Pull the 30-day skew code into IssueCert

2020-06-16 21:52:05 -07:00 · 2020-06-16 21:52:05 -07:00 · 23e2d14a78
parent 8a2dfeb377
commit 23e2d14a78
3 changed files with 34 additions and 34 deletions
--- a/pkg/pki/issue.go
+++ b/pkg/pki/issue.go
@ -20,14 +20,10 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
-	"hash/fnv"
 	"math/big"
 	"net"
-	"sort"
 	"strings"
 	"time"
-
-	"k8s.io/klog"
 )

 var wellKnownCertificateTypes = map[string]string{
@ -49,10 +45,8 @@ type IssueCertRequest struct {

 	// PrivateKey is the private key for this certificate. If nil, a new private key will be generated.
 	PrivateKey *PrivateKey
-	// MinValidDays is the lower bound on the certificate validity, in days. If specified, up to 30 days
-	// will be added so that certificate generated at the same time on different hosts will be unlikely to
-	// expire at the same time. The default is 10 years (without the up to 30 day skew).
-	MinValidDays int
+	// Validity is the certificate validity. The default is 10 years.
+	Validity time.Duration

 	// Serial is the certificate serial number. If nil, a random number will be generated.
 	Serial *big.Int
@ -144,23 +138,8 @@ func IssueCert(request *IssueCertRequest, keystore Keystore) (issuedCertificate
 		}
 	}

-	// Skew the certificate lifetime by up to 30 days based on information about the generating node.
-	// This is so that different nodes created at the same time have the certificates they generated
-	// expire at different times, but all certificates on a given node expire around the same time.
-	if request.MinValidDays != 0 {
-		hash := fnv.New32()
-		addrs, err := net.InterfaceAddrs()
-		sort.Slice(addrs, func(i, j int) bool {
-			return addrs[i].String() < addrs[j].String()
-		})
-		if err == nil {
-			for _, addr := range addrs {
-				_, _ = hash.Write([]byte(addr.String()))
-			}
-		} else {
-			klog.Warningf("cannot skew certificate lifetime: failed to get interface addresses: %v", err)
-		}
-		template.NotAfter = time.Now().Add(time.Hour * 24 * time.Duration(request.MinValidDays)).Add(time.Hour * time.Duration(hash.Sum32()%(30*24))).UTC()
+	if request.Validity != 0 {
+		template.NotAfter = time.Now().Add(request.Validity).UTC()
 	}

 	certificate, err := signNewCertificate(privateKey, template, signer, caPrivateKey)
--- a/pkg/pki/issue_test.go
+++ b/pkg/pki/issue_test.go
@ -93,7 +93,7 @@ func TestIssueCert(t *testing.T) {
 				Subject: pkix.Name{
 					CommonName: "Test client",
 				},
-				MinValidDays: 365,
+				Validity: time.Hour * 24 * 365,
 			},
 			expectedKeyUsage:    x509.KeyUsageDigitalSignature,
 			expectedExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
@ -133,10 +133,10 @@ func TestIssueCert(t *testing.T) {
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			var minExpectedValidity int64
-			if tc.req.MinValidDays == 0 {
+			if tc.req.Validity == 0 {
 				minExpectedValidity = time.Now().Add(time.Hour * 10 * 365 * 24).Unix()
 			} else {
-				minExpectedValidity = time.Now().Add(time.Hour * 24 * time.Duration(tc.req.MinValidDays)).Unix()
+				minExpectedValidity = time.Now().Add(tc.req.Validity).Unix()
 			}

 			var keystore Keystore
@ -202,10 +202,10 @@ func TestIssueCert(t *testing.T) {

 			// validity
 			var maxExpectedValidity int64
-			if tc.req.MinValidDays == 0 {
+			if tc.req.Validity == 0 {
 				maxExpectedValidity = time.Now().Add(time.Hour * 10 * 365 * 24).Unix()
 			} else {
-				maxExpectedValidity = time.Now().Add(time.Hour * 24 * time.Duration(tc.req.MinValidDays+30)).Unix()
+				maxExpectedValidity = time.Now().Add(tc.req.Validity).Unix()
 			}
 			assert.Less(t, cert.NotBefore.Unix(), time.Now().Add(time.Hour*-47).Unix(), "NotBefore")
 			assert.GreaterOrEqual(t, cert.NotAfter.Unix(), minExpectedValidity, "NotAfter")
--- a/upup/pkg/fi/nodeup/nodetasks/issue_cert.go
+++ b/upup/pkg/fi/nodeup/nodetasks/issue_cert.go
@ -20,8 +20,12 @@ import (
 	"bytes"
 	"crypto/x509/pkix"
 	"fmt"
+	"hash/fnv"
 	"io"
+	"net"
 	"path/filepath"
+	"sort"
+	"time"

 	"k8s.io/klog"
 	"k8s.io/kops/pkg/pki"
@ -120,11 +124,28 @@ func (i *IssueCert) AddFileTasks(c *fi.ModelBuilderContext, dir string, name str
 }

 func (e *IssueCert) Run(c *fi.Context) error {
+	// Skew the certificate lifetime by up to 30 days based on information about the generating node.
+	// This is so that different nodes created at the same time have the certificates they generated
+	// expire at different times, but all certificates on a given node expire around the same time.
+	hash := fnv.New32()
+	addrs, err := net.InterfaceAddrs()
+	sort.Slice(addrs, func(i, j int) bool {
+		return addrs[i].String() < addrs[j].String()
+	})
+	if err == nil {
+		for _, addr := range addrs {
+			_, _ = hash.Write([]byte(addr.String()))
+		}
+	} else {
+		klog.Warningf("cannot skew certificate lifetime: failed to get interface addresses: %v", err)
+	}
+	validHours := (455 * 24) + (hash.Sum32() % (30 * 24))
+
 	req := &pki.IssueCertRequest{
-		Signer:       e.Signer,
-		Type:         e.Type,
-		Subject:      e.Subject.toPKIXName(),
-		MinValidDays: 455,
+		Signer:   e.Signer,
+		Type:     e.Type,
+		Subject:  e.Subject.toPKIXName(),
+		Validity: time.Hour * time.Duration(validHours),
 	}

 	klog.Infof("signing certificate for %q", e.Name)