certauthority: tolerate larger clock skew between API server and pinniped

This change updates our certificate code to use the same 5 minute
backdate that is used by the Kubernetes controller manager.  This
helps to account for clock skews between the API servers and the
kubelets that are running the pinniped pods.  While this backdating
reflects a large percentage of the lifetime of our short lived
certificates (100% for the 5 minute client certificates), even a 10
minute irrevocable client certificate is within our limits.  When
we move to the CSR based short lived certificates, they will always
have at least a 15 minute lifetime (5 minute backdating plus 10 minute
minimum valid duration).

Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Monis Khan 2021-09-21 09:19:50 -04:00
parent 43ba6ba686
commit 91c8f747f4
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
3 changed files with 8 additions and 10 deletions

View File

@ -24,12 +24,10 @@ import (
) )
// certBackdate is the amount of time before time.Now() that will be used to set // certBackdate is the amount of time before time.Now() that will be used to set
// a certificate's NotBefore field. // a certificate's NotBefore field. We use the same hard coded and unconfigurable
// // backdate value as used by the Kubernetes controller manager certificate signer:
// This could certainly be made configurable by an installer of pinniped, but we // https://github.com/kubernetes/kubernetes/blob/68d646a101005e95379d84160adf01d146bdd149/pkg/controller/certificates/signer/signer.go#L199
// will see if we can save adding a configuration knob with a reasonable default const certBackdate = 5 * time.Minute
// here.
const certBackdate = 10 * time.Second
type env struct { type env struct {
// secure random number generators for various steps (usually crypto/rand.Reader, but broken out here for tests). // secure random number generators for various steps (usually crypto/rand.Reader, but broken out here for tests).

View File

@ -96,7 +96,7 @@ func TestNew(t *testing.T) {
caCert, err := x509.ParseCertificate(ca.caCertBytes) caCert, err := x509.ParseCertificate(ca.caCertBytes)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, "Test CA", caCert.Subject.CommonName) require.Equal(t, "Test CA", caCert.Subject.CommonName)
require.WithinDuration(t, now.Add(-10*time.Second), caCert.NotBefore, 10*time.Second) require.WithinDuration(t, now.Add(-5*time.Minute), caCert.NotBefore, 10*time.Second)
require.WithinDuration(t, now.Add(time.Minute), caCert.NotAfter, 10*time.Second) require.WithinDuration(t, now.Add(time.Minute), caCert.NotAfter, 10*time.Second)
require.NotNil(t, ca.privateKey) require.NotNil(t, ca.privateKey)
@ -153,7 +153,7 @@ func TestNewInternal(t *testing.T) {
}, },
wantCommonName: "Test CA", wantCommonName: "Test CA",
wantNotAfter: now.Add(time.Minute), wantNotAfter: now.Add(time.Minute),
wantNotBefore: now.Add(-10 * time.Second), wantNotBefore: now.Add(-5 * time.Minute),
}, },
} }
for _, tt := range tests { for _, tt := range tests {

View File

@ -1056,7 +1056,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
caCert, err := x509.ParseCertificate(block.Bytes) caCert, err := x509.ParseCertificate(block.Bytes)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, "Pinniped Impersonation Proxy CA", caCert.Subject.CommonName) require.Equal(t, "Pinniped Impersonation Proxy CA", caCert.Subject.CommonName)
require.WithinDuration(t, time.Now().Add(-10*time.Second), caCert.NotBefore, 10*time.Second) require.WithinDuration(t, time.Now().Add(-5*time.Minute), caCert.NotBefore, 10*time.Second)
require.WithinDuration(t, time.Now().Add(100*time.Hour*24*365), caCert.NotAfter, 10*time.Second) require.WithinDuration(t, time.Now().Add(100*time.Hour*24*365), caCert.NotAfter, 10*time.Second)
return createdCertPEM return createdCertPEM
} }
@ -1077,7 +1077,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
r.NotNil(createdCertPEM) r.NotNil(createdCertPEM)
validCert := testutil.ValidateServerCertificate(t, string(caCert), string(createdCertPEM)) validCert := testutil.ValidateServerCertificate(t, string(caCert), string(createdCertPEM))
validCert.RequireMatchesPrivateKey(string(createdKeyPEM)) validCert.RequireMatchesPrivateKey(string(createdKeyPEM))
validCert.RequireLifetime(time.Now().Add(-10*time.Second), time.Now().Add(100*time.Hour*24*365), 10*time.Second) validCert.RequireLifetime(time.Now().Add(-5*time.Minute), time.Now().Add(100*time.Hour*24*365), 10*time.Second)
} }
var requireSigningCertProviderHasLoadedCerts = func(certPEM, keyPEM []byte) { var requireSigningCertProviderHasLoadedCerts = func(certPEM, keyPEM []byte) {