer.IsDisableRenewal() {
+	return p.ctl.AuthorizeRenew(ctx, crt)
-		return errs.Unauthorized("renew is disabled for nebula provisioner '%s'", p.GetName())
-	}
-	return nil
 }
 
 // AuthorizeRevoke returns an error if the token is not valid.

authority/provisioner/nebula_test.go

@@ -549,6 +549,8 @@ func TestNebula_AuthorizeSSHSign(t *testing.T) {
 
 func TestNebula_AuthorizeRenew(t *testing.T) {
 	ctx := context.TODO()
+	now := time.Now().Truncate(time.Second)
+
 	// Ok provisioner
 	p, _, _ := mustNebulaProvisioner(t)
 
@@ -567,8 +569,14 @@ func TestNebula_AuthorizeRenew(t *testing.T) {
 		args    args
 		wantErr bool
 	}{
-		{"ok", p, args{ctx, &x509.Certificate{}}, false},
+		{"ok", p, args{ctx, &x509.Certificate{
-		{"fail disabled", pDisabled, args{ctx, &x509.Certificate{}}, true},
+			NotBefore: now,
+			NotAfter:  now.Add(time.Hour),
+		}}, false},
+		{"fail disabled", pDisabled, args{ctx, &x509.Certificate{
+			NotBefore: now,
+			NotAfter:  now.Add(time.Hour),
+		}}, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {