[backport] cherry-pick a016262 to release-v1.1

cert rotation now ignores monotonic clock readings when checking expiration (openservicemesh#5012)
Signed-off-by: Sean Teeling <[email protected]>
Signed-off-by: Shalier Xia <[email protected]>

Author: steeling

pkg/certificate/certificate.go

@@ -56,5 +56,11 @@ func (c *Certificate) ShouldRotate() bool {
 
 	intNoise := rand.Intn(noiseSeconds) // #nosec G404
 	secondsNoise := time.Duration(intNoise) * time.Second
-	return time.Until(c.GetExpiration()) <= (RenewBeforeCertExpires + secondsNoise)
+	renewBefore := RenewBeforeCertExpires + secondsNoise
+	// Round is called to truncate monotonic clock to the nearest second. This is done to avoid environments where the
+	// CPU clock may stop, resulting in a time measurement that differs significantly from the x509 timestamp.
+	// See https://github.com/openservicemesh/osm/issues/5000#issuecomment-1218539412 for more details.
+	expiration := c.GetExpiration().Round(0)
+
+	return time.Until(expiration) <= renewBefore
 }

pkg/certificate/manager.go

@@ -58,7 +58,11 @@ func (m *manager) IssueCertificate(cn CommonName, validityPeriod time.Duration)
 	start := time.Now()
 
 	if cert := m.getFromCache(cn); cert != nil {
-		return cert, nil
+		// check if cert needs to be rotated
+		rotate := cert.ShouldRotate()
+		if !rotate {
+			return cert, nil
+		}
 	}
 
 	cert, err := m.client.IssueCertificate(cn, validityPeriod)

pkg/debugger/certificate.go

@@ -28,15 +28,15 @@ func (ds DebugConfig) getCertHandler() http.Handler {
 
 			_, _ = fmt.Fprintf(w, "---[ %d ]---\n", idx)
 			_, _ = fmt.Fprintf(w, "\t Common Name: %q\n", cert.GetCommonName())
-			_, _ = fmt.Fprintf(w, "\t Valid Until: %+v (%+v remaining)\n", cert.GetExpiration(), time.Until(cert.GetExpiration()))
+			_, _ = fmt.Fprintf(w, "\t Valid Until: %+v (%+v remaining)\n", cert.GetExpiration(), time.Until(cert.GetExpiration().Round(0)))
 			_, _ = fmt.Fprintf(w, "\t Issuing CA (SHA256): %x\n", sha256.Sum256(ca))
 			_, _ = fmt.Fprintf(w, "\t Cert Chain (SHA256): %x\n", sha256.Sum256(chain))
 
 			// Show only some x509 fields to keep the output clean
 			_, _ = fmt.Fprintf(w, "\t x509.SignatureAlgorithm: %+v\n", x509.SignatureAlgorithm)
 			_, _ = fmt.Fprintf(w, "\t x509.PublicKeyAlgorithm: %+v\n", x509.PublicKeyAlgorithm)
 			_, _ = fmt.Fprintf(w, "\t x509.Version: %+v\n", x509.Version)
-			_, _ = fmt.Fprintf(w, "\t x509.SerialNumber: %x\n", x509.SerialNumber)
+			_, _ = fmt.Fprintf(w, "\t x509.SerialNumber: %s\n", x509.SerialNumber)
 			_, _ = fmt.Fprintf(w, "\t x509.Issuer: %+v\n", x509.Issuer)
 			_, _ = fmt.Fprintf(w, "\t x509.Subject: %+v\n", x509.Subject)
 			_, _ = fmt.Fprintf(w, "\t x509.NotBefore (begin): %+v (%+v ago)\n", x509.NotBefore, time.Since(x509.NotBefore))