Bug 1730388 - Need a way to customize Cert Rotation Period
Summary: Need a way to customize Cert Rotation Period
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: service-ca
Version: 4.1.z
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
: ---
Assignee: Stefan Schimanski
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-07-16 15:11 UTC by Wolfgang Kulhanek
Modified: 2019-07-29 16:35 UTC
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-23 08:59:25 UTC
Target Upstream Version:




Links
System: Red Hat Knowledge Base (Solution)
ID: 4271712
Priority: None
Status: None
Summary: OpenShift services do not start after being shutdown (within 24hrs after install).
Last Updated: 2019-07-22 19:33:13 UTC

Description Wolfgang Kulhanek 2019-07-16 15:11:21 UTC
Description of problem:

Currently, after installing an OCP 4.1.z cluster there is an internal certificate rotation after 24 hours. And then again after a month (I think).

We need a way to make this customizable - especially the initial cert rotation period.

We need to shut down clusters after 8 hours in order to save hosting costs, which means that the next time we start the VMs for the cluster they have missed the cert rotation window and the cluster is broken.

While there seems to be a procedure to recover from this, we'd need to run this procedure every single time we resume a cluster, which would add considerable maintenance overhead.

It would be good to set the initial certificate rotation to 2h (or 4h) after installation. Or postpone it to the 1 month mark.

Most of our clusters are only short lived for training purposes. This applies to both GPTE environments and (in the near future) GLS environments.

Maybe this can be implemented when 1693404 is implemented.

Not having this capability costs Red Hat in excess of $100k/month of hosting costs at AWS at the moment. This cost will only go up.
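
The failure mode the report describes (an internal certificate whose 24-hour validity lapses while the cluster is powered off) can be checked for before a planned shutdown: parse the PEM certificates, compare each NotAfter with the planned resume time, and treat the earliest NotAfter as the deadline by which the cluster must be running again. The Go program below is an added example written for this page; it is not code from this bug, from OpenShift or from the service-ca component. It builds its own self-signed sample certificates with the lifetimes the report mentions (24 hours and a month), and the certificate names, install time and resume times are constructed, so it says nothing about which files on a cluster node hold the real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CertStatus is one certificate's relationship to a planned resume time.
type CertStatus struct {
	Name            string
	NotAfter        time.Time
	ExpiredAtResume bool // true when resume is at or after NotAfter
}

// parseFirstCert returns the first CERTIFICATE block in a PEM bundle.
func parseFirstCert(pemData []byte) (*x509.Certificate, error) {
	for len(pemData) > 0 {
		block, rest := pem.Decode(pemData)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
		pemData = rest
	}
	return nil, errors.New("no CERTIFICATE block found")
}

// CheckResume compares every certificate in certs with the planned resume time.
// Rotation only happens while the cluster runs, so a cluster powered off across
// a NotAfter instant comes back with that certificate already expired.
// Results are sorted by name so the output is deterministic.
func CheckResume(certs map[string][]byte, resume time.Time) ([]CertStatus, error) {
	out := make([]CertStatus, 0, len(certs))
	for name, data := range certs {
		c, err := parseFirstCert(data)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out = append(out, CertStatus{Name: name, NotAfter: c.NotAfter,
			ExpiredAtResume: !resume.Before(c.NotAfter)})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// LatestSafeResume is the earliest NotAfter in the set: the cluster must be
// running again before this instant, otherwise it needs the expired-certs
// recovery procedure instead of a normal start.
func LatestSafeResume(certs map[string][]byte) (time.Time, error) {
	statuses, err := CheckResume(certs, time.Time{})
	if err != nil {
		return time.Time{}, err
	}
	if len(statuses) == 0 {
		return time.Time{}, errors.New("no certificates given")
	}
	earliest := statuses[0].NotAfter
	for _, s := range statuses[1:] {
		if s.NotAfter.Before(earliest) {
			earliest = s.NotAfter
		}
	}
	return earliest, nil
}

// makeSelfSigned builds a constructed self-signed certificate so the example
// runs offline; a real check would read the cluster's own PEM files instead.
func makeSelfSigned(cn string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed sample: install at the report's timestamp, one certificate with
	// the 24-hour initial lifetime the report describes and one with a month.
	install := time.Date(2019, 7, 16, 15, 0, 0, 0, time.UTC)
	short, _ := makeSelfSigned("constructed-24h", install, 24*time.Hour)
	long, _ := makeSelfSigned("constructed-30d", install, 30*24*time.Hour)
	certs := map[string][]byte{"24h-cert": short, "30d-cert": long}

	// Shut down at +8h, resume the next morning at +30h: the 24h cert is gone.
	statuses, err := CheckResume(certs, install.Add(30*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, s := range statuses {
		fmt.Printf("%-8s NotAfter=%s expiredAtResume=%v\n",
			s.Name, s.NotAfter.Format(time.RFC3339), s.ExpiredAtResume)
	}
	deadline, _ := LatestSafeResume(certs)
	fmt.Println("cluster must be running again before:", deadline.Format(time.RFC3339))
}
```

The check only inspects the certificates as they are now; it does not model the rotation that would have happened had the cluster stayed up, which is exactly why powering off across the 24-hour mark breaks the cluster. Resuming at +8 hours passes, resuming at +30 hours flags the 24-hour certificate, and the deadline comes out as install plus 24 hours.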

Comment 1 Judd Maltin 2019-07-18 17:14:03 UTC
Is there a process to trigger cert rotation on demand? Ideally less involved than:

https://docs.openshift.com/container-platform/4.1/disaster_recovery/scenario-3-expired-certs.html

Comment 2 Stefan Schimanski 2019-07-23 08:59:25 UTC
This is by design and not a bug. Moved to Jira https://jira.coreos.com/browse/MSTR-786.

