From fe4fe0849ec1bf5bcc14769c45d01174d6a21ed0 Mon Sep 17 00:00:00 2001
From: Andrew Rynhard
Date: Sun, 22 Sep 2019 10:53:12 -0700
Subject: [PATCH] fix: generate CA certificates with 1 year expiration

This changes CA certificate generation from 24 hours to 1 year.

Signed-off-by: Andrew Rynhard
---
 pkg/userdata/generate/generate.go | 12 ++++++++++--
 pkg/userdata/v1alpha1/generate/generate.go | 13 +++++++++++--
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/pkg/userdata/generate/generate.go b/pkg/userdata/generate/generate.go
index 4c55bce88..3ac69d124 100644
--- a/pkg/userdata/generate/generate.go
+++ b/pkg/userdata/generate/generate.go
@@ -240,14 +240,22 @@ func NewInput(clustername string, masterIPs []string) (input *Input, err error)
 	}
 
 	// Generate Kubernetes CA.
-	opts := []x509.Option{x509.RSA(true), x509.Organization("talos-k8s")}
+	opts := []x509.Option{
+		x509.RSA(true),
+		x509.Organization("talos-k8s"),
+		x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+	}
 	k8sCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 	if err != nil {
 		return nil, err
 	}
 
 	// Generate Talos CA.
-	opts = []x509.Option{x509.RSA(false), x509.Organization("talos-os")}
+	opts = []x509.Option{
+		x509.RSA(false),
+		x509.Organization("talos-os"),
+		x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+	}
 	osCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 	if err != nil {
 		return nil, err
diff --git a/pkg/userdata/v1alpha1/generate/generate.go b/pkg/userdata/v1alpha1/generate/generate.go
index 1a0a7f8d1..16139b3ce 100644
--- a/pkg/userdata/v1alpha1/generate/generate.go
+++ b/pkg/userdata/v1alpha1/generate/generate.go
@@ -13,6 +13,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"time"
 
 	"github.com/talos-systems/talos/pkg/constants"
 	"github.com/talos-systems/talos/pkg/crypto/x509"
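Review bot: The new `x509.NotAfter(time.Now().Add(8760 * time.Hour))` lines in the pkg/userdata/generate hunk call `time.Now()`, yet the diffstat for that file shows only the ten option lines and no import hunk, so unless `time` is already imported there the package will not build; the v1alpha1 copy needed `"time"` added in its own import hunk. The same 8760-hour literal now appears four times across this hunk and the v1alpha1 NewInput hunk with no comment saying it is the CA validity period, which is the kind of security policy that drifts silently when one copy is later edited. A single documented constant (a proposed name) such as `// caValidity bounds how long a generated CA is trusted before the cluster needs new CAs.` followed by `const caValidity = 8760 * time.Hour` and `x509.NotAfter(time.Now().Add(caValidity))` would keep both generators in step and make the one-year choice auditable. The comment should also note that 8760h is 365 days, so it falls one day short of a calendar year when the span includes Feb 29. NewInput starts and ends outside both hunks.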
@@ -252,14 +253,22 @@ func NewInput(clustername string, masterIPs []string) (input *Input, err error)
 	}
 
 	// Generate Kubernetes CA.
-	opts := []x509.Option{x509.RSA(true), x509.Organization("talos-k8s")}
+	opts := []x509.Option{
+		x509.RSA(true),
+		x509.Organization("talos-k8s"),
+		x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+	}
 	k8sCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 	if err != nil {
 		return nil, err
 	}
 
 	// Generate Talos CA.
-	opts = []x509.Option{x509.RSA(false), x509.Organization("talos-os")}
+	opts = []x509.Option{
+		x509.RSA(false),
+		x509.Organization("talos-os"),
+		x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+	}
 	osCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 	if err != nil {
 		return nil, err