
Ingress controller related certificates' validity dates gathering

    • CCXDEV Sprint 118 (ONSITE), CCXDEV Sprint 119, CCXDEV Sprint 120, CCXDEV Sprint 121
    • Previously, the Insights Operator gathered information about all Ingress Controller certificates, including their `NotBefore` and `NotAfter` dates. This data is now compiled into a `JSON` file located at `aggregated/ingress_controllers_certs.json` for easier monitoring of certificate validity across the cluster.
      (link:https://issues.redhat.com/browse/OCPBUGS-35727[*OCPBUGS-35727*])
    • Enhancement
    • Done

      Business requirement:

      We had a recommendation to check the expiration of the default ingress controller's certificate after it has expired. From the referenced KCS, it seems that many customers (hundreds) hit this issue. So oarribas@redhat.com suggests that we have a recommendation to alert customers before certificate expiration.

      Gathering method:

      1. Gather all the ingresscontroller objects (we already gathered the default ingresscontroller) with the command:
      oc get ingresscontrollers -n openshift-ingress-operator
      2. Gather the validity dates of the operator's auto-generated certificates with the commands:

      $ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
      #### empty output here when certificate created by the operator
      $ oc get secret router-ca -n openshift-ingress-operator -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      notBefore=Dec 28 00:00:00 2022 GMT
      notAfter=Jan 22 23:59:59 2024 GMT
      
      $ oc get secret router-certs-default -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      notBefore=Dec 28 00:00:00 2022 GMT
      notAfter=Jan 22 23:59:59 2024 GMT
      

      3. Gather the custom certificates' validity dates with the commands:

      $ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
          defaultCertificate:
            name: [custom-cert-secret-1]
      
      #### for each [custom-cert-secret] above
      $ oc get secret [custom-cert-secret-1] -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      notBefore=Dec 28 00:00:00 2022 GMT
      notAfter=Jan 22 23:59:59 2024 GMT
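
The secret lookup in steps 2 and 3 and the "alert before expiration" check from the business requirement, as an added Python example (not code from the Insights Operator or from this issue). It assumes the ingresscontroller objects are already parsed from `oc get ... -o json`, that the operator-generated secret for a controller is named `router-certs-<controller name>` (the issue shows only `router-certs-default`), and a hypothetical 30-day warning window; the controller `internal` and the sample data are constructed.

```python
from datetime import datetime, timedelta, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # format printed by `openssl x509 -noout -dates`

def cert_secret(ic):
    """Return (namespace, secret name) holding an ingresscontroller's certificate."""
    default_cert = (ic.get("spec") or {}).get("defaultCertificate") or {}
    # Step 3: a custom certificate is named in spec.defaultCertificate.name.
    # Step 2: otherwise assume the operator-generated router-certs-<name> secret.
    name = default_cert.get("name") or "router-certs-" + ic["metadata"]["name"]
    return ("openshift-ingress", name)

def parse_dates(text):
    """Parse the notBefore=/notAfter= lines into timezone-aware datetimes."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_FMT)
            dates[key] = parsed.replace(tzinfo=timezone.utc)
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return dates

def status(dates, now, warn_days=30):
    """Classify a certificate relative to `now` (warn_days is an assumed window)."""
    if now < dates["notBefore"]:
        return "not-yet-valid"
    if now > dates["notAfter"]:
        return "expired"
    if dates["notAfter"] - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"

# Constructed sample input: two controllers and the dates shown in the issue.
CONTROLLERS = [
    {"metadata": {"name": "default"}, "spec": {}},
    {"metadata": {"name": "internal"},
     "spec": {"defaultCertificate": {"name": "custom-cert-secret-1"}}},
]
DATES = "notBefore=Dec 28 00:00:00 2022 GMT\nnotAfter=Jan 22 23:59:59 2024 GMT\n"

if __name__ == "__main__":
    now = datetime(2024, 1, 2, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for ic in CONTROLLERS:
        namespace, secret = cert_secret(ic)
        print(namespace, secret, status(parse_dates(DATES), now))
```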
       

      Other Information:

      An RFE to create a cluster alert is under review: https://issues.redhat.com/browse/RFE-4269

            rh-ee-ijimeno Isaac Jimeno
            rh-ee-ijimeno Isaac Jimeno
            baiyang zhou baiyang zhou
            Subhashini T K Subhashini T K