From d606148375e34dced3fa8f8fa8c551a2546a5775 Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Tue, 13 Jun 2023 01:04:28 -0400
Subject: [PATCH] Make CA valid 1 hour in the past

When running kubeadm / installing k8s early during boot, the CA certificate can be generated before time is synchronised and time is jumped backward. Make notBefore 1 hour in the past to accept small clock jump.

Signed-off-by: Etienne Champetier
Kubernetes-commit: e1735b9863777ff11ac35434e047c38dcce4b4f3
---
 util/cert/cert.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/cert/cert.go b/util/cert/cert.go
index 37b023ef..a93613d3 100644
--- a/util/cert/cert.go
+++ b/util/cert/cert.go
@@ -71,7 +71,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 Organization: cfg.Organization,
 },
 DNSNames: []string{cfg.CommonName},
- NotBefore: now.UTC(),
+ NotBefore: now.Add(-time.Hour).UTC(), // valid an hour earlier to avoid flakes
 NotAfter: now.Add(duration365d * 10).UTC(),
 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 BasicConstraintsValid: true,
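Review bot: The trailing comment on the new `NotBefore` line says the backdating is "to avoid flakes", which hides the reason given in the commit message: the CA can be generated before time synchronisation and the clock then stepped backward. I would word it as `// backdate by one hour so the CA is already valid if the clock is stepped back after generation`, and add that a step larger than one hour still leaves a not-yet-valid CA. `NotAfter` is still computed from `now`, so the validity window becomes ten years plus one hour, which looks intended but is worth stating next to the field. `now` is assigned outside this hunk and the function body continues past it, so whether certificates signed by this CA derive their own `NotBefore` consistently cannot be checked from here.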