Bug 1837594 - cluster-etcd-operator: TLS certs should be signed for 3 years not 10
Summary: cluster-etcd-operator: TLS certs should be signed for 3 years not 10
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Etcd
Version: 4.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.5.0
Assignee: Sam Batschelet
QA Contact: ge liu
URL:
Whiteboard:
Depends On:
Blocks: 1837630
TreeView+ depends on / blocked
 
Reported: 2020-05-19 17:28 UTC by Sam Batschelet
Modified: 2020-07-13 17:40 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The TLS certs are by mistake signed for 10 years Consequence: The TLS certs are valid for 10 years although docs say they should be valid only for 3 years. Fix: Fix the value to sign them only for 3 years. Result: The TLS certs are signed such that they expire after 3 years.
Clone Of:
: 1837630 (view as bug list)
Environment:
Last Closed: 2020-07-13 17:40:02 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-etcd-operator pull 356 0 None closed Bug 1837594: pkg/operator/etcdcertsigner: sign etcd certs for 3 years 2020-07-13 20:23:55 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:40:22 UTC

Description Sam Batschelet 2020-05-19 17:28:27 UTC
Description of problem: etcdcertsignercontroller defines signing period of 10 years[1]. But this is a regression as we defined these certs for 3 years in the past[2].

[1] https://github.com/openshift/cluster-etcd-operator/blob/master/pkg/operator/etcdcertsigner/etcdcertsignercontroller.go#L36

[2]https://github.com/openshift/installer/blob/release-4.3/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template#L295

Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce:
1.
2.
3.

Actual results: certs are signed for 10 years.


Expected results: certs are signed for the documented duration of 3 years.


Additional info:

Comment 4 errata-xmlrpc 2020-07-13 17:40:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409


Note You need to log in before you can comment on or make changes to this bug.