extend the validity of the vc certificate

Signed-off-by: Rambohang <[email protected]>
kosmos-io · Oct 16, 2024 · 3da33b9 · 3da33b9
1 parent 0c70a68
commit 3da33b9
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/pkg/kubenest/constants/constant.go b/pkg/kubenest/constants/constant.go
@@ -35,7 +35,7 @@ const (
  RsaKeySize = 2048
  KeyExtension = ".key"
  CertExtension = ".crt"
- CertificateValidity = time.Hour * 24 * 365
+ CertificateValidity = time.Hour * 24 * 365 * 100
  CaCertAndKeyName = "ca"
  VirtualClusterCertAndKeyName = "virtualCluster"
  VirtualClusterSystemNamespace = "virtualCluster-system"

diff --git a/pkg/kubenest/util/cert/certs.go b/pkg/kubenest/util/cert/certs.go
@@ -358,7 +358,7 @@ func NewCertificateAuthority(cc *CertConfig) (*VirtualClusterCert, error) {
  return nil, fmt.Errorf("unable to create private key while generating CA certificate, err: %w", err)
  }
 
- cert, err := certutil.NewSelfSignedCACert(cc.Config, key)
+ cert, err := NewSelfSignedCACert(cc.Config, key)
  if err != nil {
  return nil, fmt.Errorf("unable to create self-signed CA certificate, err: %w", err)
  }
@@ -376,6 +376,30 @@ func NewCertificateAuthority(cc *CertConfig) (*VirtualClusterCert, error) {
  }, nil
 }
 
+// NewSelfSignedCACert creates a CA certificate
+func NewSelfSignedCACert(cfg certutil.Config, key crypto.Signer) (*x509.Certificate, error) {
+ now := time.Now()
+ tmpl := x509.Certificate{
+ SerialNumber: new(big.Int).SetInt64(0),
+ Subject: pkix.Name{
+ CommonName: cfg.CommonName,
+ Organization: cfg.Organization,
+ },
+ DNSNames: []string{cfg.CommonName},
+ NotBefore: now.UTC(),
+ NotAfter: now.Add(constants.CertificateValidity).UTC(),
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ BasicConstraintsValid: true,
+ IsCA: true,
+ }
+
+ certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
+ if err != nil {
+ return nil, err
+ }
+ return x509.ParseCertificate(certDERBytes)
+}
+
 func CreateCertAndKeyFilesWithCA(cc *CertConfig, caCertData, caKeyData []byte) (*VirtualClusterCert, error) {
  if len(cc.Config.Usages) == 0 {
  return nil, fmt.Errorf("must specify at least one ExtKeyUsage")