Merge pull request #849 from enj/enj/i/clock_skew

certauthority: tolerate larger clock skew between API server and pinniped
Mo Khan 2021-09-21 12:18:49 -04:00 committed by GitHub
commit aa5ff162b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 10 deletions


@ -24,12 +24,10 @@ import (
)
// certBackdate is the amount of time before time.Now() that will be used to set
// a certificate's NotBefore field.
//
// This could certainly be made configurable by an installer of pinniped, but we
// will see if we can save adding a configuration knob with a reasonable default
// here.
const certBackdate = 10 * time.Second
// a certificate's NotBefore field. We use the same hard coded and unconfigurable
// backdate value as used by the Kubernetes controller manager certificate signer:
// https://github.com/kubernetes/kubernetes/blob/68d646a101005e95379d84160adf01d146bdd149/pkg/controller/certificates/signer/signer.go#L199
const certBackdate = 5 * time.Minute
type env struct {
// secure random number generators for various steps (usually crypto/rand.Reader, but broken out here for tests).
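Review bot: The rewritten doc comment on certBackdate says where the 5-minute value comes from but not which failure it tolerates, which is what the next person tempted to raise it further needs; add `// Backdating NotBefore only helps a verifier whose clock lags the issuer by up to this amount; a verifier whose clock runs ahead is governed by NotAfter, which this constant does not touch.` The updated tests in this PR compare NotAfter against now plus the requested lifetime, not NotBefore plus it, so the backdate appears to lengthen total validity by five minutes rather than shorten the requested lifetime — worth stating in the comment, since the issuing code that applies certBackdate is outside this hunk. Presumably the same constant backdates both the CA certificate and the leaf certificates it signs; if so, say that too, because a five-minute window on a long-lived CA certificate and on a short-lived client certificate are different trade-offs that a reader should not have to rediscover.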


@ -96,7 +96,7 @@ func TestNew(t *testing.T) {
caCert, err := x509.ParseCertificate(ca.caCertBytes)
require.NoError(t, err)
require.Equal(t, "Test CA", caCert.Subject.CommonName)
require.WithinDuration(t, now.Add(-10*time.Second), caCert.NotBefore, 10*time.Second)
require.WithinDuration(t, now.Add(-5*time.Minute), caCert.NotBefore, 10*time.Second)
require.WithinDuration(t, now.Add(time.Minute), caCert.NotAfter, 10*time.Second)
require.NotNil(t, ca.privateKey)
@ -153,7 +153,7 @@ func TestNewInternal(t *testing.T) {
},
wantCommonName: "Test CA",
wantNotAfter: now.Add(time.Minute),
wantNotBefore: now.Add(-10 * time.Second),
wantNotBefore: now.Add(-5 * time.Minute),
},
}
for _, tt := range tests {
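Review bot: The updated NotBefore expectation in TestNew and the wantNotBefore field in TestNewInternal duplicate the backdate as a literal five minutes even though this test reads unexported fields such as `ca.caCertBytes` and so appears to sit in the same package as `certBackdate`; `require.WithinDuration(t, now.Add(-certBackdate), caCert.NotBefore, 10*time.Second)` and `wantNotBefore: now.Add(-certBackdate)` would keep the expectations in step with the constant. If the literal is deliberate, so that a quiet change to the constant fails these tests, a one-line comment such as `// literal on purpose: changing certBackdate must be a conscious decision` would save the next maintainer from guessing. Both TestNew and TestNewInternal continue outside these hunks.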


@ -1056,7 +1056,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
caCert, err := x509.ParseCertificate(block.Bytes)
require.NoError(t, err)
require.Equal(t, "Pinniped Impersonation Proxy CA", caCert.Subject.CommonName)
require.WithinDuration(t, time.Now().Add(-10*time.Second), caCert.NotBefore, 10*time.Second)
require.WithinDuration(t, time.Now().Add(-5*time.Minute), caCert.NotBefore, 10*time.Second)
require.WithinDuration(t, time.Now().Add(100*time.Hour*24*365), caCert.NotAfter, 10*time.Second)
return createdCertPEM
}
@ -1077,7 +1077,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
r.NotNil(createdCertPEM)
validCert := testutil.ValidateServerCertificate(t, string(caCert), string(createdCertPEM))
validCert.RequireMatchesPrivateKey(string(createdKeyPEM))
validCert.RequireLifetime(time.Now().Add(-10*time.Second), time.Now().Add(100*time.Hour*24*365), 10*time.Second)
validCert.RequireLifetime(time.Now().Add(-5*time.Minute), time.Now().Add(100*time.Hour*24*365), 10*time.Second)
}
var requireSigningCertProviderHasLoadedCerts = func(certPEM, keyPEM []byte) {
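Review bot: The controller test now hard-codes the five-minute backdate in two places, the NotBefore check in the CA parsing helper and the RequireLifetime call, with nothing tying them to the signer's constant, which is presumably unexported in another package and so cannot be referenced here; add `// five minutes must match certauthority.certBackdate` beside each so a future change to the signer is traced to these assertions. Separately, the expected bounds are taken from time.Now() at assertion time rather than at issuance, so the 10 s tolerance only holds if the sync under test and the assertion land within that window; if that sync can be slow on CI, capture `now := time.Now()` before triggering it and build both expectations from that value. TestImpersonatorConfigControllerSync extends well beyond these hunks.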