internal/certauthority: backdate certs even further

We are seeing between 1 and 2 minutes of difference between the current time
reported in the API server pod and the pinniped pods on one of our testing
environments. Hopefully this change makes our tests pass again.

Signed-off-by: Andrew Keesler <akeesler@vmware.com>

internal/certauthority/certauthority.go

@@ -22,6 +22,14 @@ import (
 	"time"
 )
 
+// certBackdate is the amount of time before time.Now() that will be used to set
+// a certificate's NotBefore field.
+//
+// This could certainly be made configurable by an installer of pinniped, but we
+// will see if we can save adding a configuration knob with a reasonable default
+// here.
+const certBackdate = 5 * time.Minute
+
 type env struct {
 	// secure random number generators for various steps (usually crypto/rand.Reader, but broken out here for tests).
 	serialRNG  io.Reader
@@ -96,9 +104,9 @@ func newInternal(subject pkix.Name, env env) (*CA, error) {
 	}
 	ca.signer = privateKey
 
-	// Make a CA certificate valid for 100 years and backdated by one minute.
+	// Make a CA certificate valid for 100 years and backdated by some amount.
 	now := env.clock()
-	notBefore := now.Add(-1 * time.Minute)
+	notBefore := now.Add(-certBackdate)
 	notAfter := now.Add(24 * time.Hour * 365 * 100)
 
 	// Create CA cert template
@@ -141,9 +149,9 @@ func (c *CA) Issue(subject pkix.Name, dnsNames []string, ttl time.Duration) (*tl
 		return nil, fmt.Errorf("could not generate private key: %w", err)
 	}
 
-	// Make a CA caCert valid for the requested TTL and backdated by one minute.
+	// Make a CA caCert valid for the requested TTL and backdated by some amount.
 	now := c.env.clock()
-	notBefore := now.Add(-1 * time.Minute)
+	notBefore := now.Add(-certBackdate)
 	notAfter := now.Add(ttl)
 
 	// Parse the DER encoded certificate to get an x509.Certificate.

internal/certauthority/certauthority_test.go

@@ -145,7 +145,7 @@ func TestNewInternal(t *testing.T) {
 			},
 			wantCommonName: "Test CA",
 			wantNotAfter:   now.Add(100 * 365 * 24 * time.Hour),
-			wantNotBefore:  now.Add(-1 * time.Minute),
+			wantNotBefore:  now.Add(-5 * time.Minute),
 		},
 	}
 	for _, tt := range tests {

internal/certauthority/kubecertauthority/kubecertauthority_test.go

@@ -146,7 +146,7 @@ func TestCA(t *testing.T) {
 					r.NoError(err)
 					validCert := testutil.ValidateCertificate(t, fakeCertPEM, string(certPEM))
 					validCert.RequireDNSName("example.com")
-					validCert.RequireLifetime(time.Now(), time.Now().Add(10*time.Minute), 2*time.Minute)
+					validCert.RequireLifetime(time.Now(), time.Now().Add(10*time.Minute), 6*time.Minute)
 					validCert.RequireMatchesPrivateKey(string(keyPEM))
 
 					// Tick the timer and wait for another refresh loop to complete.
@@ -178,7 +178,7 @@ func TestCA(t *testing.T) {
 
 					validCert2 := testutil.ValidateCertificate(t, fakeCert2PEM, secondCertPEM)
 					validCert2.RequireDNSName("example.com")
-					validCert2.RequireLifetime(time.Now(), time.Now().Add(10*time.Minute), 2*time.Minute)
+					validCert2.RequireLifetime(time.Now(), time.Now().Add(15*time.Minute), 6*time.Minute)
 					validCert2.RequireMatchesPrivateKey(secondKeyPEM)
 				})
 			})

internal/controller/apicerts/certs_manager_test.go

@@ -224,7 +224,7 @@ func TestManagerControllerSync(t *testing.T) {
 					// Validate the created cert using the CA, and also validate the cert's hostname
 					validCert := testutil.ValidateCertificate(t, actualCACert, actualCertChain)
 					validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc")
-					validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 2*time.Minute)
+					validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 6*time.Minute)
 					validCert.RequireMatchesPrivateKey(actualPrivateKey)
 
 					// Make sure we updated the APIService caBundle and left it otherwise unchanged