Uploaded image for project: 'OpenShift Virtualization'
  1. OpenShift Virtualization
  2. CNV-15131

[2017415] [certificate renewal] ssp-operator-service-cert secret certificate is not updated according to HCO CR certconfig

    XMLWordPrintable

Details

    • CNV I/U Operators Sprint 222
    • Medium
    • OpenShift Virtualization

    Description

      Description of problem:
      ----------------------
      The certificate validity range does not conform to the values modified in the HCO CR (which are also propagated to CNAO CR).

      Version-Release number of selected component (if applicable):
      ------------------------------------------------------------
      4.9.0-249

      How reproducible:
      ----------------
      100%

      Steps to Reproduce:
      ------------------
      1. Modify the HCO CR spec.certconfig to:
      {
      "ca":

      { "duration": "11m", "renewBefore": "10m" }

      ,
      "server":

      { "duration": "11m", "renewBefore": "10m" }

      }

      2. run the command:
      $ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout

      Actual results:
      --------------
      1. The notAfter is 2 years ahead of notBefore.
      2. the notBefore is 1 day earlier from the current date.

      Expected results:
      ----------------
      1. The difference should have been 11 minutes.
      2. notBefore should be today.

      Additional info:
      ---------------
      $ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certConfig'
      {
      "ca":

      { "duration": "11m", "renewBefore": "10m" }

      ,
      "server":

      { "duration": "11m", "renewBefore": "10m" }

      }

      $ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certificateRotateStrategy.selfSigned'
      {
      "ca":

      { "duration": "11m0s", "renewBefore": "10m0s" }

      ,
      "server":

      { "duration": "11m0s", "renewBefore": "10m0s" }

      }

      $ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout
      notBefore=Oct 25 10:10:02 2021 GMT
      notAfter=Oct 24 10:10:02 2023 GMT

      Attachments

        Issue Links

          is blocked by

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPPLAN-9555 Platform Operators

          • Critical - To be worked on immediately following BLOCKER issues.
          • In Progress
          relates to

          Bug - A problem that impairs or prevents the functions of the product. CNV-14625 [2017442] [certificate renewal] virt-template-validator-certs secret certificate is not updated according to HCO CR certconfig

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • New
          external trackers

          Web Link Red Hat Bugzilla 2017442

          Web Link Red Hat Issue Tracker CNV-15131

          Activity

            People

              jvilaca@redhat.com João Vilaça
              rhn-support-ibesso Issac Besso (Inactive)
              Geetika Kapoor Geetika Kapoor
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: