Bug 2017415
| Summary: | [certificate renewal] ssp-operator-service-cert secret certificate is not updated according to HCO CR certconfig | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | ibesso <ibesso> |
| Component: | SSP | Assignee: | João Vilaça <jvilaca> |
| Status: | NEW --- | QA Contact: | Geetika Kapoor <gkapoor> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.9.0 | CC: | dholler, kmajcher, sgott, stirabos |
| Target Milestone: | --- | | |
| Target Release: | future | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description of problem:
----------------------
The certificate validity range does not conform to the values modified in the HCO CR (which are also propagated to CNAO CR).

Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.9.0-249

How reproducible:
----------------
100%

Steps to Reproduce:
------------------
1. Modify the HCO CR spec.certconfig to:

        {
          "ca": {
            "duration": "11m",
            "renewBefore": "10m"
          },
          "server": {
            "duration": "11m",
            "renewBefore": "10m"
          }
        }

2. Run the command:

        $ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout

Actual results:
--------------
1. The notAfter is 2 years ahead of notBefore.
2. The notBefore is 1 day earlier than the current date.

Expected results:
----------------
1. The difference should have been 11 minutes.
2. notBefore should be today.

Additional info:
---------------

    $ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certConfig'
    {
      "ca": {
        "duration": "11m",
        "renewBefore": "10m"
      },
      "server": {
        "duration": "11m",
        "renewBefore": "10m"
      }
    }

    $ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certificateRotateStrategy.selfSigned'
    {
      "ca": {
        "duration": "11m0s",
        "renewBefore": "10m0s"
      },
      "server": {
        "duration": "11m0s",
        "renewBefore": "10m0s"
      }
    }

    $ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout
    notBefore=Oct 25 10:10:02 2021 GMT
    notAfter=Oct 24 10:10:02 2023 GMT
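
The manual comparison in the report can be automated. The following is an added example, not part of the original report and not SSP or HCO code: it parses the text printed by `openssl x509 -dates -noout` and compares the certificate lifetime with a configured Go-style duration such as `11m0s`. The function names, the 5-minute slack and the value of `now` are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"h": 3600, "m": 60, "s": 1}
# Output quoted in the report above.
REPORTED = """notBefore=Oct 25 10:10:02 2021 GMT
notAfter=Oct 24 10:10:02 2023 GMT"""

def parse_duration(text):
    """Parse a Go-style duration ('11m', '11m0s', '1h30m') into a timedelta."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * UNITS[u] for n, u in parts))

def parse_dates(openssl_output):
    """Return (notBefore, notAfter) as UTC datetimes from `openssl x509 -dates -noout` text."""
    found = dict(re.findall(r"^(notBefore|notAfter)=(.+)$", openssl_output, re.M))
    def to_utc(value):
        # openssl pads single-digit days with two spaces; normalise first.
        stamp = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
        return stamp.replace(tzinfo=timezone.utc)
    return to_utc(found["notBefore"]), to_utc(found["notAfter"])

def check_lifetime(openssl_output, configured, now, slack=timedelta(minutes=5)):
    """Return findings; an empty list means the certificate matches `configured`."""
    not_before, not_after = parse_dates(openssl_output)
    want = parse_duration(configured)
    lifetime = not_after - not_before
    findings = []
    if abs(lifetime - want) > slack:
        findings.append(f"lifetime {lifetime} does not match configured {want}")
    # A certificate issued more than one full duration ago was never rotated
    # under the configured values.
    if now - not_before > want + slack:
        findings.append(f"notBefore {not_before:%Y-%m-%d %H:%M:%S} is older than {want}")
    return findings

if __name__ == "__main__":
    # Constructed "now": the report says notBefore was one day before the current date.
    now = datetime(2021, 10, 26, 10, 10, 2, tzinfo=timezone.utc)
    for finding in check_lifetime(REPORTED, "11m0s", now):
        print("MISMATCH:", finding)
```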