
Merge pull request kosmos-io#739 from Rambohang/fix_crt_expired
extend the validity of the vc certificate
duanmengkk authored Oct 17, 2024
2 parents 0c70a68 + 3da33b9 commit 30ad591
Showing 2 changed files with 26 additions and 2 deletions.
2 changes: 1 addition & 1 deletion pkg/kubenest/constants/constant.go
Expand Up @@ -35,7 +35,7 @@ const (
RsaKeySize = 2048
KeyExtension = ".key"
CertExtension = ".crt"
CertificateValidity = time.Hour * 24 * 365
CertificateValidity = time.Hour * 24 * 365 * 100
CaCertAndKeyName = "ca"
VirtualClusterCertAndKeyName = "virtualCluster"
VirtualClusterSystemNamespace = "virtualCluster-system"
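Review bot: A 100-year `CertificateValidity` effectively removes expiry as a rotation trigger, and the constant's generic name suggests it may govern more than the CA (the other changed file uses it for the self-signed CA; whether serving or client certificates also read it is not visible in this hunk). If leaf certificates share it, a separate, much shorter constant for them would limit the blast radius of a leaked key; if only the CA is meant to live this long, the name should say so. At minimum the new value deserves a why-comment next to it, e.g. `// CertificateValidity is deliberately very long so the virtual-cluster CA does not expire in practice; rotation must be handled operationally.` The enclosing `const` block starts before this hunk.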
26 changes: 25 additions & 1 deletion pkg/kubenest/util/cert/certs.go
Expand Up @@ -358,7 +358,7 @@ func NewCertificateAuthority(cc *CertConfig) (*VirtualClusterCert, error) {
return nil, fmt.Errorf("unable to create private key while generating CA certificate, err: %w", err)
}

cert, err := certutil.NewSelfSignedCACert(cc.Config, key)
cert, err := NewSelfSignedCACert(cc.Config, key)
if err != nil {
return nil, fmt.Errorf("unable to create self-signed CA certificate, err: %w", err)
}
Expand All @@ -376,6 +376,30 @@ func NewCertificateAuthority(cc *CertConfig) (*VirtualClusterCert, error) {
}, nil
}

// NewSelfSignedCACert creates a CA certificate
func NewSelfSignedCACert(cfg certutil.Config, key crypto.Signer) (*x509.Certificate, error) {
now := time.Now()
tmpl := x509.Certificate{
SerialNumber: new(big.Int).SetInt64(0),
Subject: pkix.Name{
CommonName: cfg.CommonName,
Organization: cfg.Organization,
},
DNSNames: []string{cfg.CommonName},
NotBefore: now.UTC(),
NotAfter: now.Add(constants.CertificateValidity).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
}

certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
if err != nil {
return nil, err
}
return x509.ParseCertificate(certDERBytes)
}

func CreateCertAndKeyFilesWithCA(cc *CertConfig, caCertData, caKeyData []byte) (*VirtualClusterCert, error) {
if len(cc.Config.Usages) == 0 {
return nil, fmt.Errorf("must specify at least one ExtKeyUsage")
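Review bot: The new `NewSelfSignedCACert` hard-codes `SerialNumber: new(big.Int).SetInt64(0)`, so every CA this code generates — including any regenerated after rotation — carries the same issuer name and serial, which RFC 5280 forbids (serials must be positive and unique per issuer) and which makes it impossible to tell two CA generations apart by serial. A random serial drawn with `cryptorand.Int` (already imported as `cryptorand` in this hunk) fixes that without new dependencies. Two smaller points in the same function: the bare `return nil, err` after `x509.CreateCertificate` departs from the file's `fmt.Errorf("...: %w", err)` style used a few lines above, and the doc comment should say why this duplicates `certutil.NewSelfSignedCACert`, e.g. `// NewSelfSignedCACert creates a self-signed CA certificate like certutil.NewSelfSignedCACert but with NotAfter set from constants.CertificateValidity.`
```go
func NewSelfSignedCACert(cfg certutil.Config, key crypto.Signer) (*x509.Certificate, error) {
	// RFC 5280 requires a positive serial that is unique per issuer; a fixed 0
	// makes every regenerated CA indistinguishable by issuer+serial.
	serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, fmt.Errorf("unable to generate serial number while generating CA certificate, err: %w", err)
	}
	serial.Add(serial, big.NewInt(1))
	now := time.Now()
	tmpl := x509.Certificate{
		SerialNumber: serial,
		// … unchanged: Subject, DNSNames, NotBefore/NotAfter, KeyUsage, BasicConstraintsValid, IsCA …
	}
	// … unchanged: x509.CreateCertificate / x509.ParseCertificate …
}
```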
