Revert TLS CA rotation (#1008)

Also, remove authority/subject key id generation as that is
done by crypto/x509 library since go1.15.

Author: Nuckal777

pkg/util/certificates.go

@@ -3,10 +3,8 @@ package util
 import (
 	cryptorand "crypto/rand"
 	"crypto/rsa"
-	"crypto/sha1"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/asn1"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
@@ -15,7 +13,6 @@ import (
 	"math/big"
 	"net"
 	"reflect"
-	"slices"
 	"strings"
 	"time"
 
@@ -79,10 +76,6 @@ type AltNames struct {
 	IPs      []net.IP
 }
 
-type authorityKeyId struct {
-	KeyIdentifier []byte `asn1:"optional,tag:0"`
-}
-
 func (ca Bundle) Sign(config Config) (*Bundle, error) {
 	if !ca.Certificate.IsCA {
 		return nil, errors.New("You can't use this certificate for signing. It's not a CA...")
@@ -102,17 +95,6 @@ func (ca Bundle) Sign(config Config) (*Bundle, error) {
 		notBefore = ca.Certificate.NotBefore
 	}
 
-	var authorityKeyIdent []byte
-	if ca.Certificate.SubjectKeyId != nil {
-		var err error
-		authorityKeyIdent, err = asn1.Marshal(authorityKeyId{
-			KeyIdentifier: ca.Certificate.SubjectKeyId,
-		})
-		if err != nil {
-			return nil, fmt.Errorf("Failed to marshal authority key id: %s", err)
-		}
-	}
-
 	certTmpl := x509.Certificate{
 		Subject: pkix.Name{
 			CommonName:         config.Sign,
@@ -121,14 +103,13 @@ func (ca Bundle) Sign(config Config) (*Bundle, error) {
 			Province:           config.Province,
 			Locality:           config.Locality,
 		},
-		DNSNames:       config.AltNames.DNSNames,
-		IPAddresses:    config.AltNames.IPs,
-		SerialNumber:   serial,
-		NotBefore:      notBefore,
-		NotAfter:       time.Now().Add(config.ValidFor).UTC(),
-		KeyUsage:       x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:    config.Usages,
-		AuthorityKeyId: authorityKeyIdent,
+		DNSNames:     config.AltNames.DNSNames,
+		IPAddresses:  config.AltNames.IPs,
+		SerialNumber: serial,
+		NotBefore:    notBefore,
+		NotAfter:     time.Now().Add(config.ValidFor).UTC(),
+		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  config.Usages,
 	}
 
 	certDERBytes, _ := x509.CreateCertificate(cryptorand.Reader, &certTmpl, ca.Certificate, key.Public(), ca.PrivateKey)
@@ -394,21 +375,7 @@ func (cf *CertificateFactory) UserCert(principal *models.Principal, apiURL strin
 }
 
 func loadOrCreateCA(kluster *v1.Kluster, name string, cert, key *string, certUpdates *[]CertUpdates) (*Bundle, error) {
-	regenerate := false
-	if name == "TLS" && *cert != "" {
-		block, _ := pem.Decode([]byte(*cert))
-		if block == nil {
-			return nil, fmt.Errorf("Failed to decode TLS CA certificate")
-		}
-		caCert, err := x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			return nil, fmt.Errorf("Failed to parse TLS CA certificate: %s", err)
-		}
-		if caCert.SubjectKeyId == nil {
-			regenerate = true
-		}
-	}
-	if *cert != "" && *key != "" && !regenerate {
+	if *cert != "" && *key != "" {
 		return NewBundle([]byte(*key), []byte(*cert))
 	}
 	caBundle, err := createCA(kluster.Name, name)
@@ -522,9 +489,6 @@ func createCA(klusterName, name string) (*Bundle, error) {
 		return nil, fmt.Errorf("Failed to generate private key for %s ca: %s", name, err)
 	}
 
-	keyBytes := x509.MarshalPKCS1PublicKey(&privateKey.PublicKey)
-	keyHash := sha1.Sum(keyBytes)
-
 	now := time.Now()
 	tmpl := x509.Certificate{
 		SerialNumber: new(big.Int).SetInt64(0),
@@ -537,7 +501,6 @@ func createCA(klusterName, name string) (*Bundle, error) {
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
-		SubjectKeyId:          keyHash[:],
 	}
 
 	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, privateKey.Public(), privateKey)
@@ -560,10 +523,6 @@ func isCertChangedOrExpires(origCert, newCert, caCert *x509.Certificate, duratio
 		return "SAN IP changes: " + strings.Join(IPSliceDiff(origCert.IPAddresses, newCert.IPAddresses), " "), true
 	}
 
-	if !slices.Equal(origCert.AuthorityKeyId, newCert.AuthorityKeyId) {
-		return "AuthorityKeyId changed", true
-	}
-
 	expire := time.Now().Add(duration)
 	if expire.After(origCert.NotAfter) {
 		return fmt.Sprintf("Certificate expires at %s", origCert.NotAfter), true