Bug 1921139

Summary: revert "force cert rotation every couple days for development" in 4.8
Product: OpenShift Container Platform
Reporter: Stefan Schimanski <sttts>
Component: kube-apiserver
Assignee: Stefan Schimanski <sttts>
Status: CLOSED ERRATA
QA Contact: Ke Wang <kewang>
Severity: high
Docs Contact:
Priority: medium
Version: 4.8
CC: aos-bugs, cfergeau, kewang, lszaszki, mfojtik, nstielau, prkumar, slaznick, wlewis, xxia
Target Milestone: ---
Keywords: Reopened
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: LifecycleFrozen
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1883790
Clones: 1969404
Environment:
Last Closed: 2021-10-18 17:29:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1883790, 1926123
Bug Blocks:

Comment 1 Stefan Schimanski 2021-03-16 16:28:08 UTC
*** Bug 1925446 has been marked as a duplicate of this bug. ***

Comment 3 Michal Fojtik 2021-06-11 10:25:46 UTC
The cert rotation should now be on the default 30d cadence; moving this to MODIFIED for the QE to verify. The other PR referenced here will merge after we branch 4.9 out.

Comment 6 Ke Wang 2021-07-08 10:27:57 UTC
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-07-06-205913   True        False         24h     Cluster version is 4.9.0-0.nightly-2021-07-06-205913

$ cat check_secret_expiry_within.sh 
#!/usr/bin/env bash
# usage: ./check_secret_expiry_within.sh 1day # or 15min, 2days, 2day, 2month, 1year
# Lists secrets whose operator-managed cert expires no later than now + $WITHIN, judged
# by the certificate-not-after annotation. Needs GNU date. --insecure-skip-tls-verify
# disables TLS verification of the API server, so use it on a test cluster only.
WITHIN=${1:-24hours}
CUTOFF=$(date --date="+$WITHIN" +%s)
echo "Checking validity within $WITHIN ..."
oc get secret --insecure-skip-tls-verify -A -o json | jq -r --argjson cutoff "$CUTOFF" \
  '.items[] | select(.metadata.annotations."auth.openshift.io/certificate-not-after" | . != null and fromdateiso8601 <= $cutoff) | "\(.metadata.annotations."auth.openshift.io/certificate-not-before")  \(.metadata.annotations."auth.openshift.io/certificate-not-after")  \(.metadata.namespace)\t\(.metadata.name)"'

$ ./check_secret_expiry_within.sh 1day
Checking validity within 1day ...
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-config-managed	kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-config-managed	kube-scheduler-client-cert-key
2021-07-08T03:29:26Z  2021-07-08T15:29:27Z  openshift-kube-apiserver-operator	aggregator-client-signer
2021-07-08T04:05:26Z  2021-07-08T15:29:27Z  openshift-kube-apiserver	aggregator-client
2021-07-08T03:41:56Z  2021-07-08T15:41:57Z  openshift-kube-apiserver	check-endpoints-client-cert-key
2021-07-08T03:41:54Z  2021-07-08T15:41:55Z  openshift-kube-apiserver	control-plane-node-admin-client-cert-key
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	external-loadbalancer-serving-certkey
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	internal-loadbalancer-serving-certkey
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	kubelet-client
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	localhost-serving-cert-certkey
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	service-network-serving-certkey
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-kube-controller-manager	kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-kube-scheduler	kube-scheduler-client-cert-key

Some certs have the expected expiry time, after 12 hours. Moving the bug to VERIFIED.
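The QE script above only answers "which certs expire within a window", which cannot distinguish a cert that is simply due for its normal rotation from one that was issued with a short validity period, the actual symptom of the forced development rotation. The following Python is an added example, not the QE script and not OpenShift or library-go code: it reads the same `oc get secret -A -o json` output (a file path as its only argument, or the constructed SAMPLE below when run without one) and adds a second check on the certificate lifetime, not-after minus not-before, against the cadence you expect. It assumes only the two `auth.openshift.io/certificate-not-*` annotation names that the script in this comment already reads; the two 12-hour entries in SAMPLE are copied from the listing above, while the 30-day cert and the dockercfg secret are constructed to exercise the other branches.

```python
"""Classify OpenShift operator-managed certificate secrets by expiry and lifetime.

Added example (not the bug's QE script, not OpenShift code). Reads the JSON
printed by `oc get secret -A -o json` (file path as the only argument; with no
argument, the constructed SAMPLE below) and reports
  (a) secrets whose certificate expires within a window, and
  (b) secrets whose certificate lifetime (not-after minus not-before) is
      shorter than the rotation cadence you expect.
Check (b) is what separates the dev-mode forced rotation from the default
30-day cadence: a 30-day cadence never issues a cert valid for only 12 hours.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Annotation names that the bug's own check script reads; assumed to be the
# only metadata needed here.
NOT_BEFORE = "auth.openshift.io/certificate-not-before"
NOT_AFTER = "auth.openshift.io/certificate-not-after"

# Constructed sample: the two 12-hour certs are taken from comment 6, the
# 30-day cert and the annotation-less dockercfg secret are made up so every
# branch of the classifier is exercised.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "openshift-kube-apiserver",
                  "name": "kubelet-client",
                  "annotations": {NOT_BEFORE: "2021-07-08T03:41:51Z",
                                  NOT_AFTER: "2021-07-08T15:41:52Z"}}},
    {"metadata": {"namespace": "openshift-kube-apiserver-operator",
                  "name": "aggregator-client-signer",
                  "annotations": {NOT_BEFORE: "2021-07-08T03:29:26Z",
                                  NOT_AFTER: "2021-07-08T15:29:27Z"}}},
    {"metadata": {"namespace": "openshift-kube-apiserver",
                  "name": "service-network-serving-certkey",
                  "annotations": {NOT_BEFORE: "2021-06-10T00:00:00Z",
                                  NOT_AFTER: "2021-07-10T00:00:00Z"}}},
    {"metadata": {"namespace": "default",
                  "name": "builder-dockercfg-example"}},
]})


def parse_ts(value):
    """RFC 3339 UTC timestamp, as the operators write it, to an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_secrets(json_text):
    """Yield (namespace, name, not_before, not_after) for annotated secrets only."""
    for item in json.loads(json_text)["items"]:
        meta = item["metadata"]
        ann = meta.get("annotations") or {}
        if NOT_BEFORE not in ann or NOT_AFTER not in ann:
            continue  # not a rotation-controller cert (e.g. a dockercfg secret)
        yield (meta["namespace"], meta["name"],
               parse_ts(ann[NOT_BEFORE]), parse_ts(ann[NOT_AFTER]))


def expiring_within(json_text, window_hours, now_iso):
    """Check (a): sorted (namespace, name) of certs expiring by now + window."""
    cutoff = parse_ts(now_iso) + timedelta(hours=window_hours)
    return sorted((ns, name) for ns, name, _, after in cert_secrets(json_text)
                  if after <= cutoff)


def shorter_lived_than(json_text, min_days):
    """Check (b): {"namespace/name": lifetime_hours} for certs whose validity
    period is shorter than min_days. A lifetime equal to the cadence is not
    flagged, so the threshold can be the cadence itself."""
    return {f"{ns}/{name}": round((after - before).total_seconds() / 3600, 2)
            for ns, name, before, after in cert_secrets(json_text)
            if after - before < timedelta(days=min_days)}


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    now_iso = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for ns, name in expiring_within(text, 24, now_iso):
        print(f"expires within 24h: {ns}/{name}")
    for key, hours in shorter_lived_than(text, 30).items():
        print(f"lifetime {hours}h is shorter than the 30d cadence: {key}")


if __name__ == "__main__":
    main(sys.argv)
```

On a real cluster, run `oc get secret -A -o json > secrets.json` and pass the file; anything reported by the lifetime check after this fix is a cert still being issued with a development-length validity period rather than one that merely happens to be near its rotation point.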

Comment 9 errata-xmlrpc 2021-10-18 17:29:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759