Bug 1921139
| Field | Value |
|---|---|
| Summary | revert "force cert rotation every couple days for development" in 4.8 |
| Product | OpenShift Container Platform |
| Reporter | Stefan Schimanski <sttts> |
| Component | kube-apiserver |
| Assignee | Stefan Schimanski <sttts> |
| Status | CLOSED ERRATA |
| QA Contact | Ke Wang <kewang> |
| Severity | high |
| Docs Contact | |
| Priority | medium |
| Version | 4.8 |
| CC | aos-bugs, cfergeau, kewang, lszaszki, mfojtik, nstielau, prkumar, slaznick, wlewis, xxia |
| Target Milestone | --- |
| Keywords | Reopened |
| Target Release | 4.9.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | LifecycleFrozen |
| Fixed In Version | |
| Doc Type | No Doc Update |
| Doc Text | |
| Story Points | --- |
| Clone Of | 1883790 |
| Clones | 1969404 (view as bug list) |
| Environment | |
| Last Closed | 2021-10-18 17:29:03 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1883790, 1926123 |
| Bug Blocks | |
Comment 1
Stefan Schimanski
2021-03-16 16:28:08 UTC
The cert rotation should now be on default 30d cadence, moving this to MODIFIED for the QE to verify. The other PR referenced here will merge after we branch 4.9 out.

```console
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-07-06-205913   True        False         24h     Cluster version is 4.9.0-0.nightly-2021-07-06-205913
```

```console
$ cat check_secret_expiry_within.sh
```

```bash
#!/usr/bin/env bash
# usage: ./check_secret_expiry_within.sh 1day   # or 15min, 2days, 2day, 2month, 1year
# Lists secrets in all namespaces whose auth.openshift.io/certificate-not-after
# annotation falls before now + WITHIN. Output columns: not-before not-after namespace name
WITHIN=${1:-24hours}
echo "Checking validity within $WITHIN ..."
# GNU date turns the window into an epoch cutoff; jq compares the RFC 3339 annotation
# against it and skips secrets that carry no not-after annotation at all.
oc get secret --insecure-skip-tls-verify -A -o json | jq -r '.items[] | select(.metadata.annotations."auth.openshift.io/certificate-not-after" | . != null and fromdateiso8601<='$( date --date="+$WITHIN" +%s )') | "\(.metadata.annotations."auth.openshift.io/certificate-not-before") \(.metadata.annotations."auth.openshift.io/certificate-not-after") \(.metadata.namespace)\t\(.metadata.name)"'
```

```console
$ ./check_secret_expiry_within.sh 1day
Checking validity within 1day ...
2021-07-08T03:42:01Z 2021-07-08T15:42:02Z openshift-config-managed kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z 2021-07-08T15:42:02Z openshift-config-managed kube-scheduler-client-cert-key
2021-07-08T03:29:26Z 2021-07-08T15:29:27Z openshift-kube-apiserver-operator aggregator-client-signer
2021-07-08T04:05:26Z 2021-07-08T15:29:27Z openshift-kube-apiserver aggregator-client
2021-07-08T03:41:56Z 2021-07-08T15:41:57Z openshift-kube-apiserver check-endpoints-client-cert-key
2021-07-08T03:41:54Z 2021-07-08T15:41:55Z openshift-kube-apiserver control-plane-node-admin-client-cert-key
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver external-loadbalancer-serving-certkey
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver internal-loadbalancer-serving-certkey
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver kubelet-client
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver localhost-serving-cert-certkey
2021-07-08T03:41:51Z 2021-07-08T15:41:52Z openshift-kube-apiserver service-network-serving-certkey
2021-07-08T03:42:01Z 2021-07-08T15:42:02Z openshift-kube-controller-manager kube-controller-manager-client-cert-key
2021-07-08T03:42:01Z 2021-07-08T15:42:02Z openshift-kube-scheduler kube-scheduler-client-cert-key
```
Some certs have the expected expiry time after 12 hours. Moving the bug to VERIFIED.
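The selection the verification script performs with `oc` and `jq` (keep every secret whose `auth.openshift.io/certificate-not-after` annotation is present and falls before now plus a window), rewritten in Python as an added example so it can be run offline against a saved `oc get secret -A -o json` dump and also report each cert's issued lifetime for comparison with the expected rotation cadence. This is not code from the bug or from OpenShift; the secret list below is constructed, the clock is pinned to a fixed time so the result is reproducible, and `parse_window` only approximates GNU `date`'s calendar arithmetic (month = 30 days, year = 365 days).

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Annotation keys the operator stamps on the secrets it rotates (as used by the jq filter above)
NOT_BEFORE = "auth.openshift.io/certificate-not-before"
NOT_AFTER = "auth.openshift.io/certificate-not-after"

# Constructed sample shaped like `oc get secret -A -o json`: names and times are made up.
# Covers a short-lived cert, a 30-day cert, a secret with no annotations, and one
# that carries only a not-before annotation.
SAMPLE_SECRET_LIST = {
    "items": [
        {"metadata": {"namespace": "openshift-kube-apiserver", "name": "aggregator-client",
                      "annotations": {NOT_BEFORE: "2021-07-08T04:05:26Z",
                                      NOT_AFTER: "2021-07-08T15:29:27Z"}}},
        {"metadata": {"namespace": "openshift-kube-apiserver", "name": "kubelet-client",
                      "annotations": {NOT_BEFORE: "2021-06-20T00:00:00Z",
                                      NOT_AFTER: "2021-07-20T00:00:00Z"}}},
        {"metadata": {"namespace": "openshift-config", "name": "pull-secret"}},
        {"metadata": {"namespace": "openshift-kube-apiserver", "name": "half-annotated",
                      "annotations": {NOT_BEFORE: "2021-07-01T00:00:00Z"}}},
    ]
}

# Fixed "now" (constructed) so the sample gives the same answer on every run
NOW = datetime(2021, 7, 8, 10, 0, 0, tzinfo=timezone.utc)

_UNIT_SECONDS = {"min": 60, "hour": 3600, "day": 86400,
                 "month": 30 * 86400, "year": 365 * 86400}


def parse_window(spec):
    """Turn the script's window syntax ('1day', '15min', '2days', '2month', '1year')
    into a timedelta. Month and year are approximations, unlike GNU date."""
    m = re.fullmatch(r"(\d+)\s*(min|hour|day|month|year)s?", spec.strip())
    if not m:
        raise ValueError(f"unrecognised window: {spec!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])


def _parse_rfc3339(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form the annotations use (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validity_period(annotations):
    """Lifetime the cert was issued with: not-after minus not-before.
    Returns None when either annotation is missing."""
    if NOT_BEFORE not in annotations or NOT_AFTER not in annotations:
        return None
    return _parse_rfc3339(annotations[NOT_AFTER]) - _parse_rfc3339(annotations[NOT_BEFORE])


def secrets_expiring_within(secret_list, within, now):
    """Same selection as the jq filter: keep secrets whose not-after annotation exists
    and is no later than now + within. Rows follow the script's column order and add
    the issued lifetime so a too-short cadence stands out."""
    cutoff = now + within
    rows = []
    for item in secret_list["items"]:
        meta = item["metadata"]
        ann = meta.get("annotations") or {}   # missing annotations -> treated as null, like jq
        not_after = ann.get(NOT_AFTER)
        if not_after is None:                 # jq: `. != null` guard
            continue
        if _parse_rfc3339(not_after) <= cutoff:   # jq: fromdateiso8601 <= cutoff epoch
            rows.append({"not_before": ann.get(NOT_BEFORE), "not_after": not_after,
                         "namespace": meta["namespace"], "name": meta["name"],
                         "validity": validity_period(ann)})
    return rows


def load_secret_list(path):
    """Read a saved `oc get secret -A -o json` dump to use instead of the sample."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for row in secrets_expiring_within(SAMPLE_SECRET_LIST, parse_window("1day"), NOW):
        print(row["not_before"], row["not_after"], row["namespace"], row["name"],
              "lifetime:", row["validity"])
```

With the constructed sample and a one-day window only `aggregator-client` is listed, and its lifetime column shows it was issued for just over eleven hours, whereas the 30-day `kubelet-client` only appears once the window is widened to a month; secrets without the annotations are skipped exactly as the jq `. != null` guard skips them.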
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759