Make CA valid 1 hour in the past

When running kubeadm / installing k8s early during boot,
the CA certificate can be generated before time is synchronised
and time is jumped backward.
Make notBefore 1 hour in the past to accept small clock jump.

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>

staging/src/k8s.io/client-go/util/cert/cert.go

@@ -71,7 +71,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 			Organization: cfg.Organization,
 		},
 		DNSNames:              []string{cfg.CommonName},
-		NotBefore:             now.UTC(),
+		NotBefore:             now.Add(-time.Hour).UTC(), // valid an hour earlier to avoid flakes
 		NotAfter:              now.Add(duration365d * 10).UTC(),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,