update serial number to a valid non-zero number in ca certificate #117791
/retest
/cc @liggitt @mikedanese
/lgtm
LGTM label has been added. Git tree hash: 6f729f348175d20a88bad55f7701ac72c15e50da
@@ -57,8 +58,12 @@ type AltNames struct { | |||
// NewSelfSignedCACert creates a CA certificate | |||
func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) { | |||
now := time.Now() | |||
serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64)) |
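Review bot: `cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))` on the added `serial, err :=` line draws from [0, max), so the serial can still come out as zero, which is the case this PR sets out to prevent. Shift the result by one (for example, draw from a range one smaller and add 1) so the value always lands in [1, MaxInt64], and make sure the returned `err` is handled before the serial reaches the certificate template. A unit test asserting `SerialNumber.Sign() > 0` on the certificate returned by `NewSelfSignedCACert` would keep this from regressing.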
actually, can't this still return zero?
Int returns a uniform random value in [0, max). It panics if max <= 0.
/hold
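An added example (not code from this PR or from Kubernetes) of the point raised in the comment above: because `rand.Int` can return 0, the serial is shifted into [1, MaxInt64], and the signing helper refuses a nil or non-positive serial. The names `newSerial` and `newCA` and the `example-ca` subject are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// newSerial (hypothetical helper): rand.Int yields [0, max), so add 1 to get [1, MaxInt64].
func newSerial() (*big.Int, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	return n.Add(n, big.NewInt(1)), nil
}

// newCA (hypothetical helper) self-signs a throwaway CA and refuses a nil, zero or negative serial.
func newCA(serial *big.Int) (*x509.Certificate, error) {
	if serial == nil || serial.Sign() <= 0 {
		return nil, fmt.Errorf("refusing non-positive serial %v", serial)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: "example-ca"}, // constructed subject
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	serial, _ := newSerial()
	_, err := newCA(serial)
	fmt.Println("serial:", serial, "error:", err)
}
```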
Ah fun!
@liggitt this snippet was copied from elsewhere in our repo :)
we could fix the existing problem as part of this PR in a separate commit?
Could someone help take a look at the update? If it is good, I will fix the existing problem in a separate commit with similar code.
/lgtm
LGTM label has been added. Git tree hash: 35b2fa6560837e8ba82b28b940e448dbc515982d
/release-note-none
@liggitt's concern in #117791 (comment) has been fixed. (for all locations the same kind of snippet is used!)
lgtm
/triage accepted
Created the cherry pick PRs for this PR as I get a git conflict while trying to backport #118922
/priority important-soon
…7791-upstream-release-1.25 Automated cherry pick of #117791: update serial number to a valid non-zero number in ca
…7791-upstream-release-1.27 Automated cherry pick of #117791: update serial number to a valid non-zero number in ca
…7791-upstream-release-1.26 Automated cherry pick of #117791: update serial number to a valid non-zero number in ca
…bernetes#117791) * update serial number to a valid non-zero number in ca certificate * fix the existing problem (0 SerialNumber in all certificate) as part of this PR in a separate commit
What type of PR is this?
/kind bug
What this PR does / why we need it:
An EKS customer complains that all cluster CA certificates created when an EKS cluster is created have an empty serial number.
Which issue(s) this PR fixes:
fixes #117790
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: