tls: backdate certificate NotBefore by 24 hours to tolerate clock skew

[sdodson]

Problem

When a VM's hardware clock (RTC) stores local time but the OS has no configuration telling it so, Linux reads the hwclock assuming UTC. The resulting system clock is offset behind true UTC by the host's timezone difference—up to several hours—until NTP corrects it.

The certificate's NotBefore is a correct UTC timestamp, but from the VM's skewed perspective it appears to be in the future, so TLS handshakes fail during bootstrap with "certificate not yet valid".

Change

Set NotBefore to time.Now() - 24h in the two places where self-signed certificates are created:

• pkg/asset/tls/tls.go — SelfSignedCertificate
• pkg/asset/imagebased/configimage/ingressoperatorsigner.go — selfSignedCertificate

NotAfter is left unchanged, so the validity window simply shifts: it starts 24 hours earlier and ends at the originally intended expiry time. This tolerates a VM clock up to 24 hours behind true UTC.

SignedCertificate already inherits NotBefore from its signing CA (caCert.NotBefore), so certificates in that path pick up the change automatically with no additional modifications needed.

Testing

• go build ./pkg/asset/tls/... ./pkg/asset/imagebased/configimage/... passes cleanly.

[coderabbitai]

Walkthrough

This PR adjusts the validity window of self-signed certificates by backdating their NotBefore field by 24 hours across two certificate generation implementations in the TLS and ingress operator signer modules.

Changes

Certificate validity backdate

Layer / File(s)	Summary
Backdate certificate NotBefore to 24 hours past pkg/asset/tls/tls.go, pkg/asset/imagebased/configimage/ingressoperatorsigner.go	SelfSignedCertificate and selfSignedCertificate now set NotBefore to time.Now().Add(-24 * time.Hour) instead of time.Now(), extending the backward validity window by 24 hours.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: backdating certificate NotBefore by 24 hours to tolerate clock skew, which directly matches the changeset's core modification to two TLS certificate generation functions.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only TLS certificate generation logic in two production files; no test files or Ginkgo test names are added/modified, so the check is not applicable.
Test Structure And Quality	✅ Passed	Custom check is not applicable: PR tests use standard Go testing (testing.T), not Ginkgo framework.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. The changes only modify certificate generation logic by backdating NotBefore by 24 hours. The check is not applicable to non-test code changes.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies certificate generation code only; no new Ginkgo e2e tests were added. SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies TLS certificate generation utilities (NotBefore timestamp), not deployment manifests or scheduling constraints. Check is not applicable to this codebase change.
Ote Binary Stdout Contract	✅ Passed	PR only modifies certificate NotBefore timestamp from time.Now() to time.Now().Add(-24*time.Hour) in utility functions; no new stdout writes in process-level code were introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added. Changes are to TLS certificate generation utility functions only, not test code.
No-Weak-Crypto	✅ Passed	PR only changes certificate NotBefore times (+24hr offset for clock skew); no weak cryptographic algorithms, custom crypto, or token comparisons introduced.
Container-Privileges	✅ Passed	PR modifies only Go source files for TLS certificate generation; no Kubernetes manifests, Docker configurations, or container specs containing privileged settings were changed.
No-Sensitive-Data-In-Logs	✅ Passed	PR changes only affect certificate NotBefore timestamp (adds 24-hour backdate). No new logging is introduced, and existing error logs only contain generic error messages without sensitive data.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sadasu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[patrickdillon]

@sdodson is there a bug for this? if not, we can use no-jira, but curious about context.

[sdodson]

@sdodson is there a bug for this? if not, we can use no-jira, but curious about context.

Not yet, I was mainly interested in using this to start the discussion on Slack. I'd assumed that there was some reasoning why we hadn't done this yet. I can open a bug once we agree we should, I'm not sure given this has been a problem since day 1 that we'd bother backporting but that would at least allow us to do so.

[openshift-ci]

@sdodson: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.