Merge pull request #130047 from HirazawaUi/modify-loopback-cert-valid-period

Extending loopback certificate validity in kube-apiserver
2025-07-30 06:54:01 +00:00 · 2025-02-19 05:30:26 -08:00 · 2025-02-19 05:30:26 -08:00 · 77667834b0
commit 77667834b0
parent 7fc8a86381 553e9bf84d
2 changed files with 57 additions and 3 deletions
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go
@ -18,6 +18,7 @@ package options

 import (
 	"fmt"
+	"time"

 	"github.com/google/uuid"

@ -49,9 +50,18 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.Se
 		return nil
 	}

+	// Set a validity period of approximately 3 years for the loopback certificate
+	// to avoid kube-apiserver disruptions due to certificate expiration.
+	// When this certificate expires, restarting kube-apiserver will automatically
+	// regenerate a new certificate with fresh validity dates.
+	maxAge := (3*365 + 1) * 24 * time.Hour
+
 	// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
 	// let the server return it when the loopback client connects.
-	certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
+	certPem, keyPem, err := certutil.GenerateSelfSignedCertKeyWithOptions(certutil.SelfSignedCertKeyOptions{
+		Host:   server.LoopbackClientServerNameOverride,
+		MaxAge: maxAge,
+	})
 	if err != nil {
 		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
 	}
--- a/staging/src/k8s.io/client-go/util/cert/cert.go
+++ b/staging/src/k8s.io/client-go/util/cert/cert.go
@ -90,11 +90,37 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 	return x509.ParseCertificate(certDERBytes)
 }

+// SelfSignedCertKeyOptions contains configuration parameters for generating self-signed certificates.
+type SelfSignedCertKeyOptions struct {
+	// Host is required, and identifies the host of the serving certificate. Can be a DNS name or IP address.
+	Host string
+	// AlternateIPs is optional, and identifies additional IPs the serving certificate should be valid for.
+	AlternateIPs []net.IP
+	// AlternateDNS is optional, and identifies additional DNS names the serving certificate should be valid for.
+	AlternateDNS []string
+
+	// MaxAge controls the duration of the issued certificate.
+	// Defaults to 1 year if unset.
+	// Ignored if FixtureDirectory is set.
+	MaxAge time.Duration
+
+	// FixtureDirectory is intended for use in tests.
+	// If non-empty, it is a directory path which can contain pre-generated certs. The format is:
+	// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
+	// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
+	// Certs/keys not existing in that directory are created with a duration of 100 years.
+	FixtureDirectory string
+}
+
 // GenerateSelfSignedCertKey creates a self-signed certificate and key for the given host.
 // Host may be an IP or a DNS name
 // You may also specify additional subject alt names (either ip or dns names) for the certificate.
 func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS []string) ([]byte, []byte, error) {
-	return GenerateSelfSignedCertKeyWithFixtures(host, alternateIPs, alternateDNS, "")
+	return GenerateSelfSignedCertKeyWithOptions(SelfSignedCertKeyOptions{
+		Host:         host,
+		AlternateIPs: alternateIPs,
+		AlternateDNS: alternateDNS,
+	})
 }

 // GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host.
@ -106,8 +132,26 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 // <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
 // Certs/keys not existing in that directory are created.
 func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
+	return GenerateSelfSignedCertKeyWithOptions(SelfSignedCertKeyOptions{
+		Host:             host,
+		AlternateIPs:     alternateIPs,
+		AlternateDNS:     alternateDNS,
+		FixtureDirectory: fixtureDirectory,
+	})
+}
+
+// GenerateSelfSignedCertKeyWithOptions generates a self-signed certificate and key based on the provided options.
+func GenerateSelfSignedCertKeyWithOptions(opts SelfSignedCertKeyOptions) ([]byte, []byte, error) {
+	host := opts.Host
+	alternateIPs := opts.AlternateIPs
+	alternateDNS := opts.AlternateDNS
+	fixtureDirectory := opts.FixtureDirectory
+	maxAge := opts.MaxAge
+	if maxAge == 0 {
+		maxAge = 365 * 24 * time.Hour
+	}
+
 	validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
-	maxAge := time.Hour * 24 * 365          // one year self-signed certs

 	baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
 	certFixturePath := filepath.Join(fixtureDirectory, baseName+".crt")