Bug 1494671

Summary: RFE: auto-renew etcd, openshift CAs
Product: OpenShift Container Platform
Reporter: Sten Turpin <sten>
Component: RFE
Assignee: Sam Batschelet <sbatsche>
Status: CLOSED WONTFIX
QA Contact: Xiaoli Tian <xtian>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.5.1
CC: aos-bugs, eparis, erich, haowang, jialiu, jokerman, mmccomas, nraghava, scuppett
Target Milestone: ---
Keywords: OpsBlocker, RFE
Target Release: 4.1.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-12 11:54:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sten Turpin 2017-09-22 19:00:29 UTC
Description of problem: etcd and openshift generate SSL certificate authorities, certificates and client certificates during install. These certificates expire and, on expiration, cause the cluster to shut down.


Version-Release number of selected component (if applicable): all 3.x


How reproducible: Always


Steps to Reproduce:
1. Create a new cluster
2. Set system time to after CA expiration 


Actual results:
Cluster API shuts down and will not start

Expected results:
OpenShift should manage the renewal/replacement of these items automatically and without interrupting user activity. 

Additional info:
Recent changes to the default set the expiration to 5 years, up from 1 year. This helps, but could still burn a customer badly if they left a cluster running for 5 years, or if they changed the expiry setting from the default. Operators should not have to spend human time maintaining certificates created and used only by the cluster itself. Emerging best practice around SSL keys and certs is to generate them with a short lifetime and rotate them automatically:

https://letsencrypt.org/2015/11/09/why-90-days.html
http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-shortlived.html
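The rotation behaviour the report asks for (renew the CA early, keep the old CA trusted until it actually expires so certificates it issued keep verifying, then prune it) can be shown in a few dozen lines with Go's standard crypto/x509 package. The following is an added example written for this page; it is not code from the bug, from etcd or from OpenShift. The renew-at-two-thirds policy, the 90-day CA lifetime, the `Authority` type and the `etcd-ca` / `etcd-0.example.internal` names are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// issue signs tmpl with parent/parentKey; when parent is nil the result is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = serial
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed CA (constructed for this example) with an explicit lifetime.
func NewCA(name string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime),
		IsCA:      true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign,
	}, nil, nil)
}

// NewLeaf issues a server certificate for name from the given CA.
func NewLeaf(name string, notBefore time.Time, lifetime time.Duration, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:   notBefore, NotAfter: notBefore.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// RenewalDue reports whether cert has consumed at least fraction of its validity
// window at time now (the assumed policy below renews at 2/3 of the lifetime).
func RenewalDue(cert *x509.Certificate, now time.Time, fraction float64) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return now.Sub(cert.NotBefore) >= time.Duration(float64(lifetime)*fraction)
}

// Authority (hypothetical type) holds the currently issuing CA plus every
// not-yet-expired predecessor, so certificates issued before a rotation keep verifying.
type Authority struct {
	Active  *x509.Certificate
	Key     *ecdsa.PrivateKey
	Trusted []*x509.Certificate
}

// Rotate issues a successor CA when the active one is due and prunes expired CAs
// from the trust bundle. It reports whether a new CA was issued.
func (a *Authority) Rotate(now time.Time, fraction float64, lifetime time.Duration) (bool, error) {
	rotated := false
	if RenewalDue(a.Active, now, fraction) {
		ca, key, err := NewCA(a.Active.Subject.CommonName, now, lifetime)
		if err != nil {
			return false, err
		}
		a.Active, a.Key = ca, key
		a.Trusted = append(a.Trusted, ca)
		rotated = true
	}
	kept := a.Trusted[:0] // drop CAs whose NotAfter has passed; overlap ends only here
	for _, c := range a.Trusted {
		if now.Before(c.NotAfter) {
			kept = append(kept, c)
		}
	}
	a.Trusted = kept
	return rotated, nil
}

// Verifies checks leaf against the current trust bundle as of time now.
func (a *Authority) Verifies(leaf *x509.Certificate, now time.Time) bool {
	roots := x509.NewCertPool()
	for _, c := range a.Trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, DNSName: leaf.Subject.CommonName})
	return err == nil
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed install time
	ca, key, err := NewCA("etcd-ca", t0, 90*day)
	if err != nil {
		panic(err)
	}
	leaf, err := NewLeaf("etcd-0.example.internal", t0, 80*day, ca, key)
	if err != nil {
		panic(err)
	}
	auth := &Authority{Active: ca, Key: key, Trusted: []*x509.Certificate{ca}}
	for _, d := range []int{10, 61, 91} { // simulate "set system time" forward
		now := t0.Add(time.Duration(d) * day)
		rotated, err := auth.Rotate(now, 2.0/3, 90*day)
		if err != nil {
			panic(err)
		}
		fmt.Printf("day %3d: rotated=%v trusted=%d leaf-valid=%v\n", d, rotated, len(auth.Trusted), auth.Verifies(leaf, now))
	}
}
```

The point of the overlap is visible on day 61: a new CA has been issued, but the leaf signed by the original CA still verifies because both CAs are in the bundle. By day 91 the original CA is gone from the bundle, so anything still chaining to it must already have been reissued from the successor; in a real cluster the leaf rotation would be driven by the same `RenewalDue` check rather than left to the operator.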

Comment 6 Kirsten Newcomer 2019-06-12 11:54:45 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progresses within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.