OpenShift Bugs / OCPBUGS-39575

revert "force cert rotation every couple days for development" in 4.18

    • Bug
    • Resolution: Unresolved
    • Critical
    • None
    • 4.18.0
    • kube-apiserver
    • Critical
    • None
    • Approved
    • False
    • NA

      Description of problem:

      revert "force cert rotation every couple days for development" in 4.16
      
      Below are the steps to verify this bug:
      
      # oc adm release info --commits registry.ci.openshift.org/ocp/release:4.11.0-0.nightly-2022-06-25-081133|grep -i cluster-kube-apiserver-operator
        cluster-kube-apiserver-operator                https://github.com/openshift/cluster-kube-apiserver-operator                7764681777edfa3126981a0a1d390a6060a840a3
      
      # git log --date local --pretty="%h %an %cd - %s" 776468 |grep -i "#1307"
      08973b820 openshift-ci[bot] Thu Jun 23 22:40:08 2022 - Merge pull request #1307 from tkashem/revert-cert-rotation
      
      # oc get clusterversions.config.openshift.io 
      NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
      version   4.11.0-0.nightly-2022-06-25-081133   True        False         64m     Cluster version is 4.11.0-0.nightly-2022-06-25-081133
      
      $ cat scripts/check_secret_expiry.sh
      #!/usr/bin/env bash
      # usage: ./check_secret_expiry.sh certs.txt
      # each line of the input file is "<namespace> <secret-name>"; lines starting with # are skipped
      FILE="$1"
      if [ ! -f "$FILE" ]; then
        echo "must provide \$1" && exit 1
      fi
      export IFS=$'\n'
      for i in $(cat "$FILE")
      do
        # skip comment lines
        if echo "$i" | grep -q "^#"; then
          continue
        fi
        NS=$(echo "$i" | cut -d ' ' -f 1)
        SECRET=$(echo "$i" | cut -d ' ' -f 2)
        # oc extract writes each key of the secret as a file in the cwd; drop the previous tls.crt first
        rm -f tls.crt; oc extract secret/"$SECRET" -n "$NS" --confirm > /dev/null
        echo "Check cert dates of $SECRET in project $NS:"
        openssl x509 -noout -dates -in tls.crt; echo
      done
      
      $ cat certs.txt
      openshift-kube-controller-manager-operator csr-signer-signer
      openshift-kube-controller-manager-operator csr-signer
      openshift-kube-controller-manager kube-controller-manager-client-cert-key
      openshift-kube-apiserver-operator aggregator-client-signer
      openshift-kube-apiserver aggregator-client
      openshift-kube-apiserver external-loadbalancer-serving-certkey
      openshift-kube-apiserver internal-loadbalancer-serving-certkey
      openshift-kube-apiserver service-network-serving-certkey
      openshift-config-managed kube-controller-manager-client-cert-key
      openshift-config-managed kube-scheduler-client-cert-key
      openshift-kube-scheduler kube-scheduler-client-cert-key
      
      Checking the certs: they have one-day expiry times, which is as expected.
      # ./check_secret_expiry.sh certs.txt
      Check cert dates of csr-signer-signer in project openshift-kube-controller-manager-operator:
      notBefore=Jun 27 04:41:38 2022 GMT
      notAfter=Jun 28 04:41:38 2022 GMT
      
      Check cert dates of csr-signer in project openshift-kube-controller-manager-operator:
      notBefore=Jun 27 04:52:21 2022 GMT
      notAfter=Jun 28 04:41:38 2022 GMT
      
      Check cert dates of kube-controller-manager-client-cert-key in project openshift-kube-controller-manager:
      notBefore=Jun 27 04:52:26 2022 GMT
      notAfter=Jul 27 04:52:27 2022 GMT
      
      Check cert dates of aggregator-client-signer in project openshift-kube-apiserver-operator:
      notBefore=Jun 27 04:41:37 2022 GMT
      notAfter=Jun 28 04:41:37 2022 GMT
      
      Check cert dates of aggregator-client in project openshift-kube-apiserver:
      notBefore=Jun 27 04:52:26 2022 GMT
      notAfter=Jun 28 04:41:37 2022 GMT
      
      Check cert dates of external-loadbalancer-serving-certkey in project openshift-kube-apiserver:
      notBefore=Jun 27 04:52:26 2022 GMT
      notAfter=Jul 27 04:52:27 2022 GMT
      
      Check cert dates of internal-loadbalancer-serving-certkey in project openshift-kube-apiserver:
      notBefore=Jun 27 04:52:49 2022 GMT
      notAfter=Jul 27 04:52:50 2022 GMT
      
      Check cert dates of service-network-serving-certkey in project openshift-kube-apiserver:
      notBefore=Jun 27 04:52:28 2022 GMT
      notAfter=Jul 27 04:52:29 2022 GMT
      
      Check cert dates of kube-controller-manager-client-cert-key in project openshift-config-managed:
      notBefore=Jun 27 04:52:26 2022 GMT
      notAfter=Jul 27 04:52:27 2022 GMT
      
      Check cert dates of kube-scheduler-client-cert-key in project openshift-config-managed:
      notBefore=Jun 27 04:52:47 2022 GMT
      notAfter=Jul 27 04:52:48 2022 GMT
      
      Check cert dates of kube-scheduler-client-cert-key in project openshift-kube-scheduler:
      notBefore=Jun 27 04:52:47 2022 GMT
      notAfter=Jul 27 04:52:48 2022 GMT
      # 
      
      # cat check_secret_expiry_within.sh
      #!/usr/bin/env bash
      # usage: ./check_secret_expiry_within.sh 1day # or 15min, 2days, 2day, 2month, 1year
      WITHIN=${1:-24hours}
      echo "Checking validity within $WITHIN ..."
      # list every secret whose auth.openshift.io/certificate-not-after annotation is at or before
      # now+$WITHIN (GNU date computes the cutoff epoch; secrets without the annotation are skipped)
      oc get secret --insecure-skip-tls-verify -A -o json | jq -r '.items[] | select(.metadata.annotations."auth.openshift.io/certificate-not-after" | . != null and fromdateiso8601<='$( date --date="+$WITHIN" +%s )') | "\(.metadata.annotations."auth.openshift.io/certificate-not-before")  \(.metadata.annotations."auth.openshift.io/certificate-not-after")  \(.metadata.namespace)\t\(.metadata.name)"'
      
      # ./check_secret_expiry_within.sh 1day
      Checking validity within 1day ...
      2022-06-27T04:41:37Z  2022-06-28T04:41:37Z  openshift-kube-apiserver-operator	aggregator-client-signer
      2022-06-27T04:52:26Z  2022-06-28T04:41:37Z  openshift-kube-apiserver	aggregator-client
      2022-06-27T04:52:21Z  2022-06-28T04:41:38Z  openshift-kube-controller-manager-operator	csr-signer
      2022-06-27T04:41:38Z  2022-06-28T04:41:38Z  openshift-kube-controller-manager-operator	csr-signer-signer
      
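      The same check as check_secret_expiry_within.sh, written here as an added offline example (not the project's own code, not part of the bug report) so the filter logic can be exercised without a cluster: it reads the `.items[].metadata.annotations` structure that `oc get secret -A -o json` returns, skips secrets that carry no `auth.openshift.io/certificate-not-after` annotation (the jq `. != null` test), lists the ones expiring at or before now+window, and additionally reports each certificate's validity period in hours, which is what distinguishes the one-day development rotation from the normal one-month lifetime. The embedded secret list, the `pull-secret`/`plain-secret` entries and the reference "now" are constructed; the real names and timestamps are copied from the output above.

```python
"""Offline re-implementation of the secret-expiry check (added example, constructed data)."""
import json
from datetime import datetime, timezone, timedelta

# Annotation keys used in the bug's jq filter (stamped by OpenShift's cert-rotation controllers).
NOT_BEFORE = "auth.openshift.io/certificate-not-before"
NOT_AFTER = "auth.openshift.io/certificate-not-after"

# Constructed stand-in for `oc get secret -A -o json`, trimmed to the fields the check needs.
# The first three entries copy values from the bug description; the last two are made up to
# exercise the "no annotation" path (e.g. a pull secret has no rotation annotations).
SAMPLE_SECRET_LIST = json.dumps({
    "items": [
        {"metadata": {"namespace": "openshift-kube-apiserver-operator",
                      "name": "aggregator-client-signer",
                      "annotations": {NOT_BEFORE: "2022-06-27T04:41:37Z",
                                      NOT_AFTER: "2022-06-28T04:41:37Z"}}},
        {"metadata": {"namespace": "openshift-kube-apiserver",
                      "name": "aggregator-client",
                      "annotations": {NOT_BEFORE: "2022-06-27T04:52:26Z",
                                      NOT_AFTER: "2022-06-28T04:41:37Z"}}},
        {"metadata": {"namespace": "openshift-kube-apiserver",
                      "name": "external-loadbalancer-serving-certkey",
                      "annotations": {NOT_BEFORE: "2022-06-27T04:52:26Z",
                                      NOT_AFTER: "2022-07-27T04:52:27Z"}}},
        {"metadata": {"namespace": "openshift-config", "name": "pull-secret",
                      "annotations": {}}},                       # constructed: no rotation annotations
        {"metadata": {"namespace": "default", "name": "plain-secret"}},  # constructed: no annotations at all
    ]
})

# Constructed reference time, shortly after the certs above were issued.
REFERENCE_NOW = datetime(2022, 6, 27, 5, 0, 0, tzinfo=timezone.utc)


def parse_rfc3339(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form the annotations use (what jq's fromdateiso8601 accepts)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rotation_managed_secrets(secret_list_json):
    """Yield (namespace, name, not_before, not_after) for every secret carrying both annotations."""
    for item in json.loads(secret_list_json)["items"]:
        meta = item["metadata"]
        ann = meta.get("annotations") or {}
        if NOT_BEFORE not in ann or NOT_AFTER not in ann:
            continue  # same as the jq `. != null` guard: unmanaged secrets are ignored
        yield meta["namespace"], meta["name"], parse_rfc3339(ann[NOT_BEFORE]), parse_rfc3339(ann[NOT_AFTER])


def expiring_within(secret_list_json, within_hours, now):
    """Return [(namespace, name)] whose not-after is at or before now+within_hours.

    Like the jq `<=` comparison, certificates that have already expired are included too,
    since they trivially satisfy the condition.
    """
    deadline = now + timedelta(hours=within_hours)
    return [(ns, name) for ns, name, _, not_after in rotation_managed_secrets(secret_list_json)
            if not_after <= deadline]


def validity_hours(secret_list_json):
    """Map 'namespace/name' -> certificate lifetime (not_after - not_before) in whole hours."""
    return {f"{ns}/{name}": int((not_after - not_before).total_seconds() // 3600)
            for ns, name, not_before, not_after in rotation_managed_secrets(secret_list_json)}


if __name__ == "__main__":
    for ns, name in expiring_within(SAMPLE_SECRET_LIST, 24, REFERENCE_NOW):
        print(f"expires within 24h: {ns}/{name}")
    for key, hours in validity_hours(SAMPLE_SECRET_LIST).items():
        print(f"{key}: valid for {hours} h")
```

      Run against the embedded data it lists aggregator-client-signer and aggregator-client as expiring within 24 hours (the one-day development rotation from the bug), and reports 720 hours for external-loadbalancer-serving-certkey, the normal one-month lifetime. To use it on a live cluster, feed it the output of `oc get secret -A -o json` instead of SAMPLE_SECRET_LIST and pass `datetime.now(timezone.utc)` as `now`.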
      


              Unassigned
              Abu H Kashem (akashem@redhat.com)
              Ke Wang
              Votes: 0
              Watchers: 3