Bug 1806980
| Field | Value |
|---|---|
| Summary | revert "force cert rotation every couple days for development" in 4.5 |
| Product | OpenShift Container Platform |
| Component | kube-apiserver |
| Version | 4.4 |
| Target Release | 4.5.0 |
| Target Milestone | --- |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Reporter | Stefan Schimanski <sttts> |
| Assignee | David Eads <deads> |
| QA Contact | Ke Wang <kewang> |
| CC | aos-bugs, mfojtik, slaznick, xxia |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | No Doc Update |
| Story Points | --- |
| | 1840116 1840597 |
| Last Closed | 2020-07-13 17:21:14 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1840597 |
Comment 2
Michal Fojtik
2020-05-12 10:45:25 UTC
You don't really want to close this. Waiting for master to open. We will fix it then on the release branch.

Using the steps below to verify this bug with OCP build 4.5.0-0.nightly-2020-05-31-230932:
$ cat scripts/check_secret_expiry.sh
```bash
#!/bin/bash
# Print the validity dates of the TLS cert stored in each listed secret.
# Input file: one "<namespace> <secret>" pair per line; lines starting with # are skipped.
FILE="$1"
if [ ! -f "$FILE" ]; then
  echo "must provide \$1" >&2
  exit 1
fi
while read -r NS SECRET; do
  case "$NS" in "#"*|"") continue ;; esac
  rm -f tls.crt
  oc extract "secret/$SECRET" -n "$NS" --confirm > /dev/null
  echo "Check cert dates of $SECRET in project $NS:"
  openssl x509 -noout -dates -in tls.crt; echo
done < "$FILE"
```
$ cat certs.txt
```text
openshift-kube-controller-manager-operator csr-signer-signer
openshift-kube-controller-manager-operator csr-signer
openshift-kube-controller-manager kube-controller-manager-client-cert-key
openshift-kube-apiserver-operator aggregator-client-signer
openshift-kube-apiserver aggregator-client
openshift-kube-apiserver external-loadbalancer-serving-certkey
openshift-kube-apiserver internal-loadbalancer-serving-certkey
openshift-kube-apiserver service-network-serving-certkey
openshift-config-managed kube-controller-manager-client-cert-key
openshift-config-managed kube-scheduler-client-cert-key
openshift-kube-scheduler kube-scheduler-client-cert-key
```
Checking the certs after cluster uptime is more than one day, they have one-day expiry times; this is as expected.
$ oc get nodes
```text
NAME                                 STATUS   ROLES    AGE   VERSION
ji-0530shared02-w7csx-master-0       Ready    master   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-master-1       Ready    master   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-master-2       Ready    master   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-worker-7cdnj   Ready    worker   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-worker-lrfm5   Ready    worker   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-worker-v94n5   Ready    worker   28h   v1.18.3+9e56094
```
$ bash ./check-secret-expiry.sh cert.txt
```text
Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun 1 23:49:38 2020 GMT
notAfter=Jul 31 23:49:39 2020 GMT

Check cert dates of csr-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun 1 23:53:55 2020 GMT
notAfter=Jul 1 23:53:56 2020 GMT

Check cert dates of kube-controller-manager-client-cert-key in project openshift-kube-controller-manager:
notBefore=Jun 1 04:59:34 2020 GMT
notAfter=Jul 1 04:59:35 2020 GMT

Check cert dates of aggregator-client-signer in project openshift-kube-apiserver-operator:
notBefore=Jun 1 23:49:49 2020 GMT
notAfter=Jul 1 23:49:50 2020 GMT

Check cert dates of aggregator-client in project openshift-kube-apiserver:
notBefore=Jun 1 23:53:58 2020 GMT
notAfter=Jul 1 23:49:50 2020 GMT

Check cert dates of external-loadbalancer-serving-certkey in project openshift-kube-apiserver:
notBefore=Jun 1 04:59:25 2020 GMT
notAfter=Jul 1 04:59:26 2020 GMT

Check cert dates of internal-loadbalancer-serving-certkey in project openshift-kube-apiserver:
notBefore=Jun 1 04:59:33 2020 GMT
notAfter=Jul 1 04:59:34 2020 GMT

Check cert dates of service-network-serving-certkey in project openshift-kube-apiserver:
notBefore=Jun 1 04:59:25 2020 GMT
notAfter=Jul 1 04:59:26 2020 GMT

Check cert dates of kube-controller-manager-client-cert-key in project openshift-config-managed:
notBefore=Jun 1 04:59:34 2020 GMT
notAfter=Jul 1 04:59:35 2020 GMT

Check cert dates of kube-scheduler-client-cert-key in project openshift-config-managed:
notBefore=Jun 1 04:59:25 2020 GMT
notAfter=Jul 1 04:59:26 2020 GMT

Check cert dates of kube-scheduler-client-cert-key in project openshift-kube-scheduler:
notBefore=Jun 1 04:59:25 2020 GMT
notAfter=Jul 1 04:59:26 2020 GMT
```
Most certs have the expected expiry time of 30 days; the csr-signer-signer cert in project openshift-kube-controller-manager-operator has 2 * 30 days. Moving the bug to verified.
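As an added example (not part of the bug report or of any OpenShift tooling), a Python checker that parses the report printed by the verification script above and flags any secret whose validity window deviates from the rotation period the verification expects: 30 days for leaf certs and 2 * 30 days for csr-signer-signer. The sample report, including the dev-short-lived secret in namespace example-ns, is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout printed by the check script: a header line per secret
# followed by the notBefore/notAfter lines that `openssl x509 -noout -dates` emits.
SAMPLE_REPORT = """\
Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun  1 23:49:38 2020 GMT
notAfter=Jul 31 23:49:39 2020 GMT
Check cert dates of aggregator-client in project openshift-kube-apiserver:
notBefore=Jun  1 23:53:58 2020 GMT
notAfter=Jul  1 23:49:50 2020 GMT
Check cert dates of dev-short-lived in project example-ns:
notBefore=Jun  1 00:00:00 2020 GMT
notAfter=Jun  3 00:00:00 2020 GMT
"""

HEADER = re.compile(r"^Check cert dates of (\S+) in project (\S+):$")
DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # layout of an openssl -dates value

def parse_openssl_date(value):
    """Parse an openssl -dates value; openssl pads single-digit days with an extra space."""
    return datetime.strptime(" ".join(value.split()), DATE_FMT)

def parse_report(text):
    """Return one dict per secret with namespace, secret, not_before and not_after."""
    entries, current = [], None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            current = {"secret": match.group(1), "namespace": match.group(2)}
            entries.append(current)
        elif current is not None and line.startswith("notBefore="):
            current["not_before"] = parse_openssl_date(line.split("=", 1)[1])
        elif current is not None and line.startswith("notAfter="):
            current["not_after"] = parse_openssl_date(line.split("=", 1)[1])
    return entries

def expected_validity(secret):
    """The signer CA in this report is issued for 2 * 30 days, every other cert for 30 days."""
    return timedelta(days=60) if secret == "csr-signer-signer" else timedelta(days=30)

def find_anomalies(text, tolerance=timedelta(hours=1)):
    """List (namespace, secret, validity_days) for certs whose window is off by more than tolerance."""
    anomalies = []
    for entry in parse_report(text):
        validity = entry["not_after"] - entry["not_before"]
        # A leaf clamped to its signer's expiry (aggregator-client above) is a few minutes short; allow that.
        if abs(validity - expected_validity(entry["secret"])) > tolerance:
            anomalies.append((entry["namespace"], entry["secret"], validity.days))
    return anomalies
```

Feed it the real output of the check script (`bash check_secret_expiry.sh certs.txt | python3 -c '...'`) to catch a cluster that is still running on the short development rotation this bug reverts.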
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409