Merge pull request #118922 from champtar/kubeadm-backdate-ca

kubeadm: backdate generated CAs
2025-08-07 11:13:48 +00:00 · 2023-06-28 12:28:56 -07:00 · 2023-06-28 12:28:56 -07:00 · 4036b6fb41
commit 4036b6fb41
parent 056f3a56b8 812556365b
3 changed files with 10 additions and 1 deletions
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@ -44,6 +44,8 @@ const (
 	// should be joined with KubernetesDir.
 	TempDirForKubeadm = "tmp"

+	// CertificateBackdate defines the offset applied to notBefore for CA certificates generated by kubeadm
+	CertificateBackdate = time.Minute * 5
 	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
 	CertificateValidity = time.Hour * 24 * 365

--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
@ -74,6 +74,8 @@ func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Sign
 		return nil, nil, errors.Wrap(err, "unable to create private key while generating CA certificate")
 	}

+	// backdate CA certificate to allow small time jumps
+	config.Config.NotBefore = time.Now().Add(-kubeadmconstants.CertificateBackdate)
 	cert, err := certutil.NewSelfSignedCACert(config.Config, key)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "unable to create self-signed CA certificate")
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@ -45,6 +45,7 @@ type Config struct {
 	Organization []string
 	AltNames     AltNames
 	Usages       []x509.ExtKeyUsage
+	NotBefore    time.Time
 }

 // AltNames contains the domain names and IP addresses that will be added
@ -64,6 +65,10 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 		return nil, err
 	}
 	serial = new(big.Int).Add(serial, big.NewInt(1))
+	notBefore := now.UTC()
+	if !cfg.NotBefore.IsZero() {
+		notBefore = cfg.NotBefore.UTC()
+	}
 	tmpl := x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
@ -71,7 +76,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 			Organization: cfg.Organization,
 		},
 		DNSNames:              []string{cfg.CommonName},
-		NotBefore:             now.UTC(),
+		NotBefore:             notBefore,
 		NotAfter:              now.Add(duration365d * 10).UTC(),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,