Bug 1730388

Summary: Need a way to customize Cert Rotation Period
Product: OpenShift Container Platform
Reporter: Wolfgang Kulhanek <wkulhane>
Component: service-ca
Assignee: Stefan Schimanski <sttts>
Status: CLOSED NOTABUG
QA Contact: Chuan Yu <chuyu>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.1.z
CC: aos-bugs, clasohm, erich, judd, mfojtik
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Last Closed: 2019-07-23 08:59:25 UTC
Type: Bug
Regression: ---

Description Wolfgang Kulhanek 2019-07-16 15:11:21 UTC
Description of problem:

Currently, after installing an OCP 4.1.z cluster, there is an internal certificate rotation after 24 hours, and then again after a month (I think).

We need a way to make this customizable - especially the initial cert rotation period.

We need to shut down clusters after 8 hours in order to save hosting costs, which means that the next time we start the VMs for the cluster they have missed the cert rotation window and the cluster is broken.

While there seems to be a procedure to recover from this, we'd need to run this procedure every single time we resume a cluster, which would add considerable maintenance overhead.

It would be good to set the initial certificate rotation to 2h (or 4h) after installation. Or postpone it to the 1 month mark.

Most of our clusters are only short lived for training purposes. This applies to both GPTE environments and (in the near future) GLS environments.

Maybe this can be implemented when 1693404 is implemented.

Not having this capability costs Red Hat in excess of $100k/month of hosting costs at AWS at the moment. This cost will only go up.
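Added example, not part of the reporter's bug and not OpenShift's own code: a stand-alone Go check, using only the standard library, for the failure mode described above. Before suspending a cluster, it walks a PEM bundle (for example the client certificate from a node's kubeconfig) and reports which certificates will already be expired at the planned resume time, so the operator learns before shutdown whether the expired-certs recovery procedure will be needed. The bundle here is a constructed 24-hour self-signed certificate standing in for the short-lived post-install certs; the common name and the 8-hour and 30-hour resume offsets are assumptions for illustration, and nothing here talks to a real cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is the result for one certificate in the bundle.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	Expired  bool // true when the cert is no longer valid at the planned resume time
}

// CheckBundle walks every CERTIFICATE block in a PEM bundle and flags the ones
// that will already be expired at resumeAt. Non-certificate PEM blocks (keys)
// are skipped. An unparsable certificate is an error rather than a skip, because
// silently ignoring it would hide exactly the cert the operator cares about.
func CheckBundle(pemBytes []byte, resumeAt time.Time) ([]CertStatus, error) {
	var out []CertStatus
	rest := pemBytes
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		out = append(out, CertStatus{
			Subject:  cert.Subject.CommonName,
			NotAfter: cert.NotAfter,
			// Expiry at exactly resumeAt counts as expired: NotAfter is inclusive
			// of its last second, so resuming one second later is already too late.
			Expired: !resumeAt.Before(cert.NotAfter),
		})
	}
	if len(out) == 0 {
		return nil, errors.New("no CERTIFICATE blocks found in bundle")
	}
	return out, nil
}

// SafeToSuspend returns true when every certificate in the bundle is still
// valid at resumeAt, together with the common names of those that are not.
func SafeToSuspend(pemBytes []byte, resumeAt time.Time) (bool, []string, error) {
	statuses, err := CheckBundle(pemBytes, resumeAt)
	if err != nil {
		return false, nil, err
	}
	var expired []string
	for _, s := range statuses {
		if s.Expired {
			expired = append(expired, s.Subject)
		}
	}
	return len(expired) == 0, expired, nil
}

// MakeTestCert builds a self-signed certificate (constructed test data, not a
// real cluster certificate) valid from notBefore for lifetime, PEM-encoded.
func MakeTestCert(cn string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Assumed install time; truncated to seconds because X.509 stores seconds.
	installed := time.Now().Truncate(time.Second)
	// Assumed 24-hour cert standing in for the post-install short-lived certs.
	bundle, err := MakeTestCert("system:node:worker-0", installed, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, resume := range []time.Duration{8 * time.Hour, 30 * time.Hour} {
		ok, expired, err := SafeToSuspend(bundle, installed.Add(resume))
		if err != nil {
			panic(err)
		}
		fmt.Printf("resume after %v: safe=%v expired=%v\n", resume, ok, expired)
	}
}
```

Run against a real bundle by replacing the constructed certificate with the contents of the file you intend to rely on after resume; a false result from SafeToSuspend is the signal to either resume before the flagged NotAfter or plan for the recovery procedure.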

Comment 1 Judd Maltin 2019-07-18 17:14:03 UTC
Is there a process to trigger cert rotation on demand? Ideally less involved than:

https://docs.openshift.com/container-platform/4.1/disaster_recovery/scenario-3-expired-certs.html

Comment 2 Stefan Schimanski 2019-07-23 08:59:25 UTC
This is by design and not a bug. Moved to Jira https://jira.coreos.com/browse/MSTR-786.