Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-35727

Ingress controller related certificates' validate dates gathering

XMLWordPrintable

    • No
    • CCXDEV Sprint 118 (ONSITE), CCXDEV Sprint 119, CCXDEV Sprint 120, CCXDEV Sprint 121
    • 4
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, the Insights Operator gathered information about all Ingress Controller certificates, including their `NotBefore` and `NotAfter` dates. This data is now compiled into a `JSON` file located at `aggregated/ingress_controllers_certs.json` for easier monitoring of certificate validity across the cluster.
      (link:https://issues.redhat.com/browse/OCPBUGS-35727[*OCPBUGS-35727*])
      Show
      Previously, the Insights Operator gathered information about all Ingress Controller certificates, including their `NotBefore` and `NotAfter` dates. This data is now compiled into a `JSON` file located at `aggregated/ingress_controllers_certs.json` for easier monitoring of certificate validity across the cluster. (link: https://issues.redhat.com/browse/OCPBUGS-35727 [* OCPBUGS-35727 *])
    • Enhancement
    • Done

      Business required:

      We had a recommendation to check the certificate of the default ingress controller expiration after it has expired. From the referenced KCS, it seems that many customers(hundreds) hit this issue. So, oarribas@redhat.com suggests that if we can have a recommendation to alert customers before certificate expiration. 

      Gathering method:

      1. Gather all the ingresscontroller objects(we already gathered the default ingresscontroller) with commands: 
      oc get ingresscontrollers -n openshift-ingress-operator
      2. Gather operator auto-generated certificate's validate dates with commands:

      $ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
#### empty output here when certificate created by the operator
      $ oc get secret router-ca -n openshift-ingress-operator -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 28 00:00:00 2022 GMT
notAfter=Jan 22 23:59:59 2024 GMT

      $ oc get secret router-certs-default -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 28 00:00:00 2022 GMT
notAfter=Jan 22 23:59:59 2024 GMT

      3. Gather custom certificates' validate dates with commands:

      $ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
    defaultCertificate:
      name: [custom-cert-secret-1]

      #### for each [custom-cert-secret] above
$ oc get secret [custom-cert-secret-1] -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 28 00:00:00 2022 GMT
notAfter=Jan 22 23:59:59 2024 GMT
 

      Other Information:

      An RFE to create a cluster alert is under reveiwing: https://issues.redhat.com/browse/RFE-4269

              rh-ee-ijimeno Isaac Jimeno
              rh-ee-ijimeno Isaac Jimeno
              baiyang zhou baiyang zhou
              Subhashini T K Subhashini T K
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: