OpenShift Bugs / OCPBUGS-50014

Control plane components do not restart automatically when certificates are renewed


    • Bug
    • Resolution: Unresolved
    • Critical
    • None
    • 4.14, 4.15, 4.16, 4.17, 4.18, 4.19
    • HyperShift
    • Critical
    • None
    • Hypershift Sprint 264
    • 1
    • Rejected
    • False

      Description of problem:

          When internal serving certificates expire (and are renewed), the new certificates are not picked up automatically by control plane components, resulting in an unstable control plane.

      Version-Release number of selected component (if applicable):

        All  

      How reproducible:

        Always

      Steps to Reproduce:

          1. Create a HostedCluster with annotations for a short certificate expiration time:

                 hypershift.openshift.io/certificate-validity: "1h"
                 hypershift.openshift.io/certificate-renewal: "0.3"

          2. Wait for initial certificates to expire.

      Actual results:

          The cluster becomes degraded, and apiservices in the hosted cluster API become unavailable. To test this, obtain a kubeconfig for the hosted cluster and list apiservices:

                 $ oc get apiservices

          API services that are external to the kube-apiserver appear as unavailable.

      Expected results:

          Cluster continues to function as expected

      Additional info:

          

              cewong@redhat.com Cesar Wong
              cewong@redhat.com Cesar Wong
              XiuJuan Wang XiuJuan Wang
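
Added example (not part of the original report or of HyperShift): a Python check that reads the JSON form of the apiservices listing from the "Actual results" step and reports every API service served outside the kube-apiserver that is not Available. The sample data, the service namespace/name values and the "NoAvailableCondition" label are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `oc get apiservices -o json`; not real cluster output.
# The service namespace/name values are placeholders.
SAMPLE = {"items": [
    {"metadata": {"name": "v1."}, "spec": {},
     "status": {"conditions": [{"type": "Available", "status": "True", "reason": "Local"}]}},
    {"metadata": {"name": "v1.apps.openshift.io"},
     "spec": {"service": {"namespace": "example-ns", "name": "example-apiserver"}},
     "status": {"conditions": [{"type": "Available", "status": "False",
                                "reason": "FailedDiscoveryCheck"}]}},
    {"metadata": {"name": "v1.example.constructed"},
     "spec": {"service": {"namespace": "example-ns", "name": "example-other"}},
     "status": {"conditions": [{"type": "Available", "status": "True", "reason": "Passed"}]}},
    {"metadata": {"name": "v1beta1.example.constructed"},
     "spec": {"service": {"namespace": "example-ns", "name": "example-new"}}},
]}


def unavailable_aggregated(apiservice_list):
    """Return (name, backing service, reason) for each APIService that is served
    outside kube-apiserver and does not report Available=True."""
    findings = []
    for item in apiservice_list.get("items", []):
        svc = (item.get("spec") or {}).get("service")
        if not svc:
            continue  # no backing service: served locally by kube-apiserver
        name = item["metadata"]["name"]
        backend = f"{svc.get('namespace')}/{svc.get('name')}"
        conditions = (item.get("status") or {}).get("conditions") or []
        available = next((c for c in conditions if c.get("type") == "Available"), None)
        if available is None:
            findings.append((name, backend, "NoAvailableCondition"))  # label made up here
        elif available.get("status") != "True":
            findings.append((name, backend, available.get("reason", "Unknown")))
    return findings


if __name__ == "__main__":
    # Pipe real data in, or run with no pipe to see the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = unavailable_aggregated(data)
    for name, backend, reason in findings:
        print(f"UNAVAILABLE {name} -> {backend} ({reason})")
    sys.exit(1 if findings else 0)
```

With a kubeconfig for the hosted cluster, pipe `oc get apiservices -o json` into the script (file name of your choosing); a non-zero exit status means at least one external API service is unavailable.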