Bug
Resolution: Not a Bug
Major
4.13, 4.12
Quality / Stability / Reliability
Moderate
Rejected
Description of problem:
spec.expirationSeconds field is not respected when issuing certificates using the CertificateSigningRequest resource
Version-Release number of selected component (if applicable):
4.13.5, 4.12.25
How reproducible:
100%
Steps to Reproduce:
1. Create a certificate request
$ openssl req -new -newkey rsa:4096 -nodes -keyout newauth-access.key -out newauth-access.csr -subj "/CN=system:admin"
2. Create the CSR resource definition:
$ cat << EOF >> newauth-access-csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: newauth-access
spec:
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 31557600
  groups:
  - system:authenticated
  request: $(cat newauth-access.csr | base64 -w0)
  usages:
  - client auth
EOF
$ oc create -f newauth-access-csr.yaml
3. Approve the CSR and extract the client certificate:
$ oc get csr
$ oc adm certificate approve newauth-access
$ oc get csr newauth-access -o jsonpath='{.status.certificate}' | base64 -d > newauth-access.crt
4. Check the certificate expiration date:
$ openssl x509 -in newauth-access.crt -noout -dates
notBefore=Aug 15 19:52:25 2023 GMT
notAfter=Sep 1 20:37:49 2023 GMT
Actual results:
The issued certificate has a 15-day expiry, even after specifying a certificate duration of 1 year.
Expected results:
The issued certificate should have a lifetime of 1 year, as per the `expirationSeconds` field of the `CertificateSigningRequest` resource.
Additional info:
The bug is observed after following the KCS https://access.redhat.com/solutions/5286371 to regenerate the kubeconfig.
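The check in step 4 can be scripted so that the issued validity window is compared with the requested `expirationSeconds` instead of being read by eye. The following is an added example, not part of the original report or of OpenShift; the function names and the 600-second tolerance are assumptions, and the sample input is the `openssl x509 -dates` output quoted in step 4.

```python
"""Added example: compare an issued certificate's lifetime with the CSR's
spec.expirationSeconds. Function names and the tolerance are assumptions."""
from datetime import datetime, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # date format printed by `openssl x509 -dates`

# Output quoted in step 4 of the report.
SAMPLE_DATES = """notBefore=Aug 15 19:52:25 2023 GMT
notAfter=Sep 1 20:37:49 2023 GMT"""


def parse_dates(openssl_output):
    """Return (not_before, not_after) as UTC datetimes from `-dates` output."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_FMT)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def check_lifetime(openssl_output, requested_seconds, tolerance_seconds=600):
    """Compare the issued validity window with the requested duration.

    tolerance_seconds absorbs small differences such as a backdated
    notBefore (assumed value, adjust for the signer in use).
    """
    not_before, not_after = parse_dates(openssl_output)
    if not_after <= not_before:
        raise ValueError("notAfter is not later than notBefore")
    issued = int((not_after - not_before).total_seconds())
    return {
        "issued_seconds": issued,
        "issued_days": round(issued / 86400, 2),
        "shortfall_seconds": max(0, requested_seconds - issued),
        "honoured": abs(issued - requested_seconds) <= tolerance_seconds,
        "exceeds_request": issued > requested_seconds + tolerance_seconds,
    }


if __name__ == "__main__":
    # 31557600 is the expirationSeconds value from the CSR in step 2.
    for name, value in check_lifetime(SAMPLE_DATES, 31557600).items():
        print(f"{name}: {value}")
```
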