Set correct CA lifetime

sbernauer · sbernauer · commit bdbcee0039c8 · 2025-06-30T15:51:05.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/stackable-certs/src/ca/mod.rs b/crates/stackable-certs/src/ca/mod.rs
@@ -38,7 +38,7 @@ pub enum Error {
     #[snafu(display("failed to generate RSA signing key"))]
     GenerateRsaSigningKey { source: rsa::Error },
 
-    #[snafu(display("failed to generate ECDSA signign key"))]
+    #[snafu(display("failed to generate ECDSA signing key"))]
     GenerateEcdsaSigningKey { source: ecdsa::Error },
 
     #[snafu(display("failed to parse {subject:?} as subject"))]
diff --git a/crates/stackable-certs/src/lib.rs b/crates/stackable-certs/src/lib.rs
@@ -22,7 +22,6 @@
 use std::ops::Deref;
 
 use snafu::Snafu;
-use stackable_operator::time::Duration;
 use x509_cert::{Certificate, spki::EncodePublicKey};
 #[cfg(feature = "rustls")]
 use {
@@ -37,9 +36,6 @@ use crate::keys::CertificateKeypair;
 pub mod ca;
 pub mod keys;
 
-/// The default certificate validity time span
-pub const DEFAULT_CERTIFICATE_VALIDITY: Duration = Duration::from_hours_unchecked(1);
-
 /// Error variants which can be encountered when creating a new
 /// [`CertificatePair`].
 #[derive(Debug, Snafu)]
diff --git a/crates/stackable-webhook/Cargo.toml b/crates/stackable-webhook/Cargo.toml
@@ -19,6 +19,7 @@ hyper.workspace = true
 k8s-openapi.workspace = true
 kube.workspace = true
 opentelemetry.workspace = true
+rand.workspace = true
 serde_json.workspace = true
 snafu.workspace = true
 tokio-rustls.workspace = true
diff --git a/crates/stackable-webhook/src/tls/cert_resolver.rs b/crates/stackable-webhook/src/tls/cert_resolver.rs
@@ -9,7 +9,7 @@ use tokio_rustls::rustls::{
 };
 use x509_cert::Certificate;
 
-use super::WEBHOOK_CERTIFICATE_LIFETIME;
+use super::{WEBHOOK_CA_LIFETIME, WEBHOOK_CERTIFICATE_LIFETIME};
 
 type Result<T, E = CertificateResolverError> = std::result::Result<T, E>;
 
@@ -18,6 +18,9 @@ pub enum CertificateResolverError {
     #[snafu(display("failed send certificate to channel"))]
     SendCertificateToChannel,
 
+    #[snafu(display("failed to generate ECDSA signing key"))]
+    GenerateEcdsaSigningKey { source: ecdsa::Error },
+
     #[snafu(display("failed to generate new certificate"))]
     GenerateNewCertificate {
         #[snafu(source(from(CertificateResolverError, Box::new)))]
@@ -106,8 +109,10 @@ impl CertificateResolver {
         tokio::task::spawn_blocking(move || {
             let tls_provider = default_provider();
 
+            let ca_key = ecdsa::SigningKey::new().context(GenerateEcdsaSigningKeySnafu)?;
             let mut ca =
-                CertificateAuthority::new_ecdsa().context(CreateCertificateAuthoritySnafu)?;
+                CertificateAuthority::new_with(ca_key, rand::random::<u64>(), WEBHOOK_CA_LIFETIME)
+                    .context(CreateCertificateAuthoritySnafu)?;
 
             let certificate = ca
                 .generate_ecdsa_leaf_certificate(
diff --git a/crates/stackable-webhook/src/tls/mod.rs b/crates/stackable-webhook/src/tls/mod.rs
@@ -26,6 +26,7 @@ use x509_cert::Certificate;
 
 mod cert_resolver;
 
+pub const WEBHOOK_CA_LIFETIME: Duration = Duration::from_minutes_unchecked(3);
 pub const WEBHOOK_CERTIFICATE_LIFETIME: Duration = Duration::from_minutes_unchecked(2);
 pub const WEBHOOK_CERTIFICATE_ROTATION_INTERVAL: Duration = Duration::from_minutes_unchecked(1);
 
