Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: 4.15.z
Affects Version/s: 4.17.0
Component/s: Insights Operator
Labels:
- CCX-IO
- obsint-io

Regression:
No
Sprint:
CCXDEV Sprint 121, CCXDEV Sprint 122
sprint_count:
2
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:
The Insights Operator now collects information about all Ingress Controller certificates (NotBefore and NotAfter dates). It aggregates it into a JSON file in the path 'aggregated/ingress_controllers_certs.json'.
Release Note Type:
Enhancement
Release Note Status:
In Progress
Target Version:

4.15.z
Target Backport Versions:

4.14.z, 4.15.z, 4.16.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue ~~OCPBUGS-37671~~. The following is the description of the original issue:
—
This is a clone of issue ~~OCPBUGS-35727~~. The following is the description of the original issue:
—
Business required:

We had a recommendation to check the certificate of the default ingress controller expiration after it has expired. From the referenced KCS, it seems that many customers(hundreds) hit this issue. So, oarribas@redhat.com suggests that if we can have a recommendation to alert customers before certificate expiration.

Gathering method:

1. Gather all the ingresscontroller objects(we already gathered the default ingresscontroller) with commands:
oc get ingresscontrollers -n openshift-ingress-operator
2. Gather operator auto-generated certificate's validate dates with commands:

$ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
#### empty output here when certificate created by the operator

$ oc get secret router-ca -n openshift-ingress-operator -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 28 00:00:00 2022 GMT
notAfter=Jan 22 23:59:59 2024 GMT

$ oc get secret router-certs-default -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 28 00:00:00 2022 GMT
notAfter=Jan 22 23:59:59 2024 GMT

3. Gather custom certificates' validate dates with commands:

$ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
    defaultCertificate:
      name: [custom-cert-secret-1]

#### for each [custom-cert-secret] above
$ oc get secret [custom-cert-secret-1] -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
notBefore=Dec 28 00:00:00 2022 GMT
notAfter=Jan 22 23:59:59 2024 GMT

Other Information:

An RFE to create a cluster alert is under reveiwing: https://issues.redhat.com/browse/RFE-4269

blocks

OCPBUGS-37673 [release4.14] Ingress controller related certificates' validate dates gathering

Closed

clones

OCPBUGS-37671 [release4.16] Ingress controller related certificates' validate dates gathering

Closed

is blocked by

OCPBUGS-37671 [release4.16] Ingress controller related certificates' validate dates gathering

Closed

is cloned by

OCPBUGS-37673 [release4.14] Ingress controller related certificates' validate dates gathering

Closed

links to

openshift/insights-operator#972: [release-4.15] OCPBUGS-37672: Ingress controller related certificates' validate dates gathering

RHSA-2024:5160 OpenShift Container Platform 4.15.z security update

(1 links to)

Assignee:: Isaac Jimeno

Reporter:: OpenShift Prow Bot

QA Contact:: baiyang zhou

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/07/29 5:34 PM

Updated:: 2024/08/15 2:25 PM

Resolved:: 2024/08/15 2:25 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates