+++ This bug was initially created as a clone of Bug #1820610 +++ Description of problem: KCM recovery side car isn't refreshing csr-signer and csr-signer-signer Version-Release number of selected component (if applicable): 4.4.0-0.nightly-2020-04-01-141451 How reproducible: always Steps to Reproduce: 1. stop cluster for 25h 2. 3. Actual results: auth.openshift.io/certificate-issuer: kubelet-signer auth.openshift.io/certificate-not-after: "2020-04-02T18:34:29Z" auth.openshift.io/certificate-not-before: "2020-04-01T18:48:01Z" Expected results: auth.openshift.io/certificate-issuer: openshift-kube-controller-manager-operator_csr-signer-signer@1585915545 Additional info:
QA note: this is purely related to auto recovery flow, not the manual steps
Checked with payload 4.4.0-0.nightly-2020-04-13-113747 , the issue has fixed: [root@dhcp-140-138 ~]# oc get secrets csr-signer -o json -n openshift-kube-controller-manager-operator { "apiVersion": "v1", "data": { ... "kind": "Secret", "metadata": { "annotations": { "auth.openshift.io/certificate-issuer": "openshift-kube-controller-manager-operator_csr-signer-signer@1586956289", "auth.openshift.io/certificate-not-after": "2020-05-15T13:11:29Z", "auth.openshift.io/certificate-not-before": "2020-04-15T13:11:28Z"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581