Bug 2017442

Summary: [certificate renewal] virt-template-validator-certs secret certificate is not updated according to HCO CR certconfig
Product: Container Native Virtualization (CNV)
Reporter: ibesso <ibesso>
Component: SSP
Assignee: João Vilaça <jvilaca>
Status: NEW
QA Contact: Geetika Kapoor <gkapoor>
Severity: low
Docs Contact:
Priority: medium
Version: 4.9.0
CC: dholler, jsaucier, kmajcher, rnetser, sgott, snikolov, stirabos
Target Milestone: ---
Target Release: future
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description ibesso 2021-10-26 14:09:52 UTC
Description of problem:
----------------------
The certificate validity range does not conform to the values modified in the HCO CR (which are also propagated to CNAO CR).


Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.9.0-249


How reproducible:
----------------
100%


Steps to Reproduce:
------------------
1. Modify the HCO CR spec.certconfig to:
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}

2. Run the command:
$ oc get secrets -n openshift-cnv virt-template-validator-certs -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout


Actual results:
--------------
1. The notAfter is 2 days ahead of notBefore.
2. The notBefore is 1 day earlier than the current date.


Expected results:
----------------
1. The difference should have been 11 minutes.
2. notBefore should be today.


Additional info:
---------------
$ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certConfig'
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}
$ oc get networkaddonsconfig cluster -ojson |jq -C '.spec.selfSignConfiguration'
{
  "caOverlapInterval": "10m0s",
  "caRotateInterval": "11m0s",
  "certOverlapInterval": "10m0s",
  "certRotateInterval": "11m0s"
}

$ oc get secrets -n openshift-cnv virt-template-validator-certs -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout
notBefore=Oct 25 10:11:19 2021 GMT
notAfter=Oct 25 10:11:20 2023 GMT
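
As an added check for the reproduction steps above (this is not code from the bug report or from the HCO, CNAO or SSP projects), the following Python script parses the output of the `openssl x509 -dates -noout` command from step 2 together with the Go-style durations from the HCO certConfig, and reports whether the secret's certificate actually honours the configured lifetime. The sample output and configuration values are constructed from the report's Additional info section. Two things are my assumptions rather than facts from the report: the field mapping between HCO certConfig and CNAO selfSignConfiguration used in `cnao_matches_hco` (inferred from the matching values), and the "freshness" rule that a rotated certificate's notBefore should be no older than one configured duration.

```python
# Added example: check a TLS secret's certificate against the HCO certConfig.
# Not code from the bug report or the HCO/CNAO/SSP projects; inputs are
# constructed from the values shown in the report.
import re
from datetime import datetime, timedelta, timezone

# Constructed from the report's "Additional info" section.
OPENSSL_DATES_OUTPUT = """notBefore=Oct 25 10:11:19 2021 GMT
notAfter=Oct 25 10:11:20 2023 GMT
"""
HCO_CERT_CONFIG = {
    "ca": {"duration": "11m", "renewBefore": "10m"},
    "server": {"duration": "11m", "renewBefore": "10m"},
}
CNAO_SELF_SIGN_CONFIG = {
    "caOverlapInterval": "10m0s", "caRotateInterval": "11m0s",
    "certOverlapInterval": "10m0s", "certRotateInterval": "11m0s",
}

# "ms" must precede "m" so that "5ms" is not read as "5m" plus a stray "s".
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}


def parse_go_duration(text):
    """Parse a Go time.Duration string such as "11m", "10m0s" or "2h30m"."""
    text = text.strip()
    pos, total = 0, 0.0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:  # a gap means unparsed text between components
            raise ValueError(f"malformed duration: {text!r}")
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"malformed duration: {text!r}")
    return timedelta(seconds=total)


def parse_openssl_timestamp(text):
    """Parse openssl's "Oct 25 10:11:19 2021 GMT" into an aware UTC datetime."""
    # openssl space-pads single-digit days; collapse the whitespace first.
    stamp = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y %Z")
    return stamp.replace(tzinfo=timezone.utc)


def parse_openssl_dates(output):
    """Return (notBefore, notAfter) from `openssl x509 -dates -noout` output."""
    dates = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dates[key] = parse_openssl_timestamp(value)
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("notBefore/notAfter missing from openssl output")
    return dates["notBefore"], dates["notAfter"]


def check_cert_lifetime(openssl_output, cert_config, component="server",
                        now=None, tolerance=timedelta(seconds=5)):
    """Compare the certificate's validity window with cert_config[component].

    lifetime_ok: notAfter - notBefore equals the configured duration (within tolerance).
    fresh: notBefore is no older than one duration (assumed rotation schedule).
    """
    not_before, not_after = parse_openssl_dates(openssl_output)
    duration = parse_go_duration(cert_config[component]["duration"])
    renew_before = parse_go_duration(cert_config[component]["renewBefore"])
    if renew_before >= duration:  # would mean renewing before the cert is issued
        raise ValueError("renewBefore must be shorter than duration")
    now = now or datetime.now(timezone.utc)
    observed = not_after - not_before
    return {
        "observed_lifetime": observed,
        "expected_lifetime": duration,
        "lifetime_ok": abs(observed - duration) <= tolerance,
        "fresh": timedelta(0) <= now - not_before <= duration + tolerance,
    }


def cnao_matches_hco(cnao_config, hco_config):
    """Check that CNAO selfSignConfiguration mirrors HCO certConfig.

    The field mapping is an assumption inferred from the report's values.
    """
    mapping = {
        "caRotateInterval": ("ca", "duration"),
        "caOverlapInterval": ("ca", "renewBefore"),
        "certRotateInterval": ("server", "duration"),
        "certOverlapInterval": ("server", "renewBefore"),
    }
    return all(parse_go_duration(cnao_config[c]) == parse_go_duration(hco_config[s][k])
               for c, (s, k) in mapping.items())


if __name__ == "__main__":
    # Evaluate the report's values as of the report timestamp.
    report_time = parse_openssl_timestamp("Oct 26 14:09:52 2021 GMT")
    result = check_cert_lifetime(OPENSSL_DATES_OUTPUT, HCO_CERT_CONFIG, now=report_time)
    for k, v in result.items():
        print(f"{k}: {v}")
    print("CNAO mirrors HCO:", cnao_matches_hco(CNAO_SELF_SIGN_CONFIG, HCO_CERT_CONFIG))
```

Run against a live cluster by replacing `OPENSSL_DATES_OUTPUT` with the output of the `oc get secrets ... | openssl x509 -dates -noout` pipeline from step 2; for the values in this report, `lifetime_ok` and `fresh` both come out false, which is exactly the mismatch the report describes, while `cnao_matches_hco` confirms the certConfig did propagate to CNAO.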

Comment 1 sgott 2021-10-26 16:34:33 UTC
Lubo, can you take a look?

Comment 2 sgott 2021-10-27 14:39:46 UTC
Dominik, reviewing this BZ, I think the correct component might actually be SSP? What do you think?

Comment 3 Dominik Holler 2021-11-24 12:49:18 UTC
Jean-Francois, do you expect that customers would use this feature?

Comment 9 Krzysztof Majcher 2022-05-12 09:19:30 UTC
Per the conversation with Dominik, the HCO team will address this bug in SSP.