-
Bug
-
Resolution: Not a Bug
-
Major
-
None
-
4.8.z
-
Important
-
Rejected
-
False
-
-
-
Description of problem:
Many expired certificates are still present in the cluster under secrets. Expired certificated should be deleted/clean up automatically from the OCP cluster.
Version-Release number of selected component (if applicable):
4.8.18 4.8.x
How reproducible:
Always
Steps to Reproduce:
1. oc project openshift-kube-apiserver
2. oc get secrets
3. echo -e "NAMESPACE\tNAME\tEXPIRY" && oc get secrets -A -o go-template='{{range .items}}{{if eq .type "kubernetes.io/tls"}}{{.metadata.namespace}}{{" "}}{{.metadata.name}}{{" "}}{{index .data "tls.crt"}}{{"\n"}}{{end}}{{end}}' | while read namespace name cert; do echo -en "$namespace\t$name\t"; echo $cert | base64 -d | openssl x509 -noout -enddate; done | column -t
Actual results:
There are many expired certs are still present in the cluster.
Expected results:
Expired certificated should be removed from the cluster automatically.
Additional info:
Certificates listed with command `oc get secret` are present in the cluster from the date of cluster installation. Many certificates are already expired but not cleaned up from the cluster. Priority is set to Important as Customer is Nokia-NOM who are looking closely into this issue. Bugzilla has been raised for this issue in May 2022 : https://bugzilla.redhat.com/show_bug.cgi?id=2089888
