From 44692a486f96bda80ffd2a2a132a651b47457391 Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Wed, 28 Jun 2023 00:01:34 -0400
Subject: [PATCH 1/2] client-go: allow to set NotBefore in NewSelfSignedCACert()

Signed-off-by: Etienne Champetier
---
 staging/src/k8s.io/client-go/util/cert/cert.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/staging/src/k8s.io/client-go/util/cert/cert.go b/staging/src/k8s.io/client-go/util/cert/cert.go
index 37b023ef25d..91e171271af 100644
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@@ -45,6 +45,7 @@ type Config struct {
 	Organization []string
 	AltNames     AltNames
 	Usages       []x509.ExtKeyUsage
+	NotBefore    time.Time
 }
 
 // AltNames contains the domain names and IP addresses that will be added
@@ -64,6 +65,10 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 		return nil, err
 	}
 	serial = new(big.Int).Add(serial, big.NewInt(1))
+	notBefore := now.UTC()
+	if !cfg.NotBefore.IsZero() {
+		notBefore = cfg.NotBefore.UTC()
+	}
 	tmpl := x509.Certificate{
 		SerialNumber: serial,
 		Subject: pkix.Name{
@@ -71,7 +76,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 			Organization: cfg.Organization,
 		},
 		DNSNames: []string{cfg.CommonName},
-		NotBefore:             now.UTC(),
+		NotBefore:             notBefore,
 		NotAfter:              now.Add(duration365d * 10).UTC(),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,

From 812556365b6fca9b3338589a8863ff276111799f Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Wed, 28 Jun 2023 00:04:41 -0400
Subject: [PATCH 2/2] kubeadm: backdate generated CAs by 5 minutes

This allow for a small time jump backward after certificates generation.

Signed-off-by: Etienne Champetier
---
 cmd/kubeadm/app/constants/constants.go      | 2 ++
 cmd/kubeadm/app/util/pkiutil/pki_helpers.go | 2 ++
 2 files changed, 4 insertions(+)
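Review bot: The new `NotBefore` field in `Config` has no doc comment, and the two decisions that matter to a caller — a zero value means "use the generation time", and the value is normalized to UTC — are only discoverable by reading NewSelfSignedCACert. Suggest adding above the field: `// NotBefore is the start of the certificate's validity period. The zero value means the time of generation; the value is normalized to UTC.`. The `Config` struct opens outside this hunk (its header is only visible in the hunk context line).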
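Review bot: `notBefore` is taken from `cfg.NotBefore` without any check, while `NotAfter` stays anchored to `now`, so a caller that passes a NotBefore later than `now` plus ten years gets a certificate that is never valid and nothing rejects it at generation time. A guard right after the override, e.g. `if notBefore.After(now.Add(duration365d * 10)) { return nil, fmt.Errorf("NotBefore %v is after the certificate's NotAfter", notBefore) }`, would report the misconfiguration at the call site rather than as an opaque verification failure later. Whether `fmt` is already imported in cert.go is not visible in the hunk; use whichever error constructor the file already relies on. NewSelfSignedCACert begins and ends outside this hunk.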
diff --git a/cmd/kubeadm/app/constants/constants.go b/cmd/kubeadm/app/constants/constants.go
index 62f08a61c3a..8d5cea7a985 100644
--- a/cmd/kubeadm/app/constants/constants.go
+++ b/cmd/kubeadm/app/constants/constants.go
@@ -44,6 +44,8 @@ const (
 	// should be joined with KubernetesDir.
 	TempDirForKubeadm = "tmp"
 
+	// CertificateBackdate defines the offset applied to notBefore for CA certificates generated by kubeadm
+	CertificateBackdate = time.Minute * 5
 	// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
 	CertificateValidity = time.Hour * 24 * 365
 
diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
index 7887a2fbac3..dc78d1b3f6b 100644
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
@@ -74,6 +74,8 @@ func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Sign
 		return nil, nil, errors.Wrap(err, "unable to create private key while generating CA certificate")
 	}
 
+	// backdate CA certificate to allow small time jumps
+	config.Config.NotBefore = time.Now().Add(-kubeadmconstants.CertificateBackdate)
 	cert, err := certutil.NewSelfSignedCACert(config.Config, key)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "unable to create self-signed CA certificate")
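Review bot: The assignment to `config.Config.NotBefore` in the pki_helpers.go hunk writes through the caller's `*CertConfig`, so the backdated time persists on the caller's config after the call and any NotBefore the caller had already set is silently replaced. Copying the config and only filling in an unset value keeps the override local: `cfg := config.Config`, `if cfg.NotBefore.IsZero() { cfg.NotBefore = time.Now().Add(-kubeadmconstants.CertificateBackdate) }`, `cert, err := certutil.NewSelfSignedCACert(cfg, key)`. Whether any caller relies on reading the backdated NotBefore back from `config` is not visible here and would need to be confirmed before changing this. NewCertificateAuthority starts and ends outside the hunk.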