Bug 2017415 - [certificate renewal] ssp-operator-service-cert secret certificate is not updated according to HCO CR certconfig
Summary: [certificate renewal] ssp-operator-service-cert secret certificate is not upd...
Keywords:
Status: NEW
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: SSP
Version: 4.9.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: ---
Target Release: future
Assignee: João Vilaça
QA Contact: Geetika Kapoor
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-26 13:32 UTC by ibesso
Modified: 2023-08-09 13:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2017442 1 medium NEW [certificate renewal] virt-template-validator-certs secret certificate is not updated according to HCO CR certconfig 2023-08-09 13:58:59 UTC
Red Hat Issue Tracker CNV-15131 0 None None None 2022-06-02 07:02:13 UTC

Description ibesso 2021-10-26 13:32:45 UTC
Description of problem:
----------------------
The certificate validity range does not conform to the values modified in the HCO CR (which are also propagated to CNAO CR).


Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.9.0-249


How reproducible:
----------------
100%


Steps to Reproduce:
------------------
1. Modify the HCO CR spec.certconfig to:
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}

2. Run the command:
$ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout


Actual results:
--------------
1. The notAfter is 2 years ahead of notBefore.
2. The notBefore is 1 day earlier than the current date.


Expected results:
----------------
1. The difference should have been 11 minutes.
2. notBefore should be today.


Additional info:
---------------
$ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certConfig'
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}

$ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certificateRotateStrategy.selfSigned'
{
  "ca": {
    "duration": "11m0s",
    "renewBefore": "10m0s"
  },
  "server": {
    "duration": "11m0s",
    "renewBefore": "10m0s"
  }
}

$ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout
notBefore=Oct 25 10:10:02 2021 GMT
notAfter=Oct 24 10:10:02 2023 GMT
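The comparison made by hand in this report, automated as an added example (not code from the report or from the SSP/HCO operators): it parses the Go-style durations from spec.certConfig.server and the notBefore/notAfter lines from openssl, then flags a serving cert whose validity, age or overdue renewal does not match the configured values. The duration grammar, the one-minute tolerance and the sample input (taken from the values quoted above) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Go-style durations as written in the HCO and KubeVirt CRs ("11m", "11m0s", "48h").
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}

def parse_go_duration(text: str) -> timedelta:
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))

def parse_openssl_dates(output: str) -> tuple:
    """Read the notBefore/notAfter lines printed by `openssl x509 -dates -noout`."""
    dates = {}
    for line in output.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # collapse openssl's space padding ("Oct  4") before parsing
            dates[key] = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
    return dates["notBefore"], dates["notAfter"]

def check_cert_against_config(openssl_output: str, cert_config: dict, now: datetime,
                              tolerance: timedelta = timedelta(minutes=1)) -> list:
    """Return findings; an empty list means the serving cert follows spec.certConfig.server."""
    not_before, not_after = parse_openssl_dates(openssl_output)
    duration = parse_go_duration(cert_config["server"]["duration"])
    renew_before = parse_go_duration(cert_config["server"]["renewBefore"])
    findings = []
    validity = not_after - not_before
    if abs(validity - duration) > tolerance:
        findings.append(f"validity is {validity}, configured duration is {duration}")
    if now - not_before > duration + tolerance:
        findings.append(f"issued {now - not_before} ago, older than the configured duration")
    if now > not_after - renew_before + tolerance:
        findings.append("renewal window has passed but the secret was not rotated")
    return findings

# Constructed sample input: the certConfig, openssl output and report time quoted above.
HCO_CERT_CONFIG = {"ca": {"duration": "11m", "renewBefore": "10m"},
                   "server": {"duration": "11m", "renewBefore": "10m"}}
REPORTED_OUTPUT = "notBefore=Oct 25 10:10:02 2021 GMT\nnotAfter=Oct 24 10:10:02 2023 GMT\n"
REPORT_TIME = datetime(2021, 10, 26, 13, 32, 45)

if __name__ == "__main__":
    for finding in check_cert_against_config(REPORTED_OUTPUT, HCO_CERT_CONFIG, REPORT_TIME):
        print("FAIL:", finding)
```

Feeding it the report's values yields two findings (a two-year validity and a day-old notBefore against an 11-minute duration); a cert that actually follows the config yields none.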

