This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.
Tested in a fresh env:

    $ oc get clusterversion
    version 4.7.0-0.nightly-2021-02-09-192846 True False 87m Cluster version is 4.7.0-0.nightly-2021-02-09-192846

    $ cat scripts/check_secret_expiry_within.sh
    #!/bin/bash
    # usage: ./check_secret_expiry_within.sh 1day # or 15min, 2days, 2day, 2month, 1year
    WITHIN=${1:-24hours}
    echo "Checking validity within $WITHIN ..."
    oc get secret --insecure-skip-tls-verify -A -o json | jq -r '.items[] | select(.metadata.annotations."auth.openshift.io/certificate-not-after" | . != null and fromdateiso8601<='$( date --date="+$WITHIN" +%s )') | "\(.metadata.annotations."auth.openshift.io/certificate-not-before") \(.metadata.annotations."auth.openshift.io/certificate-not-after") \(.metadata.namespace)\t\(.metadata.name)"'

    $ scripts/check_secret_expiry_within.sh
    Checking validity within 24hours ...
    2021-02-10T05:40:16Z 2021-02-11T05:40:16Z openshift-kube-apiserver-operator aggregator-client-signer
    2021-02-10T05:52:50Z 2021-02-11T05:40:16Z openshift-kube-apiserver aggregator-client
    2021-02-10T05:52:40Z 2021-02-11T05:40:18Z openshift-kube-controller-manager-operator csr-signer
    2021-02-10T05:40:18Z 2021-02-11T05:40:18Z openshift-kube-controller-manager-operator csr-signer-signer

    $ scripts/check_secret_expiry_within.sh 30day
    Checking validity within 30day ...
    2021-02-10T05:52:47Z 2021-03-12T05:52:48Z openshift-config-managed kube-controller-manager-client-cert-key
    2021-02-10T05:52:47Z 2021-03-12T05:52:48Z openshift-config-managed kube-scheduler-client-cert-key
    2021-02-10T05:40:16Z 2021-02-11T05:40:16Z openshift-kube-apiserver-operator aggregator-client-signer
    2021-02-10T05:52:50Z 2021-02-11T05:40:16Z openshift-kube-apiserver aggregator-client
    2021-02-10T05:52:50Z 2021-03-12T05:52:51Z openshift-kube-apiserver check-endpoints-client-cert-key
    2021-02-10T05:52:49Z 2021-03-12T05:52:50Z openshift-kube-apiserver control-plane-node-admin-client-cert-key
    2021-02-10T05:52:49Z 2021-03-12T05:52:50Z openshift-kube-apiserver external-loadbalancer-serving-certkey
    2021-02-10T05:52:50Z 2021-03-12T05:52:51Z openshift-kube-apiserver internal-loadbalancer-serving-certkey
    2021-02-10T05:52:50Z 2021-03-12T05:52:51Z openshift-kube-apiserver kubelet-client
    2021-02-10T05:52:50Z 2021-03-12T05:52:51Z openshift-kube-apiserver localhost-serving-cert-certkey
    2021-02-10T05:52:49Z 2021-03-12T05:52:50Z openshift-kube-apiserver service-network-serving-certkey
    2021-02-10T05:52:40Z 2021-02-11T05:40:18Z openshift-kube-controller-manager-operator csr-signer
    2021-02-10T05:40:18Z 2021-02-11T05:40:18Z openshift-kube-controller-manager-operator csr-signer-signer
    2021-02-10T05:52:47Z 2021-03-12T05:52:48Z openshift-kube-controller-manager kube-controller-manager-client-cert-key
    2021-02-10T05:52:47Z 2021-03-12T05:52:48Z openshift-kube-scheduler kube-scheduler-client-cert-key

The certs' rotation time (i.e. expiry) is not the intentionally-shortened 12h; rather, it is reverted to the normal time (24h or 30d) now before release.
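Added example, not part of the original comment or of any OpenShift tooling: where the script above filters secrets by expiry date, this Python function computes each certificate's validity window from the same two annotations and flags any at or below the shortened 12h value the comment refers to. The sample input is constructed from three rows of the output above plus one hypothetical 12h secret (`example-ns/example-shortened-signer`) and one secret without annotations; the 12h threshold is an assumption taken from the comment.

```python
from datetime import datetime, timedelta, timezone

NOT_BEFORE = "auth.openshift.io/certificate-not-before"
NOT_AFTER = "auth.openshift.io/certificate-not-after"

def parse_ts(value):
    """Parse the annotation timestamp format shown above, e.g. 2021-02-10T05:40:16Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validity_report(secret_list, shortened=timedelta(hours=12)):
    """Return (namespace, name, validity, is_shortened) rows, shortest validity first.

    Takes the parsed JSON of `oc get secret -A -o json`. Secrets lacking either
    annotation are skipped, like the `!= null` guard in the jq filter.
    `shortened` is an assumed threshold (the 12h mentioned in the comment).
    """
    rows = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}
        if NOT_BEFORE not in ann or NOT_AFTER not in ann:
            continue
        validity = parse_ts(ann[NOT_AFTER]) - parse_ts(ann[NOT_BEFORE])
        rows.append((meta["namespace"], meta["name"], validity, validity <= shortened))
    return sorted(rows, key=lambda r: r[2])

def _secret(ns, name, not_before=None, not_after=None):
    """Build a minimal Secret object for the constructed sample below."""
    ann = {NOT_BEFORE: not_before, NOT_AFTER: not_after} if not_before else None
    return {"metadata": {"namespace": ns, "name": name, "annotations": ann}}

# Constructed sample. The first three entries reuse dates from the output above;
# the last two are hypothetical (a 12h certificate and an unannotated secret).
SAMPLE = {"items": [
    _secret("openshift-kube-apiserver-operator", "aggregator-client-signer",
            "2021-02-10T05:40:16Z", "2021-02-11T05:40:16Z"),
    _secret("openshift-kube-apiserver", "aggregator-client",
            "2021-02-10T05:52:50Z", "2021-02-11T05:40:16Z"),
    _secret("openshift-config-managed", "kube-controller-manager-client-cert-key",
            "2021-02-10T05:52:47Z", "2021-03-12T05:52:48Z"),
    _secret("example-ns", "example-shortened-signer",
            "2021-02-10T05:40:16Z", "2021-02-10T17:40:16Z"),
    _secret("example-ns", "example-opaque-secret"),
]}

if __name__ == "__main__":
    for ns, name, validity, short in validity_report(SAMPLE):
        print(f"{'SHORT' if short else 'ok':5} {str(validity):>18} {ns}/{name}")
```

Note that `aggregator-client` comes out slightly under 24h because its not-after matches that of `aggregator-client-signer`, so a check that compares against exactly 24h would misreport it.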
@Xingxing Is it also part of the rc.0 bits which are available on http://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.7.0-rc.0/ ?
@Praveen Kumar, this is a server-side change, not a "clients" one. It has landed only since https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/releasestream/4.7.0-0.nightly/release/4.7.0-0.nightly-2021-02-09-003138 , while https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/releasestream/4-stable/release/4.7.0-rc.0 "was created from registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-02-06-084550". So 4.7.0-rc.0 does not include it.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633