During development, we want to exercise the rotation code paths, so we go from 30 days down to 12 hours of validity.
Referencing bug 1688610, using the below steps to verify this bug:

$ cat scripts/check_secret_expiry.sh
#!/bin/bash
# Usage: check_secret_expiry.sh <file>, one "<namespace> <secret>" pair per line.
FILE="$1"
if [ ! -f "$FILE" ]; then
  echo "must provide \$1" && exit 1
fi
# Skip blank and comment lines; extract each secret's tls.crt and print its validity dates.
while read -r NS SECRET _; do
  case "$NS" in ""|\#*) continue ;; esac
  rm -f tls.crt
  oc extract "secret/$SECRET" -n "$NS" --confirm > /dev/null
  echo "Check cert dates of $SECRET in project $NS:"
  openssl x509 -noout -dates -in tls.crt; echo
done < "$FILE"

$ cat certs.txt
openshift-kube-controller-manager-operator csr-signer-signer
openshift-kube-controller-manager-operator csr-signer
openshift-kube-controller-manager kube-controller-manager-client-cert-key
openshift-kube-apiserver-operator aggregator-client-signer
openshift-kube-apiserver aggregator-client
openshift-kube-apiserver external-loadbalancer-serving-certkey
openshift-kube-apiserver internal-loadbalancer-serving-certkey
openshift-kube-apiserver service-network-serving-certkey
openshift-config-managed kube-controller-manager-client-cert-key
openshift-config-managed kube-scheduler-client-cert-key
openshift-kube-scheduler kube-scheduler-client-cert-key

In a fresh latest 4.4.0-0.nightly-2020-02-16-221315 env, run:

$ scripts/check_secret_expiry.sh certs.txt
# got:
Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
notBefore=Feb 17 02:31:12 2020 GMT
notAfter=Feb 18 02:31:12 2020 GMT

Check cert dates of csr-signer in project openshift-kube-controller-manager-operator:
notBefore=Feb 17 02:48:18 2020 GMT
notAfter=Feb 18 02:31:12 2020 GMT

Check cert dates of kube-controller-manager-client-cert-key in project openshift-kube-controller-manager:
notBefore=Feb 17 02:48:22 2020 GMT
notAfter=Feb 17 14:48:23 2020 GMT

Check cert dates of aggregator-client-signer in project openshift-kube-apiserver-operator:
notBefore=Feb 17 02:31:06 2020 GMT
notAfter=Feb 18 02:31:06 2020 GMT
...
Like bug 1688610#c4, most of these certs have the above PR's (30 days / 60) = 12 hours validity, except csr-signer-signer, csr-signer and aggregator-client-signer.
Then, checking like bug 1688610#c5, even in a longer-running cluster (e.g. another 4.4 env running for 1 day), csr-signer-signer, csr-signer and aggregator-client-signer still have validity != 12 hours:

$ scripts/check_secret_expiry.sh certs.txt
Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
notBefore=Feb 17 03:05:57 2020 GMT
notAfter=Apr 17 03:05:58 2020 GMT

Check cert dates of csr-signer in project openshift-kube-controller-manager-operator:
notBefore=Feb 17 03:09:27 2020 GMT
notAfter=Mar 18 03:09:28 2020 GMT

Check cert dates of kube-controller-manager-client-cert-key in project openshift-kube-controller-manager:
notBefore=Feb 17 02:11:13 2020 GMT
notAfter=Feb 17 14:11:14 2020 GMT

Check cert dates of aggregator-client-signer in project openshift-kube-apiserver-operator:
notBefore=Feb 17 03:06:04 2020 GMT
notAfter=Mar 18 03:06:05 2020 GMT
...

So assigning back for csr-signer-signer, csr-signer and aggregator-client-signer.
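The 12-hour comparison done by eye in the two verification comments above, as an added example (Python, not the script from this bug or OpenShift code): it parses the report that check_secret_expiry.sh prints and flags every secret whose validity is not the (30 days / 60) = 12 hours expected in development. The sample report is constructed from the values quoted above, and the 5-second slack for the notAfter rounding is an assumption.

```python
import re
from datetime import datetime, timedelta

# Development setting discussed in this bug: the 30-day validity divided by 60.
EXPECTED_VALIDITY = timedelta(days=30) / 60      # 12 hours
SLACK = timedelta(seconds=5)                     # assumption: notAfter is often a second past

HEADER = re.compile(r"^Check cert dates of (\S+) in project (\S+):$")

# Constructed sample in the exact format check_secret_expiry.sh prints,
# using values quoted in the verification comments (not live cluster data).
SAMPLE_REPORT = """\
Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
notBefore=Feb 17 02:31:12 2020 GMT
notAfter=Feb 18 02:31:12 2020 GMT

Check cert dates of kube-controller-manager-client-cert-key in project openshift-kube-controller-manager:
notBefore=Feb 17 02:48:22 2020 GMT
notAfter=Feb 17 14:48:23 2020 GMT
"""

def parse_openssl_date(value):
    # openssl x509 -noout -dates prints e.g. "Feb 17 02:48:22 2020 GMT".
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")

def parse_report(text):
    """Yield (namespace, secret, notBefore, notAfter) for each secret block."""
    ns = secret = not_before = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            secret, ns = m.group(1), m.group(2)
        elif line.startswith("notBefore="):
            not_before = parse_openssl_date(line.split("=", 1)[1])
        elif line.startswith("notAfter=") and secret and not_before:
            yield ns, secret, not_before, parse_openssl_date(line.split("=", 1)[1])
            not_before = None

def check_validity(text, expected=EXPECTED_VALIDITY, slack=SLACK):
    """Map secret -> (namespace, validity in hours, True if it matches expected)."""
    results = {}
    for ns, secret, nb, na in parse_report(text):
        validity = na - nb
        ok = abs(validity - expected) <= slack
        results[secret] = (ns, validity.total_seconds() / 3600, ok)
    return results

if __name__ == "__main__":
    for secret, (ns, hours, ok) in check_validity(SAMPLE_REPORT).items():
        print(f"{'OK ' if ok else 'BAD'} {ns}/{secret}: {hours:.2f}h")
```

Feed it the real output with `check_validity(open("report.txt").read())` and the BAD lines are exactly the signers this comment assigns back.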
kcm bits are good; they were not shortened, as the kas-o ones were. Since the kas-o short interval is already tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1797593, I'm moving this back to qa.
Referring to https://bugzilla.redhat.com/show_bug.cgi?id=1797601#c11, will move to verified.