Description of problem:
----------------------
The certificate validity range does not conform to the values modified in the HCO CR (which are also propagated to CNAO CR).

Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.9.0-249

How reproducible:
----------------
100%

Steps to Reproduce:
------------------
1. Modify the HCO CR spec.certconfig to:
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}
2. Run the command:
$ oc get secrets -n openshift-cnv virt-template-validator-certs -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout

Actual results:
--------------
1. The notAfter is 2 days ahead of notBefore.
2. The notBefore is 1 day earlier than the current date.

Expected results:
----------------
1. The difference should have been 11 minutes.
2. notBefore should be today.

Additional info:
---------------
$ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certConfig'
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}

$ oc get networkaddonsconfig cluster -ojson |jq -C '.spec.selfSignConfiguration'
{
  "caOverlapInterval": "10m0s",
  "caRotateInterval": "11m0s",
  "certOverlapInterval": "10m0s",
  "certRotateInterval": "11m0s"
}

$ oc get secrets -n openshift-cnv virt-template-validator-certs -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout
notBefore=Oct 25 10:11:19 2021 GMT
notAfter=Oct 25 10:11:20 2023 GMT
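The comparison made by hand in the report above can be automated. The following is an added example, not part of the original bug report or of any of the projects it mentions: it parses `openssl x509 -dates -noout` output and checks the validity window against a configured duration string. The function names and the one-minute tolerance are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Seconds per unit of a Go-style duration string such as "11m" or "10m0s".
_UNITS = {"h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Convert a Go-style duration ("11m", "1h30m", "10m0s") to a timedelta."""
    parts = re.findall(r"(\d+)([hms])", text)
    # Reject anything that is not made up entirely of <number><unit> pairs.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNITS[u] for n, u in parts))

def parse_dates(openssl_output):
    """Read notBefore/notAfter from `openssl x509 -dates -noout` output."""
    found = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    if len(found) != 2:
        raise ValueError("expected both notBefore and notAfter")
    return found["notBefore"], found["notAfter"]

def check_validity(openssl_output, duration, tolerance=timedelta(minutes=1)):
    """Return (ok, actual); ok is True when the certificate's validity window
    matches the configured duration within the (assumed) tolerance."""
    not_before, not_after = parse_dates(openssl_output)
    actual = not_after - not_before
    return abs(actual - parse_duration(duration)) <= tolerance, actual

# Output quoted in the bug description above.
REPORTED = """notBefore=Oct 25 10:11:19 2021 GMT
notAfter=Oct 25 10:11:20 2023 GMT"""

if __name__ == "__main__":
    ok, actual = check_validity(REPORTED, "11m")
    print("OK" if ok else "MISMATCH", "- validity window:", actual)
```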
Lubo, can you take a look?
Dominik, reviewing this BZ, I think the correct component might actually be SSP? What do you think?
Jean-Francois, do you expect that customers would use this feature?
Per the conversation with Dominik, HCO team will address this bug in SSP.