This bug has been migrated to another issue tracking site. It has been closed here and may no longer be monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at the Red Hat Issue Tracker.
Bug 2017442 - [certificate renewal] virt-template-validator-certs secret certificate is not updated according to HCO CR certconfig
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: SSP
Version: 4.9.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: ---
Target Release: future
Assignee: João Vilaça
QA Contact: Geetika Kapoor
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-26 14:09 UTC by ibesso
Modified: 2023-12-14 16:06 UTC
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-12-14 16:06:00 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Issue Tracker CNV-14625 (last updated 2023-12-14 16:05:59 UTC)

Internal Links: 2017415

Description ibesso 2021-10-26 14:09:52 UTC
Description of problem:
----------------------
The certificate validity range does not conform to the values modified in the HCO CR (which are also propagated to CNAO CR).


Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.9.0-249


How reproducible:
----------------
100%


Steps to Reproduce:
------------------
1. Modify the HCO CR spec.certconfig to:
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}

2. run the command:
$ oc get secrets -n openshift-cnv virt-template-validator-certs -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout


Actual results:
--------------
1. The notAfter is 2 days ahead of notBefore.
2. The notBefore is 1 day earlier than the current date.


Expected results:
----------------
1. The difference should have been 11 minutes.
2. notBefore should be today.


Additional info:
---------------
$ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certConfig'
{
  "ca": {
    "duration": "11m",
    "renewBefore": "10m"
  },
  "server": {
    "duration": "11m",
    "renewBefore": "10m"
  }
}
$ oc get networkaddonsconfig cluster -ojson |jq -C '.spec.selfSignConfiguration'
{
  "caOverlapInterval": "10m0s",
  "caRotateInterval": "11m0s",
  "certOverlapInterval": "10m0s",
  "certRotateInterval": "11m0s"
}

$ oc get secrets -n openshift-cnv virt-template-validator-certs -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout
notBefore=Oct 25 10:11:19 2021 GMT
notAfter=Oct 25 10:11:20 2023 GMT

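The reproduction steps above reduce to one check: does the validity window of the certificate stored in the secret match spec.certConfig, and is the certificate no older than one configured duration (if it is, it was never rotated). The script below is an added example written for this page; it is not code from this bug report or from the SSP/HCO project. It reads the output of `openssl x509 -dates -noout` from stdin and the configured duration from its argument, so it can be appended to the `oc ... | openssl` pipeline from step 2. It assumes certConfig durations are Go-style duration strings (the values on this page, `11m` and the CNAO form `11m0s`, have that shape). The embedded sample dates are the ones from this report plus one constructed pair that conforms to an 11-minute duration.

```python
"""Check a TLS secret's certificate dates against the HCO CR certConfig duration.

Assumed usage, mirroring the reproduction steps in this bug (example, not project code):
    oc get secrets -n openshift-cnv virt-template-validator-certs -ojson \
      | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout \
      | python3 check_cert_validity.py 11m
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Go-style duration strings as used in certConfig ("11m", "48h", "1h30m0s").
# "ms" is listed before "m" so that "10ms" is not read as "10m" + junk.
_DUR_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
_UNITS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}

# Date format printed by `openssl x509 -dates -noout`, e.g. "Oct 25 10:11:19 2021 GMT".
_OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

# Sample inputs. BUG_REPORT_DATES and BUG_REPORT_TIME are taken from this report;
# CONFORMING_DATES is constructed to match an 11m duration at BUG_REPORT_TIME.
BUG_REPORT_DATES = "notBefore=Oct 25 10:11:19 2021 GMT\nnotAfter=Oct 25 10:11:20 2023 GMT\n"
BUG_REPORT_TIME = datetime(2021, 10, 26, 14, 9, 52, tzinfo=timezone.utc)
CONFORMING_DATES = "notBefore=Oct 26 14:05:00 2021 GMT\nnotAfter=Oct 26 14:16:00 2021 GMT\n"


def parse_go_duration(text):
    """Parse a Go duration ("11m", "1h30m") into a timedelta; reject anything else."""
    text = text.strip()
    pos, seconds = 0, 0.0
    for m in _DUR_RE.finditer(text):
        if m.start() != pos:  # gap between components, e.g. "11 m"
            raise ValueError(f"bad duration: {text!r}")
        seconds += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):  # nothing parsed, or trailing junk
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=seconds)


def parse_openssl_dates(text):
    """Return (notBefore, notAfter) as aware UTC datetimes from openssl -dates output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), _OPENSSL_FMT).replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def check_cert_validity(dates_text, duration, now, tolerance=timedelta(seconds=5)):
    """Compare a certificate's validity window with the configured duration.

    Returns a list of findings; an empty list means the secret conforms to
    certConfig. `now` is passed in explicitly so the check is deterministic.
    """
    not_before, not_after = parse_openssl_dates(dates_text)
    want = parse_go_duration(duration)
    got = not_after - not_before
    findings = []
    if abs(got - want) > tolerance:
        findings.append(f"validity window is {got}, certConfig duration is {want}")
    if not_before > now + tolerance:
        findings.append(f"notBefore {not_before:%Y-%m-%d %H:%M:%S}Z is in the future")
    # Rotation happens every (duration - renewBefore), so a live certificate can
    # never be older than one full duration; if it is, no rotation took place.
    if now - not_before > want + tolerance:
        findings.append(f"notBefore {not_before:%Y-%m-%d %H:%M:%S}Z is older than one duration; cert was not renewed")
    if not_after < now:
        findings.append("certificate has already expired")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_cert_validity.py <certConfig duration, e.g. 11m>  (openssl -dates on stdin)")
    problems = check_cert_validity(sys.stdin.read(), sys.argv[1], datetime.now(timezone.utc))
    for p in problems:
        print("MISMATCH:", p)
    sys.exit(1 if problems else 0)
```

Run against the dates on this page with `11m`, the script reports both a wrong validity window and a notBefore older than one duration, which is exactly the symptom of the report. It does not read renewBefore: the rotation cadence is duration minus renewBefore, and the script only flags a certificate that has outlived a whole duration, so a certificate that is merely late by less than that passes. A tolerance of a few seconds absorbs the one-second rounding visible in the page's own notAfter value.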
Comment 1 sgott 2021-10-26 16:34:33 UTC
Lubo, can you take a look?

Comment 2 sgott 2021-10-27 14:39:46 UTC
Dominik, reviewing this BZ, I think the correct component might actually be SSP? What do you think?

Comment 3 Dominik Holler 2021-11-24 12:49:18 UTC
Jean-Francois do you expect that customers would use this feature?

Comment 9 Krzysztof Majcher 2022-05-12 09:19:30 UTC
Per the conversation with Dominik, HCO team will address this bug in SSP.

