This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.

Tested in fresh env:
$ oc get clusterversion
version   4.7.0-0.nightly-2021-02-09-192846   True        False         87m     Cluster version is 4.7.0-0.nightly-2021-02-09-192846


$ cat scripts/check_secret_expiry_within.sh
#!/bin/bash
# usage: ./check_secret_expiry_within.sh 1day # or 15min, 2days, 2day, 2month, 1year
WITHIN=${1:-24hours}
echo "Checking validity within $WITHIN ..."
oc get secret --insecure-skip-tls-verify -A -o json | jq -r '.items[] | select(.metadata.annotations."auth.openshift.io/certificate-not-after" | . != null and fromdateiso8601<='$( date --date="+$WITHIN" +%s )') | "\(.metadata.annotations."auth.openshift.io/certificate-not-before")  \(.metadata.annotations."auth.openshift.io/certificate-not-after")  \(.metadata.namespace)\t\(.metadata.name)"'

$ scripts/check_secret_expiry_within.sh 
Checking validity within 24hours ...
2021-02-10T05:40:16Z  2021-02-11T05:40:16Z  openshift-kube-apiserver-operator   aggregator-client-signer
2021-02-10T05:52:50Z  2021-02-11T05:40:16Z  openshift-kube-apiserver    aggregator-client
2021-02-10T05:52:40Z  2021-02-11T05:40:18Z  openshift-kube-controller-manager-operator  csr-signer
2021-02-10T05:40:18Z  2021-02-11T05:40:18Z  openshift-kube-controller-manager-operator  csr-signer-signer

$ scripts/check_secret_expiry_within.sh 30day
Checking validity within 30day ...
2021-02-10T05:52:47Z  2021-03-12T05:52:48Z  openshift-config-managed    kube-controller-manager-client-cert-key
2021-02-10T05:52:47Z  2021-03-12T05:52:48Z  openshift-config-managed    kube-scheduler-client-cert-key
2021-02-10T05:40:16Z  2021-02-11T05:40:16Z  openshift-kube-apiserver-operator   aggregator-client-signer
2021-02-10T05:52:50Z  2021-02-11T05:40:16Z  openshift-kube-apiserver    aggregator-client
2021-02-10T05:52:50Z  2021-03-12T05:52:51Z  openshift-kube-apiserver    check-endpoints-client-cert-key
2021-02-10T05:52:49Z  2021-03-12T05:52:50Z  openshift-kube-apiserver    control-plane-node-admin-client-cert-key
2021-02-10T05:52:49Z  2021-03-12T05:52:50Z  openshift-kube-apiserver    external-loadbalancer-serving-certkey
2021-02-10T05:52:50Z  2021-03-12T05:52:51Z  openshift-kube-apiserver    internal-loadbalancer-serving-certkey
2021-02-10T05:52:50Z  2021-03-12T05:52:51Z  openshift-kube-apiserver    kubelet-client
2021-02-10T05:52:50Z  2021-03-12T05:52:51Z  openshift-kube-apiserver    localhost-serving-cert-certkey
2021-02-10T05:52:49Z  2021-03-12T05:52:50Z  openshift-kube-apiserver    service-network-serving-certkey
2021-02-10T05:52:40Z  2021-02-11T05:40:18Z  openshift-kube-controller-manager-operator  csr-signer
2021-02-10T05:40:18Z  2021-02-11T05:40:18Z  openshift-kube-controller-manager-operator  csr-signer-signer
2021-02-10T05:52:47Z  2021-03-12T05:52:48Z  openshift-kube-controller-manager   kube-controller-manager-client-cert-key
2021-02-10T05:52:47Z  2021-03-12T05:52:48Z  openshift-kube-scheduler    kube-scheduler-client-cert-key

The certs' rotation time (i.e. expiry) is not the intentionally-shortened 12h, rather, is reverted to normal time (24h or 30d) now before release

@Xingxing Is it also part of rc.0 bits which is available on http://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.7.0-rc.0/ ?

@Praveen Kumar, this is server side change, instead of "clients". It landed only since https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/releasestream/4.7.0-0.nightly/release/4.7.0-0.nightly-2021-02-09-003138 , while https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/releasestream/4-stable/release/4.7.0-rc.0 "was created from registry.ci.openshift.org/ocp/release:4.7.0-0.nightly-2021-02-06-084550". So 4.7.0-rc.0 does not include it.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633