kubeadm: backdate generated CAs by 5 minutes

This allows for a small backward time jump after
certificate generation.

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
Etienne Champetier 2023-06-28 00:04:41 -04:00
parent 44692a486f
commit 812556365b
2 changed files with 4 additions and 0 deletions


@ -44,6 +44,8 @@ const (
// should be joined with KubernetesDir.
TempDirForKubeadm = "tmp"
// CertificateBackdate defines the offset applied to notBefore for CA certificates generated by kubeadm
CertificateBackdate = time.Minute * 5
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
CertificateValidity = time.Hour * 24 * 365
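Review bot: The comment on `CertificateBackdate` says the offset is "applied to notBefore" but not in which direction or why. Wording such as `// CertificateBackdate is subtracted from the current time to set notBefore on CA certificates generated by kubeadm, so a small backward clock jump does not make a fresh CA look not yet valid` would keep the intent from the commit message next to the value. That matters because raising the constant later also widens the period before issuance in which the CA is accepted. The const block starts and ends outside the hunk.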


@ -74,6 +74,8 @@ func NewCertificateAuthority(config *CertConfig) (*x509.Certificate, crypto.Sign
return nil, nil, errors.Wrap(err, "unable to create private key while generating CA certificate")
}
// backdate CA certificate to allow small time jumps
config.Config.NotBefore = time.Now().Add(-kubeadmconstants.CertificateBackdate)
cert, err := certutil.NewSelfSignedCACert(config.Config, key)
if err != nil {
return nil, nil, errors.Wrap(err, "unable to create self-signed CA certificate")
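Review bot: The added assignment `config.Config.NotBefore = time.Now().Add(-kubeadmconstants.CertificateBackdate)` writes through the caller's `*CertConfig` and unconditionally replaces any NotBefore already set there. Whether any caller sets NotBefore or reuses the same CertConfig is not visible in this hunk, but if one does, its value is silently overridden or a stale timestamp carries into a later call. Working on a copy and defaulting only when unset avoids both: `cfg := config.Config`, then `if cfg.NotBefore.IsZero() { cfg.NotBefore = time.Now().Add(-kubeadmconstants.CertificateBackdate) }`, and pass `cfg` to `certutil.NewSelfSignedCACert`. The diffstat shows no test file, so a unit test asserting that the returned certificate's NotBefore precedes the time of the call would pin the behaviour. The body of NewCertificateAuthority starts and ends outside the hunk.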