OpenShift Bugs: OCPBUGS-3038

Expired certificates are not cleaned up from secret in RHOCP 4


      Description of problem:

      Many expired certificates are still present in the cluster under secrets.
      Expired certificates should be deleted/cleaned up automatically from the OCP cluster.

      Version-Release number of selected component (if applicable):

      4.8.18
      4.8.x
      

      How reproducible:

      Always

      Steps to Reproduce:

      1. oc project openshift-kube-apiserver
      2. oc get secrets
      3. echo -e "NAMESPACE\tNAME\tEXPIRY" && oc get secrets -A -o go-template='{{range .items}}{{if eq .type "kubernetes.io/tls"}}{{.metadata.namespace}}{{" "}}{{.metadata.name}}{{" "}}{{index .data "tls.crt"}}{{"\n"}}{{end}}{{end}}' | while read namespace name cert; do echo -en "$namespace\t$name\t"; echo $cert | base64 -d | openssl x509 -noout -enddate; done | column -t 
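      Added example (not from this bug report or from OpenShift's own code): a Go version of the check the one-liner above performs, run against in-memory kubernetes.io/tls secrets instead of a live cluster, reporting every secret whose tls.crt is already past NotAfter. The tlsSecret type and the expiredCerts and selfSignedPEM functions are assumed names; the self-signed certificates are constructed test data so the check runs without a cluster.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// tlsSecret is a constructed stand-in for the fields of a corev1.Secret this check reads.
type tlsSecret struct {
	Namespace, Name, Type string
	TLSCrt                []byte // decoded value of data["tls.crt"], PEM
}

// expiredCerts lists "namespace/name" of kubernetes.io/tls secrets whose tls.crt is past NotAfter.
func expiredCerts(secrets []tlsSecret, now time.Time) ([]string, error) {
	var out []string
	for _, s := range secrets {
		if s.Type != "kubernetes.io/tls" {
			continue // same filter as the go-template: only TLS secrets carry tls.crt
		}
		block, _ := pem.Decode(s.TLSCrt)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%s/%s: tls.crt is not a PEM certificate", s.Namespace, s.Name)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s/%s: %w", s.Namespace, s.Name, err)
		}
		if cert.NotAfter.Before(now) { // the "notAfter" openssl -enddate prints
			out = append(out, s.Namespace+"/"+s.Name)
		}
	}
	return out, nil
}

// selfSignedPEM makes a throwaway self-signed cert for the given window (constructed test data).
func selfSignedPEM(notBefore, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```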

      Actual results:

      Many expired certs are still present in the cluster.
      

      Expected results:

      Expired certificates should be removed from the cluster automatically.
      

      Additional info:

      Certificates listed with the command `oc get secret` have been present in the cluster since the date of cluster installation.
      Many of these certificates have already expired but have not been cleaned up from the cluster.
      
      Priority is set to Important as the customer is Nokia-NOM, who are looking closely into this issue.
      
      A Bugzilla was raised for this issue in May 2022: https://bugzilla.redhat.com/show_bug.cgi?id=2089888

       

              Unassigned
              Suruchi Dharma (rhn-support-sdharma)
              Ke Wang