Bug 1921139
| Field | Value |
|---|---|
| Summary | revert "force cert rotation every couple days for development" in 4.8 |
| Product | OpenShift Container Platform |
| Component | kube-apiserver |
| Version | 4.8 |
| Reporter | Stefan Schimanski <sttts> |
| Assignee | Stefan Schimanski <sttts> |
| QA Contact | Ke Wang <kewang> |
| CC | aos-bugs, cfergeau, kewang, lszaszki, mfojtik, nstielau, prkumar, slaznick, wlewis, xxia |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| Keywords | Reopened |
| Whiteboard | LifecycleFrozen |
| Target Milestone | --- |
| Target Release | 4.9.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | No Doc Update |
| Story Points | --- |
| Clone Of | 1883790 |
| Clones | 1969404 (view as bug list) |
| Bug Depends On | 1883790, 1926123 |
| Bug Blocks | |
| Type | --- |
| Regression | --- |
| Last Closed | 2021-10-18 17:29:03 UTC |
Comment 1
Stefan Schimanski
2021-03-16 16:28:08 UTC
The cert rotation should now be on default 30d cadence, moving this to MODIFIED for the QE to verify. The other PR referenced here will merge after we branch 4.9 out.

```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-07-06-205913   True        False         24h     Cluster version is 4.9.0-0.nightly-2021-07-06-205913
```

```bash
$ cat check_secret_expiry_within.sh
#!/usr/bin/env bash
# usage: ./check_secret_expiry_within.sh 1day
#    or  15min, 2days, 2day, 2month, 1year
# Lists every secret whose auth.openshift.io/certificate-not-after annotation
# falls within the given window. Relies on GNU date for --date="+$WITHIN".
WITHIN=${1:-24hours}
echo "Checking validity within $WITHIN ..."
oc get secret --insecure-skip-tls-verify -A -o json | jq -r '.items[]
  | select(.metadata.annotations."auth.openshift.io/certificate-not-after"
           | . != null and fromdateiso8601<='$( date --date="+$WITHIN" +%s )')
  | "\(.metadata.annotations."auth.openshift.io/certificate-not-before") \(.metadata.annotations."auth.openshift.io/certificate-not-after") \(.metadata.namespace)\t\(.metadata.name)"'
```

```
$ ./check_secret_expiry_within.sh 1day
Checking validity within 1day ...
2021-07-08T03:42:01Z 2021-07-08T15:42:02Z openshift-config-managed	kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z 2021-07-08T15:42:02Z openshift-config-managed	kube-scheduler-client-cert-key
2021-07-08T03:29:26Z 2021-07-08T15:29:27Z openshift-kube-apiserver-operator	aggregator-client-signer
2021-07-08T04:05:26Z 2021-07-08T15:29:27Z openshift-kube-apiserver	aggregator-client
2021-07-08T03:41:56Z 2021-07-08T15:41:57Z openshift-kube-apiserver	check-endpoints-client-cert-key
2021-07-08T03:41:54Z 2021-07-08T15:41:55Z openshift-kube-apiserver	control-plane-node-admin-client-cert-key
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver	external-loadbalancer-serving-certkey
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver	internal-loadbalancer-serving-certkey
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver	kubelet-client
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver	localhost-serving-cert-certkey
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver	service-network-serving-certkey
2021-07-08T03:42:01Z 2021-07-08T15:42:02Z openshift-kube-controller-manager	kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z 2021-07-08T15:42:02Z openshift-kube-scheduler	kube-scheduler-client-cert-key
```

Some certs have the expected expiry time 12 hours after issue; moving the bug to VERIFIED.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759
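The shell script above only answers "what expires within the window". When the question is whether the rotation cadence itself is what you expect (the point of this bug), it is more useful to compute each certificate's total validity period from the same `auth.openshift.io/certificate-not-before` / `-not-after` annotations and flag anything shorter than the cadence you intend to be in effect. The following is an added example, not code from the bug report or from OpenShift; it works offline on a constructed, trimmed copy of the `oc get secret -A -o json` shape, and the secret named `example-signer` and the threshold values are assumptions for illustration.

```python
"""Summarise certificate validity periods from OpenShift secret annotations.

Added example: reads `oc get secret -A -o json` output (stdin when run as a
script, a constructed sample when imported) and reports, per secret, the
validity period derived from the auth.openshift.io/certificate-* annotations.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

ANNOTATION_PREFIX = "auth.openshift.io/certificate-"

# Constructed sample, trimmed to the fields this script reads. The first entry
# mirrors a line of the verification output above; "example-signer" is an
# assumed name with a one-year validity; the pull-secret carries no cert.
SAMPLE_SECRETS = json.dumps({
    "items": [
        {"metadata": {
            "namespace": "openshift-kube-apiserver", "name": "kubelet-client",
            "annotations": {
                ANNOTATION_PREFIX + "not-before": "2021-07-08T03:41:51Z",
                ANNOTATION_PREFIX + "not-after": "2021-07-08T15:41:52Z"}}},
        {"metadata": {
            "namespace": "openshift-kube-apiserver-operator", "name": "example-signer",
            "annotations": {
                ANNOTATION_PREFIX + "not-before": "2021-07-07T03:00:00Z",
                ANNOTATION_PREFIX + "not-after": "2022-07-07T03:00:00Z"}}},
        {"metadata": {"namespace": "openshift-config", "name": "pull-secret"}},
    ]
})


def parse_time(value):
    """Parse the RFC 3339 UTC timestamp format used by the annotations."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_secrets(raw_json):
    """Yield (namespace, name, not_before, not_after) for annotated secrets only."""
    for item in json.loads(raw_json)["items"]:
        meta = item["metadata"]
        annotations = meta.get("annotations") or {}
        not_before = annotations.get(ANNOTATION_PREFIX + "not-before")
        not_after = annotations.get(ANNOTATION_PREFIX + "not-after")
        if not not_before or not not_after:
            continue  # not a cert-rotation managed secret
        yield meta["namespace"], meta["name"], parse_time(not_before), parse_time(not_after)


def expiring_within(raw_json, now_iso, within_hours):
    """Secrets whose not-after falls within the window (what the shell script lists)."""
    cutoff = parse_time(now_iso) + timedelta(hours=within_hours)
    return sorted(f"{ns}/{name}" for ns, name, _, na in cert_secrets(raw_json) if na <= cutoff)


def validity_hours(raw_json):
    """Map 'namespace/name' to the certificate's total validity period in hours."""
    return {f"{ns}/{name}": round((na - nb).total_seconds() / 3600, 2)
            for ns, name, nb, na in cert_secrets(raw_json)}


def shorter_than(raw_json, min_hours):
    """Secrets issued with a validity period below the cadence you expect."""
    return sorted(key for key, hours in validity_hours(raw_json).items() if hours < min_hours)


if __name__ == "__main__":
    # usage: oc get secret -A -o json | python3 cert_validity.py [min_hours]
    threshold = float(sys.argv[1]) if len(sys.argv) > 1 else 24 * 30
    data = sys.stdin.read()
    for key, hours in sorted(validity_hours(data).items(), key=lambda kv: kv[1]):
        print(f"{hours:>10.2f}h  {key}")
    short = shorter_than(data, threshold)
    print(f"{len(short)} secret(s) with validity below {threshold:g}h")
```

Annotations are written by the rotation controller, so this reflects what the controller intended rather than what is in `tls.crt`; decoding the certificate itself is the independent cross-check when the two might disagree.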