This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2017415 - [certificate renewal] ssp-operator-service-cert secret certificate is not updated according to HCO CR certconfig
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: SSP
Version: 4.9.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: future
Assignee: João Vilaça
QA Contact: Geetika Kapoor
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-26 13:32 UTC by ibesso
Modified: 2023-12-14 16:05 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-12-14 16:05:56 UTC
Target Upstream Version:
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 2017442 | 1 | medium | CLOSED | [certificate renewal] virt-template-validator-certs secret certificate is not updated according to HCO CR certconfig | 2023-12-14 16:06:07 UTC
Red Hat Issue Tracker CNV-15131 | 0 | None | None | None | 2023-12-14 16:05:55 UTC

Description ibesso 2021-10-26 13:32:45 UTC
Description of problem:
----------------------
The certificate validity range does not conform to the values modified in the HCO CR (which are also propagated to CNAO CR).


Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.9.0-249


How reproducible:
----------------
100%


Steps to Reproduce:
------------------
1. Modify the HCO CR spec.certconfig to:
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}

2. Run the command:
$ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout


Actual results:
--------------
1. The notAfter is 2 years ahead of notBefore.
2. The notBefore is 1 day earlier than the current date.


Expected results:
----------------
1. The difference should have been 11 minutes.
2. notBefore should be today.


Additional info:
---------------
$ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certConfig'
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}

$ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certificateRotateStrategy.selfSigned'
{
  "ca": {
    "duration": "11m0s",
    "renewBefore": "10m0s"
  },
  "server": {
    "duration": "11m0s",
    "renewBefore": "10m0s"
  }
}

$ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout
notBefore=Oct 25 10:10:02 2021 GMT
notAfter=Oct 24 10:10:02 2023 GMT
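
An added example, not part of the original report or of the SSP operator's code: a Python check that takes `openssl x509 -dates -noout` output and a certConfig duration string and reports whether the certificate lifetime matches. The function names and the one-minute tolerance are assumptions of this example; the first sample is the output quoted in the report, the second is constructed.

```python
import re
from datetime import datetime, timedelta

# Output quoted in the report for ssp-operator-service-cert.
REPORTED_OUTPUT = """notBefore=Oct 25 10:10:02 2021 GMT
notAfter=Oct 24 10:10:02 2023 GMT"""

# Constructed sample: what an 11-minute certificate would look like.
CONSTRUCTED_OK = """notBefore=Oct 26 13:30:00 2021 GMT
notAfter=Oct 26 13:41:00 2021 GMT"""

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_go_duration(text):
    """Parse values such as '11m', '11m0s' or '48h0m0s' into a timedelta."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))


def parse_openssl_dates(output):
    """Return (notBefore, notAfter) from `openssl x509 -dates -noout` output."""
    found = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    if len(found) != 2:
        raise ValueError("expected both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]


def check_validity(output, configured, tolerance=timedelta(minutes=1)):
    """Compare the certificate lifetime with the configured duration.

    tolerance is an assumption of this example, not a value from the report.
    """
    not_before, not_after = parse_openssl_dates(output)
    actual = not_after - not_before
    expected = parse_go_duration(configured)
    return {"actual": actual, "expected": expected,
            "conforms": abs(actual - expected) <= tolerance}


if __name__ == "__main__":
    for name, out in (("reported", REPORTED_OUTPUT), ("constructed", CONSTRUCTED_OK)):
        print(name, check_validity(out, "11m"))
```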

