fix: generate CA certificates with 1 year expiration

This changes CA certificate generation from 24 hours to 1 year.

Signed-off-by: Andrew Rynhard <andrew@andrewrynhard.com>

pkg/userdata/generate/generate.go

@@ -240,14 +240,22 @@ func NewInput(clustername string, masterIPs []string) (input *Input, err error)
 	}
 
 	// Generate Kubernetes CA.
-	opts := []x509.Option{x509.RSA(true), x509.Organization("talos-k8s")}
+	opts := []x509.Option{
+		x509.RSA(true),
+		x509.Organization("talos-k8s"),
+		x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+	}
 	k8sCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 	if err != nil {
 		return nil, err
 	}
 
 	// Generate Talos CA.
-	opts = []x509.Option{x509.RSA(false), x509.Organization("talos-os")}
+	opts = []x509.Option{
+		x509.RSA(false),
+		x509.Organization("talos-os"),
+		x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+	}
 	osCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 	if err != nil {
 		return nil, err

pkg/userdata/v1alpha1/generate/generate.go

@@ -13,6 +13,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"time"
 
 	"github.com/talos-systems/talos/pkg/constants"
 	"github.com/talos-systems/talos/pkg/crypto/x509"
@@ -252,14 +253,22 @@ func NewInput(clustername string, masterIPs []string) (input *Input, err error)
 	}
 
 	// Generate Kubernetes CA.
-	opts := []x509.Option{x509.RSA(true), x509.Organization("talos-k8s")}
+	opts := []x509.Option{
+		x509.RSA(true),
+		x509.Organization("talos-k8s"),
+		x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+	}
 	k8sCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 	if err != nil {
 		return nil, err
 	}
 
 	// Generate Talos CA.
-	opts = []x509.Option{x509.RSA(false), x509.Organization("talos-os")}
+	opts = []x509.Option{
+		x509.RSA(false),
+		x509.Organization("talos-os"),
+		x509.NotAfter(time.Now().Add(8760 * time.Hour)),
+	}
 	osCert, err := x509.NewSelfSignedCertificateAuthority(opts...)
 	if err != nil {
 		return nil, err