Merge pull request #130047 from HirazawaUi/modify-loopback-cert-valid-period

Extending loopback certificate validity in kube-apiserver Kubernetes-commit: 77667834b072db7e26a69d78c5e9f3181e12959f
2025-02-19 05:30:26 -08:00 · 2025-02-19 05:30:26 -08:00 · 8dd4460107
parent b6fda29776 c533eff8e7
commit 8dd4460107
3 changed files with 14 additions and 4 deletions
--- a/go.mod
+++ b/go.mod
@ -53,7 +53,7 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	k8s.io/api v0.0.0-20250218234707-8ce7fe8996bd
 	k8s.io/apimachinery v0.0.0-20250214214420-47e7fa9a40a2
-	k8s.io/client-go v0.0.0-20250219035121-72c2d4d41534
+	k8s.io/client-go v0.0.0-20250219160048-84ec13492bbf
 	k8s.io/component-base v0.0.0-20250219040255-ff8818df2c0e
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/kms v0.0.0-20250106203549-2ea9aec44ce9
--- a/go.sum
+++ b/go.sum
@ -367,8 +367,8 @@ k8s.io/api v0.0.0-20250218234707-8ce7fe8996bd h1:Tj1WKOMX+CxUkl0lhoqS+cavQBDEArJ
 k8s.io/api v0.0.0-20250218234707-8ce7fe8996bd/go.mod h1:j1vwjHcqIjL/8xva/zoPxpzN/saZm5ZqvK7J+cjQJ9A=
 k8s.io/apimachinery v0.0.0-20250214214420-47e7fa9a40a2 h1:+Wh461h0wCf5qF35OJaZlyItfrbgmuRpIcPdohK3qNQ=
 k8s.io/apimachinery v0.0.0-20250214214420-47e7fa9a40a2/go.mod h1:pvurfgWU15pkR11HFlMI9tdxY59XU+Wzo22Rx2iSD+g=
-k8s.io/client-go v0.0.0-20250219035121-72c2d4d41534 h1:yXMWG7w8q39RGe0aTlyLI/UlHbeNzFvr/JHIakDv4l0=
-k8s.io/client-go v0.0.0-20250219035121-72c2d4d41534/go.mod h1:Mcka7vJJHXFC8icS5nAG5q2HWfRH+aiuKDI5KJhdMH8=
+k8s.io/client-go v0.0.0-20250219160048-84ec13492bbf h1:19AG5NxzNDq7MLZsGZBLGTmibtx4eCFi0uPSWMnbPVc=
+k8s.io/client-go v0.0.0-20250219160048-84ec13492bbf/go.mod h1:Mcka7vJJHXFC8icS5nAG5q2HWfRH+aiuKDI5KJhdMH8=
 k8s.io/component-base v0.0.0-20250219040255-ff8818df2c0e h1:bIkD0gtKsaxQRGQwepV6VITNR8BULT9e24XIC30FuoM=
 k8s.io/component-base v0.0.0-20250219040255-ff8818df2c0e/go.mod h1:XZtvQUU9zT0nxKfGFS9eDGnfFe19hGLH3qnA2fNxa9A=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
--- a/pkg/server/options/serving_with_loopback.go
+++ b/pkg/server/options/serving_with_loopback.go
@ -18,6 +18,7 @@ package options

 import (
 	"fmt"
+	"time"

 	"github.com/google/uuid"

@ -49,9 +50,18 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.Se
 		return nil
 	}

+	// Set a validity period of approximately 3 years for the loopback certificate
+	// to avoid kube-apiserver disruptions due to certificate expiration.
+	// When this certificate expires, restarting kube-apiserver will automatically
+	// regenerate a new certificate with fresh validity dates.
+	maxAge := (3*365 + 1) * 24 * time.Hour
+
 	// create self-signed cert+key with the fake server.LoopbackClientServerNameOverride and
 	// let the server return it when the loopback client connects.
-	certPem, keyPem, err := certutil.GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
+	certPem, keyPem, err := certutil.GenerateSelfSignedCertKeyWithOptions(certutil.SelfSignedCertKeyOptions{
+		Host:   server.LoopbackClientServerNameOverride,
+		MaxAge: maxAge,
+	})
 	if err != nil {
 		return fmt.Errorf("failed to generate self-signed certificate for loopback connection: %v", err)
 	}