github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-31 16:46:54 +00:00
Code Issues Projects Releases Wiki Activity

kubeadm: backdate generated CAs by 5 minutes

Browse Source 
This allow for a small time jump backward after
certificates generation.

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
This commit is contained in:
Etienne Champetier
2023-06-28 00:04:41 -04:00
parent 44692a486f
commit 812556365b
2 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/kubeadm/app/constants/constants.go
View File

@@ -44,6 +44,8 @@ const (
// should be joined with KubernetesDir. // should be joined with KubernetesDir.
TempDirForKubeadm = "tmp" TempDirForKubeadm = "tmp"
// CertificateBackdate defines the offset applied to notBefore for CA certificates generated by kubeadm
CertificateBackdate = time.Minute * 5
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365 CertificateValidity = time.Hour * 24 * 365

2
cmd/kubeadm/app/util/pkiutil/pki_helpers.go
View File

@@ -74,6 +74,8 @@ func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Sign
return nil, nil, errors.Wrap(err, "unable to create private key while generating CA certificate") return nil, nil, errors.Wrap(err, "unable to create private key while generating CA certificate")
} }
// backdate CA certificate to allow small time jumps
config.Config.NotBefore = time.Now().Add(-kubeadmconstants.CertificateBackdate)
cert, err := certutil.NewSelfSignedCACert(config.Config, key) cert, err := certutil.NewSelfSignedCACert(config.Config, key)
if err != nil { if err != nil {
return nil, nil, errors.Wrap(err, "unable to create self-signed CA certificate") return nil, nil, errors.Wrap(err, "unable to create self-signed CA certificate")