kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Address review comment

This commit is contained in:
John Gardiner Myers 2020-06-04 10:34:48 -07:00
parent 7ed41a6d5a
commit 7f050ee44a
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/pki/issue.go
View File

@ -26,6 +26,8 @@ import (
"sort" "sort"
"strings" "strings"
"time" "time"
"k8s.io/klog"
) )
var wellKnownCertificateTypes = map[string]string{ var wellKnownCertificateTypes = map[string]string{
@ -142,6 +144,9 @@ func IssueCert(request *IssueCertRequest, keystore Keystore) (issuedCertificate
} }
} }
// Skew the certificate lifetime by up to 30 days based on information about the generating node.
// This is so that different nodes created at the same time have the certificates they generated
// expire at different times, but all certificates on a given node expire around the same time.
if request.MinValidDays != 0 { if request.MinValidDays != 0 {
hash := fnv.New32() hash := fnv.New32()
addrs, err := net.InterfaceAddrs() addrs, err := net.InterfaceAddrs()
@ -152,6 +157,8 @@ func IssueCert(request *IssueCertRequest, keystore Keystore) (issuedCertificate
for _, addr := range addrs { for _, addr := range addrs {
_, _ = hash.Write([]byte(addr.String())) _, _ = hash.Write([]byte(addr.String()))
} }
} else {
klog.Warningf("cannot skew certificate lifetime: failed to get interface addresses: %v", err)
} }
template.NotAfter = time.Now().Add(time.Hour * 24 * time.Duration(request.MinValidDays)).Add(time.Hour * time.Duration(hash.Sum32()%(30*24))).UTC() template.NotAfter = time.Now().Add(time.Hour * 24 * time.Duration(request.MinValidDays)).Add(time.Hour * time.Duration(hash.Sum32()%(30*24))).UTC()
} }