Description of problem:

We stole the idea of Duration and RenewBefore from cert-manager. See here for interpretation:
https://github.com/kubevirt/containerized-data-importer/blob/main/pkg/apis/core/v1beta1/types.go#L388-L393

We were not handling RenewBefore correctly. It is supposed to be time before a cert's "not after." But we were treating it as time from "not before". Conversion is easy and will be done automatically on all certs after upgrade.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Set explicit params for certs like this:

k edit cdi cdi

and add:

spec:
  certConfig:
    ca:
      duration: 10h
      renewBefore: 2h
    server:
      duration: 5h
      renewBefore: 1h

2.

Actual results:

Check following secrets/annotations:

cdi-apiserver-signer -> "operator.cdi.kubevirt.io/certConfig: '{"lifetime":"10h0m0s","refresh":"2h0m0s"}'"
cdi-uploadproxy-signer -> "operator.cdi.kubevirt.io/certConfig: '{"lifetime":"10h0m0s","refresh":"2h0m0s"}'"
cdi-apiserver-server-cert -> "operator.cdi.kubevirt.io/certConfig: '{"lifetime":"10h0m0s","refresh":"1h0m0s"}'"
cdi-uploadproxy-server-cert -> "operator.cdi.kubevirt.io/certConfig: '{"lifetime":"5h0m0s","refresh":"1h0m0s"}'"

Expected results:

Check following secrets/annotations:

cdi-apiserver-signer -> "operator.cdi.kubevirt.io/certConfig: '{"lifetime":"10h0m0s","refresh":"8h0m0s"}'"
cdi-uploadproxy-signer -> "operator.cdi.kubevirt.io/certConfig: '{"lifetime":"10h0m0s","refresh":"8h0m0s"}'"
cdi-apiserver-server-cert -> "operator.cdi.kubevirt.io/certConfig: '{"lifetime":"10h0m0s","refresh":"4h0m0s"}'"
cdi-uploadproxy-server-cert -> "operator.cdi.kubevirt.io/certConfig: '{"lifetime":"5h0m0s","refresh":"4h0m0s"}'"

Additional info:

Notice the different refresh values
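The conversion described in the report above, as an added example that is not part of the original report and is not CDI's own code: renewBefore (time before "not after") is turned into a refresh offset from "not before" and rendered in the annotation shape shown on this page. The type and function names are hypothetical, and rejecting a renewBefore that is not shorter than the duration is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// certConfigAnnotation mirrors the JSON shape of the
// operator.cdi.kubevirt.io/certConfig annotation quoted in the report.
// The Go type is hypothetical, not taken from the CDI source.
type certConfigAnnotation struct {
	Lifetime string `json:"lifetime"`
	Refresh  string `json:"refresh"`
}

// refreshAfter converts a cert-manager style renewBefore (time before
// "not after") into a refresh offset measured from "not before".
func refreshAfter(duration, renewBefore time.Duration) (time.Duration, error) {
	if duration <= 0 || renewBefore <= 0 {
		return 0, fmt.Errorf("duration and renewBefore must be positive")
	}
	if renewBefore >= duration {
		return 0, fmt.Errorf("renewBefore %v must be shorter than duration %v", renewBefore, duration)
	}
	return duration - renewBefore, nil
}

// annotation renders the annotation value for one certificate config.
func annotation(duration, renewBefore time.Duration) (string, error) {
	refresh, err := refreshAfter(duration, renewBefore)
	if err != nil {
		return "", err
	}
	b, err := json.Marshal(certConfigAnnotation{Lifetime: duration.String(), Refresh: refresh.String()})
	return string(b), err
}

func main() {
	// duration/renewBefore pairs from the report's steps to reproduce.
	for _, c := range []struct{ name string; d, rb time.Duration }{
		{"ca", 10 * time.Hour, 2 * time.Hour},
		{"server", 5 * time.Hour, 1 * time.Hour},
	} {
		s, err := annotation(c.d, c.rb)
		fmt.Println(c.name, s, err)
	}
}
```
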
Tested on OCP4.8 with virt-cdi-operator-container-v4.8.0-19, issue has been fixed.

After setting params for certs in hco:

cdi-apiserver-signer -> operator.cdi.kubevirt.io/certConfig: '{"lifetime":"10h0m0s","refresh":"8h0m0s"}'
cdi-uploadproxy-signer -> operator.cdi.kubevirt.io/certConfig: '{"lifetime":"10h0m0s","refresh":"8h0m0s"}'
cdi-apiserver-server-cert -> operator.cdi.kubevirt.io/certConfig: '{"lifetime":"5h0m0s","refresh":"4h0m0s"}'
cdi-uploadproxy-server-cert -> operator.cdi.kubevirt.io/certConfig: '{"lifetime":"5h0m0s","refresh":"4h0m0s"}'
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.8.0 Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2920