ContainerImage.Pinniped/internal/controller/impersonatorconfig
Monis Khan 91c8f747f4
certauthority: tolerate larger clock skew between API server and pinniped
This change updates our certificate code to use the same 5 minute
backdate that is used by the Kubernetes controller manager.  This
helps to account for clock skews between the API servers and the
kubelets that are running the pinniped pods.  While this backdating
reflects a large percentage of the lifetime of our short lived
certificates (100% for the 5 minute client certificates), even a 10
minute irrevocable client certificate is within our limits.  When
we move to the CSR based short lived certificates, they will always
have at least a 15 minute lifetime (5 minute backdating plus 10 minute
minimum valid duration).

Signed-off-by: Monis Khan <mok@vmware.com>
2021-09-21 09:32:24 -04:00
..
impersonator_config_test.go certauthority: tolerate larger clock skew between API server and pinniped 2021-09-21 09:32:24 -04:00
impersonator_config.go impersonatorconfig: only unload dynamiccert when proxy is disabled 2021-08-16 16:07:46 -04:00