Description of problem:
Currently, after installing an OCP 4.1.z cluster, there is an internal certificate rotation after 24 hours, and then again after a month (I think).
We need a way to make this customizable - especially the initial cert rotation period.
We need to shut down clusters after 8 hours in order to save hosting costs, which means that the next time we start the VMs for the cluster they missed the cert rotation window and the cluster is broken.
While there seems to be a procedure to recover from this, we'd need to run this procedure every single time we resume a cluster, which would add considerable maintenance overhead.
It would be good to set the initial certificate rotation to 2h (or 4h) after installation. Or postpone it to the 1 month mark.
Most of our clusters are only short-lived for training purposes. This applies to both GPTE environments and (in the near future) GLS environments.
Maybe this can be implemented when 1693404 is implemented.
Not having this capability costs Red Hat in excess of $100k/month of hosting costs at AWS at the moment. This cost will only go up.
Is there a process to trigger cert rotation on demand? Ideally less involved than:
This is by design and not a bug. Moved to Jira https://jira.coreos.com/browse/MSTR-786.