This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity. If you have further information on the current state of the bug, please update it, otherwise this bug will be automatically closed in 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.
You don't really want to close this.
Waiting for master to open. We will fix it then on the release branch.
Using the steps below to verify this bug with OCP build 4.5.0-0.nightly-2020-05-31-230932:

$ cat scripts/check_secret_expiry.sh
# Usage: check_secret_expiry.sh FILE, where each line of FILE is "<namespace> <secret>"
FILE="$1"
if [ ! -f "$FILE" ]; then
  echo "must provide \$1" && exit 1
fi
export IFS=$'\n'
for i in `cat "$FILE"`
do
  # Skip comment lines
  if echo "$i" | grep -q "^#"; then
    continue
  fi
  NS=`echo "$i" | cut -d ' ' -f 1`
  SECRET=`echo "$i" | cut -d ' ' -f 2`
  # Extract tls.crt from the secret into the current directory
  rm -f tls.crt; oc extract "secret/$SECRET" -n "$NS" --confirm > /dev/null
  echo "Check cert dates of $SECRET in project $NS:"
  openssl x509 -noout -dates -in tls.crt; echo
done

$ cat certs.txt
openshift-kube-controller-manager-operator csr-signer-signer
openshift-kube-controller-manager-operator csr-signer
openshift-kube-controller-manager kube-controller-manager-client-cert-key
openshift-kube-apiserver-operator aggregator-client-signer
openshift-kube-apiserver aggregator-client
openshift-kube-apiserver external-loadbalancer-serving-certkey
openshift-kube-apiserver internal-loadbalancer-serving-certkey
openshift-kube-apiserver service-network-serving-certkey
openshift-config-managed kube-controller-manager-client-cert-key
openshift-config-managed kube-scheduler-client-cert-key
openshift-kube-scheduler kube-scheduler-client-cert-key

Checking the certs after the cluster uptime is more than one day, they are with one day expiry times; this is as expected.

$ oc get nodes
NAME                                 STATUS   ROLES    AGE   VERSION
ji-0530shared02-w7csx-master-0       Ready    master   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-master-1       Ready    master   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-master-2       Ready    master   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-worker-7cdnj   Ready    worker   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-worker-lrfm5   Ready    worker   28h   v1.18.3+9e56094
ji-0530shared02-w7csx-worker-v94n5   Ready    worker   28h   v1.18.3+9e56094

$ bash ./check-secret-expiry.sh cert.txt
Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun 1 23:49:38 2020 GMT
notAfter=Jul 31 23:49:39 2020 GMT

Check cert dates of csr-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun 1 23:53:55 2020 GMT
notAfter=Jul 1 23:53:56 2020 GMT

Check cert dates of kube-controller-manager-client-cert-key in project openshift-kube-controller-manager:
notBefore=Jun 1 04:59:34 2020 GMT
notAfter=Jul 1 04:59:35 2020 GMT

Check cert dates of aggregator-client-signer in project openshift-kube-apiserver-operator:
notBefore=Jun 1 23:49:49 2020 GMT
notAfter=Jul 1 23:49:50 2020 GMT

Check cert dates of aggregator-client in project openshift-kube-apiserver:
notBefore=Jun 1 23:53:58 2020 GMT
notAfter=Jul 1 23:49:50 2020 GMT

Check cert dates of external-loadbalancer-serving-certkey in project openshift-kube-apiserver:
notBefore=Jun 1 04:59:25 2020 GMT
notAfter=Jul 1 04:59:26 2020 GMT

Check cert dates of internal-loadbalancer-serving-certkey in project openshift-kube-apiserver:
notBefore=Jun 1 04:59:33 2020 GMT
notAfter=Jul 1 04:59:34 2020 GMT

Check cert dates of service-network-serving-certkey in project openshift-kube-apiserver:
notBefore=Jun 1 04:59:25 2020 GMT
notAfter=Jul 1 04:59:26 2020 GMT

Check cert dates of kube-controller-manager-client-cert-key in project openshift-config-managed:
notBefore=Jun 1 04:59:34 2020 GMT
notAfter=Jul 1 04:59:35 2020 GMT

Check cert dates of kube-scheduler-client-cert-key in project openshift-config-managed:
notBefore=Jun 1 04:59:25 2020 GMT
notAfter=Jul 1 04:59:26 2020 GMT

Check cert dates of kube-scheduler-client-cert-key in project openshift-kube-scheduler:
notBefore=Jun 1 04:59:25 2020 GMT
notAfter=Jul 1 04:59:26 2020 GMT

Most certs have the expected expiry time of 30 days; the cert of csr-signer-signer in project openshift-kube-controller-manager-operator is with 2 * 30 days. Moving the bug to verified.
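The validity periods in the verification output above can be computed and checked mechanically rather than read off by eye. The following is an added example, not part of the bug report or the tester's script; it assumes GNU date (for -d parsing), and the function names lifetime_days, report_lifetimes and sample_output are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes GNU date for -d parsing.
# Validity between two openssl date strings, rounded to the nearest day so a
# few minutes of issuance skew does not read as 29 or 31 days.
lifetime_days() {
    start=$(date -u -d "$1" +%s) || return 2
    end=$(date -u -d "$2" +%s) || return 2
    echo $(( ($end - $start + 43200) / 86400 ))
}

# Read the check script's output on stdin and print one line per cert:
#   <project>/<secret> <days> OK|UNEXPECTED
# $1 is the expected validity in days; returns 1 if any cert deviates.
report_lifetimes() {
    expected=$1; rc=0
    while IFS= read -r line; do
        case $line in
            "Check cert dates of "*)
                rest=${line#"Check cert dates of "}
                secret=${rest%%" in project "*}
                ns=${rest##*" in project "}
                name="${ns%:}/$secret" ;;
            notBefore=*) before=${line#notBefore=} ;;
            notAfter=*)
                days=$(lifetime_days "$before" "${line#notAfter=}") || return 2
                status=OK
                [ "$days" -eq "$expected" ] || { status=UNEXPECTED; rc=1; }
                echo "$name $days $status" ;;
        esac
    done
    return "$rc"
}

# Three entries copied from the verification output above.
sample_output() {
    cat <<'EOF'
Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun 1 23:49:38 2020 GMT
notAfter=Jul 31 23:49:39 2020 GMT
Check cert dates of csr-signer in project openshift-kube-controller-manager-operator:
notBefore=Jun 1 23:53:55 2020 GMT
notAfter=Jul 1 23:53:56 2020 GMT
Check cert dates of aggregator-client in project openshift-kube-apiserver:
notBefore=Jun 1 23:53:58 2020 GMT
notAfter=Jul 1 23:49:50 2020 GMT
EOF
}

sample_output | report_lifetimes 30 || echo "review the UNEXPECTED entries"
```

Run against this sample with an expected validity of 30 days, only csr-signer-signer is reported as UNEXPECTED, with 60 days.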
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409