ContainerImage.Pinniped/internal/certauthority
Monis Khan 91c8f747f4
certauthority: tolerate larger clock skew between API server and pinniped
This change updates our certificate code to use the same 5 minute
backdate that is used by the Kubernetes controller manager.  This
helps to account for clock skews between the API servers and the
kubelets that are running the pinniped pods.  While this backdating
reflects a large percentage of the lifetime of our short lived
certificates (100% for the 5 minute client certificates), even a 10
minute irrevocable client certificate is within our limits.  When
we move to the CSR based short lived certificates, they will always
have at least a 15 minute lifetime (5 minute backdating plus 10 minute
minimum valid duration).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-21 09:32:24 -04:00
..
dynamiccertauthority dynamiccert: split into serving cert and CA providers 2021-03-15 12:24:07 -04:00
testdata Extend certauthority to support loading an existing CA. 2020-07-27 12:33:33 -07:00
certauthority_test.go certauthority: tolerate larger clock skew between API server and pinniped 2021-09-21 09:32:24 -04:00
certauthority.go certauthority: tolerate larger clock skew between API server and pinniped 2021-09-21 09:32:24 -04:00