scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-03 19:58:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #118922 from champtar/kubeadm-backdate-ca

Browse Source 
kubeadm: backdate generated CAs
This commit is contained in:
Kubernetes Prow Robot
2023-06-28 12:28:56 -07:00
committed by GitHub
parent 056f3a56b8 812556365b
commit 4036b6fb41
3 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/kubeadm/app/constants/constants.go
View File

@@ -44,6 +44,8 @@ const (
// should be joined with KubernetesDir. // should be joined with KubernetesDir.
TempDirForKubeadm = "tmp" TempDirForKubeadm = "tmp"
// CertificateBackdate defines the offset applied to notBefore for CA certificates generated by kubeadm
CertificateBackdate = time.Minute * 5
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 CertificateValidity = time.Hour * 24 * 365

2
cmd/kubeadm/app/util/pkiutil/pki_helpers.go
View File

@@ -74,6 +74,8 @@ func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Sign
return nil, nil, errors.Wrap(err, "unable to create private key while generating CA certificate") return nil, nil, errors.Wrap(err, "unable to create private key while generating CA certificate")
} }
// backdate CA certificate to allow small time jumps
config.Config.NotBefore = time.Now().Add(-kubeadmconstants.CertificateBackdate)
cert, err := certutil.NewSelfSignedCACert(config.Config, key) cert, err := certutil.NewSelfSignedCACert(config.Config, key)
if err != nil { if err != nil {
return nil, nil, errors.Wrap(err, "unable to create self-signed CA certificate") return nil, nil, errors.Wrap(err, "unable to create self-signed CA certificate")

7
staging/src/k8s.io/client-go/util/cert/cert.go
View File

@@ -45,6 +45,7 @@ type Config struct {
Organization []string Organization []string
AltNames AltNames AltNames AltNames
Usages []x509.ExtKeyUsage Usages []x509.ExtKeyUsage
NotBefore time.Time
} }
// AltNames contains the domain names and IP addresses that will be added // AltNames contains the domain names and IP addresses that will be added
@@ -64,6 +65,10 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
return nil, err return nil, err
} }
serial = new(big.Int).Add(serial, big.NewInt(1)) serial = new(big.Int).Add(serial, big.NewInt(1))
notBefore := now.UTC()
if !cfg.NotBefore.IsZero() {
notBefore = cfg.NotBefore.UTC()
}
tmpl := x509.Certificate{ tmpl := x509.Certificate{
SerialNumber: serial, SerialNumber: serial,
Subject: pkix.Name{ Subject: pkix.Name{
@@ -71,7 +76,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
Organization: cfg.Organization, Organization: cfg.Organization,
}, },
DNSNames: []string{cfg.CommonName}, DNSNames: []string{cfg.CommonName},
NotBefore: now.UTC(), NotBefore: notBefore,
NotAfter: now.Add(duration365d * 10).UTC(), NotAfter: now.Add(duration365d * 10).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true, BasicConstraintsValid: true,