Bug 1921139 - revert "force cert rotation every couple days for development" in 4.8
Summary: revert "force cert rotation every couple days for development" in 4.8
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.8
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.9.0
Assignee: Stefan Schimanski
QA Contact: Ke Wang
URL:
Whiteboard: LifecycleFrozen
: 1925446 (view as bug list)
Depends On: 1883790 1926123
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-01-27 15:19 UTC by Stefan Schimanski
Modified: 2021-10-18 17:29 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1883790
: 1969404 (view as bug list)
Environment:
Last Closed: 2021-10-18 17:29:03 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 1143 0 None closed Bug 1921139: remove override for fast cert rotation for release 2021-07-06 02:59:08 UTC
Github openshift cluster-kube-apiserver-operator pull 1147 0 None closed Bug 1921139: Revert "remove override for fast cert rotation for release" 2021-07-06 02:59:05 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:29:49 UTC

Comment 1 Stefan Schimanski 2021-03-16 16:28:08 UTC
*** Bug 1925446 has been marked as a duplicate of this bug. ***

Comment 3 Michal Fojtik 2021-06-11 10:25:46 UTC
The cert rotation should now be on default 30d cadence, moving this to MODIFIED for the QE to verify. The other PR referenced here will merge after we branch 4.9 out.

Comment 6 Ke Wang 2021-07-08 10:27:57 UTC
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-07-06-205913   True        False         24h     Cluster version is 4.9.0-0.nightly-2021-07-06-205913

$ cat check_secret_expiry_within.sh 
#!/usr/bin/env bash
# usage: ./check_secret_expiry_within.sh 1day # or 15min, 2days, 2day, 2month, 1year
WITHIN=${1:-24hours}
echo "Checking validity within $WITHIN ..."
oc get secret --insecure-skip-tls-verify -A -o json | jq -r '.items[] | select(.metadata.annotations."auth.openshift.io/certificate-not-after" | . != null and fromdateiso8601<='$( date --date="+$WITHIN" +%s )') | "\(.metadata.annotations."auth.openshift.io/certificate-not-before")  \(.metadata.annotations."auth.openshift.io/certificate-not-after")  \(.metadata.namespace)\t\(.metadata.name)"'

$ ./check_secret_expiry_within.sh 1day
Checking validity within 1day ...
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-config-managed	kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-config-managed	kube-scheduler-client-cert-key
2021-07-08T03:29:26Z  2021-07-08T15:29:27Z  openshift-kube-apiserver-operator	aggregator-client-signer
2021-07-08T04:05:26Z  2021-07-08T15:29:27Z  openshift-kube-apiserver	aggregator-client
2021-07-08T03:41:56Z  2021-07-08T15:41:57Z  openshift-kube-apiserver	check-endpoints-client-cert-key
2021-07-08T03:41:54Z  2021-07-08T15:41:55Z  openshift-kube-apiserver	control-plane-node-admin-client-cert-key
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	external-loadbalancer-serving-certkey
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	internal-loadbalancer-serving-certkey
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	kubelet-client
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	localhost-serving-cert-certkey
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	service-network-serving-certkey
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-kube-controller-manager	kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-kube-scheduler	kube-scheduler-client-cert-key

Some certs are as expected expiry time after12 hours,  Move the bug verified.

Comment 9 errata-xmlrpc 2021-10-18 17:29:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759


Note You need to log in before you can comment on or make changes to this bug.