internal/certauthority: backdate certs even further
We are seeing between 1 and 2 minutes of difference between the current time reported in the API server pod and the pinniped pods on one of our testing environments. Hopefully this change makes our tests pass again. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
parent
ed8b1be178
commit
142e9a1583
@ -22,6 +22,14 @@ import (
|
||||
"time"
|
||||
)
|
||||
|
||||
// certBackdate is the amount of time before time.Now() that will be used to set
|
||||
// a certificate's NotBefore field.
|
||||
//
|
||||
// This could certainly be made configurable by an installer of pinniped, but we
|
||||
// will see if we can save adding a configuration knob with a reasonable default
|
||||
// here.
|
||||
const certBackdate = 5 * time.Minute
|
||||
|
||||
type env struct {
|
||||
// secure random number generators for various steps (usually crypto/rand.Reader, but broken out here for tests).
|
||||
serialRNG io.Reader
|
||||
@ -96,9 +104,9 @@ func newInternal(subject pkix.Name, env env) (*CA, error) {
|
||||
}
|
||||
ca.signer = privateKey
|
||||
|
||||
// Make a CA certificate valid for 100 years and backdated by one minute.
|
||||
// Make a CA certificate valid for 100 years and backdated by some amount.
|
||||
now := env.clock()
|
||||
notBefore := now.Add(-1 * time.Minute)
|
||||
notBefore := now.Add(-certBackdate)
|
||||
notAfter := now.Add(24 * time.Hour * 365 * 100)
|
||||
|
||||
// Create CA cert template
|
||||
@ -141,9 +149,9 @@ func (c *CA) Issue(subject pkix.Name, dnsNames []string, ttl time.Duration) (*tl
|
||||
return nil, fmt.Errorf("could not generate private key: %w", err)
|
||||
}
|
||||
|
||||
// Make a CA caCert valid for the requested TTL and backdated by one minute.
|
||||
// Make a CA caCert valid for the requested TTL and backdated by some amount.
|
||||
now := c.env.clock()
|
||||
notBefore := now.Add(-1 * time.Minute)
|
||||
notBefore := now.Add(-certBackdate)
|
||||
notAfter := now.Add(ttl)
|
||||
|
||||
// Parse the DER encoded certificate to get an x509.Certificate.
|
||||
|
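Review bot: The new doc comment on certBackdate and the two "backdated by some amount" comments in newInternal and Issue describe the mechanism but not the reason the commit message gives, namely tolerating clock skew between the API server and the pinniped pods; I would state it on the constant, e.g. `// certBackdate is subtracted from the current clock time when setting a certificate's NotBefore, so a verifier whose clock lags the issuer's by up to this much still accepts the certificate.`, and have both call-site comments say "backdated by certBackdate" so the knob is discoverable. In Issue, NotAfter is still computed from `now` rather than from notBefore, so an issued certificate is valid for ttl plus certBackdate in total, which is worth a one-line comment next to `notAfter := now.Add(ttl)` since callers reasoning about ttl will otherwise miss it. The Issue comment also still says "Make a CA caCert", although this is the leaf certificate being issued, not the CA. The widened 6-minute tolerances in the test hunks are hard-coded and will drift silently if certBackdate changes again; where the test is in the same package (TestNewInternal appears to be), `wantNotBefore: now.Add(-certBackdate)` would pin it to the constant. The bodies of newInternal and Issue continue outside these hunks.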
@ -145,7 +145,7 @@ func TestNewInternal(t *testing.T) {
|
||||
},
|
||||
wantCommonName: "Test CA",
|
||||
wantNotAfter: now.Add(100 * 365 * 24 * time.Hour),
|
||||
wantNotBefore: now.Add(-1 * time.Minute),
|
||||
wantNotBefore: now.Add(-5 * time.Minute),
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
|
@ -146,7 +146,7 @@ func TestCA(t *testing.T) {
|
||||
r.NoError(err)
|
||||
validCert := testutil.ValidateCertificate(t, fakeCertPEM, string(certPEM))
|
||||
validCert.RequireDNSName("example.com")
|
||||
validCert.RequireLifetime(time.Now(), time.Now().Add(10*time.Minute), 2*time.Minute)
|
||||
validCert.RequireLifetime(time.Now(), time.Now().Add(10*time.Minute), 6*time.Minute)
|
||||
validCert.RequireMatchesPrivateKey(string(keyPEM))
|
||||
|
||||
// Tick the timer and wait for another refresh loop to complete.
|
||||
@ -178,7 +178,7 @@ func TestCA(t *testing.T) {
|
||||
|
||||
validCert2 := testutil.ValidateCertificate(t, fakeCert2PEM, secondCertPEM)
|
||||
validCert2.RequireDNSName("example.com")
|
||||
validCert2.RequireLifetime(time.Now(), time.Now().Add(10*time.Minute), 2*time.Minute)
|
||||
validCert2.RequireLifetime(time.Now(), time.Now().Add(15*time.Minute), 6*time.Minute)
|
||||
validCert2.RequireMatchesPrivateKey(secondKeyPEM)
|
||||
})
|
||||
})
|
||||
|
@ -224,7 +224,7 @@ func TestManagerControllerSync(t *testing.T) {
|
||||
// Validate the created cert using the CA, and also validate the cert's hostname
|
||||
validCert := testutil.ValidateCertificate(t, actualCACert, actualCertChain)
|
||||
validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc")
|
||||
validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 2*time.Minute)
|
||||
validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 6*time.Minute)
|
||||
validCert.RequireMatchesPrivateKey(actualPrivateKey)
|
||||
|
||||
// Make sure we updated the APIService caBundle and left it otherwise unchanged
|
||||
|