Bug 1806980 - revert "force cert rotation every couple days for development" in 4.5
Summary: revert "force cert rotation every couple days for development" in 4.5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.4
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Target Release: 4.5.0
Assignee: David Eads
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On:
Blocks: 1840597
 
Reported: 2020-02-25 11:57 UTC by Stefan Schimanski
Modified: 2020-07-13 17:21 UTC (History)
CC: 4 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 1840116 1840597 (view as bug list)
Environment:
Last Closed: 2020-07-13 17:21:14 UTC
Target Upstream Version:
Embargoed:




Links
System: Github openshift cluster-kube-apiserver-operator pull 863
  Status: closed
  Summary: Bug 1806980: remove override for fast cert rotation
  Last Updated: 2021-01-28 10:06:03 UTC
System: Red Hat Product Errata RHBA-2020:2409
  Last Updated: 2020-07-13 17:21:40 UTC

Comment 2 Michal Fojtik 2020-05-12 10:45:25 UTC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet.

As such, we're marking this bug as "LifecycleStale" and decreasing the severity. 

If you have further information on the current state of the bug, please update it, otherwise this bug will be automatically closed in 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.

Comment 3 Standa Laznicka 2020-05-12 12:53:12 UTC
you don't really want to close this

Comment 4 Stefan Schimanski 2020-05-19 11:11:00 UTC
Waiting for master to open. We will fix it then on the release branch.

Comment 7 Ke Wang 2020-06-02 09:17:45 UTC
Using the steps below to verify this bug with OCP build 4.5.0-0.nightly-2020-05-31-230932:

$ cat scripts/check_secret_expiry.sh
#!/usr/bin/env bash
# Usage: check_secret_expiry.sh <list-file>
# Each non-comment line of <list-file> is "<namespace> <secret>"; the tls.crt
# key of each secret is extracted with oc and its validity dates are printed.
FILE="$1"
if [ ! -f "$FILE" ]; then
  echo "usage: $0 <list-file>" >&2
  exit 1
fi
while read -r NS SECRET; do
  # skip blank lines and comments
  case "$NS" in ''|'#'*) continue ;; esac
  rm -f tls.crt
  oc extract "secret/$SECRET" -n "$NS" --confirm > /dev/null
  echo "Check cert dates of $SECRET in project $NS:"
  openssl x509 -noout -dates -in tls.crt; echo
done < "$FILE"

$ cat certs.txt
openshift-kube-controller-manager-operator csr-signer-signer
openshift-kube-controller-manager-operator csr-signer
openshift-kube-controller-manager kube-controller-manager-client-cert-key
openshift-kube-apiserver-operator aggregator-client-signer
openshift-kube-apiserver aggregator-client
openshift-kube-apiserver external-loadbalancer-serving-certkey
openshift-kube-apiserver internal-loadbalancer-serving-certkey
openshift-kube-apiserver service-network-serving-certkey
openshift-config-managed kube-controller-manager-client-cert-key
openshift-config-managed kube-scheduler-client-cert-key
openshift-kube-scheduler kube-scheduler-client-cert-key

Checking the certs after cluster uptime is more than one day, they have one-day expiry times; this is as expected.
$ oc get nodes 
NAME                                   STATUS   ROLES    AGE   VERSION
ji-0530shared02-w7csx-master-0       Ready    master   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-master-1       Ready    master   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-master-2       Ready    master   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-worker-7cdnj   Ready    worker   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-worker-lrfm5   Ready    worker   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-worker-v94n5   Ready    worker   28h   v1.18.3+9e56094

$ bash ./check_secret_expiry.sh certs.txt
Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun  1 23:49:38 2020 GMT
notAfter=Jul 31 23:49:39 2020 GMT

Check cert dates of csr-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun  1 23:53:55 2020 GMT
notAfter=Jul  1 23:53:56 2020 GMT

Check cert dates of kube-controller-manager-client-cert-key in project openshift-kube-controller-manager:
notBefore=Jun  1 04:59:34 2020 GMT
notAfter=Jul  1 04:59:35 2020 GMT

Check cert dates of aggregator-client-signer in project openshift-kube-apiserver-operator:
notBefore=Jun  1 23:49:49 2020 GMT
notAfter=Jul  1 23:49:50 2020 GMT

Check cert dates of aggregator-client in project openshift-kube-apiserver:
notBefore=Jun  1 23:53:58 2020 GMT
notAfter=Jul  1 23:49:50 2020 GMT

Check cert dates of external-loadbalancer-serving-certkey in project openshift-kube-apiserver:
notBefore=Jun  1 04:59:25 2020 GMT
notAfter=Jul  1 04:59:26 2020 GMT

Check cert dates of internal-loadbalancer-serving-certkey in project openshift-kube-apiserver:
notBefore=Jun  1 04:59:33 2020 GMT
notAfter=Jul  1 04:59:34 2020 GMT

Check cert dates of service-network-serving-certkey in project openshift-kube-apiserver:
notBefore=Jun  1 04:59:25 2020 GMT
notAfter=Jul  1 04:59:26 2020 GMT

Check cert dates of kube-controller-manager-client-cert-key in project openshift-config-managed:
notBefore=Jun  1 04:59:34 2020 GMT
notAfter=Jul  1 04:59:35 2020 GMT

Check cert dates of kube-scheduler-client-cert-key in project openshift-config-managed:
notBefore=Jun  1 04:59:25 2020 GMT
notAfter=Jul  1 04:59:26 2020 GMT

Check cert dates of kube-scheduler-client-cert-key in project openshift-kube-scheduler:
notBefore=Jun  1 04:59:25 2020 GMT
notAfter=Jul  1 04:59:26 2020 GMT


Most certs have the expected expiry time of 30 days; the csr-signer-signer cert in project openshift-kube-controller-manager-operator has 2 * 30 days. Moving the bug to verified.

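As an added example (not part of this bug report and not code from the cluster-kube-apiserver-operator), the following Python turns the manual eyeballing of the notBefore/notAfter pairs in comment 7 into a check: it parses the output format of the check script above, computes each certificate's total validity, and flags anything far shorter than the expected roughly 30 days, which is what a leftover "couple of days" development rotation override would produce. The sample report is constructed from the values in comment 7 plus one invented short-lived secret named example-fast-rotation; the 7-day threshold, the 3-day expiry warning and the REPORT_TIME value are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the first three blocks copy the format of the check
# script's output on this page; the fourth entry ("example-fast-rotation") is
# invented to show what a certificate minted under a short development
# rotation override would look like.
SAMPLE_REPORT = """\
Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun  1 23:49:38 2020 GMT
notAfter=Jul 31 23:49:39 2020 GMT

Check cert dates of csr-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun  1 23:53:55 2020 GMT
notAfter=Jul  1 23:53:56 2020 GMT

Check cert dates of aggregator-client in project openshift-kube-apiserver:
notBefore=Jun  1 23:53:58 2020 GMT
notAfter=Jul  1 23:49:50 2020 GMT

Check cert dates of example-fast-rotation in project openshift-kube-apiserver:
notBefore=Jun  1 04:59:25 2020 GMT
notAfter=Jun  3 04:59:26 2020 GMT
"""

# Assumed time the report was taken (the date of the verification comment).
REPORT_TIME = datetime(2020, 6, 2, 9, 17, tzinfo=timezone.utc)

HEADER_RE = re.compile(r"^Check cert dates of (\S+) in project (\S+):$")
DATE_RE = re.compile(r"^(notBefore|notAfter)=(.+?)\s+GMT$")


def parse_openssl_date(value):
    """Parse the 'Jun  1 23:49:38 2020' form printed by openssl x509 -dates (GMT)."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_report(text):
    """Return one dict per secret: namespace, secret, not_before, not_after."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"secret": m.group(1), "namespace": m.group(2)}
            entries.append(current)
            continue
        m = DATE_RE.match(line)
        if m and current is not None:
            key = "not_before" if m.group(1) == "notBefore" else "not_after"
            current[key] = parse_openssl_date(m.group(2))
    # Drop entries where oc extract produced no usable tls.crt.
    return [e for e in entries if "not_before" in e and "not_after" in e]


def classify(entry, now, min_lifetime=timedelta(days=7), warn_within=timedelta(days=3)):
    """Return (lifetime_days, status) for one certificate.

    short-lived: total validity is below min_lifetime (assumed 7 days). The
                 control-plane certs listed on this page are expected to live
                 about 30 days (the csr-signer-signer twice that), so a
                 validity of a couple of days means a development rotation
                 override is still in effect.
    expired:     notAfter is already in the past at `now`.
    expiring:    less than warn_within remains and the operator has not yet
                 rotated the secret.
    ok:          otherwise.
    """
    lifetime = entry["not_after"] - entry["not_before"]
    days = round(lifetime.total_seconds() / 86400, 1)
    if lifetime < min_lifetime:
        return days, "short-lived"
    if entry["not_after"] <= now:
        return days, "expired"
    if entry["not_after"] - now < warn_within:
        return days, "expiring"
    return days, "ok"


def audit(text, now):
    """Map (namespace, secret) -> (lifetime_days, status) for a whole report."""
    return {(e["namespace"], e["secret"]): classify(e, now) for e in parse_report(text)}


if __name__ == "__main__":
    for (ns, name), (days, status) in audit(SAMPLE_REPORT, REPORT_TIME).items():
        print(f"{status:11} {days:6.1f}d  {ns}/{name}")
```

Feed it the real output of the check script (`bash check_secret_expiry.sh certs.txt | python3 audit.py`-style, reading stdin instead of SAMPLE_REPORT) and any "short-lived" line is the signal this bug was about: the certificates themselves are valid, so nothing in the cluster complains, but they will be re-issued far more often than the rotation design intends.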
Comment 9 errata-xmlrpc 2020-07-13 17:21:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

