*** Bug 1925446 has been marked as a duplicate of this bug. ***

4.8 PR - https://github.com/openshift/cluster-kube-apiserver-operator/pull/1143

The cert rotation should now be on default 30d cadence, moving this to MODIFIED for the QE to verify. The other PR referenced here will merge after we branch 4.9 out.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-07-06-205913   True        False         24h     Cluster version is 4.9.0-0.nightly-2021-07-06-205913

$ cat check_secret_expiry_within.sh 
#!/usr/bin/env bash
# usage: ./check_secret_expiry_within.sh 1day # or 15min, 2days, 2day, 2month, 1year
WITHIN=${1:-24hours}
echo "Checking validity within $WITHIN ..."
oc get secret --insecure-skip-tls-verify -A -o json | jq -r '.items[] | select(.metadata.annotations."auth.openshift.io/certificate-not-after" | . != null and fromdateiso8601<='$( date --date="+$WITHIN" +%s )') | "\(.metadata.annotations."auth.openshift.io/certificate-not-before")  \(.metadata.annotations."auth.openshift.io/certificate-not-after")  \(.metadata.namespace)\t\(.metadata.name)"'

$ ./check_secret_expiry_within.sh 1day
Checking validity within 1day ...
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-config-managed	kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-config-managed	kube-scheduler-client-cert-key
2021-07-08T03:29:26Z  2021-07-08T15:29:27Z  openshift-kube-apiserver-operator	aggregator-client-signer
2021-07-08T04:05:26Z  2021-07-08T15:29:27Z  openshift-kube-apiserver	aggregator-client
2021-07-08T03:41:56Z  2021-07-08T15:41:57Z  openshift-kube-apiserver	check-endpoints-client-cert-key
2021-07-08T03:41:54Z  2021-07-08T15:41:55Z  openshift-kube-apiserver	control-plane-node-admin-client-cert-key
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	external-loadbalancer-serving-certkey
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	internal-loadbalancer-serving-certkey
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	kubelet-client
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	localhost-serving-cert-certkey
2021-07-08T03:41:51Z  2021-07-08T15:41:52Z  openshift-kube-apiserver	service-network-serving-certkey
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-kube-controller-manager	kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z  2021-07-08T15:42:02Z  openshift-kube-scheduler	kube-scheduler-client-cert-key

Some certs are as expected expiry time after12 hours,  Move the bug verified.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759